Canada’s New Anti-Spam Law and Accompanying Regulations: Tips on Compliance

Feb. 20, 2013, 5:13 PM UTC

The intent of Canada’s anti-spam law (“CASL”)1 is to deter the most damaging and deceptive forms of spam in Canada, and to create a more secure online environment. Once the new law enters into force, CASL will create a comprehensive regulatory regime of offences, enforcement mechanisms and severe penalties, all designed to protect individuals and businesses engaged in electronic commerce. CASL also will extend the provisions of the Competition Act2 concerning false and misleading marketing to electronic messages, and restrict the scope of certain exemptions under the Personal Information Protection and Electronic Documents Act (“PIPEDA”).3

By addressing a broad range of internet issues, CASL will be one of the most rigorous anti-spam and anti-malware regimes in the world, going beyond legislation in the United States that focuses only on email spam.

CASL (Bill C-28) received Royal Assent on December 15, 2010 (see analysis by Roland Hung at WDPR, January 2011, page 10). However, the provisions of CASL have not yet come into force, to allow time for the accompanying regulations from the Canadian Radio-television and Telecommunications Commission (“CRTC”) and Industry Canada to be developed. On March 28, 2012, the CRTC released the Electronic Commerce Protection Regulations4 (see WDPR, April 2012, page 19). Further, in October 2012, the CRTC issued two sets of interpretative guidelines addressing important aspects of CASL (see analysis at WDPR, October 2012, page 13). A draft of the Industry Canada regulations was published in the Canada Gazette on January 5, 2013, for a 30-day comment period (see analysis at WDPR, January 2013, page 17).

CASL and its accompanying regulations are expected to come into force late in 2013.

Prohibitions

Anti-Spam

CASL covers all “commercial electronic messages,”5 also known as spam. The term is defined broadly to capture any electronic messages that encourage participation in a commercial activity, regardless of the type of organizations sending them. Further, CASL takes a technology-neutral approach and captures all media and forms of electronic messaging. This means that email, unsolicited text messages, instant messaging and cell phone spam — whether in the form of sound, text, voice or images — are all captured.

CASL prohibits the sending, or causing or permitting to be sent, of a “commercial electronic message” to an electronic address unless:

  • the recipient has given consent (either express or implied) to receive the message, and


  • the message complies with required formalities, including information regarding both the actual and beneficial sender of the message, a sender’s contact information, and an effective and timely unsubscribe mechanism.6

Consent to receive a commercial electronic message may be express or implied. Express consent must be based on the disclosure of prescribed information. Prescribed information includes the purposes for which consent is sought and the identity of the person seeking consent.7

Consent may be implied in limited circumstances where:

  • the person who sends the message has an “existing business relationship” or an “existing non-business relationship” with the person to whom it is sent;


  • the recipient has conspicuously published his or her electronic address, without an accompanying statement that he or she does not wish to receive unsolicited messages, and the message is relevant to his or her business, role, functions or duties in a business or official capacity; or


  • the recipient has disclosed to the sender the electronic address without indicating a wish not to receive unsolicited messages, and the message is relevant to his or her business, role, functions or duties in a business or official capacity.8

In sum, the general rule under CASL is that express “opt-in” consent must be obtained, subject to a proviso that implied consent may be used within specifically defined circumstances. This permission-based, largely “opt-in” approach to consent goes beyond the U.S. CAN-SPAM Act, which allows marketing email messages to be sent to anyone, without permission, until the recipient “opts out” by expressly requesting that the messages cease.

Anti-Phishing

CASL contains an anti-phishing provision9 that will prohibit a person, in the course of commercial activity, from altering the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to the destination specified by the sender, without the sender’s express consent. The consent must be informed, and an effective and timely consent withdrawal mechanism must be provided as well.

Anti-Malware

Lastly, the anti-malware provision10 under CASL prohibits a person, in the course of commercial activity, from installing any computer program on any other person’s computer system, or causing that computer program to send an electronic message from the computer system, without the consent of the owner or authorized user of the computer system. In most circumstances, the required consent must be express and informed, and an effective and timely consent withdrawal mechanism must also be provided. There are limited exceptions that permit implied consent to the installation of legitimate computer software. There is also a three-year transition provision that provides for implied consent to the installation of a software update or upgrade in limited circumstances.

Amendments to PIPEDA and the Competition Act

PIPEDA generally requires knowledge and consent for the collection and use of personal information; however, PIPEDA includes a list of exemptions to this general requirement in specific circumstances. CASL amends PIPEDA to make these exemptions unavailable when a computer system is accessed in contravention of the provisions of CASL. Specifically, PIPEDA is amended to prohibit the unauthorized collection of a person’s electronic address or personal information by use of a computer program designed for collecting that information or by unauthorized access to a computer system, or the use of an electronic address or personal information collected in that manner, without the individual’s consent.11

CASL also amends the Competition Act by prohibiting the sending of electronic messages with false or misleading representations, whether in the sender information, the subject matter of an electronic message, or a locator. The prohibition does not require the electronic message to be a “commercial electronic message”. The amendments also broaden the definition of telemarketing to include “communicating orally by any means of telecommunication”, so that it no longer applies simply to “interactive telephone communications”.12

Enforcement and Penalties

CASL gives the CRTC broad powers to investigate violations and to impose substantial administrative monetary penalties of up to $1 million (U.S.$988,452) for an individual and up to $10 million (U.S.$9.88 million) for an organization.13 CASL also creates a private right of action14 that will allow consumers and businesses to take civil action against anyone who violates CASL.

Corporate officers and directors can be held personally liable for corporate violations,15 and employers can be held liable for violations committed by their employees or agents acting within the scope of their employment or authority.16 Due diligence to prevent the commission of the violation is a defence.

Regulations

Industry Canada Proposed Regulations

The proposed Industry Canada regulations (“Industry Canada Proposed Electronic Commerce Protection Regulations”) define key terms and concepts in CASL and provide exemptions to certain business practices not intended to be covered by CASL. Highlights from the draft regulations include:

  • The proposed regulations clarify the meaning of “family relationship” and “personal relationship” for the purposes of CASL. The definition of “family relationship” is consistent with the definitions in the Income Tax Act, and exempts “commercial electronic messages” between individuals descending from common grandparents. The definition of “personal relationship” covers virtual as well as in-person relationships between individuals who have had direct, voluntary, two-way communications where it would be reasonable to conclude, based on a non-exhaustive list of factors, that the relationship is personal.17


  • The proposed regulations provide that consent to receive messages from a third party is valid only if the commercial electronic message identifies the person who originally obtained the consent and contains an unsubscribe mechanism allowing the individual to withdraw consent from the original requester and any third parties.18


  • The regulations exempt certain business communications not meant to be captured by CASL, including: 1) commercial electronic messages sent within a business or sent between businesses already in a business relationship; 2) commercial electronic messages that are sent in response to a request, inquiry or complaint; 3) commercial electronic messages sent to enforce a legal right; 4) commercial electronic messages sent by a person located outside Canada to another foreign recipient, but accessed while the recipient was in Canada; and 5) exemptions for telecommunications service providers.19


  • The proposed regulations define “membership” and “club, association or voluntary association” as used in the definition of “existing non-business relationship” in CASL.20

CRTC Regulations

Highlights from the CRTC regulations (“CRTC Electronic Commerce Protection Regulations”) and guidelines include:

  • Each commercial electronic message must identify the sender and its affiliates, but not necessarily persons situated between the person sending the commercial electronic message and the person on whose behalf the commercial electronic message is sent. Further, the physical mailing addresses of the sender must be included in both the commercial electronic message and the request for consent.21


  • An unsubscribe mechanism must be able to be “readily performed”, which means it must be accessed without difficulty or delay, and should be simple, quick, and easy for the consumer to use.22


  • A business must seek express consent separately for 1) sending commercial electronic messages, 2) altering transmission data in electronic messages, and 3) installing a computer program on another person’s computer. Furthermore, requests for consent must not be bundled or subsumed with requests for consent to the general terms and conditions of use or sale.


  • Businesses seeking oral consent to send commercial electronic messages are advised to make and keep a complete and unedited audio recording of the consent, or to ensure the oral consent can be verified by an independent third party.


  • Businesses seeking written consent electronically to send commercial electronic messages are advised to ensure consent is obtained in a manner that allows the information to be subsequently verified. An acceptable example would include checking a box on a webpage to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in a database.


  • Express consent cannot be obtained by using pre-checked boxes. The user must give consent through an opt-in mechanism, such as by affirmatively checking a box to indicate consent. The CRTC further notes that confirmation of consent should be sent to the user.


  • The guidelines also address several aspects of the spyware/malware provisions in the regulations and in CASL.

Tips for Businesses

In response to CASL, businesses will have to change their internet marketing practices. The legislation is broadly drafted to capture all electronic messages sent to, through or from Canada, meaning that it applies to international senders who send commercial electronic messages into Canada.

It is important for U.S. businesses to note that compliance with the U.S. CAN-SPAM Act does not translate to compliance with CASL. U.S. businesses that previously sent marketing emails to anyone, without permission, until the recipient “opted out” by expressly requesting that the messages cease will have to change their practices and obtain express “opt-in” consent if they are to continue to send messages to or through Canada.

Here are a few guidelines:

  • Do not use false or misleading information about the subject matter or sender. Ensure the subject line and header information are accurate and identify the person or business that sent the message.


  • Provide recipients with the prescribed information. Commercial electronic messages will be required to disclose prescribed information that identifies the sender, the sender’s contact information and information about the unsubscribe mechanism.


  • Tell recipients how to opt out of receiving future email. Businesses will be required to ensure that commercial electronic messages are sent only to persons who have previously given express or implied consent to receive the message, and have not opted out of future messages. The message must include a clear and conspicuous explanation of how the recipient can opt out of getting future emails. Further, any opt-out mechanism offered must remain operative for 60 days.


  • Honour opt-out requests promptly. Businesses must honour a recipient’s opt-out request within 10 days.


  • Monitor third parties. Businesses will need to ensure that their third-party service providers are knowledgeable about CASL and in compliance with CASL when assisting with and implementing marketing programs and services.


  • Ensure compliance when distributing software. Computer software businesses will be required to ensure that any electronic distribution of software (including software updates/upgrades) complies with disclosure and consent requirements.

Conclusion

Although the drafters seem to appreciate the potential impact of this legislation on businesses and, as such, included transitional provisions, those provisions are of limited assistance. The transitional provisions apply only to the defined categories of existing business and non-business relationships. Further, they do not address any general grandfathering or transitional mechanisms for existing contact lists.

Consequently, businesses should not wait for CASL to come into force; they should proactively evaluate their current practices and privacy policies to ensure compliance with this critical legislation. Compliance with CASL may require businesses to devote significant attention to requalifying their procedures for email communications and ensuring proper consent, which should be done well in advance of the legislation coming into force.

Roland Hung is an Associate and Brittany Weikum is an Articling Student at McCarthy Tétrault LLP, Calgary. Roland Hung may be contacted at rhung@mccarthy.ca.
