The document summarizes key points about Canada's new Anti-Spam Law (CASL), which comes into effect on July 1, 2014. It notes that CASL will require express consent to send any commercial electronic messages (CEMs) and that CEMs will need to include mandated information such as an unsubscribe option. It provides details on the definition of CEMs, the consent requirements, content rules, exemptions and penalties, and a compliance checklist. The document aims to help organizations understand and prepare for the new legislation.
3. CASL Overview – 5 Key Points
– Covers any electronic message that has a
commercial purpose
– You need to get express consent from a person to
send such a message
– You need to include an unsubscribe option in all
such messages even if you have consent
– Law comes into force July 1, 2014
– Penalties are big
Document # 21888271.
5. What is an Electronic Message
– CEMs include emails, tweets, text messages,
website interactions, other electronic
communications (including voice) and include
requests for consent
– Currently, telephone communications (2-way voice,
fax and automated calls) are exempted from CASL
and are governed only by the Do Not Call rules
6. CEM: Is the message being sent to an
electronic address?
– Included (private messaging):
– Direct message (DM) tweets
– Facebook chat, Facebook messages
– Likely excluded (broadcast-style):
– Updates to a subscribed RSS feed
– Tweets posted to your own Twitter stream
– Posts to a Facebook wall
7. What is a “Commercial” activity?
– “any particular transaction, act or conduct or any
regular course of conduct that is of a commercial
character, whether or not the person who carries it
out does so in the expectation of profit.”
9. Mandatory Consent Requirements
– Consent from the recipient of the CEM must be
express consent given on an opt-in basis
– This means that consent cannot be implied or
“read-in” and recipients must actively give consent
10. CRTC Guidelines - Express Consent
NO PRE-CHECKED BOXES
“The Commission… considers that a
default toggling state that assumes consent
cannot be used as a means of obtaining
express consent under the Act for the
purposes of sending CEMs”
CRTC Comment: pre-checked boxes not
acceptable even if person must click icon to
accept/submit
11. CRTC Guidelines – Express Consent
– May be either oral or in writing. CRTC guidelines:
– Example: oral consent OK if it can be verified by
an independent third party or if an audio
recording of consent is maintained
– Example: written consent OK if record
maintained of date, time, purposes, and manner
of the consent, stored in a database
12. CRTC Guidelines – No Bundling
– CRTC regulations: consent for each activity must
be “sought separately” but guidelines clarify that it
doesn’t mean for each instance (e.g., per email);
rather, for each type of activity:
o Sending CEMs / Altering transmission of data /
Installing computer programs
– No bundling: requests for consent contemplated
above must not be subsumed in, or bundled with,
requests for consent to the general terms and
conditions of use or sale.
14. CRTC Guidelines – Express Consent
– CRTC Comments:
– Only need to obtain consent once and unless
revoked, the consent remains valid
– No need to provide receipt of consent (though it
would be helpful as evidence that consent was
received)
– Requests for consent made prior to the CASL
in-force date do not need to comply with the
specific form and content requirements but
would still need to represent “express consent”
15. Requests for Express Consent – Content
and Form
– The request must include:
– Purpose(s)
– Identify requester, any principal and relationship
(e.g. client and email provider)
– Any other business names that requester might
use
– Contact information (street address and one of:
telephone number, email address, web address)
– That person can withdraw consent
16. Requests for Express Consent – Content
and Form
– The Act does allow you to seek consent on behalf
of unnamed people (i.e. you may name a class of
person such as “suppliers to McMillan”)
– In that case you only need to provide the
mandatory content information for the party
requesting the consent
– But there are special unsubscribe requirements
18. Mandatory Content Requirements
All CEMs must include:
– Sender’s identity and contact information
– Readily-usable “unsubscribe” mechanism which
must remain operative for 60 days from the date of
the message
19. CEM Content ─ Sender Contact Information
– All CEMs must clearly and prominently disclose:
– Identity of sender and, if applicable, sender’s principal
(e.g. client)
– Description of relationship between sender and principal
(as applicable)
– Any carrying-on-business names to be used in CEMs
– Contact information for sender and principal (as applicable):
– mailing address, and
– one of:
• telephone number with active response voicemail
• email address
• web address
20. CRTC Guidelines ─ Sender Contact
Information
– Identification of sender
– No need to include prescribed information for
intermediaries if they act only as intermediary
and have no role in the CEM content or choice
of recipients
– If a CEM is sent on behalf of multiple persons
(e.g., multiple affiliates of a company), all such
persons must be identified
21. CEM Content – Unsubscribe Mechanism
1. Must be set out clearly and prominently to enable
recipient to request removal from CEM list, as sent
by sender or its principal
2. Using same or, if that is not practical, other
equivalent electronic media as the CEM
3. Must provide electronic address or a link to a web
page, to which unsubscribe message may be sent
4. Address/web page must be valid for 60 days
5. Sender/principal must give effect to unsubscribe
request within 10 business days
22. CRTC Guidelines ─ Unsubscribe Mechanism
– Unsubscribe mechanism – CRTC guidance:
– “readily performed” means “accessed without
difficulty or delay, and should be simple, quick
and easy for the consumer to use”
– “an example of an unsubscribe mechanism that
can be readily performed is a link in an email
that takes the user to a web page where he or
she can unsubscribe from receiving all or some
types of CEMs from the sender.”
23. CRTC Guidelines ─ Unsubscribe Mechanism
– Example of unsubscribe:
24. CRTC Guidelines ─ Unsubscribe Mechanism
– CRTC Comment:
– Not required to provide unsubscribe for ALL
messages, only CEMs
– Permitted to offer granularity to unsubscribe
from all CEMs or some types of CEMs e.g.
option to unsubscribe from all CEMs, product
updates, weekly email newsletters
27. A) Exemptions From All Content and
Consent Requirements
28. Exemptions from All CEM Requirements
– Consent, content and unsubscribe requirements do
not apply to CEMs:
a) sent within family or personal relationships
b) that make an inquiry or application sent to a
business, or
c) other categories as may be prescribed
29. Personal Relationship Exemption
– Family relationships are exempt
– Defined as a relationship between two people
related through a marriage, common-law
partnership, or any legal parent-child relationship,
who have had direct, voluntary two-way
communications
30. Personal Relationships
– Friends are exempt
– Defined as relationship between sender and
recipient that involves direct, voluntary, two-way
communications where it is reasonable to conclude
that the relationship is personal
31. Exemptions to All CEM Requirements
– Consent, Content and Unsubscribe mechanisms do
not apply to CEMs sent:
a) Intra-Business: by an employee, representative, contractor
or franchisee of the organization to another such person
and that concern the activities of the organization
b) Inter-Business: by an employee, representative, contractor
or franchisee of the organization to an employee,
representative, contractor or franchisee of another
organization if the organizations have a relationship and
the CEM concerns the activity of the organization to which
the message is sent
32. Exemptions to All CEM Requirements
– Consent and Content requirements do not apply to
CEMs that are:
c) Requests, Inquiries or Complaints: in response to a
request, inquiry or complaint or otherwise solicited by the
person to whom the CEM is sent
d) Legal rights: to satisfy a legal obligation or enforce or
provide notice of existing or pending legal rights
e) Sent and received using an electronic messaging service
(e.g. social media platform) that meet certain
requirements
f) Sent within closed messaging systems which contain
limited access, or secure and confidential accounts (e.g.
secure portals, online banking messaging centre)
33. Exemptions to All CEM Requirements
– Consent and Content requirements do not apply to
CEMs that are:
g) Foreign jurisdictions: by a person who reasonably
believes the CEM will be accessed in a foreign state
where the CEM conforms to the foreign state’s law that
addresses substantially similar conduct to that prohibited
under CASL
h) Registered charities: by or on behalf of a registered
charity and the primary purpose of the CEM is to raise
funds for the charity
i) Political candidates or organizations: by or on behalf of a
political party, organization, or candidate for publicly
elected office and the message has as its primary
purpose soliciting a contribution
35. Exceptions to the Consent Requirements
– Consent is not required (BUT the Content
requirements still apply) if a CEM solely:
a) Provides a quote or estimate requested by the recipient
b) Confirms a commercial transaction among the parties;
c) Provides warranty, recall, safety or security information
for product/service previously purchased;
36. Exceptions to the Consent Requirements
– Consent is not required (BUT the Content
requirements still apply) if a CEM solely:
d) Notifies of factual information relating to the ongoing use
or purchase of a product, good or service under an
established relationship;
e) Provides information relating to an ongoing employment
relationship, including a benefit plan;
f) Delivers a product, good or service including product
updates/upgrades; or
g) Is sent as a result of a third-party referral (one time
exception)
37. New Referral Exemption
– Exception to the consent requirement only (content
rules still apply)
– For first CEM sent by an individual following a
referral by another individual who has a
relationship (business, non-business, personal,
family) with the sender and with the recipient
– Permits business persons/professionals to follow
up on referrals
38. Implied Consent
– Specifically defined (i.e. is not open-ended, content
still required)
– Exists only:
– If sender and recipient have an existing business
relationship or existing non-business relationship
– If recipient has published conspicuously the email address
to which a message may be sent, without including that it
does not want to receive commercial emails
– If a person has given you the email address with no
restrictions
39. Implied Consent
– “Existing business relationship” and “existing non-business relationship”
are defined terms
– Essentially, any relationship not more than 2 years
old, or a (business) inquiry within the last 6 months
– The implied consent for the business card referral
lasts until it is withdrawn
40. Is there Valid Consent?
– Can a conference organizer contact me to promote
an upcoming event on privacy law?
– Can a women’s rights organization contact me to
speak about Leadership among Women?
– Can a third party marketer contact me to sell
security systems to McMillan?
Sharon E. Groom
Partner,
d 416.865.7152 | f 416.865.7048
Email: sharon.groom@mcmillan.ca
41. Transitional Provisions
– Extend the time periods for implied consent for all
existing business and non-business relationship to
July 1, 2017 if on the date CASL comes into force
there exists such a relationship, without regard to
the time period otherwise applicable, and the
relationship includes CEMs
– This means that any relationship that includes
CEMs and exists now or at any time in the past will
qualify – however, onus is on the sender to prove it
43. Penalties
– Administrative monetary penalties of up to $1,000,000
(individuals); $10,000,000 (companies/organizations) per
violation
– Violations can be addressed via an undertaking
– Directors and officers liable for violations if they directed,
authorized, assented to, acquiesced or participated
– Employers are responsible for acts of their employees
– Due diligence defence
44. Private Right of Action
– Comes into effect July 1, 2017 (Will the private right
of action apply to pre-July 1, 2017 CASL violations?)
– A person affected by a breach can seek
compensation through the courts
– Court can order compensation equal to the loss or
damage suffered and expenses incurred plus up to
$200 per violation to a maximum of $1,000,000 per
day
– Not available if an undertaking has been agreed to
or notice of violation issued
– Same factors taken into account as with violations
– Due diligence defence
45. 6) NEXT STEPS: COMPLIANCE
CHECKLIST
46. Compliance Checklist
1. Use internal survey to gather information from your
employees on existing databases
2. Conduct an inventory of email contacts –
categorized by:
– Nature of emails sent to that person
– Existing customer/prospect/donor relationships
– Express consent
– Received contact information publicly with no restrictions
(i.e. business cards)
3. Determine compliance strategy – whether to rely
on exemptions/implied consents vs. express consent
4. If relying on exemptions etc., upgrade databases
by CASL categories
47. Compliance Checklist
5. If seeking express consent, develop strategies for
capturing it (e.g. email response, website sign up,
applications, agreements, email policies) and initiate
email opt-in consent program immediately (i.e. prior to
Act coming into force)
6. Develop consent request template
7. Develop CEM template
8. Develop CASL compliance procedures, policies,
and controls including for third party service providers
9. Conduct training
49. Summary
– New legislation comes into effect July 1, 2014 and it
affects all commercial electronic messages
– You need express consent to send any CEM
– Need to provide mandated information in each CEM
including an unsubscribe option
– There are exceptions to express consent and
mandatory content, but they are limited
– Start thinking about your CASL compliance program
now!
50. For further information, please contact:
Sharon E. Groom
Direct: 416.865.7152
Sharon.groom@mcmillan.ca
McMillan LLP
Brookfield Place
181 Bay Street, Suite 4400
Toronto, Ontario
M5J 2T3