With Canada’s anti-spam law now in effect, many are starting to ask about enforcement of the law. While no one should expect the law to eliminate spam, the goal is much more modest: target the bad actors based in Canada and change the privacy culture by making opt-in consent the expected standard for consumer consents. The CRTC, the lead regulatory agency, has made it clear that the fear-mongering of million dollar penalties for inadvertent violations is not going to happen. Chair Jean-Pierre Blais recently stated:
Canada’s anti-spam legislation takes effect this week, sparking panic among many businesses, who fear that sending commercial electronic messages may grind to a halt on July 1st. The reality is far less troubling. The new law creates some technical requirements for commercial email marketing alongside tough penalties for violations, but left unsaid is that Canadian law has featured rules requiring appropriate consents for over a decade.
From my weekly technology law column (Toronto Star version, homepage version): the concern over the new anti-spam law, which mirrors similar worries from 2004 when private sector privacy legislation arrived, suggests that many may not have complied with their existing obligations. As Canadians receive a flood of requests for consent from long-forgotten organizations they never realized had collected and used their personal information in the first place, the controversy over the rollout of the new anti-spam law says more about poor compliance rates with current privacy laws than it does about the new regulations.
As the Canadian media reports on the panic associated with the new anti-spam law set to take effect next week, consider the following from Maclean’s titled “Few Companies Prepared for New Privacy Law”:
“The new law ... says organizations can only collect personal information for a stated reason – and can use it only for that purpose. Among other things, that means a company that supplies a service can’t sell its list of subscribers to another company’s marketing department. Individuals must be informed, and give their consent, before personal information is collected, used or disclosed ... But most firms are unaware of the new law.”
The article continues by noting that “there’s confusion over which organizations might be exempt” and that “there is no grandfather clause – all existing customer information needs to be compliant.” The message is similar in a Globe and Mail article titled “Many small firms not ready for privacy rules”, which also notes the possibility of a constitutional challenge. IT World Canada reiterates that concern in its coverage:
most Canadian organizations are not aware of the [law]. And very few are prepared to comply.
The imminent arrival of Canada’s anti-spam legislation has sparked considerable fear that might lead the uninitiated to think that sending commercial electronic messages will grind to a halt on July 1st, when parts of the law kick in. The reality is far less troubling. Any organization that already sends commercial electronic messages presumably complies with PIPEDA, the private sector privacy law, which requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so. Compliance with the new anti-spam law (CASL) involves much the same obligations. While there are certainly some additional technical requirements and complications (along with tough penalties for failure to comply), the basics of the law involve consent, withdrawal of consent (i.e. unsubscribe), and accessible contact information.
This post is not legal advice, but it seeks to unpack the key requirements associated with the commercial electronic messages provisions in CASL by answering the ten questions organizations should ask (and answer). Note that there are additional rules associated with software that do not take effect until next year. While this is not designed to be comprehensive – some organizations will face unique issues – it provides a starting point for the key requirements, exceptions, and application of the law. The law itself can be found here, the Industry Canada regulations here, and the CRTC regulations here.
The primary takeaways? If you send commercial electronic messages, you need explicit consent along with an unsubscribe mechanism and contact information. There are many common sense exceptions to this general rule, however, including personal messages, most business-to-business messaging, and most messages sent to recipients outside of Canada. Moreover, if you do not have explicit consent, the government has implemented a transition period that grants you three years to get it.