Effective July 1 2014, all commercial electronic messages (CEMs) sent to electronic addresses in Canada will be regulated by a new law, Canada’s Anti-Spam Legislation, (or CASL). CASL dictates minimum content requirements for all CEMs, requires consent to send such messages, and contains rules prohibiting misleading statements as well as the unauthorized collection of personal information. CASL also contains rules requiring consent to the downloading of computer software programs and the unauthorized interception of electronic communications.
For CEMs within its application, the law stipulates three key requirements:
- Disclosure of the identity and readily-accessible contact information of the sender
- A readily-accessible unsubscribe mechanism
- The recipient’s prior consent to receive the CEM.
CASL provides for a number of exceptions to these requirements as well as provisions for implied consent. Organizations will need to determine whether they can qualify under any of these exceptions or for implied consent and then determine whether they will rely exclusively on these provisions, or whether or not they qualify, they will comply with the Act’s consent and content rules as a matter of best practice, including seeking express consent
All CEMs must include clearly and prominently a no-cost unsubscribe mechanism using the same media as the CEM or, if using that media is not practicable, any other electronic means enabling the unsubscribe request, and must specify an electronic address or link to a web page to which the request may be sent.
Subject to certain exceptions, sending of CEMs is prohibited unless the intended recipient has consented, in advance, to receiving them from the sender or from a person on whose behalf they are sent. Consent must be express – i.e. ‘’ opt-in”, unless implied consent has been given. CASL does not define express consent; however implied consent is defined to include only certain specifically-described existing business or existing non-business relationships, or an unqualified publication of a recipient’s electronic address.
Requests for consent
A sender that does not have implied consent, or does not qualify under one of the specified exceptions, must obtain prior, opt-in, express consent to send a CEM to an intended recipient. CASL stipulates certain information requirements to be included in any request for consent, including the purposes for which consent is sought, identification and contact information of the requestor, and a statement that consent may be withdrawn at any time.
It should be noted that, once CASL comes into force, requests for express consent cannot be made by CEM unless the sender already has another (e.g. implied) consent to send CEMs. This means that organizations having substantial contact lists that do not qualify for implied consent or under a CASL exception should consider e-mail strategies to obtain consent in advance of CASL coming into force. Furthermore organizations should review any express consents that they have currently to determine whether they qualify. CASL imposes an onus on a person claiming to have consent to prove that they have it. While consents obtained via requests made prior to CASL’s in-force date likely do not need to comply with the CASL-specified requirements, it is recommended that the CASL-stipulated procedures be followed.
The CASL Regulations
CASL contemplates two sets of regulations, one from Industry Canada and another from the CRTC. The Industry Canada Regulations are intended to address potential exclusions and exceptions from the law. In addition, the IC Regulations stipulate a number of other definitions and procedural conditions for exceptions as well as computer programs that may be installed without a user’s separate consent. The CRTC regulations specify the required form and content of CASL-compliant CEMs as well as the form and content for requests for consent.
No grandfathering of PIPEDA consents
Industry Canada has made clear that there will be no grandfathering of consents obtained under PIPEDA, unless those consents qualify as express consent for CASL purposes. PIPEDA permits both implied and express consent. As noted, under CASL, implied consent is available only in limited specifically-defined circumstances.
Implied consent is defined under CASL to include circumstances where a potential recipient has either posted or provided his or her electronic address without an indication that they do not wish to receive CEMs or the sender and the recipient have a defined existing business relationship, or existing non-business relationship. An existing business relationship is defined essentially to mean a relationship that existed within the previous two years involving the sale or lease of a product, service or land or a contract relating to such a transaction, or an inquiry relating to such a transaction made within the previous six months. An existing non-business relationship is defined to mean a donation, gift or volunteer work provided to a registered charity, or membership in a club or association (as defined).
Exclusions from all CEM compliance requirements
CASL excludes certain CEMs from both the content and consent requirements, including CEMs:
- Sent to friends or to family,
- Sent within or between organizations that have a relationship;
- Sent by charities and political parties for fundraising purposes,
- Sent within electronic messaging services such as BBM, Facebook Chat and Yahoo Messenger
- Sent by foreign entities
- Sent pursuant to a legal obligation or requirement
- Sent within a limited-access and confidential account
Exclusions from the consent requirement
CASL excludes from the consent requirement CEMs sent to facilitate commercial transactions as well as an initial CEM sent as a result of a third party referral.
CASL provides that, for a period of three years following the in-force date (July 1, 2014), CEMs may be sent to persons who qualify under an existing business or non-business relationship on the in-force date without regard to the otherwise applicable time period, provided that such relationship included the sending of CEMs. This means that if such a relationship existed at any time in the past (and such existence can be established), implied consent will exist for the three-year period commencing July 1, 2014. This time period will allow organizations to qualify their CEM contact lists by obtaining express consent, or alternatively setting up appropriate procedures to ensure compliance under an exception or an ongoing implied consent provision.
CASL Compliance Checklist
- Use an internal survey/questionnaire tool to gather information on existing databases
- Conduct an inventory of email contacts – categorized by:
- Main purposes of the email communications
- Existing donor/volunteer/customer/user relationships
- Express consent
- Determine your organization’s compliance strategy – whether will rely on exceptions/implied consents vs. express consent
- If determine that you will rely on exceptions, etc., you need to upgrade databases by CASL categories
- If you decide to seek express consent, you need to develop strategies for capturing consent (e.g. email response, website sign up, applications, agreements, email policies) and initiate an email opt-in consent program immediately (i.e. prior to July 1, 2014 when the Act comes into force)
- Develop consent request template
- Develop CEM template
- Develop CASL compliance procedures, policies, and controls including for third party service providers
- Conduct training
Canada’s New Anti-Spam Law – Compliance Primer for Charities and Nonprofits http://davidyounglaw.ca/compliance-bulletins/demystifying-casl-the-new-anti-spam-law-and-its-july-1-in-force-date/
CRTC Compliance and Enforcement Information Bulletins
- CRTC 2014-326 http://www.crtc.gc.ca/eng/archive/2014/2014-326.htm
Industry Canada FAQs http://fightspam.gc.ca/eic/site/030.nsf/eng/h_00050.html