Canada's Long Awaited Anti-Spam Law Will Be In Force Beginning July 1, 2014
We are all aware of the existence of SPAM and the need to curtail these messages. Canada’s Anti-Spam Law, (“CASL”) will be in force beginning on July 1, 2014. CASL will be one of the strictest anti-spam regimes in the world. However CASL will impact both illegitimate and legitimate commercial electronic messages. Businesses must therefore appreciate the impact of CASL on the ability to communicate with customers and clients via electronic messaging.
SPAM refers to bulk messages of an unsolicited nature which often promote products or services through electronic mail, text messages, or video messages. SPAM can be used for ill purposes by those aimed at misappropriating personal data, banking information, or credit card numbers, luring individuals into scams including identity theft schemes, or defrauding consumers via counterfeit business websites.
SPAM messages are a nuisance, a drag on online commerce, and a menace for consumers. These messages have become a vehicle for a wide range of threats related to online commerce which affect both individuals and businesses.
CASL will affect individuals, businesses, and organizations by imposing regulations aimed at limiting and controlling the messages that are distributed. It is purposed to address three broad areas:
(1) commercial electronic messages (CEMs);
(2) alteration of transmission data; and
(3) the production or installation of computer programs.
The central feature and unifying purpose of CASL is to create an opt-in, consent-based regime to the receipt of these types of messages. Essentially, if a Canadian wishes to send an electronic message to a recipient that encourages the recipient to buy, sell, or lease a product or offers to provide certain opportunities, that recipient must first provide the sender with consent.
Most businesses will be largely impacted by the provisions and regulations restricting CEMs. Generally speaking, CASL requires that consent to receive CEMs must be “express consent”. In other words, the recipient of the message must have expressly agreed to receive such a message.
Under CASL, “express consent” can be oral or written. A person who seeks express consent from a recipient must meet certain prescribed criteria. Before a sender gets consent, he must, in a clear and simple manner:
identify himself by setting out prescribed information and providing contact information which must remain valid for 60 days;
outline the purpose(s) for which the consent is being sought; and
provide a free and electronic mechanism to permit recipients to indicate a desire to stop receiving the messages.
There are a few exceptions to this requirement and there are a number of situations where consent need only be implied. Express consent is not required for personal relationships, existing business relationships that involve communications via electronic messages, or for non-business relationships (i.e. messages sent by charities).
Importantly, if a business is sold, the new owner can continue sending CEMs to existing customers who have previously given express consent.
Moreover, implied consent from the receiver will be sufficient to meet the requirements of CASL where:
there is an existing business or non-business relationship between the sender and receiver;
the receiver has published or disclosed (to the sender) the address to which the message is sent without publishing or indicating that the receiver does not wish to receive unsolicited e-mails; or the message is sent according to the Regulations.
With more and more businesses sending out electronic messages to customers and potential customers, for marketing and other purposes, the impact of CASL on these legitimate business activities must be monitored. Businesses need to ensure that CEMs are delivered in accordance with the new regulations. Failing to do so could expose the company to far reaching and significant penalties under CASL. Individuals and businesses can be fined per violation, face civil and/or criminal charges, and be subject to private actions. Where compensatory damages are not awarded, recent case law has indicated that punitive damages may be warranted.
All businesses should take steps to do the following now:
Review organizational practices to determine what existing CEMs do not fall under one of the exceptions
Consider whether consent may be implied for the messages that are sent out
If consent cannot be implied, develop a system to obtain express consent. Make sure to follow the requirements under both the Act and Regulations when sending out requests for express consent
Ensure the existence of a system to reliably record the express consents gathered
Develop another system to track messages that fit under implied consent and make certain that each consent remains valid
Implement an “unsubscribe” policy and ensure requests to unsubscribe are complied with according to the time periods outlined under the Act
Will your business be prepared once the Act comes into force? To learn more about how the new Act will impact your workplace, please contact our office to schedule a meeting with a member of our Corporate-Commercial Group.