On July 1, 2014, An Act To Promote The Efficiency And Adaptability Of The Canadian Economy By Regulating Certain Activities That Discourage Reliance On Electronic Means Of Carrying Out Commercial Activities, And To Amend The Canadian Radio-Television And Telecommunications Commission Act, The Competition Act, The Personal Information Protection And Electronic Documents Act And The Telecommunications Act (S.C. 2010, c. 23) comes into force. This law and the regulations promulgated under it are commonly referred to as Canada’s Anti-Spam Legislation or CASL for short.
CASL is intended to improve users’ confidence in electronic communications and the internet by limiting unsolicited electronic messages sent for commercial purposes, prohibiting damaging and deceptive spam, spyware, malicious code, botnets, and other related threats.
There are three main parts to CASL: (1) a series of restrictions and requirements that apply to commercial electronic messages (CEMs); (2) a prohibition against altering the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender; and (3) a prohibition against installing a computer program on any other person’s computer system and causing an electronic message to be sent from that computer system, without express consent.
This article provides a brief summary of the requirements for sending CEMs under the CASL regime which take effect on July 1, 2014.
Commercial Electronic Messages
A CEM has been defined very widely to include email, text/instant messages and messages sent on social media (excluding broadcast messages such as postings on walls, etc) related to a commercial activity. A “commercial activity” includes the sale of products or services, information respecting investment or business opportunities and any request for the recipient’s consent to receive a CEM in the future.
After July 1, 2014, senders must have the consent of recipient before sending a CEM and every CEM must include:
the name of the person sending the message and the identify on whose behalf the message is sent, if different;
contact information (mailing addressing and either a phone number or an email address) of the sender(s); and,
a mechanism that allows the recipient to easily unsubscribe at no cost.
(i) Express Consent
Where express consent is provided by the recipient on at least one occasion, it will remain valid unless or until revoked.
If obtained prior to July 1, 2014, the express consent of the recipient does not need to comply with any specific form and content requirements.
After July 1, 2014, there are specific requirements for obtaining consent to send CEMs and restrictions on how those consents may be obtained, including:
requests for consent CANNOT be sought by way of a CEM and may only be sought through other means, such as a telephone call or old-fashioned snail mail;
requests for consent must NOT assume the consent unless the recipient takes an additional step to decline (ie. a pre-checked box that must be un-checked to deny consent);
an oral consent will be acceptable only if it can be verified by an independent third party or if an audio recording of the consent is maintained;
a written consent must be stored in a database together with the date, time, purpose and manner of the consent; and
requests for consent for multiple types of activities CANNOT be bundled into a single request, such as a consent to send a CEM and a consent to install computer programs on a recipient’s computer.
(ii) Implied Consent
CASL does recognize that consent to receive a CEM may be implied in certain circumstances. However, some implied consents are time limited.
Time Limited: An implied consent will exist where the sender and recipient have an existing business or “non-business relationship”. A “non-business relationship” includes situations where the recipient made a donation to, volunteered for or was a member of the sender organization. But this form of implied consent will expire 2 years after the parties last conducted business together or 6 months after the last inquiry exchanged by them.
Transitional provisions in the Act presume that any such existing relationships give rise to implied consent for three years. After July 1, 2017, senders will require explicit consent to send a CEM to recipients with whom they have an existing relationship unless the CEM relates ONLY to ongoing commercial activity and does not promote other goods and services.
Indefinite: An implied consent will also exist where the recipient has conspicuously published their email address or otherwise provided their email address to the sender with no restrictions. For instance, providing a business card on which an email address appears or publishing an email address on a web site implies that person’s consent to receiving a CEM. This form of implied consent is not time limited and will remain valid unless and until revoked.
Exemptions to the above consent and unsubscribe requirements are available for a CEM:
1. sent within family or personal relationships;
2. sent within closed messaging systems, such as secure online banking messaging centres;
3. broadcast style messages, such as updates to an RSS feed or messages posted to your own Twitter stream or your own Facebook wall;
4. sent to make an inquiry or file an application with a business;
5. sent between businesses which have an existing relationship or between members of the same business organization;
6. sent out to satisfy legal obligations or provide notice of existing or pending legal rights;
7. sent to foreign jurisdictions;
8. sent by registered charities, political candidates, and political organizations to raise funds or seek donations; and
9. sent to deliver an update or upgrade for a product or service which the recipient has already purchased.
Transmission Data & Computer Programs
The CASL provisions prohibiting the alteration of the transmission data and the installation of computer programs on another person’s computer without their express consent will come into effect early next year on January 15, 2015.
Please note that these provisions may affect when and how commercial web sites may install HTML code, Java Scripts and other forms of software code on the personal computer or smartphone of any visitor.
CASL provides two means by which its provisions may be enforced, namely: (a) quasi-criminal prosecution by the crown; and (b) an action by private individuals for damages.
CASL has very broad application to electronic communications and failure to comply with the provisions can result in fines: as high as $1,000,000 for individuals or $10,000,000 for businesses. These fines are per violation and violations can be separately assessed for each day of non-compliance.
Private Cause of Action
As of July 1, 2017, a private right of action will become available for violation of the Act. This will mean that individuals will be able to commence lawsuits in the courts for any contravention of CASL. The court may award damages for actual loss or harm which is proven in addition to granting injunctive relief and legal costs.