Is your business sending out commercial or promotional information about your organization or products via email? Then this Blog post is a must- read for you, if not then you can read for general knowledge (sit back and relax).
Please note the sections of the Canadian Anti-Spam Legislation that deal with the right to private action, were suspended on June 7 pending further review. See this briefing from Innovation, Science & Economic Development Canada
What is the CASL private right of action?
Any individual person (private) who considers themselves as the victim of a Canadian Anti-Spam Legislation (CASL) violation can sue the organization or business who has violated CASL (right of action).
Most of the law came into effect on July 1, 2014. These new rules are to protect Canadians from receiving spam email. Rules about computer malware, spyware and additional measures under CASL came into effect on January 1, 2015. The remaining piece of CASL – The private right of Action comes into force on July 1st, 2017, when the Implied Consent Transition Period ends.
CASL applies to:
- Commercial electronic messages (CEMs)
- Malware & spyware
- Scraping email address
- False or misleading electronic messages
What is a CEM or “Commercial electronic message”?
A message which is sent by any means of telecommunication, including a text, sound, voice or image message, intended to encourage participation in a commercial activity. Some examples of CEMs include:
- (a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
- (b) offers to provide a business, investment or gaming opportunity;
- (c) advertises or promotes anything referred to in paragraph (a) or (b); or
- (d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.
CASL does not apply to:
- non-commercial activity
- voice, facsimiles or auto-recorded voice calls (robo-calls)
- broadcast messaging including tweets and social media posts
Main requirements to send CEMs:
- Consent: You must have a form of valid consent as of July 1, 2017
- Identification: Clearly identify yourself and your organization in the sent electronic message. You must include:
- your mailing address
- a phone number for accessing an agent or a voice messaging system
- an email address, or a web address for you or the person on whose behalf you are sending the message.
- Unsubscribe mechanism: You must provide an unsubscribe mechanism that is functional for 60 days. This must be processed without delay.
- Truth in advertising: Your messages must not be false or misleading. You may not include misleading sender information, subject matter information, URLs and/or metadata in your electronic message.
The consent requirement:
The sender must have the recipient’s consent, in order to send CEMs. If your business violates this requirement, you can be sued under CASL.
Consent can be:
- Express consent: A valid consent given in writing or orally. The recipient gave you a positive or explicit indication of consent to receive CEMs (is not time-limited, unless the recipient withdraws his or her consent)
- Implied consent: recipient’s consent implied based on a relationship between sender and recipient, or action taken by recipient (is generally time-limited, 2 years after the relationship began or good purchased. Specific conditions apply. Please refer to the Legislation and its Regulations.)
- An existing business relationship (EBR) – The relationship is either ongoing or has ended not more than two years before recipient has purchased a product or service.
- An existing non-business relationship (ENBR) – The relationship is either ongoing or has ended not more than two years before the recipient has either donated to, volunteered for or had a membership.
- Sender must be a registered charity, political party, organization or candidate, club, association or voluntary organization.
- Business card exemption – unless the message relates to the recipient’s role, functions or duties in an official or business capacity and the recipient has not made a statement when handing you the business card that they do not wish to receive CEMs at that address
- Website exemption – message can be sent: if contact information is listed on the website and there is no statement in connection with the address that the person does not want to receive CEMs at that address, and the content of your CEM is relevant to the recipient’s business, role, functions, or duties in a business or official capacity.
When is consent not required?
Some CEMs are either exempt from all of CASL, or just the requirement to obtain consent.
Consent is Not Required for messages that:
- Are quotes or estimates
- Facilitate or confirm transactions
- Provide warranty, recall, safety or security information
- Provide information about:
- ongoing use or ongoing purchases
- ongoing subscription, membership, accounts, loans or similar
- employment relationships or benefit plans
- delivers a product good or service, including updates and upgrades
The message is Exempt from CASL if it is:
- A communication:
- Within or between business, where there’s an ongoing relationship
- In response to a request
- Enforces a legal right or obligation
- Sent via closed messaging systems
- Sent via a proprietary system
- Messaging systems where ID and unsubscribe is included on platform
- Sent to a foreign jurisdiction in compliance with their spam laws; (see Schedule 1 in the ECPR)
- Sent by registered charities raising funds
- Sent by political candidates or organizations, soliciting political contributions
- You have a Personal Relationship with the recipient
- individuals have a personal relationship (taking into consideration any relevant factors); and
- you’ve had direct, voluntary, two-way communication.
- You have a Family Relationship with the recipient
- marriage, common-law partnership or any legal parent-child relationship; and
- you’ve had direct, voluntary, two-way communication.
Make sure you keep records about how implied or express consent was obtained, since you may have to prove this information.
So, to summarize,
- CEMs are subject to CASL – is the message “commercial”?
- You need consent to send an electronic message (unless an exemption applies);
- Consent can be express or implied;
- Implied consent arises from an existing relationship, website exemption and business card exemption;
- Electronic messages must comply with identification and unsubscribe requirements of CASL.
What you should be doing now and after July 1 when Implied Consent Transition Period Ends?
If your organization had an EBR and ENBR with the recipient at any time before July 1, 2014 and sent or received email or other CEMs, as a part of the relationship, then the consent was implied until July 1, 2017.
How to ensure your business is compliant with Canadian Anti-Spam Legislation:
- Go through your email databases, manage your contact list and make sure you can demonstrate consent for every recipient;
- Separate your EBR and ENBR consents and identify those individuals where consent will expire on July 1st:
- Is there an ongoing relationship (as defined above)? If not, remove them from your contact list, or,
- Get consent. Either express consent or implied consent. This is most easily achieved by emailing your contact list and directly requesting consent.
- Manage your unsubscribe requests.
This blog post provides information about the law but is not a substitute for the law itself. You are strongly advised to review Full text of Canada’s anti-spam law and seek your own legal advice regarding how to comply.