On July 1, 2014, new sections of Canada’s Anti-Spam Legislation (“CASL”) took effect. The changes to the CASL have a broad reach and implications for anyone in the United States that send commercial electronic communication to Canadian residents, whether through email, text messages, and/or messages sent through social network accounts. These changes impact anyone communicating to someone in Canada from inside or outside of Canada, and regardless of whether the sender has any presence there. Accordingly, individuals and organizations that have not created, implemented, or updated their policies to comply with these new anti-spamming provisions of CASL should do so promptly, since they are already potentially subject to liability and/or penalties.
Who does CASL apply to?
CASL applies broadly to any individual, entity, or organization that sends “commercial electronic messages” (“CEMs”) to Canadian residents.
Does CASL apply to CEMs sent to Canada from the United States?
Yes. CASL applies to all CEMs sent from or accessed by computer systems located in Canada. Therefore, CASL governs CEMs sent from all other countries, including organizations in the United States with a presence in Canada.
What type of communication is a “CEM”?
A”CEM” is a very broad term, and is generally defined as an electronic message, including emails, text messages, instant messages, and a messages sent though social-networking sites, that are intended to encourage participation in a “commercial activity.”
“Commercial activity” is also defined very broadly, and includes activities whether or not there is an expectation of profit. Examples include offers to sell, purchase, barter, or lease any good, service or land; offers of business, investment, or gaming opportunities; and advertising. A CEM also includes messages that promote any of the aforementioned activities. Other activities would also include email advertisements of new product or service, an email distributing a company newsletter or updates of interest to a specific industry, and email invitations to attend promotional events hosted by an organization.
The following forms of communication do not constitute a “CEM”: two-way voice communication, faxing, sending voice-recordings to phone numbers, blog-posting or social media not directed at specific electronic addresses linked to an identifiable person or account.
What does the anti-spamming provision of CASL specifically prohibit?
Sending CEMs without recipient’s consent to specific email addresses, social networking or similar accounts, and to cell phones by text messages. CASL would also prohibit altering transmission data in electronic messages to cause delivery to a different destination without express consent.
How can an individual or entity comply with CASL’s anti-spamming policies?
(1) Consent. All individual or organizations that send CEMs must obtain express consent from recipients. In other words, the recipient must specifically opt-in to receiving CEMs from that individual or organization. As a warning, note that an electronic communication requesting “opt-in” could also constitute a CEM, so sending an electronic message requesting consent could itself be a violation of CASL.
In very limited circumstances, CASL also allows for “implied consent,” under specifically-defined scenarios. Note, that implied consent may always be withdrawn, but would include: (a) where an existing business relationship is present based on the purchase, lease, barter for, or receipt/acceptance of any good, service, or land interest within the 2 year period before the CEM, or based on an application within 6 months before the CEM; (b) an existing non-business relationship based on any donation or gift to, membership in, or volunteer work performed for a charity within 2 years before the CEM is sent; and (c) where a person has published his or her contact information on a business website or a social media site without indicating that communications are not welcome; however, any CEMs sent must specifically relate to the recipient’s business to fall within this exception.
(2) Form and Content: Any CEM must contain identification information that identifies the sender or entity on whose behalf the CEM is sent. The following information must be provided:
(a) the mailing address of the sender; and
(b) a phone number, an email address, or a web address related to the sender.
(3) Opt Out: Any CEM must contain information that enables recipients to withdraw consent, or to opt-out of receiving CEM from the sender. Specifically, withdrawal or opt-outs must be allowed at no cost through a reply communication or through a link provided on in the message. If a link is provided, that link must be active for 60 days after the link is sent. Opt out requests must be processed within 10 days after receipt of the withdrawal or opt out request.
What are the penalties for non-compliance?
Penalties for non-compliance are very steep under CASL, and include monetary penalties (up to $1 million on individuals and up to $10 million on other entities), potential criminal charges, and potential liability of employers for employee violations or personal liability of certain officers or directors.
Are there any exceptions to CASL’s anti-spam rules?
Yes, there are limited exceptions. CASL’s requirements for consent, opt out, and sender ID requirements do not apply to CEMs: (1) sent by or on behalf of an individual to another individual with whom there is a personal or family relationship; (2) to a person engaged in a commercial activity if the message consists solely of an inquiry or application related to that activity; (3) responding to a request, question, or complaint initiated by the recipient; and (4) fund raising efforts by registered charities or political parties.
While CASL’s opt out and sender identification requirements would still apply, CASL’s requirement for consent would not apply to CEMs that: (1) provide quotes or estimates requested by the recipient; (2) transmit warranty, recall, or safety/security information; (3) offer a means of facilitating the use and/or purchase of goods and/or services under a subscription, membership, account, loan, or otherwise similar relationships; and (4) facilitate, complete or confirm previously executed transactions.
For individual and organizations that have not yet complied with CASL’s anti-spam requirements, it is important to immediately develop a strategy to get express consent by potential recipients of CEM, to create policies and procedures to address these CASL requirements, and to continue and test and monitor activities triggering CASL. In addition, all organizations should review their relationship with third parties to ensure that parties that may assist with the dissemination of electronic communications are also in compliance with CASL.