Canada’s Anti-Spam Legislation

Presented by Bishop & McKenzie LLP, May 30, 2014

“When Canada’s anti-spam legislation (CASL) comes into force July 1, it’s going to affect far more than the purveyors of viruses, Viagra and vanquished Nigerian fortunes.”

Vancouver Sun, “Anti-Spam Legislation Has Businesses Scrambling to Comply”, May 26, 2014

Canada’s Anti-Spam Legislation (CASL)

Toughest anti-spam/malware legislation in the world

Establishes rules for the sending of commercial electronic messages (CEMs) and the installation of computer programs (i.e., cookie tracking software, address harvesting)

Prohibits the unauthorized alteration of transmission data

What Is It?

Main focus of anti-spam provisions is to prevent transmission of CEMs without consent and without proper formalities

If you don’t have consent to send CEMs, or your messages do not have the required content, you risk significant liability

Staggered implementation

◦ July 1, 2014 – commercial electronic messages

◦ January, 2015 – installation of software

◦ July, 2017 – private right of action for damages

Who Does CASL Apply To?

Everyone – incorporated and unincorporated businesses, not-for-profits, individuals, partnerships, trade associations, etc.

The exemptions are registered charities and political parties seeking donations

Commercial Electronic Messages (CEMs)

A message that encourages participation in a commercial activity (advertising, promotions, etc.)

o If you send a message that entices someone to buy something or use your services – it’s a CEM

o If you send a message asking someone for permission to send a CEM - it’s a CEM

After July 1, 2014, you need consent to send CEMs unless the message falls under an exemption

Not Just Emails

Applies to texts, SMS messages, social network messages

“Electronic message” is a message sent by any means of telecommunication including text, sound, voice or image

Excludes two-way voice communications, and fax messages and voice recordings to a telephone account

What Does It Mean?

CRTC decides what is “commercial content” on a case-by-case basis – no real definitions

If it is a CEM, you must have consent to send it unless it falls under one of the exemptions

No exceptions – if it has commercial content it is a CEM, but there are exemptions as to when the rules apply

What Are the Exemptions?

Even if it is a CEM, you do not need consent to:

◦ Send a quotation upon request

◦ Complete a transaction

◦ Provide warranty, safety or recall information

• You must still include the prescribed information and an unsubscribe mechanism

Business to Business Exemptions

CASL does not apply (consent will not be required) for messages sent:

◦ Within an organization

◦ Between organizations that have a relationship

◦ To satisfy a complaint

◦ To respond to an inquiry

◦ To satisfy a legal obligation

• No requirement to include prescribed information or unsubscribe mechanism in these messages

What Is Consent?

If it does not fall under an exemption, you must have consent ahead of time from anyone who receives a CEM from you

Two types of consent:

◦ Express – someone actively gives you their permission to send a CEM

◦ Implied – reasonable to assume you have permission based on prior relationships

• You cannot send an electronic message after July 1st asking for this permission

Express Consent

An active indication that someone gives you permission to send them CEMs

Cannot be “opt-out” like US CAN-SPAM

Can be done through sign-up on website, sign-up at point of sale, snail mail consent form, etc.

Oral consent can be given, but the onus is on the sender of the CEM to prove consent

Express Consent Samples

“I agree to receive ABC Company’s newsletter containing news, updates and promotions regarding ABC Company’s products. You can withdraw your consent at any time.”

“Enter your email below to receive ABC Company’s newsletter containing news, updates and promotions regarding ABC Company’s products. You can withdraw your consent at any time.”

Obtaining Express Consent

Clearly describe the purpose for requesting consent

Provide the name of the person seeking consent and identify on whose behalf consent is sought, if different

Provide contact information (physical mailing address and either phone number or email address) of the party seeking consent

Indicate that the recipient can unsubscribe at any time

Separate Consents

Cannot “bundle” consents into one for CEMs, installation of software and altering of transmission data.

Can be included in one form of consent (email, consent form, etc.) but recipient has to provide consent for each

Implied Consent

Consent will be implied in the following situations:

◦ Family relationships

◦ Personal relationships

◦ Business or non-business relationships (within 3 year transition)

• Must be evidence of two-way communication over time

Consent Wrap-Up

Express is always best - burden of proof is on you to show consent was obtained

You must have a record of how consent was acquired

◦ For express, any records (electronic database, paper records, audio recordings) to show date, time and permission of receiver

◦ For implied, a record of the nature of the relationship and records of two-way communications

Prescribed Information

All CEMs must contain the following information:

◦ the name of the person seeking consent and identify on whose behalf consent is sought, if different

◦ contact information (physical mailing address and either phone number or email address) of the party seeking consent

◦ a mechanism that allows the recipient to unsubscribe easily at no cost

Penalties

AMPs (administrative monetary penalties) are a maximum of $1 million for individuals and $10 million for organizations

Directors and officers can be held personally liable for breaches of CASL

Companies are vicariously liable for their employees

Due diligence is a defence, so developing and implementing a compliance program is essential

Enforcement

Primarily by CRTC, but also Competition Bureau and the Office of the Information and Privacy Commissioner

CASL amends Competition Act to prohibit false or misleading representations in any part of a CEM

CASL amends PIPEDA to prohibit the use of computer programs known as “address harvesters”

Other Stages in CASL

July, 2017

◦ CASL creates a private right of action that allows a person to commence a civil action against anyone who violates CASL

January, 2015

◦ CASL prohibits the installation of computer programs without the permission of the computer’s user or owner

Transition Period

3-year transition period in which some consents remain valid (e.g., express consents that do not conform to prescribed requirements)

Implied consent for business and personal relationships that may not meet the criteria, but it seems likely that express consent will be required during this time.

How to Prepare

1. Review Your Processes

Who are you sending messages to?

What is the content of these messages?

Do you have the proper consents?

How are you going to prove you have consent?

How will you handle unsubscribe requests?

Are your staff properly trained?

2. What you can do now

Get consent for your current mailing lists if you are not sure they’re covered

Start keeping records of consents (determine how records will be managed)

Appoint a lead or team to manage compliance and to review as needed

Update your privacy policy (if required)

3. As of July 1st

Start including prescribed information in your CEMs unless an exemption applies

Stop sending electronic messages as first point of contact

Stop sending CEMs without consent

Questions?

Tara L. Hamelin, Bishop & McKenzie LLP