Canada’s Anti-Spam Legislation (CASL), including the provisions applicable to commercial electronic messages (CEMs), will come into force on July 1, 2014.
Subject to limited exceptions, CASL prohibits the sending of a CEM to an electronic address unless:
- The person to whom the message is sent has consented to receiving it; and
- The message complies with prescribed form and content requirements.
Note: An electronic message that is sent for the purposes of obtaining consent to send CEMs is itself considered a CEM, which may not be sent without consent (subject to the exceptions discussed below).
COMMERCIAL ELECTRONIC MESSAGE (CEM) DEFINED:
A CEM is defined broadly as an electronic message (e.g., email, text message, social media message) that has as its purpose, or one of its purposes, to encourage participation in a commercial activity.
Commercial activity includes any transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit.
Consent to receive a CEM must be express or implied based on certain limited circumstances.
Materials published by the CRTC (Canadian Radio-television Telecommunications Commission) have made it clear that “a positive or explicit indication of consent is required” to comply with the express consent requirements of CASL. A consumer must take an active step (for example – checking a box) to indicate his or her consent.
The guidelines also state that requests for consent cannot be “subsumed in or bundled with requests for consent to the general terms and conditions of use or sale” but rather must be clearly and separately identified.
To be valid, a request for express consent under CASL must set out “clearly and simply”:
- The purpose for which consent is being sought
- The name (or if different, business name) of the person seeking consent
- If the consent is sought on behalf of another person, the name (or if different, business name) of the person on whose behalf consent is sought and a statement indicating which person is seeking consent and which person on whose behalf consent is sought
- The mailing address, and one of a telephone number providing access to an agent or voice messaging system, an email address or a web address of the person seeking consent or, if different, the person on whose behalf consent is sought
- A statement that the person can withdraw their consent.
Although CASL generally requires express consent, implied consent can be relied upon in the following circumstances:
- Where the recipient and the sender have an “existing business relationship” or an “existing non-business relationship.”
- An existing business relationship exists where the sender and recipient have engaged in certain specified types of business together in the two years preceding the date on which the CEM is sent (for example, a purchase or lease of a product, or entering into or continuing a written contract) or where the recipient of the CEM has made an inquiry to the sender in the previous six months.
- An existing non-business relationship exists where an individual has made a donation or gift in the last two years, or performed volunteer work in the last two years, to or for a registered charity or political party, organization or candidate or where the individual is a member of certain clubs, associations or voluntary organizations.
- Where a recipient has “conspicuously published” his or her electronic address, the publication is not accompanied by a statement that the recipient does not wish to receive unsolicited CEMs, and the CEM is relevant to the person’s business, role, functions or duties in a business or official capacity.
- Where a recipient has disclosed his or her electronic address to the sender without indicating that the recipient does not wish to receive unsolicited CEMs and the CEM is relevant to the person’s business, role, functions or duties in a business or official capacity. This is sometimes dubbed the “business card” exemption.
TRANSITION PHASE – IMPLIED CONSENT
Under Section 66 of CASL, consent to send CEMs is implied for a period of 36 months beginning July 1, 2014, where there is an existing business or non-business relationship that includes the communication of CEMs.
66. A person’s consent to receiving commercial electronic messages from another person is implied until the person gives notification that they no longer consent to receiving such messages from that other person or until three years after the day on which section 6 comes into force, whichever is earlier, if, when that section comes into force,
(a) those persons have an existing business relationship or an existing non-business relationship, as defined in subsection 10(10) or (13), respectively, without regard to the period mentioned in that subsection; and
(b) the relationship includes the communication between them of commercial electronic messages.
The three-year period of implied consent will end if the recipient indicates that they no longer consent to receiving CEMs. During the transitional period, the definitions of existing business and non-business relationships are not subject to the limitation periods that would otherwise be applicable under section 10 of CASL (outlined above). This transitional period can be used to secure express consent for the continued sending of CEMs on a staggered basis as clients come in, are updated etc.
In contrast to above and why express consent may be preferred for diligence, express consent does not expire after a certain period of time has passed per the definitions. So if LBW seeks out express consent during the transitional phase for all clients – then it will not expire until the recipient withdraws their consent.
CASL exempts the following types of CEMs from its anti-spam prohibition altogether:
- CEMs sent by an individual to an individual recipient with whom the sender has a personal or family relationship (“personal relationship” and “family relationship” are specifically defined in the IC Regulations).
- CEMs sent to a person engaged in a commercial activity and consist solely of an inquiry or application related to that activity.
The Regulations also add the following exemptions from the anti-spam prohibition:
- CEMs sent by an employee, representative, consultant or franchisee of an organization to another employee, representative, consultant or franchisee of the same organization (i.e., intra-business) which concern the activities of the organization.
- CEMs sent by an employee, representative, consultant or franchisee of an organization to an employee, representative, consultant or franchisee of another organization (i.e., inter-business), as long as the organizations have a relationship and the message concerns the activities of the organization to which the message is sent.
- This exemption is intended to address concerns regarding the potential application of CASL to ordinary business-to-business communications, and has been slightly broadened from the last draft of the IC Regulations. In particular, the requirement in the last draft for a “business relationship” between the two organizations is now only a requirement for a “relationship”.
- CEMs sent in response to an individual’s request, inquiry or complaint or where the CEM was otherwise solicited by the person to whom the CEM is sent.
- CEMs sent to satisfy a legal obligation or to enforce or provide notice of existing or pending legal rights or actions.
- CEMs sent and received on an electronic messaging service, such as one provided through a social media platform, if the information and unsubscribe mechanism that are required under CASL are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it either expressly or by implication.
- CEMs sent to a limited-access secure and confidential account, such as a message centre in an online banking account, to which messages can only be sent by the person who provides the account to the person who receives the message.
- CEMs sent by a person who reasonably believes the message will be accessed in a foreign state that is listed in the schedule to the IC Regulations and the message conforms to the law of the foreign state that addresses conduct that is substantially similar to conduct prohibited under CASL’s anti-spam prohibition.
- CEMs sent by or on behalf of a registered charity as defined in the Income Tax Act and the message has as its primary purpose raising funds for the charity.
- CEMs sent by or on behalf of a political party or organization, or a person who is a candidate for publicly elected office, and the message has as its primary purpose soliciting a contribution as defined in the Canada Elections Act.
CASL also exempts the following CEMs from the consent requirement (though these CEMs must still comply with CASL’s form and content requirements), if the CEM solely:
- Provides a quote or estimate for the supply of a product, good or service, if the quote or estimate was requested by the recipient
- Facilitates, completes or confirms a commercial transaction between the parties where the recipient previously agreed to enter into such a transaction
- Provides warranty, product recall, safety or security information about a product, good or service that the recipient uses, has used or has purchased
- Provides notification of factual information about the ongoing use or purchase by the recipient of a product, good or service offered under a subscription, membership, account, loan or similar relationship
- Provides notification of factual information about an ongoing subscription, membership, account or loan
- Provides information directly related to an employment relationship or benefit plan in which the recipient is currently involved, participating or enrolled, or
- Delivers a product, good or service, including updates or upgrades further to a transaction that has been previously entered into.
The Regulations also set out an additional exemption that applies only to the first CEM sent to an individual following a referral, provided the referral is from an individual who has an existing business, non-business, personal or family relationship with both the recipient and the sender. The CEM must disclose the full name of the referring party and state that the CEM is sent as a result of the referral.
FORM AND CONTENT REQUIREMENTS
In addition to the consent requirement, CASL sets out specific form and content requirements for CEMs. In particular, each CEM must identify the sender, provide prescribed contact information for the sender, and set out an “unsubscribe” mechanism. The prescribed contact information includes:
- The name of the person sending the message
- If the message is being sent on behalf of another person, the name of the person on whose behalf the message is being sent
- A statement indicating which person is sending the message and which person on whose behalf the message is being sent
- The mailing address and one of a telephone number providing access to an agent or voice message system, or an email address, or a web address of the person sending the message or the person on whose behalf the message is sent.
The unsubscribe mechanism that must be included in each CEM must enable the recipient to indicate, at no cost to them, that they no longer wish to receive CEMs from the sender. The unsubscribe mechanism must be valid for at least 60 days after the CEM is sent, and effect must be given to the unsubscribe mechanism without delay, and without limitation in no more than 10 business days.
Given the shorter-than-expected grace period, organizations will need to act swiftly to build and implement compliance programs that meet the strict standards of CASL. In order to get onside with the law, organizations should:
- Identify their current practices for sending electronic messages and assess which ones will be covered by CASL.
- Seek express consents in accordance with CASL’s requirements. Since requests for consent will constitute CEMs after the law comes into force, requests for consent should be sent out before July 1, 2014.
- Track and document implied consents and ensure there are systems in place to identify when an implied consent expires. Consider requesting express consent, which is not time limited and remains valid until consent is withdrawn.
- Render fully operational unsubscribe mechanisms that meet the requirements of the legislation.
- Develop and implement policies and procedures for compliance with CASL.
- Train employees on applicable CASL policies and procedures.
Review contracts with vendors and service providers that send CEMs on behalf of the organization to ensure they are contractually obligated to comply with CASL.
NOTEWORTHY FAQ RESPONSES PROVIDED BY THE CRTC
Enforceability as of July 1
As we close in on July 1, 2014, the CRTC is reminding businesses that once the key provisions of CASL come into force, they will be immediately enforceable and compliance is required.
Scope of commercial electronic messages
Key to CASL is the concept of a “commercial electronic message” (CEM), which is defined as a message sent by any means of telecommunication that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude, has as its purpose, or one of its purposes, to encourage participation in a commercial activity.
In response, the FAQs clarify that the mere inclusion of a logo, hyperlink or contact information in an email signature does not necessarily lead to the conclusion that a message is a CEM. In contrast, the FAQs indicate that a tagline in a message promoting a product or service to the recipient would lead to a message being considered a CEM. Accordingly, businesses should consider removing all promotional messaging, including messaging promoting the business itself (e.g. an award or ranking) from electronic messages that are not categorized by the business as being a CEM to avoid having such messages caught by CASL.
Under CASL, an electronic address is broadly defined as an address used in connection with the transmission of an electronic message to an email account, a telephone account, an instant messaging account or any other similar account. The notion of “similar account” has generated much debate about the application of CASL to social media. In response, the CRTC has affirmed that certain social media accounts may constitute a “similar account,” yet has stated that the determination will have to be made on a case-by-case basis.
The CRTC has clarified that it draws a distinction between direct messages sent through social media messaging systems, such as Facebook direct messages and LinkedIn direct messages, which would be viewed as being sent to an electronic address, and messages posted, published or broadcast on social media websites and blogs, such as a Facebook wall post, which would not be viewed as being sent to an electronic address.
We also note that the Industry Canada regulations enacted under CASL exempt CEMs sent and received on an electronic messaging service, such as BlackBerry Messenger (BBM), if the information and unsubscribe mechanism that are required under CASL are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it either expressly or by implication.
Going forward, organizations will need to pay careful attention to their use of different social media platforms to send messages and the ways in which these platforms function to ensure they are CASL compliant.
While some businesses were hoping to rely on the “personal relationship” exemption for certain of their communications, the CRTC has clarified that the definition of “personal relationship” is limited to close relationships between individuals. According to the CRTC, legal entities, such as corporations and not-for-profit organizations, cannot have a personal relationship under CASL and the “personal relationship” exemption is limited to close relationships. In other words, an individual who sends a CEM on behalf of a business cannot allege that they have a personal relationship with the recipient.
In case there was any remaining doubt, the CRTC has re-emphasized that pre-checked boxes cannot be used to obtain express consent, as consent to receive a CEM cannot be presumed on the part of the end user. In other words, the end user must take a positive action to indicate their consent, such as by proactively checking a blank box.