CASL compliance is a concern with everyone. Canada’s Anti Spam legislation (CASL) came into effect on July 1, 2014 changing the way we can market or promote products and/or services through emails, newsletters and other electronic promotional materials to individuals via email.
The legislation prohibits sending a commercial electronic message (CEM) to an email address via email, SMS, instant messaging, social media or telephone without consent. On January 15, 2015, it is now also illegal to install programs on someone’s computer without their consent. This summary discusses some of the highlights of Canada's Anti-Spam Legislation and how it will affect your business by failing to ensure CASL compliance.
In order to be fully educated on CASL compliance, you can read the full text of Canada’s Anti Spam legislation, An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means by carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23, Assented to 2010-12-15 referred to as “Canada’s Anti-Spam Legislation (CASL)” here.
CASL Compliance – Prohibition of Unsolicited Electronic Messages
As a result of the legislation, it is now illegal to send, cause or permit a commercial electronic message (CEM) to an electronic address unless express or implied consent (with certain conditions) from the individual is received and the message conforms to certain prescribed requirements.
Section 1(2) defines an “electronic message” as “a message sent by any means of telecommunication, including text, sound, void or image.” A message sent through social media such as Twitter, Facebook and Linked in are also subject to CASL and consent must be obtained (along with identification and an unsubscribe mechanism).
CASL Compliance – What is a Commercial Electronic Message (CEM)?
According to the CRTC, “A CEM is a message that encourages participation in a commercial activity, including, but not limited to: offering, advertising or promotion a product, a service or a person” regardless of whether or not there is an expectation of profit.
Section 6 of the Act applies if you are sending a CEM to an electronic address. Individuals, organizations and businesses have 36 months to obtain express consent from individuals they wish to market to. The question to ask when sending the email is whether the purpose is for the recipient to engage in commercial activity?
A customer must consent to receiving a CEM beforehand. The purpose for which the consent is being sought must be made clear.
CASL Compliance – What is Implied Consent
Generally, the consent to receive a CEM must be explicit such as obtained via opt-in except that there a transitional provision for implied consent effective for three years from the date the Act came into force on July 1, 2014.
The express consent may be verbal but records must be kept to prove such consent was provided in this manner. A consumer can provide written consent by signing or ticking a box but such consent may not be deduced through silence. A consumer cannot be assumed to have given consent because they did not check off an opt-out box or through a pre-checked opt-in box.
Section 66 of the Act provides that there is an implied consent remains valid for a period of 36 months commencing July 1, 2014 where there is an existing business or non-business relationship that includes the communication of CEMs. During this period, an individual must obtain express consent from the individual they are doing business with. The individual receiving the message can still terminate consent at any time during this three year (36 month) period. After the implied consent period of 36 months, express consent must be obtained.
In contact, express consent does not expire at any time until the individual receiving the CEM withdraws their consent.
This three year grace period for the transitional period only applies to an “existing business relationship” (as set out in s. 10(1) to (12)) or “non-existing business relationship”(per s 10(9)(a), s. 10(13)) which was created before section 66 of the Act came into force (July 1, 2014). If such a relationship was created after July 1, 2014, then express consent must be obtained.
CASL Compliance – What are the Prescribed Requirements that Must be in a CEM?
After obtaining consent whether express or implied, you must set out the following in a CEM:
(i) identification information and set out the name of the individual sending the message and the name of the individual if sending it on their behalf.
(ii) contact information of the individual(s) in (i) so the person receiving the message can easily contact the individuals sending the message. The contact information must be valid for at least 60 days from the date the message was sent. The contact information includes email, address, telephone number and website.
(iii) an ability to unsubscribe from the message. Section 11(3) provides that once an unsubscribe mechanism is engaged, the sender has 10 days in which to remove the recipient from its mailing list.
CASL Compliance – When does Section 6 of the Legislation not apply?
Section 6 of CASL does not apply in the following circumstances:
1) In the event the CEM is not sent to an electronic address;
2) Interactive two-way voice communications between individuals;
3) Faxes or voice recordings sent to a telephone account. In these instances, Unsolicited Telecommunications Rules may apply instead. Check out the information on the National Do Not Call List.
4) Section 6(5)(a)R.(2) provides that family or friends are excluded;
5) Section 3(a)(i) provides that co-workers are excluded and that CEMs between employees of the same organization are permitted;
6) Business to business relationships – Section 3(a)(ii) provides that CEMs between employees at once company emailing employees at another company regarding business activities pertaining to the companies if the companies have a business relationship.
7) Responses to requests or complaints from the recipient pursuant to section 3(b) are permitted;
8) Section 3(c) permits CEMs sent for a legal rights, obligation or enforcement.
9) Section 3(d) permits CEMs sent on an electronic message service provided that: (i) the unsubscribe mechanism required under s. 6(2) is conspicuous and readily available and (ii) the recipient consents to receive it either expressly or through implication.
10) Section 3(f) permits CEMs to be sent where sender reasonably believes it will be accessed in a foreign state listed in the schedule to the Act (and sender has complied with the laws of that foreign state).
11) Section 3(g) permits CEMs sent by or on behalf of a registered charity (defined in the Income Tax Act) provided that the purpose of the message is to raise funds.
12) Section 3(h) permits political parties or organizations or candidates to solicit contributions;
13) Section 6(5)(b) permits CEMs when it is a request for information regarding the recipient’s commercial activities.
14) Section 10(9)(b) permits CEMs when recipient has conspicuously published their address without stating “no CEMs” and the message is related to the recipients business. eg. contact information of a contact found online on a website or social media and there is no accompanying statement indicating that they do not wish to receive unsolicited CEMs provided that the message is relevant to the person’s business.
15) Section 10(9)(c) provides that the recipient has provided electronic address to sender without stating “no CEMs” and message is related to recipient’s business. eg. receiving a business card at an event and the individual did not indicate that they do not wish to receive unsolicited CEMs. This is considered implied consent. Eventually, you will need to obtain express consent.
16) Reg (4)(1) provides that consent is not required for the first CEM sent for purpose of contacting an individual through a referral by an individual who has an existing business relationship or non-business relationship, or a family or personal relationship with both the sender and recipient. The sender should still include an unsubscribe along with the identity of the sender.
Infringement Penalties for failure to ensure CASL Compliance
- Includes administrative monetary penalties enforced by the CRTC and private rights of action (to come into force on July 1, 2017)
- Up to $1 million per violation for individuals, and $10 million per violation for corporations (s.20).
- Compensation (s.51) for actual loss and a maximum of:
- $200 per contravention up to $1 million per day for violations of s. 6 of CASL
Copyright, Entcounsel, 2018.