Complying With the New Canada Anti-Spam Legislation (CASL): Practical Advice for U.S. Businesses

On July 1, 2014, Canada’s new Anti-Spam Legislation (the “CASL”) took effect after years of anticipation. This legislation has a broader reach than similar legislation in the U.S., and the details of the CASL’s guidelines and prohibitions matter to U.S. companies for several reasons.

First, the legislation applies to specified activities initiated outside of Canada but completed within its borders. Second, the CASL addresses a wider variety of messages and devices—including marketing messages included in app software downloaded in Canada. And, perhaps most important, the CASL authorizes both administrative and private causes of action with damages of up to $10 million dollars Canadian. With so much at stake, CASL violation risks make ensuring compliance an important topic on both sides of the border.

The CASL’s key rules

The CASL regulates a wide variety of messages and means of communications. But for U.S. businesses who do business in Canada—even just electronically—the CASL addresses two primary areas of concern: the delivery of “commercial electronic messages” (“CEMs”) and the installation of computer programs on another’s computer system (which is defined broadly enough to include personal computers and mobile devices).

CASL Section 6 governs CEMS and is already in effect. CASL section 8, which controls computer programs, will take effect January 15, 2015. The ability to bring a private right of action for violation of the CASL begins July 1, 2017, and will be subject to a 3-year statute of limitations. But the Canadian Radio-television and Telecommunications Commission (the “Commission”) may enforce the law before then, subject to a 3-year statute of limitations that started on July 1, 2014.

Most important for U.S. businesses, the CASL applies to CEMs received and programs installed in Canada, even if they originate elsewhere.

A. Section 6 - CEMs

Under CASL Section 6, a covered CEM is:

• An electronic message—text, sound, voice, and/or image;

• Sent to an electronic address —e-mail, instant message, or phone;

• That has as its purpose or one of its purposes (considering message content, hyperlinks and/or contact info);

• The encouragement of participation in a commercial activity.

Under these guidelines, the CASL clearly applies to most business marketing e-mail and social media messages. In addition, “push” messages sent within a business or commercial app arguably also meet the definition of a CASL-regulated CEM—although nowhere in the law or regulations is “application” or “app” mentioned.

CEMs may be sent if the sender has obtained the recipient’s express or implied consent. Express consent may only be obtained via opting-in, so the long-standing tradition of pre-checked-boxes is now unacceptable. Consent may be written or oral, but oral consent carries a difficult evidentiary burden and is not recommended, as the burden of proving consent will be on the sender. In obtaining express consent, a sender must always provide its:

• Name

• Purpose for the consent

• Mailing address

• Phone number, e-mail, or web address

• Information that consent may be withdrawn.

When the sender and recipient have an “existing business relationship,” the CASL allows sending of CEMs based upon implied consent. An existing business relationship can arise from:

1. The purchase of goods/services from the sender within the 2-year period immediately preceding the day on which the CEM was sent;

2. The acceptance by the recipient of a business or gaming opportunity offered by sender within the 2-year period immediately preceding the day on which the CEM was sent; or

3. A written contract between and the recipient concerning either 1 or 2 above that is still in existence or expired within the 2-years immediately preceding the CEM.

Regardless of the implied consent, the CEM must still contain certain information or include a prominent hyperlink in which the sender identifies itself, provides a mailing address and either a telephone number or e-mail/web address, and includes an unsubscribe mechanism.

B. Section 8 – Computer programs

CASL Section 8 covers programs installed on computers. Under its provisions, program installation and electronic messaging from the program require express consent of the owner/authorized user of the computer system. In addition, for one year after installation, the entity that generated the program must provide an electronic address to which a recipient may send a request to remove or disable the computer system.

As with a CEM, to obtain express consent for Section 8, the initiating company must provide its name and purpose for the consent, its mailing address and either phone number/e-mail/web address, and information that consent may be withdrawn. The company must also describe in general terms the function and purpose of the computer program that’s to be installed if consent is given.

Additionally, separate notice must be raised when seeking consent if the computer program:

• Collects personal information stored on the computer system;

• Interferes with the owner’s control of the computer system;

• Changes or interferes with the settings, preferences, or commands on the system without the user’s knowledge;

• Changes or interferes with data on the system in a manner that obstructs, interrupts, or interferes with the user’s lawful access to or use of that data;

• Causes the computer system to communicate with another computer system or other device without the authorization of the owner; or

• Installs a computer program that may be activated by a 3rd party without the user’s knowledge

Express consent is not further required for updates/upgrades of a program if consent for the primary program already exists. And, a person may expressly consent through their conduct if the program installed is a cookie, an HTML code, a Java script, an operating system, or any other program that is executable only through use of another program whose installation or use the person previously expressly consented.

Under either Section 6 or 8, an unsubscribe request must be honored within 10 days.

Practical advice for dealing with CASL

While the specifics of each technology will ultimately control, companies can undertake the following steps to start protecting marketing communications from running afoul of the CASL’s CEM and computer programs rules.

Messaging Basics

• Eliminate the pre-checked box. All opt-ins must be done through a non-pre-checked box—especially for e-mail based offers.

• Know CEM e-mail communication basics and ALWAYS include:

• Sender name

• Purpose for the consent

• Sender’s mailing address

• Sender’s phone number, e-mail, or web address

• A means to unsubscribe.

• Get CASL compliant on web-based landing pages that obtain e-mails for marketing purposes. These kind of web pages must include:

• Company name

• The purpose for seeking consent –e.g., to receive promotional or informational communications

• Sponsoring company address

• Other means of contact (telephone/e-mail address/web address

• Notice that consent may be withdrawn

• Remember your apps. App compliance is similar to that required in other areas and the app description should include:

• App sponsor’s name

• A general description of the app and its functions/purpose

• A link to the sponsoring business site that contains its physical address and telephone/e-mail/web address

• An indication that the app may be deleted or consent revoked if the user wishes.

Further, if the App does any of the functions listed in the Section 8 bullet-point section, the function should be included in the App description.

• Treat push notifications as CEMs. Like CEM’s, messages sent via push should contain at least a link in which the sponsor identifies itself, provides a mailing address and either a telephone number or e-mail/web address, and includes a means (or directions) for unsubscribing/turning off push. The push notification consent-requests should remain in their own separate pop-up and should include the following information:

• Sponsor name

• A concise general description of reasons that a push may be sent

• A link to sponsor’s site that contains physical address and phone/e-mail/web address

• Notice that consent for the notifications may be revoked.

Potential wording for push notification consent could state “I agree to receive push notifications from this application. [Business name] will send promotional or informational push notifications from time to time. You may choose to stop receiving these notifications by changing your settings. “www. business name.com”

Pointers going forward

• Reach out to all current e-mail subscribers while you can. Devise and execute an e-mail to all current e-mail address subscribers (or, at minimum, all those in Canada) in which you provide a link to a landing page in which they can provide their express consent to receive future e-mail marketing messages or in which they can reply to convey their consent to receive future e-mail marketing messages from you. You have a 3-year window that began on July 1, 2014, in which to gain such express consent from existing subscribers—so reach out now while direct contact for consent is permitted.

• Document CASL changes. Consider documenting all changes discussed here and updating your privacy policy to specifically reference compliance with the CASL as a means of documenting your due diligence efforts, to assist in a defense should a CASL violation ever be alleged.

• Remember e-mail addresses obtained from customers at point of sale—but relax. CASL’s exception for existing business relationship should allow businesses to use emails collected at the point of sale for marketing messages without additional consent. The POS information detailing customer visits/transactions is a good way to prove the presence of an existing business relationship. When sub-contractors or franchisees are involved these records may be harder to produce—so if those situations predominant, a record of a customer’s express consent is always cleaner, though potentially harder to manage.

• Screen shots? Consider collecting screen-shots of e-mail sign-ups in which people disclose their e-mail address and click the box affirming their consent to receive e-mail communications from the sponsoring business. A written policy detailing how consent is received, maintained, and respected may be a viable alternative to this, but screen-shots or some variation thereof would be the best form of proof.

Conclusion

The provisions—and penalties—of the CASL have already begun begin to take effect. U.S. and other businesses that send marketing messages to Canadian consumers can limit their CASL liability by understanding the legislation’s key provisions and taking the steps needed to make their communications CASL compliant. Failing to do so could now lead not only to unhappy customers but to millions of dollars in fines and future litigation. Taking action now will help all companies doing business in Canada avoid this fate.