The Canadian Anti-Spam Law: Businesses Beware
On July 1, 2014, the most aggressive anti-spam legislation known to date took effect: the Canadian Anti-Spam Law ("CASL"). CASL sets out strict rules outlining how businesses may contact Canadian customers through electronic means and provides penalties if these rules are broken. CASL specifically applies in situations where an electronic message is accessed in Canada, even if it did not originate in Canada. Therefore, even non-Canadian companies need to be compliant with CASL if they may be contacting Canadian customers.
CASL applies to any electronic message that is sent to an electronic address, defined in the law as "Commercial Electronic Messages" ("CEM"). This includes emails, text messages, image messages, social media messages, voice messages, and more. As such, CASL has a much broader scope than many of its counterparts, such as the United States "Can-Spam Act," which only applies to emails. However, CASL does not apply to faxes, two-way voice communications (such as phone calls), and voice recordings sent to a telephone account.
The law defines a CEM as an electronic message that has as "one of its purposes" the encouragement of participation in a commercial activity. This, once again, is a broader scope than other anti-spam laws, which usually require that the message have a primary purpose of commercial activity. Therefore, under CASL, an electronic message that has a primary purpose besides commercial activity may still be found to be a CEM and subject to CASL if a secondary purpose is found to be commercial. However, certain exceptions do exist to exclude messages from being categorized as a CEM, such as a message between people in a personal or family relationship, messages within a company, or messages that solely provide certain, specific information such as a quote or estimate that was requested, or delivery information of a product ordered.
CASL is an "opt-in" law, which is in stark contrast to the "opt-out" regime implemented by most other anti-spam laws. This means that a CEM can only be sent if the recipient has previously consented to receiving the message. Additionally, an electronic message asking for consent to receive CEMs is a CEM itself, meaning that businesses cannot send out mass requests for consents. The recipient must have given consent to the business before any messages can be received. In terms of consent, CASL outlines two possible options: implied consent and express consent.
Implied consent allows for CEMs to be sent to recipients where an existing business or non-business relationship exists. An existing business relationship includes situations where an actual transaction exists between the business and the recipient, such as a lease, contract, or business opportunity, and inquiries or applications made by the recipient to the business. An existing non-business relationship includes situations such as charitable donations, volunteer work, or membership in an organization. Implied consents expire under CASL, usually 24 months after the transaction occurred, or 6 months after an inquiry was made.
Express consents do not expire and are therefore preferable to implied consents. To gain express consent, the business must "set out clearly and simply" what the consent is being sought for and who is seeking the consent. This means that a business must outline what the content of the CEMs that will be sent to the recipient will be, and provide contact information, including a mailing address and a telephone number or email address. These express requests for consents cannot be hidden in terms of service or bundled with other requests. For example, a business may not state that by checking a box, a customer agrees to the terms of service and to receive CEMs. The request for consent must be its own separate checkbox, and the checkbox cannot be pre-checked for the customer. The customer must take actual and specific action in giving consent.
The burden of proving implied or express consent is on the sender of the CEM. Relevant regulatory bodies have stated that when a check box is used for express consent, "a record of the date, time, purpose and manner of that consent [needs to be] stored in a database" so that subsequent verification of the consent can occur.
For CEMs in general, CASL requires that each CEM contain specific elements. A CEM must include the identity of the sender, the mailing address and contact information of the sender, and an unsubscribe mechanism. The unsubscribe mechanism must be valid for 60 days from when the CEM is sent and must be readily performed. Examples of adequate unsubscribe mechanisms include a link in an email to a web page that allows the recipient to unsubscribe from some or all of the CEMs being sent, or replying STOP to a CEM sent via text message.
Monetary penalties for violating CASL can be up to $1 million for individuals and $10 million for companies. These penalties may be charged per violation and separately assessed for each day of non-compliance, leading to the possibility of extremely high penalties for those who ignore the requirements of the law. Beginning in 2017, individuals can file suit against those who fail to adhere to CASL. If successful, such individuals may recover monetary damages.
We recommend that businesses sending CEMs to individuals in Canada create a CASL compliance team to address CASL. This team should identify the CASL requirements that apply to the business, and implement appropriate measures to ensure compliance. These measures may include the development of appropriate express consent requests such as checkboxes on the business website, the updating of CEMs to include CASL requirements, and the implementation of a database of consents so that the business can prove consent if challenged. Additionally, the team should into place a compliance plan that will ensure continued compliance with CASL over the long term.
Please contact any member of the Intellectual Property Practice Group (Roberta Christensen, David Goeschel, or Linda Dammann) if you have any questions about this article. Special thanks to Zachary M. Rupiper, Law Clerk, in the preparation of this article.
by Roberta L. Christensen and David A. Goeschel