Commercial email did not grind to a halt the day after Canada’s anti-spam legislation took effect and neither did the coverage about the law’s impact (I appeared on CBC’s The Current to debate the issue). Coverage included Microsoft backtracking from its earlier decision to stop security update emails, apparently taking the time to actually read the legislation and find the exception for security notification. There was also a CBC story about the Canadian Avalanche Centre, which stopped an email service after hundred of customization options became “too much of a hassle to maintain”, but the CBC used the timing to link the decision to CASL.
Funny Internet Spam for eMail and Websites is Spicy by epSos .de (CC BY 2.0) https://flic.kr/p/dAPegg
Canada’s anti-spam legislation takes effect this week, sparking panic among many businesses, who fear that sending commercial electronic messages may grind to a halt on July 1st. The reality is far less troubling. The new law creates some technical requirements for commercial email marketing alongside tough penalties for violations, but left unsaid is that Canadian law has featured rules requiring appropriate consents for over a decade.
My weekly technology law column (Toronto Star version, homepage version)The concern over the new anti-spam law, which mirrors similar worries from 2004 when private sector privacy legislation arrived, suggests that many may not have complied with their existing obligations. As Canadians receive a flood of requests for consent from long-forgotten organizations they never realized had collected and used their personal information in the first place, the controversy over the rollout of the new anti-spam law says more about poor compliance rates with current privacy laws than it does about the new regulations.
As the Canadian media reports on the panic associated with the new anti-spam law set to take effect next week, consider the following from Macleans titled “Few Companies Prepared for New Privacy Law“:
The new law..says organizations can only collect personal information for a stated reason – and can use it only for that purpose. Among others things, that means a company that supplies a service can’t sell its list of subscribers to another company’s marketing department. Individuals must be informed, and give their consent, before personal information is collected, used or disclosed..But most firms are unaware of the new law.”
The article continues by noting that “there’s confusion over which organizations might be exempt” and that “there is no grandfather clause – all existing customer information needs to be compliant.” The message is similar in a Globe and Mail article titled “Many small firms not ready for privacy rules“, which also notes the possibility of a constitutional challenge. An IT World Canada reiterates that concern in its coverage:
most Canadian organizations are not aware of the [law]. And very few are prepared to comply.
The imminent arrival of Canada’s anti-spam legislation has sparked considerable fear that might lead the uninitiated to think that sending commercial electronic messages will grind to a halt on July 1st, when parts of the law kick in. The reality is far less troubling. For any organization that already sends commercial electronic messages, they presumably comply with PIPEDA, the private sector privacy law, that requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so. Compliance with the new anti-spam law (CASL) involves much the same obligations. While there are certainly some additional technical requirements and complications (along with tough penalties for failure to comply), the basics of the law involve consent, withdrawal of consent (ie. unsubscribe), and accessible contact information.
This post is not legal advice, but it seeks to unpack the key requirements associated with the commercial electronic messages provisions in CASL by answering the ten questions organizations should ask (and answer). Note that there are additional rules associated with software that do not take effect until next year. While this is not designed to be comprehensive – some organizations will face unique issues – it provides a starting point for the key requirements, exceptions, and application of the law. The law itself can be found here. The Industry Canada regulations here and the CRTC regulations here.
The primary takeaways? If you send commercial electronic messages, you need explicit consent along with an unsubscribe mechanism and contact information. There are many common sense exceptions to this general rule, however, including personal messages, most business-to-business messaging, and most messages sent to recipients outside of Canada. Moreover, if you do not have explicit consent, the government has implemented a transition period that grants you three years to get it.
Long before sites such as Youtube and Twitter were even created, the Canadian government established a national task force to examine concerns associated with spam and spyware. The task force completed its work in May 2005, unanimously recommending that the government introduce anti-spam legislation (I was a member of the task force). Four years later, then-Industry Minister Tony Clement tabled an anti-spam law, which underwent extensive committee review before receiving royal assent in December 2010.
My technology law column last week (Toronto Star version, homepage version) notes that while most expected the government to quickly bring the new law into force, the regulation-making process became bogged down by an intense lobbying effort designed to sow fear, doubt, and uncertainty about the legislation. Business groups relied upon implausible scenarios to argue that Canada would be placed at an economic disadvantage, despite the fact that government officials were able to identify over 100 other countries that have similar anti-spam regimes. The lobbying was a partial success, however, as the regulations went through two drafts and three more years of delay.
Almost a decade after Canada started down the path toward anti-spam legislation, Industry Minister James Moore announced earlier this month that the regulations are now final and the law will begin to take effect next year. There will be still yet more implementation delays – the anti-spam rules start on July 1, 2014, safeguards on software installations begin on January 15, 2015, and a private right of action that facilitates lawsuits to combat spam will be delayed until July 1, 2017 – but it appears that Canada will finally get an operational anti-spam law.