Canada’s anti-spam legislation takes effect this week, sparking panic among many businesses, who fear that sending commercial electronic messages may grind to a halt on July 1st. The reality is far less troubling. The new law creates some technical requirements for commercial email marketing alongside tough penalties for violations, but left unsaid is that Canadian law has featured rules requiring appropriate consents for over a decade.
My weekly technology law column (Toronto Star version, homepage version)The concern over the new anti-spam law, which mirrors similar worries from 2004 when private sector privacy legislation arrived, suggests that many may not have complied with their existing obligations. As Canadians receive a flood of requests for consent from long-forgotten organizations they never realized had collected and used their personal information in the first place, the controversy over the rollout of the new anti-spam law says more about poor compliance rates with current privacy laws than it does about the new regulations.
PIPEDA already requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so. Compliance with the new anti-spam law (CASL) involves much the same obligations since the three primary requirements involving obtaining user consent, providing an unsubscribe mechanism, and maintaining accessible contact information.
So why has the new anti-spam law caused such an uproar? Three reasons: a shift in approach on consents, the confusion that comes from trying fit into the myriad of exceptions contained in the law, and fear of tough new penalties.
The biggest substantive change in the law comes from the requirement for express consent. Express consent requires disclosing the purposes for why consent is being requested and identifying who is seeking consent. This represents a significant change from current practice, where businesses have frequently relied upon “implied” consent for their use of personal information.
The reality is that users were often unaware that their information was being collected, used, and even disclosed for commercial purposes. The terms were often buried in legal agreements that few bothered to read or presented alongside confusing negative option check boxes that left many bewildered as to whether they needed to check or uncheck the box in order to avoid more email marketing.
Yet business relied upon these approaches to claim they had obtained the necessary implied consent. The shift to express consent represents an important change that has forced many businesses to directly request consent from their users for the first time (if a business already has express consent there is no need to ask again). Those arguing that the new law will have little impact on spam miss the point: the law is shifting privacy expectations in how our information is collected and used.
Given the fears associated with seeking express consent, many businesses are seeking to rely upon exceptions contained in the law. There are many exceptions in CASL with everything from most business-to-business emails to Twitter direct messages excluded. Yet reliance on exceptions creates an assortment of complications that many businesses are finding difficult and has become another source of concern. The exceptions require a close reading and some interpretations, but it is should be remembered that businesses can always seek express consent and avoid the issue altogether.
The third major concern involves the consequences for failing to comply with the law. Failure to comply with the current privacy law results in little more than a non-binding finding from the Privacy Commissioner of Canada with practically no likelihood of financial penalties. On the other hand, CASL’s penalties are significant with the maximum penalty set at $1 million per violation for an individual and $10 million per violation for a business (despite fears of massive penalties for a single slip-up, warnings are far more likely than penalties).
The law also includes a three-year transition period that ensures that as long as an organization already has implied consent, it has until 2017 to upgrade to an express consent. Email marketing will not stop on Canada Day, but the arrival of the anti-spam law after a decade of debate does mean that Canadians are being meaningfully asked for the first time if they give consent to the collection, use and disclosure of their personal information, a change in approach that seems well worth celebrating.