Canada's Anti-Spam Law (CASL) comes into force on July 1, 2014 and regulates commercial electronic messages (CEMs). CASL requires express or implied consent to send CEMs and that CEMs contain sender disclosure and unsubscribe mechanisms. Violations of CASL can result in significant administrative monetary penalties or private rights of action, with penalties up to $10 million for corporations. There is a three year transitional period where implied consent can be used based on existing business or non-business relationships.
Canada's Anti-Spam Law & Commercial Electronic Messages
1. Canada’s Anti-Spam Law (CASL)
re: Commercial Electronic
Messages
Paul Armitage, Partner
paul.armitage@gowlings.com
604-891-2755
2. CASL Basics
• CASL will be in force July 1, 2014 for CEMs
• CASL regulates “commercial electronic messages”
(“CEMs”) with new requirements for consent, sender
disclosure, and unsubscribe mechanisms
• Additional parts of CASL regulating software installations
will be in force January 15, 2015
2
3. Does CASL Apply to the Message?
CASL covers:
• Email
• SMS
• Instant messages
• Messages to user accounts on social networks
• Messages to user accounts on portals
• Messages sent by telecommunication to similar
accounts
3
4. Is the Message a “CEM”?
A CEM is a message which encourages participation in a
“commercial activity”, e.g.,
• Offers to sell a product, service or interest in land
• Offers of a business, investment or gaming
opportunity
• Advertisements or promotions for any of the above
• A request for consent to send CEMs
If the message does any of the above, then it is a “CEM”
even if that is not its only or primary purpose
4
5. Is the Message a “CEM”? (con.’t)
CASL excludes several classes of message from its
requirements:
• Interactive two way voice communications
• Messages sent via facsimile to telephone accounts
• Voice recordings sent to a telephone account
These messages are currently subject to the CRTC’s
oversight via the Telecommunications Act and the Do Not
Call List
5
CASL contains a provision that permits the government to repeal this exception
AND the National Do Not Call List at a later date. If exercised, this would make
unsolicited commercial telephone calls subject to the CASL requirements
6. Examples of CEMs
If the following is true: CEM (Yes/No)
The message promotes the organization as being
able to provide a good or service
Yes
A recipient reasonably interpreting the “Re:” line or
content is likely to conclude that the message
contains an advertisement for the organization
Yes
Posting on the organization’s own website, portal or
social media pages (other than to another user’s
account)
No
The message contains a survey or newsletter and
does not include any secondary marketing of the
organization’s products or services
No
The message gives safety or security information
about a product or service
No
6
7. Is the CEM Exempt? (Fully Exempt CEMs)
The following CEMs are fully exempt (“Fully Exempt CEMs”):
• Internal communications between employees,
representatives, consultants or franchisees of the
organization, and the CEM concerns the organization’s
activities
• B2B communications between employees,
representatives, consultants or franchisees of the
organization and another organization which has a
relationship with the organization, and the CEM concerns
the activities of the other organization
• An inquiry or application related to the recipient’s
commercial activity
• A response by the organization to a request, inquiry or
complaint it receives
7
8. Is the CEM Exempt? (Fully Exempt CEMs) (con.’t)
• Messages sent to a limited-access secure and confidential
account offered by the organization to which only the
organization can send messages (e.g., secure portal for its user
accounts)
• Certain instant messaging platforms whose interfaces meet the
sender disclosure and unsubscribe requirements (see later), with
the recipient’s express or implied consent
• Sent to a recipient in a foreign state which has anti-spam laws
substantially the same as CASL and the message complies with
the foreign laws (e.g., US, EU, Japan, China, Korea, and
Australia)
• Communications between individuals with a “family relationship”
or “personal relationship” (as defined in CASL) (see next slide)
• Messages sent by a registered charity for fund-raising
• Messages sent by a political party, organization, or candidate
soliciting contributions
8
9. Is the CEM Exempt? (Fully Exempt CEMs) (con.’t)
9
The personal or family relationship exemption
“Personal relationship”
Must have had direct, voluntary, two-
way communications
Must be reasonable to conclude
they have a “personal” relationship
“Family relationship”
Must have had direct, voluntary,
two-way communications
Marriage
A common-law partnership
Legal parent-child
Note: siblings, cousins, aunts, uncles,
etc. are not included
10. What Consent is Required to Send CEMs?
Except for Fully Exempt CEMs (see before), CEMs
must:
• Either have express or implied consent, or
• Be transactional messages or referral
messages which do not require consent
10
11. Express Consent
Express consent is opt-in consent which the organization
has recorded and can substantiate if necessary
11
Examples Valid (Yes/No)
Signature on a consent form Yes
Checking an “I agree” box on a web page Yes
Oral consent recorded by the organization Yes
Clicking on a consent link in an email Yes
Pre-checked “I agree” box No
Opt-out box that recipient must check in order to
decline consent
No
12. Express Consent (con.’t)
12
When requesting consent, the following requirements must
be met:
Requirements for Express Consent
Provide the purpose of consent (i.e., to receive CEMs)
Seek CEM consent separate from other consents (e.g., from a general
consent to purchase the service)
Identify the organization seeking consent (or on whose behalf it is sought)
by its business name and identify the party seeking consent
Provide the mailing address, and one (or more) of a telephone number,
website, or email address of the organization seeking consent (or on whose
behalf it is sought)
State that consent may be withdrawn
Note: Industry Canada has advised that express consents obtained before
CASL comes into force (July 1, 2014) will be recognized as being
compliant with CASL, even if the above requirements are not met
13. Implied Consent
Unlike Canadian privacy law, implied consent is not a general concept
that can be assumed, but only exists under CASL in specific situations:
• An “existing business relationship” exists due to:
(i) The purchase, lease or barter of a good, service, or land
interest by the recipient from the organization within the
previous two years
(ii) Acceptance of a business, investment or gaming
opportunity made by the organization to the recipient within
the previous two years
(iii) An inquiry from the recipient to the organization about any of
the above within the previous six months
(iv) A written contract between the organization and the
recipient which is in force, or which expired within the
previous two years
OR
13
14. Implied Consent (con.’t)
• An “existing non-business relationship” exists due to:
(i) A donation or gift made by recipient to the sender within the
2-year period immediately before the day on which the
message was sent, where the sender is a registered
charity, a political party or organization, or a person who is
a candidate for election
(ii) Volunteer work performed by the recipient for the sender,
or attendance at a meeting organized by the sender, within
the 2-year period immediately before the day on which the
message was sent, where the sender is a registered
charity, a political party or organization, or a person who is
a candidate for election
(iii) “Membership” by the recipient, in the sender, within the 2-
year period immediately before the day on which the
message was sent, where the sender is a “club,
association or voluntary organization” (see next slide)
14
15. Implied Consent (con.’t)
• “Membership” is the status of having been accepted as a
member of a club, association or voluntary organization in
accordance with its membership requirements
• “Club, association or voluntary organization” is a non-profit
organization that is organized and operated exclusively for
social welfare, civic improvement, pleasure or recreation or
for any purpose other than personal profit, if no part of its
income is payable to, or otherwise available for the personal
benefit of, any proprietor, member or shareholder of that
organization unless the proprietor, member or shareholder is
an organization whose primary purpose is the promotion of
amateur athletics in Canada
OR
15
16. Implied Consent (con.’t)
• The recipient has given (e.g., on a business card) or
conspicuously published (e.g., on a website) his or her electronic
address and
(i) Without indicating they do not wish to receive unsolicited
CEMs, and
(ii) The CEM is related to the recipient’s business, role, functions
or duties
Note: this does not apply to electronic addresses which have been
harvested using automated tools, which is prohibited
16
17. Transactional Messages Not Requiring Consent
Consent is not required for transactional CEMs which solely:
• Provide a quote or estimate in response to a request
• Facilitate, complete or confirm a previously agreed upon
transaction
• Provide warranty, product recall, or safety or security information
about a product or service the recipient uses
• Provide factual information about an ongoing subscription, loan,
account, membership, or similar relationship
• Provide information directly related to an ongoing employment
relationship or related benefit plan
• Deliver a good or service, including a product update or upgrade,
as part of an existing transaction between the organization and
the recipient
Note: secondary marketing of other organization products and services
must not be included
17
18. Referral Messages Not Requiring Consent
• If the CEM is being sent to a recipient referred to the
organization by another person, then consent is not
required for the first CEM (only), so long as the following
conditions are met:
(i) The person making the referral must have an
“existing business relationship”, “existing non-
business relationship”, “personal relationship” or
“family relationship” with both the organization and
the person being referred
(ii) The CEM must disclose the name of the individual
who made the referral, and state that the CEM is a
referral
18
19. Content and Format Requirements for CEMs
• Except for Fully Exempt CEMs (see slides
before), all CEMs must meet sender disclosure
and unsubscribe mechanism requirements
19
20. Sender Disclosure Requirements
(e.g., in the email template)
• The organization sending the message and (if different)
on whose behalf it is sent must be identified by business
name, and the party sending the CEM must be indicated
• The mailing address, and one (or more) of a telephone
number, website, or email address must be provided for
the party sending the message or (if different) for the
person whose behalf it is sent
• This contact information must be valid for 60 days after
the CEM is sent
Note: If it is not practicable (e.g., for a text but not for an email) to
include this information and the unsubscribe mechanism in the CEM, it
may be provided by a clear and prominent link in the CEM to a web
page which can be accessed by one-click and at no cost to the
recipient
20
21. Unsubscribe Mechanism
(e.g., opt-out in an email)
• The unsubscribe mechanism must be clear and
prominent in the CEM and both:
(i) Use the same electronic means that were used to
send the CEM, or if this is not practicable, another
electronic means; and
(ii) Specify an electronic address or a link to a website to
which the unsubscribe request can be sent
• Effect must be given to the unsubscribe request within
10 business days and at no cost to the recipient
21
22. Unsubscribe Mechanism (con.’t)
22
Examples of Unsubscribe Mechanism Valid (Yes/No)
An email CEM which permits the recipient to
unsubscribe by responding to the email using the
same address (or a different email address)
Yes
An email CEM which permits the recipient to
unsubscribe by responding to the email using the
same (or a different) address or by clicking on a link
Yes
An SMS CEM which permits the recipient to
unsubscribe by texting back “STOP” or “unsubscribe”
Yes
An SMS CEM which permits the recipient to
unsubscribe solely by clicking on a link
Yes
23. Unsubscribe Web Pages
(e.g., managing user preferences)
• Must enable the recipient to indicate that he or
she no longer wishes to receive:
(i) All CEMs, or
(ii) Specific classes of CEMs, so long as the
option to unsubscribe to all CEMs is also
given
23
24. Third Party Marketing Lists
CASL expressly provides for consent obtained on
behalf of an unknown third party; however, it limits
how this consent may be obtained and used:
• The party that seeks consent (i.e., the list-creating
company) is required to comply with the standard CASL
requirements for obtaining consent, including stating the
purpose for the collection, and providing their name and
contact information
• A person who relies on such a consent (i.e., the
organization that buys or rents the list) must meet
additional disclosure requirements for the message content
24
25. Third Party Marketing Lists (con.’t)
Message content when consent is obtained from a
third party (e.g., list-creating company)
When a contact list is purchased from a third party, it is
essential that the third party list be used separately from
the organization’s own opt-in lists, as messages sent
pursuant to the third party list are subject to additional
disclosure requirements:
• The message must identify the person who obtained the original
consent as well as the person who sent the message
• The unsubscribe mechanism must allow the recipient to remove
consent from both the person who sent the message and the
person who obtained the original consent
25
26. Misleading Advertising
• CEMs sent by the organization must not contain
false or misleading statements, either in the
literal words used or by the impression left, in
the:
(i) “Re:” line of the CEM, or
(ii) Body of the CEM (in a material respect)
26
27. Misleading Advertising (con.’t)
When sending CEMs:
• DO NOT use overly broad or misleading statements in
the “Re:” line in an attempt to catch the recipient’s
attention, and then try to qualify the statements in the
“fine print” in the body of the CEM
• DO include in the “Re” line next to the subject matter
description of the CEM a notation like “terms and
conditions apply” or “see message below for details
and conditions”
• DO include all material terms and conditions about the
product or service offered by the organization
27
28. CASL - Penalties
Administrative monetary penalties (AMPs) for
violations:
• A fine of up to $1,000,000 for a violation by an
individual
• A fine of up to $10,000,000 for a violation by a
corporation
Factors for determining penalty:
• Previous history of contraventions
• Financial benefit received from offending activity
• Ability to pay
• Other
28
29. CASL – Penalties (con.’t)
Competition Act (Misleading Advertising)
• Criminal prosecution
• Fines/imprisonment possible
• AMPs
• Corporation, fines of up to $10,000,000 for the 1st
offence; up to $15,000,000 subsequent
29
30. CASL – Penalties (con.’t)
July 1, 2017: private right of action for breach of CASL
comes into force
• CASL creates a private right of action for persons who
allege they have been affected by a violation. If the
action is successful in court, the court may order:
• Compensation equal to the actual loss or damage
suffered
• Up to $200 for each contravention, not exceeding
$1,000,000 for each day on which a contravention
occurred
• Up to $1,000,000 for each event of aid, induce, or
procure a violation PLUS $1,000,000 for each day
if actual violation
30
31. CASL – Penalties (con.’t)
Factors to consider in determining award in the private right
of action:
• Person’s history of contraventions
• Ability to pay
• Financial benefit received by offender
• Other
31
32. CASL – Penalties (con.’t)
• Private right of action will be available for any
CASL violation unless CRTC has taken
enforcement action, or CRTC has agreed to an
undertaking (i.e., negotiated settlement) by the
violating organization
• Will organizations self-report and settle with
the CRTC to avoid the private right of action?
32
33. CASL – Penalties (con.’t)
• Liability extends to any person who aids, induces or
procures a prohibited act
• Organizations are liable for acts of their employees
within the scope of their authority
• Liability extends to officers, directors, agents,
mandataries if they directed, authorized, assented to,
acquiesced, or participated in the prohibited act
33
34. Transitional Period
• There is a three year transitional period (i.e., until July 1,
2017) after CASL comes into force during which implied
consent will survive in cases of “existing business
relationships” or “existing non-business relationships”
which have included the sending of CEMs
• The transitional period provides an extended timeline for
perfecting existing implied consent by seeking express
consent
34
35. Thank You
montréal ottawa toronto hamilton waterloo region calgary vancouver beijing moscow london
Paul Armitage, Partner
Tel: 604-891-2755
Email: paul.armitage@gowlings.com