CASL – Anti-Spam Law: Is Your Organization in Compliance?

Does your organization send out electronic messages associated with your business’s commercial activities? If so, as of July 1, 2014, it has become a lot tougher for you to do so legally. But don’t panic just yet: businesses have a three-year grace period to verify and confirm consent.

Canada’s new Anti-Spam Legislation (“CASL”) creates a comprehensive regime of offences, enforcement mechanisms and severe penalties designed to prohibit unsolicited commercial electronic messages and deter online and other electronic fraud. The requirements of the legislation are stringent and achieving compliance will likely be a lengthy and complicated process for most organizations. Unless you begin preparing your organization and your workforce to be compliant ahead of time, you may be caught off-guard by the far-reaching implications of this new legislation.

In a nutshell, the law requires the sender of commercial electronic messages (“CEMs”) to obtain the prior express or implied consent of the recipient, to include certain required information in the messages and to provide an easy-to-use unsubscribe mechanism.

CASL’s provisions addressing CEMs came into force on July 1, 2014. Other provisions addressing the installation of computer programs without express consent will come into force January 15, 2015. Provisions pertaining to the private right of action will come into force on July 1, 2017. This post only addresses compliance issues surrounding CEMs.

CASL’s definition of CEMs covers any message sent by electronic means, whose purpose or consequence is to encourage participation in a commercial activity. The definition likely covers e-mails, text messages, tweets, website interactions and instant messaging services, among others.

To ensure compliance with CASL, your organization must meet the following three requirements for each CEM:

1. Express or implied consent of the recipient: to provide express consent, the recipient must take some positive action (e.g. check a box, send an email stating consent). Express consent cannot be bundled into the terms and conditions attached to the service, be a condition of sale, or appear as a pre-checked box. It must be sought separately. It must also comply with the content and unsubscribe requirements discussed below.

Although express consent can be oral or written, since the onus is on the sender to prove that consent was given, it will always be better to receive written consent than to prove compliance. If oral consent is given, it must be in a manner that can be verified.

Consent may be implied in a number of ways, including the sender and recipient having an “existing business relationship” or an “existing non-business relationship”, as these terms are defined by CASL. Each of these relationships must be no more than two years old, or must stem from a business inquiry within the last six months.

2. Clear and prominent disclosure of contact information. All CEMs must clearly and prominently disclose:

a. the identity of the sender;
b. the name of the business; and
c. contact information for the sender, which must include a mailing address and one of the following:

  • telephone number
  • e-mail address
  • web address

If the sender sends CEMs on behalf of a principal, the CEMs must include the identity of the sender and the sender’s principal, and a description of the relationship between the sender and the principal.

3. Unsubscribe mechanism: all CEMs must include a method that allows a recipient to unsubscribe from any further CEMs from the sender. If the unsubscribe mechanism is not clearly and prominently included in the CEM, the CEM must provide a link to a webpage with an easy-to-use unsubscribe mechanism.

CASL lists many exceptions to the requirements pertaining to CEMs. These include:

  • if the recipient and sender have a personal or family relationship;
  • if the recipient and sender are employees of the same organization and the CEM concerns the activities of the organization;
  • if the recipient and sender are employees of different organizations, the organizations have a relationship, and the CEM concerns the activity of the organization to which the message was sent;
  • if the CEM was solicited by the recipient (i.e. a response to a request, inquiry or complaint); and
  • if the CEM is sent on a closed messaging system (i.e. banking message centres).

There are also a number of exceptions to the consent requirement, including CEMs that provide a quote or estimate upon request, provide information on products already purchased, or CEMs that are third party referrals. It is important to review the act closely to determine which CEMs sent by your organization may be exempted.

The penalties imposed by CASL are severe. Monetary penalties may be imposed on individuals in amounts up to $1,000,000.00. Corporations may be penalized as much as $10,000,000.00. Directors and officers of corporations may be personally liable if they directed, authorized or participated in sending CEMs in violation of CASL, and employers will be held responsible for the actions of employees. CASL provides for a reverse onus, meaning that the sender will be presumed guilty unless and until the sender can show otherwise. This is one Act that no organization can afford to take lightly.

To ensure compliance, your organization should, at a minimum, take the following steps:

  1. Conduct a comprehensive internal audit. Gather information on existing databases, e-mail contacts, e-mail lists and existing relationships with customers and other organizations.
  2. Create a database of recipients and organizations from whom you already have express consent, and another database of recipients with whom you have an existing business relationship and therefore have implied consent. CASL provides a three-year grace period for obtaining express consent, so recipients who have only provided implied consent should be flagged.
  3. Contact your current legal advisor. He or she may have already developed CASL compliance tools that can assist you to cut down on the amount of work to bring your organization into compliance.
  4. Upgrade your existing databases and data collection methods to comply with CASL.
  5. Obtain express consent from current and potential recipients. Express consent obtained prior to CASL coming into force can be relied on now that CASL has come into effect, even if your request for the express consent did not contain the CASL requirements. However, even with such express consent, all CEMs sent after July 1, 2014 must contain the requisite information and a proper unsubscribe mechanism.
  6. Develop CASL-compliant consent request templates.
  7. Develop unsubscribe mechanisms and systems to keep track of such requests.
  8. Develop compliance procedures, policies and controls.
  9. Develop CEM templates that include an unsubscribe option for all communication.
  10. Train your staff.

Most importantly, throughout the process of bringing your business into compliance, employ due diligence. CASL allows for a due diligence defence – your organization may not be liable despite a violation of CASL if it has taken all steps reasonable in the circumstances to attempt compliance. However, if your organization cannot show that it has taken all reasonable steps to attempt compliance (or, even worse, any steps at all), the liability and other implications arising out of enforcement proceedings will likely cause great damage. There is no good reason not to take the time to ensure you become CASL compliant. While there is a grace period of 3 years for businesses to verify and confirm consent, the sooner your organization becomes CASL compliant the better.

Inna Koldorf is a partner with Koldorf Stam LLP, a law firm providing legal services in the areas of employment, labour relations, workplace investigations, human rights, social media and internet law.
