My first post defending Canada’s anti-spam law focused on why spam remains a problem and how the new law may help combat fraudulent spam and target Canadian-based spamming organization. Most would agree that these are legitimate goals, but critics of the law will argue that it still goes too far since it covers all commercial electronic messages, not just fraudulent or harmful messages.
If the law were only designed to deal with harmful spam, they would be right. However, the law was always envisioned as something more than just an anti-spam bill. Indeed, when it was first introduced, it was called the Electronic Commerce Protection Act, reflecting the fact that it was expressly designed to address online consumer protection issues (the name CASL was an unofficial working name developed within Industry Canada). The law has at least three goals: provide Canada with tough anti-spam rules, require software companies to better inform consumers about their programs before installation, and update Canadian privacy standards by re-allocating who bears the cost for the use of personal information in the digital environment.
The need for tough anti-spam rules were discussed in my first post. The software installation provisions have yet to attract much attention since they do not take effect until 2015. Once they do, Canadian law will require companies to provide clear and prominent descriptions of the functionality of the software and to obtain express consent before installation. Business groups lobbied for significant changes to the rules, but the government and the CRTC refused to water down the requirements. The new rules are straight-forward consumer protection measures designed to enhance disclosure and require full consent before software programs are installed on users’ computers.
The third – and currently most controversial – aspect of the law is the update to Canadian privacy standards on consent for emails from legitimate businesses. Before CASL, most of the costs of commercial electronic messages were borne by consumers. With weak “implied consent” standards (as evidenced by the many unexpected opt-in emails Canadians received from organizations that harvested email addresses in a myriad of ways with little real awareness or consent from consumers), businesses sent messages safe in the knowledge that consumers would bear virtually all the costs. These include downloading the messages (particularly for mobile downloads where data still counts), higher ISP fees to account for filtering software and equipment costs, time spent reading the email, and the time to respond, delete or opt-out. Given those costs, organizations knew that relatively few would incur the cost (in the form of time) to opt-out.
Businesses unsurprisingly argue that this is a good approach, noting that the cost for any single opt-out is relatively trivial. Yet for consumers, the cumulative effect of hundreds or thousands of emails from different organizations adds up to a non-trivial cost. Multiplied by millions of consumers who each face the same thing and the off-loaded cost on consumers becomes significant. Moreover, from a privacy perspective, this leads to a weakened approach to consent under which privacy and consent start to mean very little. If anything is “ludicrous” or “absurd”, it is the notion that a simple inquiry should grant a business the right to burden the consumer with additional costs by marketing to them in perpetuity using their personal information unless the consumer pro-actively demands that it stop.
The new Canadian law re-calibrates this approach by giving consumers greater control over the costs they bear from commercial email. By shifting to an opt-in approach, the costs associated with receiving and dealing with email better reflects consumer choice since consumers only incur the costs for those commercial emails for which they have expressly provided consent. It is worth noting that the allocation of costs is also reflected in many (though not all) of the exceptions in the law. For example, product recalls and safety warnings are exempt from the consent requirements, reflecting the benefit to consumers, who bear the costs of receipt. Similarly, business-to-business email is generally exempted as a cost of doing business.
The debate over where to strike this privacy balance is an old one. For example, in 1991, the U.S. passed the Telephone Consumer Protection Act. The TCPA included a ban on sending unsolicited commercial faxes without prior express consent. Business groups objected to the TCPA, using many of the same arguments raised with CASL. In fact, a constitutional challenge on the ban was launched, but failed. A review of the Congressional thinking behind the bill notes:
It simply was not fair to require consumers to swallow the costs – paper, ink, wear-and-tear on the machine – of automatically-received, unwanted faxes promising great hotel deals or special car wash discounts. Congress reasoned that the consumer protection rights of the fax recipient – who must unfairly waste time waiting while a machine receives and prints out an unwanted transmission, all at the recipient’s cost – trumped any commercial speech rights of the marketers.
Faxes are not the same as email, but the reasoning is the same. There is a cost to consumers for the receipt of commercial email from legitimate businesses. For over a decade, businesses have effectively off-loaded those costs. CASL seeks to create a more equitable balance, leading to support from many Canadians but opposition from business.
In fact, the same balancing debate occurred with the creation of Canada’s do-not-call list. Marketers warned about the negative impact on many businesses, but the government noted that consumers faced the brunt of the cost for telemarketing calls in the form of time and interruption of privacy in the home. The result was a more balanced approach with an expanded opt-out system that requires all marketers to consult the do-not-call list before engaging in telemarketing.
With respect to commercial email, the policy rationale is similar: since an opt-out do-not-spam list is not viable, the best way to address the cost imbalance on commercial email is to relieve consumers of some of the costs by granting them the right to opt-in to emails, rather than opt-out.
As for the business costs of compliance, business was already required to maintain lists and respect opt-outs. Much of the additional compliance costs stem from either seeking an opt-in or the complexity of relying upon exceptions. In the case of seeking opt-ins, businesses could have obtained an opt-in the first place, but chose not to do so. Moreover, businesses have been given a three-year transition period to address the requirement (note that if the law was only concerned with fraudulent spam, there would be no need for a three year transition). As for the compliance costs from relying upon exceptions, it seems reasonable that there may be some costs for those businesses that would prefer to avoid obtaining express consent.
Some may still disagree with the policy rationale or the privacy balance struck by CASL. However, what should be obvious to all is that the law is about far more than just harmful spam. The application to legitimate businesses is not an unintended consequence but rather a well-considered policy decision to update Canadian privacy standards by more fairly apportioning the costs associated with the use of personal information.