2. AGENDA
• Focus on Commercial Electronic Messages (CEMs)
• What does the law prohibit?
• What are the penalties for non-compliance?
• Key concepts
• Transition period
• Preparing for compliance
3. WHAT IS CASL?
• Full name of the Act is:
– An Act to promote the efficiency and adaptability of the
Canadian economy by regulating certain activities that
discourage reliance on electronic means of carrying out
commercial activities and to amend the Canadian Radio-
television and Telecommunications Commission Act, the
Competition Act, the Personal Information Protection
and Electronic Documents Act and the
Telecommunications Act, SC 2010, c 23
• We’ll just call it Canada’s Anti-
spam Law (CASL)
4. WHAT DOES THE LAW
PROHIBIT?
• Sending unsolicited electronic messages;
• Altering transmission data;
• Installing a computer program without
authorization; and
• Aiding, inducing, procuring or causing to be
procured any of the above-noted prohibited
activities.
5. KEY CONCEPTS
• Administrative and civil penalties
• Commercial Electronic Messages (CEMs)
• Consent
– CEMs cannot be sent without it
• Prescribed information
– certain information must be in every CEM sent
• Records
– the sender has the burden of proof
6. PENALTIES
• Administrative monetary penalties (AMPs) for
violations
• Up to $1 million for individuals & 10 million for
organizations for each violation
– Personal liability for directors, officers, and agents for
violations committed by their businesses
– Vicarious liability for businesses for violations committed
by their employees
• Purpose of AMPs is to promote compliance not
punish
• A number of factors must be taken into account
when determining the amount of the AMP
7. PENALTIES
• Violations are not criminal offences
• Can be appealed to the Federal Court
• Due diligence defence available
• Private Right of Action (PRA) in force July 1,
2017
8. WHAT IS A CEM?
• A commercial electronic message is an electronic
message that, having regard to the content of the
message, the hyperlinks in the message to content on a
website or other database, or the contact information
contained in the message, it would be reasonable to
conclude has as its purpose, or one of its purposes, to
encourage participation in a commercial activity, including
an electronic message that
a) offers to purchase, sell, barter or lease a product,
goods, a service, land or an interest or right in land;
b) offers to provide a business, investment or gaming
opportunity;
c) advertises or promotes anything referred to in
paragraph (a) or (b); or
d) promotes a person, including the public image of a
person, as being a person who does anything referred to
in any of paragraphs (a) to (c) or who intends to do so.
9. WHAT IS A CEM
• Note: an electronic message that
contains a request for consent to
send a CEM is also considered to
be a CEM
• So, subject to the transition
provisions, these cannot be sent
after July 1, 2014 without the
recipient’s implied consent
10. WHAT IS AN ELECTRONIC
MESSAGE?
• “electronic message” means a
message sent by any means of
telecommunication, including a
text sound, voice or image
message
11. WHAT IS A COMMERCIAL
ACTIVITY?
• “commercial activity” means any
particular transaction, act or conduct or
any regular course of conduct that is of
a commercial character, whether or not
the person who carries it out does so in
the expectation or profit, other than any
transaction, act or conduct that is
carried out for the purposes of law
enforcement, public safety, the
protection of Canada, the conduct of
international affairs or the defence of
Canada.
12. BRINGING IT ALL
TOGETHER
• Your message is a CEM if it is sent
electronically and:
1. It entices someone to buy
something or do business with
you; or
2. It is requesting someone’s
permission to allow you to send
them a CEM
13. WHAT DOES CASL REQUIRE
• In order to send CEMs you must:
1. have the recipient’s express or implied
consent; and
2. Include the following information:
a) prescribed information identifying the
sender or the person on whose behalf the
message is sent;
b) information enabling the recipient to
readily contact one of the persons referred
to in (a); and
c) an unsubscribe mechanism
14. SENDER IDENTITY
• the name by which the person sending the message carries
on business, if different from their name, if not, the name of
the person;
• if the message is sent on behalf of another person, the
name by which the person on whose behalf the message is
sent carries on business, if different from their name, if not,
the name of the person on whose behalf the message is
sent;
• if the message is sent on behalf of another person, a
statement indicating which person is sending the message
and which person on whose behalf the message is sent; and
• the mailing address, and either a telephone number
providing access to an agent or a voice messaging system,
an email address or a web address of the person sending
the message or, if different, the person on whose behalf the
message is sent
15. SENDER IDENTITY
• “mailing address” includes the
sender’s valid, current street (or
civic) address, postal office box,
rural route address, or general
delivery address
• Mailing and email address must
remain valid for a minimum of 60
days after the CEM has been sent.
16. UNSUBSCRIBE MECHANISM
• The original message must allow CEM
recipient to indicate, using the same
electronic means, at no cost to them,
their wish to no longer receive CEMs
from the sender (or the person on
whose behalf the message is sent)
• Effect must be given to an unsubscribe
request within 10 days of receipt
19. EXCEPTION
• What if sender identity and/or the
unsubscribe mechanism cannot be
included in a CEM?
• Can be posted on a website:
– accessible by the recipient;
– at no cost to them;
– through a link clearly set out in the
CEM
20. COMPLETE EXCLUSIONS
• Messages sent between individuals having a
“personal relationship” or a “family
relationship”;
• Messages sent within organizations, where their
content concerns the organization’s activities;
• Messages sent between organizations that already
have a relationship, where their content concerns
the activities of the recipient organization;
• Messages sent in response to requests, inquiries, or
complaints, or where the message is otherwise
solicited by the recipient; and
• Messages sent to satisfy or enforce legal rights and
obligations and/or to provide notice of existing or
pending rights or legal obligations.
21. FAMILY RELATIONSHIP
• “Family relationship”:
– the relationship between an individual
who sends a message and the individual
to whom the message is sent if those
individuals are related to one another
through a marriage, common-law
partnership or any legal parent-child
relationship and those individuals have
had direct, voluntary, two-way
communication
22. PERSONAL RELATIONSHIP
• “Personal relationship”
– the relationship between an individual who
sends a message and the individual to whom
the message is sent, if those individuals have
had direct, voluntary, two-way communications
and it would be reasonable to conclude that
they have a personal relationship, taking into
consideration any relevant factors such as the
sharing of interests, experiences, opinions and
information evidenced in the communications,
the frequency of communication, the length of
time since the parties communicated or
whether the parties have met in person.
23. OTHER COMPLETE
EXCLUSIONS
• Messages sent to a limited access and
confidential account to which messages can only
be sent by the person who provides the account to
the person who receives the account;
• Messages sent and received on an electronic
messaging service if the required information and
unsubscribe mechanism are conspicuously
published and readily available on the user interface
through which the message is accessed, and the
person to whom it is sent consents to receive it;
• Messages sent on behalf of registered charities
that have as their primary purpose raising funds for
the charity;
24. OTHER COMPLETE
EXCLUSIONS
• Messages sent by or on behalf of a political party
or organization, or a person who is a candidate for
public office having as their primary purpose
soliciting a contribution; and
• Messages that the sender reasonably believes will
be accessed in a foreign state that is listed in the
schedule and the message conforms with the law of
the foreign state that addresses conduct
substantially similar to CASL prohibition against
sending unsolicited CEMs
– Note: U.S. is a foreign state listed in the schedule
25. OTHER COMPLETE
EXCLUSIONS
• Additional exemptions for a CEM:
– that is, in whole or in part, an
interactive two-way voice
communication between
individuals;
– that is sent by means of facsimile
to a telephone account; or
– that is a voice recording sent to a
telephone account.
26. PARTIAL EXCLUSIONS
• No consent is required for messages that:
– Provide quotes or estimates requested by the recipient;
– Facilitate, complete, or confirm commercial transactions
the recipient previously agreed to enter into with the
sender;
– Provide warranty or product recall information about
goods the recipient uses, has used or has purchased ;
– Provide notification of information about subscriptions or
membership, accounts, or loans of the recipient;
– Provide information directly related to employment
relationships or related benefit plans the recipient is
currently involved or enrolled in;
– Deliver products or services including updates or upgrades
that the recipient is entitled to under the terms of a
transaction they previously entered into with the sender
• Note: messages in these categories must still
conform to CASL’s prescribed requirements
27. THIRD PARTY REFERRALS
• No consent is needed for the first
CEM following a referral by an
individual who has an existing
business, non-business, family or
personal relationship with both the
sender and the recipient
• The CEM must disclose the full name
of the person who made the referral
and must state the message is being
sent as a result of the referral
28. WHAT IT ALL MEANS
• Commercial content is determined
by the CRTC taking into
consideration a number of factors
• If your message is a CEM you
must have recipient consent to
send it or fit into one of the
exemptions
29. WHAT IS CONSENT
• Anyone to whom a CEM is sent must
have provided permission in advance
• Two types of consent
1. Implied
2. Express
• Recall after July 1, 2014 an electronic
message requesting consent is deemed
a CEM
30. IMPLIED CONSENT
• CASL permits consent to be implied in the following
limited situations:
– The sender has an existing business or non-
business relationship with the recipient;
– The recipient has conspicuously published the
electronic address to which the message is sent, the
publication is not accompanied by a statement
indicating that he/she or it does not wish to receive
unsolicited CEMs at the address and the message is
relevant to the person’s business, role, function or
duties in business or official capacity; or
– The recipient has disclosed to the sender his/her or
its electronic address without indicating a wish not to
receive unsolicited CEMs at that address and the
message is relevant to the recipient’s business, role,
function or duties in a business or official capacity
31. EXISTING BUSINESS
RELATIONSHIP
• Means a business relationship between the recipient
and the sender that arises from:
1. The purchase or lease of products, goods, services or land by
the recipient within the two-year period immediately
preceding the day on which the message is sent;
2. The acceptance by the recipient within that period of a
business, investment or gaming opportunity offered by the
sender;
3. The bartering of products, goods, services or land between the
sender and recipient within that two-year period
4. A written contract entered into between the sender and the
recipient relating to a matter not referred to in items 1-3
above if the contract is currently in existence or has expired
within the two-year period immediately preceding the day on
which the message was sent;
5. An inquiry or application sent by the recipient to the sender in
relation to matter set out in items 1-3 above within the six-
month period immediately preceding the day on which the
message was sent
32. EXISTING NON-BUSINESS
RELATIONSHIP
• Means a non-business relationship between
the recipient and the sender arising out of a
donation made to certain entities, or
volunteer work performed, by the recipient
within the two-year period immediately
preceding the day on which the message was
sent
• An existing non-business relationship can also
arise from the recipient’s membership in a
club, association or voluntary organization
within the two-year period immediately
preceding the day on which the message was
sent
33. EXPRESS CONSENT
• Required where relationship between sender and
recipient does not fit any of the categories of
exclusion or implied consent
• Can be requested orally or in writing
• Electronic message requesting express consent
is a CEM
• In addition to prescribed information, the sender
must provide the purpose for which the
recipient’s consent is being sought and must
identify the person seeking consent or the
person on whose behalf consent is being sought
34. EXPRESS CONSENT
• Must be some positive act
undertaken on the part of the
person from whom consent is
obtained
• Examples:
– Checking a box
– Typing an email address into a field
to obtain consent
38. BAD EXAMPLE OF A REQUEST
FOR EXPRESS CONSENT
50% Off!!!
Enter your email below to
redeem your free gift certificate
for 50% off and to qualify for
our grand prize draw
__________ submit
39. ANOTHER BAD EXAMPLE
Please find your coupon for 50%
off attached. You have also been
entered into our grand prize
draw!!!
I agree to receive ABC Inc.’s newsletter. You
can withdraw your consent at any time
40. OTHER CONSENT
CONSIDERATIONS
• Consents must be sought
separately - computer programs
and CEMs must have separate
consents)
• You cannot bundle consent – a
consent to receive CEMs cannot be
tied to an agreement, purchase or
contest
43. BAD EXAMPLE OF ACQUIRING
MULTIPLE CONSENTS
I accept the terms and conditions. I agree
to the installation of ABC Inc.’s software. I
consent to receive ABC Inc.’s newsletter.
45. SHARING CONTACT LISTS
WITH THIRD PARTIES
• A person who obtained express consent on
behalf of an unknown third party may allow
such consent to be used by the unknown third
party to send CEMs. This is conditional on the
person who originally obtained consent ensuring
that, in any CEMs sent to the person from whom
consent was obtained:
a) the person who obtained consent is identified; and
b) the authorized person provided an unsubscribe
mechanism that, not only meets CASL’s
requirements, but also allows the person from
whom consent was obtained to withdraw their
consent from the person who obtained consent or
any other person who is authorized to use it.
46. ALTERATION OF AN ELECTRONIC
MESSAGE’S TRANSMISSION DATA
• Without the express consent of the sender or
recipient CASL prohibits, in the course of
commercial activity, the alteration of transmission
data electronic message so that the message is
delivered to destinations other than, or in addition
to, that specified by the sender
• Same requirement for requests for express
consent to alter the transmission data of an
electronic message as for express consent to
receive CEMs
– Requester must provide the purpose for which the
consent is being sought as well as the identification of
the person(s) seeking consent or on whose behalf
consent is being sought
47. ALTERATION OF AN ELECTRONIC
MESSAGE’S TRANSMISSION DATA
• Additional requirements on those who obtain the
express consent of the original senders or recipients
to alter transmission data:
a) for the period covered by the consent, ensure that
the person who gave their consent is provided
with an electronic address to which they may send
notice of the withdrawal of their consent; and
b) ensure that effect is given to a notice of
withdrawal of consent sent in accordance with
paragraph (a) without delay, but in any event no
later than 10 business days after receiving it
• Exception for alterations made by a
telecommunications service provider for the purpose
of network management
48. INSTALLATION OF COMPUTER
PROGRAMS
• CASL prohibits a person from installing a
computer program on another person’s
computer system, in the course of commercial
activity, and causing electronic messages to be
sent from that computer system, unless:
a) The person has obtained the owner’s express
consent; or
b) The person is acting in accordance with a court
order
• Again, CASL imposes the exact same requirement
upon requests for express consent in respect of
this prohibition as for those discussed previously
49. INSTALLATION OF COMPUTER
PROGRAMS
“Computer program” means:
– data representing instructions
or statements that, when
executed in a computer system,
causes the computer system to
perform a function
50. INSTALLATION OF COMPUTER
PROGRAMS
“Computer system” means:
– a device that, or a group of
interconnected or related devices one
or more of which,
a) contains computer programs or
other data, and
b) pursuant to computer programs,
i. performs logic and control, and
ii. may perform any other
function
51. INSTALLATION OF COMPUTER
PROGRAMS
• Additional requirements for express consent imposed
if the computer program will do certain functions such
as:
– collecting personal information,
– interfering with the user's control of the computer system,
– changing or interfering with settings, preferences or
commands already installed or stored on the computer
system without the knowledge of the user,
– changing or interfering with data that is stored on the
computer system in a manner that obstructs, interrupts or
interferes with lawful access to or use of the computer
system,
– causing the computer system to communicate with another
computer system without authorization,
– installing a computer program that may be activated by a
third party without the knowledge of the user, and
– performing any other function listed in the regulations.
52. INSTALLATION OF COMPUTER
PROGRAMS
• If the computer program does any of those
specified functions when installed, then you
clearly and prominently, and separately
and apart from the licence agreement,
must:
– describe the program's material
elements that perform the specified
function(s), including the nature and
purpose of those elements, as well as
their foreseeable impact, and
– bring those elements to the attention of
the user separate from other information
provided in a request for consent.
54. EXCEPTION
• Prohibition on installing computer
programs does not apply if the
installation is an update or
upgrade to a computer program
that the owner had previously
provided consent to have installed
on their computer and which they
were entitled to receive
55. EXCEPTION
• Computer owners are considered to
have expressly consented to the
installing of a computer program if the
program is:
i. a cookie;
ii. HTML code;
iii. Java Scripts;
iv. an operating system; or
v. any other program that is executable only
through the use of another computer
program whose installation was expressly
consented to
56. EXCEPTION
• Computer owners are considered to expressly
consent to the installation of the following specified
programs:
– a program that is installed by or on behalf of a
telecommunications service provider solely to protect the
security of all or part of its network from a current and
identifiable threat to the availability, reliability, efficiency or
optimal use of its network;
– a program that is installed for the purpose of updating or
upgrading the network, by or on behalf of the
telecommunications service provider who owns or operates the
network on the computer systems that constitute all or part of
the network; and
– a program that is necessary to correct a failure in the operation
of the computer system or a program installed on it and is
installed solely for that purpose
57. EXCEPTION
• Note: Industry Canada has clarified
that automobile manufactures may be
telecommunications service providers
for the purposes of CASL
– Allows auto manufacturers to rely on the
exceptions in the last slide to upgrade
computer software in automobiles
58. IP ADDRESSES
• Industry Canada states:
– Insofar as IP addresses are not linked to an
identifiable person or to an account, IP addresses
are not electronic addresses for the purposes of
CASL
• Result = banner advertising on websites is
not subject to CASL
59. AIDING, INDUCING, PROCURING OR
CAUSING TO BE PROCURED
• It is prohibited “to aid, induce,
procure, or cause to be procured
the doing of any act contrary” to
CASL in respect of the three
previously discussed prohibitions
60. PRIVATE RIGHT OF ACTION
• Contraventions actionable before a
court
• Compensation “in an amount equal to
the actual loss or damage suffered or
expenses incurred by the applicant” and
a maximum amount of statutory
damages for contravention of each
CASL prohibition
61. PRIVATE RIGHT OF ACTION
• CASL statutory damages:
– unsolicited electronic messages
• $200 per contravention up to $1 million
per day
– altering transmission data or installation
of a computer program
• up to $1 million per day per contravention
62. COMING INTO FORCE
• When does the legislation come
into force?
CEMs
• July 1,
2014
Computer
programs
• January
15, 2015
Private right
of action
• July 1,
2017
63. TRANSITION PERIOD
• A person’s consent to receive CEMs from
another person is implied until the earlier of:
1) the person gives notice that they no longer
consent to receiving CEMs from that other person;
or
2) until three years after the day on which the
prohibition against sending CEMs comes into force
if:
a)those persons have an “existing business” or an
“existing non-business relationship”; and
b)The relationship includes the communication
between them of CEMs
64. TRANSITION PERIOD
• If a computer program was installed on a
person’s computer system before the prohibition
comes into force, the persons consent to the
installation is implied until:
1) the person gives notice that they no longer
consent to receiving such an installation; or
2) Until three years after the day on which the
prohibition against installing computer programs
comes into force (January 15, 2018)
65. HOW TO PREPARE
• Get express consent from your current mailing
list
• Review and inventory CEMs currently being sent
– form
– purpose
– recipients
• Developing a database identifying which CEMs:
– require express consent and must comply with the
formalities;
– must comply with formalities; and
– neither require consent nor comply with formalities;
66. HOW TO PREPARE
• Create compliant unsubscribe
mechanisms
• Create template CEMs that meet the
prescribed requirements
• Develop an CASL compliance policy
• Designate one or more people in your
organization to administer the policy
67. HOW TO PREPARE
• Start keeping records of consents and
compliance procedures
– Important for supporting a due diligence
defence
68. OUR CHECKLIST
390 Bay Street, Suite 500
Sault Ste. Marie, ON P6A 1X2
Tel.705.949.6700 Fax.705.949.2465
excellent solutions.
CASL COMPLIANCE CHECKLIST
1. Determine if CASL applies to your organization
2. Review and inventory CEMs being sent
3. Develop database identifying CEMs that require consent
4. Develop standard Consent Forms and record maintenance procedures
5. Get consent from parties on your existing mailing list
6. Identifying gaps and ensure that compliance programs and databases are in
place and working to document consent and unsubscribe information.
7. Ensure sources of contact lists have appropriate CASL compliance protocols
(3rd party lists)
8. Update Business Policies
9. Train All Staff - It is very important to understand that a single unauthorized
CEM is a breach
10. Audit compliance periodically
www.wishartlaw.com
69. QUESTIONS?
J. Paul R. Cassan
pcassan@wishartlaw.com
(705) 949-6700 ext. 230
Tim J. Harmar
tharmar@wishartlaw.com
(705) 949-6700 ext. 233
Notes de l'éditeur
A club, association or voluntary organization is a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than personal profit, if no part of its income is payable to, or otherwise available for the personal benefit of, any proprietor, member or shareholder of that organization unless the proprietor, member or shareholder is a an organization whose primary purpse is the protection of amateur athletics in Canada. See IC regs s 7(2) that refers to s. 10(13)(3)(c) of CASL.
Note: “install” not defined
Industry Canada has stated that CASL applies to installing computer programs on someone else’s computer system, not installations by personal on their own computing devices.
An example of an acceptable means of obtaining consent pursuant to section 5 of the Regulations would be an icon or an empty toggle box, separate from the licence agreement and other requests for consent, that would need to be actively clicked or checked, as applicable, in order to indicate consent to one, several, or all of the functions listed in subsection 10(5) of the Act, as applicable, provided that the date, time, purpose, and manner of that consent is stored in a database.
S 10(8) of CASL specifically mentions cookies in list of “deemed consent” computer programs -- so are they “computer programs” and subject to CASL?
IC: cookies are not programs -- they are not executable, cannot carry viruses and cannot install malware
CRTC: cookies are programs but are not “installed” and so not subject to CASL prohibition