Despite sustained opposition from a wide range of businesses and other organizations, the Canadian government has finalized its controversial anti-spam legislation - known as Canada’s Anti-Spam Law (“CASL”) - and announced that it will be bringing the law into force starting on July 1, 2014.
CASL is an onerous opt-in regime that has serious ramifications for all organizations that do business in Canada and that promote their products and services to Canadian markets. In addition to the costs associated with compliance, violations of the law can lead to significant penalties (up to $1 million for individuals and $10 million for others), damages and statutory damages, including liability for directors and officers and others. Importantly, the law will effectively have extra-territorial application in so far as it regulates commercial electronic messages that are sent or accessed by computer systems located in Canada.
On December 4, 2013, on the fightspam.ca website, the government published final regulations under CASL and announced that CASL will come into force as follows:
(a) most of CASL and the regulations, including requirements regarding the sending of commercial electronic messages, will come into force on July 1, 2014;
(b) section 8 of CASL, which relates to installation of computer programs, will come into force on January 15, 2015; and
(c) sections 47 to 51 and 55 of CASL, which provide for a private right of action and statutory damages, among other things, and which carry the threat of class action litigation, will come into force on July 1, 2017.[i]
This bulletin highlights: (a) the different sources of CASL requirements and guidelines; (b) key issues addressed in the final regulations; and (c) the important guidance provided by the Regulatory Impact Analysis Statement which accompanied the final regulations, including confirmation that pre-existing express consents obtained under privacy laws will be valid under CASL.
Sources of CASL requirements and guidance
In general terms, CASL is an opt-in regime which prohibits organizations from sending commercial electronic messages[ii] unless: (a) an exemption applies; or (b) the recipient has expressly or impliedly consented to receive the message (or an exception to the consent requirement applies) and the message includes an unsubscribe mechanism with prescribed identifying and contact information for the sender. Among other things, CASL also regulates the installation of computer programs. Beyond these generalities, however, CASL is comprised of a very detailed and onerous set of rules, exceptions and requirements.
Organizations subject to CASL will need to consider the following sources of CASL requirements and guidance, as well as further information and FAQs to be published on the CRTC and Fightspam.gc.ca websites in future:[iii]
(a) CASL (An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c 23);
(b) Electronic Commerce Protection Regulations 81000-2-175 (SOR/DORS), which are the final regulations discussed in more detail below and which address the following key issues:
- exclusions from CASL for certain categories of messages, including in the business-to-business context;
- conditions for the use of consent for sending messages;
- a list of specified types of computer programs, the installation of which individuals are deemed to have consented to;
- definitions of memberships in clubs, associations and volunteer organizations that will qualify as an ‘existing non-business relationship’ in respect of which implied consent to send messages will apply; and
- definition of family and personal relationships, which are exempt from the message requirements in CASL;[iv]
c) Electronic Commerce Protection Regulations (CRTC), SOR/2012-36 of the Canadian Radio-television and Telecommunications Commission (“CRTC”), which address:
- prescribed identifying, contact and other information to be included in messages;
- the form of messages and unsubscribe mechanisms;
- information to be included in a request for consent; and
- the form of consent for the installation of certain forms of computer programs;
(d) Compliance and Enforcement Information Bulletin CRTC 2012-548, which are guidelines on the interpretation of certain aspects of the CRTC Electronic Commerce Protection Regulations mentioned in the preceding paragraph; and
(e) Compliance and Enforcement Information Bulletin CRTC 2012-549, which are guidelines on the use of toggling as a means of obtaining express consent.
Summary of the final regulations
As highlighted above, the final regulations address five key areas, each of which is discussed below in the relative order of importance for most organizations.
Exclusions from CASL for certain categories of messages
Subsection 6(5) of CASL excludes certain limited classes of messages from the application of the law and provides that additional classes may be exempted through regulation. In general terms, section 3 of the final regulations exempt from the application of CASL the following important classes of messages:
(a) ‘business-to-business’ messages internally within an organization, as well as between employees and other representatives of different organizations. In the latter case, in order to be exempt from CASL, the organizations must “have a relationship” (not necessarily a business relationship) and the message must concern the activities of the organization to which the message is sent;
(b) messages sent in response to a request, inquiry or complaint or that are otherwise solicited by the person to whom the message is sent;
(c) messages sent for various purposes related to legal obligations and enforcement, including messages that provide notice of an existing or pending right;
(d) messages sent and received on an electronic messaging service (e.g. instant messaging) if the sender’s identifying and contact information and unsubscribe mechanism are conspicuously published and readily available on the user interface through which the message is accessed, and the recipient expressly or impliedly consents to receive the message;
(e) messages sent and received within limited access secure and confidential accounts to which only the provider of the account can send messages (i.e. messages sent within online banking websites);
(f) messages that the sender reasonably believes will be accessed in one of 116 prescribed foreign states (including the U.S., the UK, the EU, Japan, China, Korea, Australia and New Zealand, etc.) and that conform to the law of the foreign state that addresses conduct that is substantially similar to conduct prohibited under section 6 of the CASL. In other words, although section 12 provides that CASL applies if a computer system located in Canada is used to either send or access the message[v], the regulations exempt from CASL messages sent to recipients in certain listed countries if the message complies with the recipient’s country’s anti-spam law.[vi] Otherwise, CASL will apply if a computer system in Canada is used to send or access the message;
(g) messages sent by registered charities which have as their primary purpose raising funds for the charity; and
(h) messages send by political parties and candidates which have as their primary purpose soliciting a contribution.
In addition, although it may be of marginal utility for many businesses, section 4 of the final regulations provides that CASL’s consent requirements not apply to the first commercial electronic message sent to a recipient who was referred to the sender by another individual, but only if: (a) the referral source has an existing business or non-business relationship, or family or personal relationship with the sender; (b) the referral source has at least one such relationship with the recipient; and (c) the sender discloses the name of the individual who made the referral and states that the message is sent as a result of the referral.[vii] For example, this exemption would permit a lawyer to send a commercial electronic message to a potential client if the recipient was referred to the lawyer by, for example, an existing client of the lawyer who also has an existing business relationship with the recipient. Since this exemption applies only in respect of the first message sent, organizations relying on this exemption should consider including in such messages a request for express consent to send additional messages.
Conditions for the use of consent compiling and sharing mailing lists
Section 10(2) of CASL contemplates that organizations may in certain circumstances obtain consent to send commercial electronic messages on behalf of a person whose identity is not known. For example, an organization may wish to obtain its customers’ consent for third parties to send messages to its customers (e.g. third party promotions, affiliates, etc.).[viii] Section 5 of the final regulations sets out rules regarding the use of such consents. In particular, section 5 of the regulations provides that the organization which obtained the consent may authorize others to use the consent but only if the person who obtained the consent ensures (presumably through contractual or other means) that, in any commercial electronic message sent to the person from whom consent was obtained:
(a) the person who obtained consent is identified; and
(b) “the authorized person provides an unsubscribe mechanism that, in addition to meeting the requirements set out in section 11 of the Act, allows the person from whom consent was obtained to withdraw their consent from the person who obtained consent or any other person who is authorized to use it.” In other words, individuals must be provided with option to unsubscribe from all third party messages.
In addition, section 5 of the regulations requires the authorizing organization to ensure, again, presumably in part through contractual or other means, that:
(a) the authorized person notifies the authorizing organization of any withdrawals of consent, including the scope of such withdrawals (i.e. whether the recipient wishes to withdraw from all or some third party messages, messages from the authorized person only, or messages from the person who obtained the consent);
(b) the authorizing organization, without delay, notifies any affected authorized organization(s) of the withdrawal of consent; and
(c) the authorizing organization ensures that it and any organizations affected by the withdrawal of consent give effect to the withdrawal in accordance with subsection 11(3) of CASL.
Although the foregoing rules will permit the compilation and sharing of mailing lists in some circumstances, the rules are onerous and in practice may discourage such activity.
Deemed consent for specified computer programs
Paragraph 10(8)(a) of CASL deems that individuals expressly consent to the installation of certain computer programs (e.g. cookies, HTML code, Java Scripts, and an operating system). This is an exception to the normal rule under CASL which requires that consent be obtained for the installation of computer programs. Section 6 of the final regulations expands on the list in paragraph 10(8)(a) of CASL, adding a deemed consent in respect of certain programs installed by telecommunications service providers and in respect of “a program that is necessary to correct a failure in the operation of the computer system or a program installed on it and is installed solely for that purpose.”
Memberships in clubs, associations and volunteer organizations
Subsection 10(9) of CASL provides that implied consent to send commercial electronic messages is present where, for example, there exists an “existing non-business relationship” between the sender and recipient. Subsection 10(13) states that such a relationship may arise from, among other circumstances, “membership” by the recipient in the sending organization within two years, if the sender is a “club, association or voluntary organization.”
Subsection 7(2) of the final regulations defines “membership” and “club, association or voluntary organization” for the purpose of subsection 10(13) of CASL. The former is defined as the status of having been accepted as a member in accordance with the organization’s membership requirements. The latter is defined as “a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than personal profit, if no part of its income is payable to, or otherwise available for the personal benefit of, any proprietor, member or shareholder of that organization unless the proprietor, member or shareholder is an organization whose primary purpose is the promotion of amateur athletics in Canada.”
Family and personal relationships
Pursuant to paragraph 6(5)(a) of CASL, the law does not apply to messages sent by or on behalf of an individual to another individual with whom they have a personal or family relationship. Section 2 of the final regulations defines these terms. A “family relationship” is defined as a relationship between sender and recipient through “a marriage, common-law partnership or any legal parent-child relationship” and includes a requirement that the sender and recipient have had “direct, voluntary, two-way communication.”[ix]
A “personal relationship” is defined more broadly in the regulation as a relationship between sender and recipient “if those individuals have had direct, voluntary, two-way communications” and it would be reasonable to conclude that they have a personal relationship. The regulation provides a non-exhaustive list of factors to be taken into account in considering whether individuals have a personal relationship, as follows: “the sharing of interests, experiences, opinions and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated or whether the parties have met in person.”
Summary of the regulatory impact analysis statement
The Regulatory Impact Analysis Statement that accompanied the final regulations included extensive discussion of a number of key issues, including many that had been raised by stakeholders in previous public consultations regarding the regulations and CASL. Highlights of these statements, with salient excerpts, may be summarized as follows:
(a) Definition of “commercial electronic message”: “The mere fact that a message involves commercial activity, hyperlinks to a person’s website, or business related electronic addressing information does not make it a [commercial electronic message] under [CASL] if none of its purposes is to encourage the recipient in additional commercial activity. If the message involves a pre-existing commercial relationship or activity and provides additional information, clarification or completes the transaction involving a commercial activity that is already underway, it would not be considered a [commercial electronic message] since, rather than promoting commercial activity, it carries out that activity.” In addition, “surveys, polling, newsletters, and messages soliciting charitable donations, political contributions, or other political activities that do not encourage participation in a commercial activity would not be included in the definition;”
(b) Grandfathering of express consents: “Express consents, obtained before CASL comes into force, to collect or to use electronic addresses to send commercial electronic messages will be recognized as being compliant with CASL.” Although this grandfathering of pre-CASL consents applies only in respect of express consents, this is a significant ‘win’ for organizations subject to CASL. Previously, many organizations had concluded that it would be necessary to re-obtain consents from individuals, which would have been cumbersome, arguably unnecessary and expensive;
(c) Transitioning from implied consent to express consent: CASL provides that businesses have until July 1, 2017 to convert any implied consents (based on business or non-business relationships in existence as of July 1, 2014) into express consents;
(d) Sending messages from a number of affiliates: “[W]hen a [commercial electronic message] is sent on behalf of multiple persons, such as affiliates, all of these persons must be identified in a [commercial electronic message]. Where it is not practicable to include this information in the body of a [commercial electronic message], a hyperlink to a page on the World Wide Web containing this information that is readily accessible at no cost to the recipient may be included in the [commercial electronic message];”
(e) Social media and related activities: “Where they are not sent to electronic addresses, the publication of blog posts or other publications on microblogging and social media sites does not fall within the intended scope of [CASL].”
(f) Reinstatement of implied consents with new transactions: “Implied consent due to an existing business relationship is reinstated with every new or subsequent transaction that would qualify them under section 10(10) of [CASL].” Again, this is a significant ‘win’ for businesses subject to CASL because implied consents may thus be reinstated notwithstanding an earlier withdrawal of consent by the recipient. However, in this context, organizations should proceed with caution because some recipients of the messages, having previously indicated that they do not wish to receive messages, may not be pleased to receive further messages based on implied consent arising from a subsequent transaction;
(g) Forward to a friend campaigns: Liability for customer or other messages sent in organizations’ ‘forward to a friend’ campaigns may be mitigated through proper instruction to the relevant individuals and reliance on the due diligence defence in CASL; and
(h) Transfer of consent on sale of a business: On the sale of a business, express consents under CASL will transfer if the contract of sale includes a provision transferring these as a business asset. However, compliance with the Personal Information Protection and Electronic Documents Act or other privacy laws will often be required where personal information is transferred between organizations.
Conclusions
With the publication of the final regulations, organizations subject to CASL now have a complete picture of the law, regulations and guidelines that will affect their operations. Although organizations will be pleased that the threat of litigation, statutory damages and class actions under CASL will be delayed for several years, in the near term CASL will be enforced by the regulators and will present considerable risk, compliance challenges and costs for many organizations. With a July 1, 2014 in-force date for most of the key provisions in CASL, organizations subject to the law will need to budget, plan, finalize and implement compliance programs within a relatively short timeframe in the coming weeks and months.
[i] The Regulatory Impact Analysis Statement states that: “Stakeholders expressed concern regarding the Private Right of Action (PRA), citing concerns with the potential of class action lawsuits combined with the possibility of administrative monetary penalties and a general uncertainty as to how the legislation will be interpreted and applied by the courts. In order to foster better understanding of how [CASL] will be interpreted and enforced, a longer transition period is provided for the PRA. Accordingly, the sections of [CASL] that provide for the PRA will come into force on July 1, 2017, three years after the rest of the anti-spam provisions of [CASL] come into force. During that period, the enforcement agencies will enforce [CASL].” For further reading regarding the threat of class action litigation, see: Alex Cameron & Jesse Harper, “The New Face of Privacy in the Courts: Damages, Tort Claims and Class Actions” Eye on Privacy, Ontario Bar Association; Peter Mantas, Alexandra Logvin and Tala Khoury, “Unique Opportunity: New Anti-Spam Legislation will Permit Federal Court Class Actions” Ontario Bar Association, November 5, 2013; and Peter Mantas and Leslie Milton, “New anti-spam legislation provides new tools for class action certification” Capital Perspectives.
[ii] In general terms, section 1 of CASL defines a “commercial electronic message” as a message “that. having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity” and includes an electronic message that contains a request for consent to send such messages.
[iii] A “Spam Reporting Centre”, education and awareness campaigns, as well as training of compliance and enforcement personnel will be completed prior to enactment.
[iv] As stated in the Regulatory Impact Analysis Statement discussed herein, the objective of the final regulations was “to avoid legal uncertainty when interpreting key terms in the anti-spam provisions of [CASL] and to provide exclusions for certain business activities outside the intended scope of [CASL].”
[v] The Regulatory Impact Analysis Statement provides some clarification on this point as it states that “[t]he provision of CASL that addresses sending [commercial electronic messages] only applies where the [message] is sent from Canada or accessed in Canada. It does not apply when the [message] is simply routed through Canada.”
[vi] Notably, this exemption in respect of foreign-bound messages does not extend to the installation of computer programs. Subsection 8(2) of CASL provides that “A person contravenes subsection (1) only if the computer system is located in Canada at the relevant time or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions.”
[vii] The Regulatory Impact Analysis Statement discusses this exemption in more detail, as follows: “These are situations where there is an existing relationship (personal, family, business, or non-business) between a person (such as an agent or business), and an individual (such as an existing client), and the existing client refers a prospective client to the agent or person by providing the prospective client's electronic address information. The existing client making the referral must have an existing relationship (personal, family, business, or non-business) with the prospective client that they are referring to the agent. The Regulation permits the agent or business to send a single message to the prospective client, as long as the agent has both provided the prospective client with the full name of the individual who made the referral, and has included the identification and unsubscribe requirements as set out in [CASL].”
[viii] The Regulatory Impact Analysis Statement provides the following example: “For example, a gym might seek consent from a client to send them [commercial electronic messages]and, in addition, it might seek consent from that client to allow other businesses to send their own [messages] to that client, such as local clothing or health food stores.”
[ix] If construed narrowly, the definition of “family relationship” could exclude messages sent between siblings, to nieces and nephews, to cousins, etc.