Oh, Canada – What does your
Anti-Spam Law Mean for Me?
5 Things Those Outside Canada Need to Know About Canada’s Anti-Spam Law (CASL)
Provisions related to sending commercial electronic messages under Canada’s Anti-Spam Legislation (CASL) come into
force on July 1, 2014. As we stand on the eve of this new regime, many Canadian companies are still scrambling to prepare
and, outside of Canada, many companies are just starting to realize how the legislation may impact their communications
with Canadians. If you send emails or text messages, use chat/messaging windows, or even interact on social media with
consumers or businesses in Canada from abroad, here are five important facts to consider in deciding whether you need
to worry about CASL:
1. Rethink “spam”
2. CASL’s extra-territorial reach
CASL applies to more messages than you might think.
The legislation addresses the sending of ”commercial
electronic messages” (CEMs), whether sent to consumers
or business-to-business, and whether sent through mass
emails or one-to-one. Amendments to our Competition
Act provide additional tools for our regulators in respect to
false or misleading conduct, but even without misleading
consumers – and even where you have consent under
private sector privacy legislation – your CEM could run afoul
of CASL.
CASL applies to CEMs sent from, or accessed in, Canada.
So, if you are sending CEMs to Canadians from another
jurisdiction, CASL will apply. Notably, there is an exception
where the person sending the message “reasonably
believes” that the message will be accessed in one of a list
of prescribed jurisdictions with anti-spam laws thought to
be ‘substantially similar’ to CASL and the message complies
with the laws of that jurisdiction. So, for example, if your
database is built from those who have entered contests
open only to residents of the United States, or through a
website only advertised in the UK, it may be reasonable
to believe that your CEMs will be opened in jurisdictions
other than Canada. But, in many cases, it may be unclear
whether to is reasonable to assume that Canadians are not
on your lists.
Beginning July 1, 2014 it is offside CASL to send a CEM
without express consent to do so, unless either an exception
is available, or implied consent is permitted through
specifically prescribed circumstances. Obtaining express
consent also includes the obligation to disclosure certain
contact information, and that the person can opt out at
any time. Further, prescribed disclosures and an opt-out
mechanism need to be included in the CEM. Otherwise, the
message will not satisfy CASL requirements. (Try doing all
that in a text message.)
And, there is no automatic grandfathering of existing email
lists under the legislation, although administrative positions
give some help to salvage prior contacts. Companies need
to consider carefully the grounds under CASL that allow
them to communicate electronically with their existing
contacts.
The extraterritorial reach of enforcement has yet to be
tested, of course, but if you have a physical presence in
Canada, you should be prepared to comply with CASL
even if the CEMs are originating from outside of the
country. CASL also contemplates reciprocal enforcement
agreements or arrangements with governments of other
jurisdictions, but we are still too early in the game to know
what these might capture and to what extent they will be
taken up in cooperation with other regulators.
3. Social media can be murky
Don’t forget that CASL reaches farther than just emails and,
in the context of Facebook, Twitter or other social media
platforms, it may not be “reasonable” to assume that the
audience does not include Canadians. Given the broad
scope of CASL, certain social medial activity is clearly
captured, but in some circumstances it’s not clear how or
whether CASL will apply. We start with the good news –
public posts, broadcast Tweets, and the like, would not be
captured by CASL. Direct or private messages sent through
social media platforms, however, would be captured
and therefore need to meet the consent and disclosure
requirements. Uncertainty lies in “hybrid” activity, including
tagging an individual or calling out another user’s handle in
a Tweet. To the extent that these are messages sent to an
individual user’s social media address, in addition to being
public posts, they could be captured by CASL requirements.
The regulator has yet to comment on how it interprets
these kinds of hybrid messages, and so some companies
may choose to proceed cautiously for now.
4. Exceptions and Implied Consent
There are exceptions to the CASL requirements, in whole
or in part, when sending CEMS to those with whom you
have a “personal relationship” or “family relationship” (also
defined), responding to a customer inquiry, or completing
a transaction, as examples. Note, however that some
exceptions only allow you to proceed without obtaining
express consent; mandatory information disclosures and
opt-out requirements for the message may still apply.
A lot of companies will see to rely on an “existing business
relationship” (EBR) with a person or company to be able
to imply consent to receive CEMs, instead of needing
express consent. Note, however, that there is a very
specific definition of an EBR that general requires a past
purchase or related inquiry, or some other written contact.
Note, however, that this implied consent expires after a
prescribed period of time, and so you have to keep track
of the dates of the activity unless or until you can convert
the communications to be based on express, rather than
implied consent.
Some more good news: if you can meet the definition of an
“existing business relationship” with existing contacts (i.e.
prior to July 1, 2014), and you have sent or exchanged more
than one commercial electronic message with the contact
as part of that relationship before that date, then you can
rely upon implied consent for three years (i.e. until July 1,
2017) unless the contact unsubscribes first.
5. Significant penalties
Non-compliance with CASL is no laughing matter and could
cost even well-meaning businesses dearly. Contraventions
of CASL carry an administrative monetary penalty of
up to $10 million per violation for corporations. CASL
also provides for injunctive relief, vicarious liability, and
authorizes the enforcing regulators to share information
with the government of a foreign state if the information
is relevant to an investigation or proceeding in respect of
a contravention of the laws of a foreign state (and where
the laws of that foreign state are substantially similar to the
conduct prohibited by CASL).
And, as if this wasn’t bad enough, beginning in July 2017
provisions will come into force extending a private right of
action, which would include class proceedings. Hold on to
your hats! We can see the potential for some significant
challenges ahead on this basis alone.
The above discussion only scratches the surfaces of what is a rather complicated and nuanced new legislation, with further
administrative guidance still to come from the regulator. Given its broad reach and strict penalties, it is important for
businesses reaching into Canada to evaluate their compliance efforts. In some cases, this may require re-evaluating existing
business and consumer marketing models, since CASL is now largely thought to be the most onerous anti-spam regime
worldwide. Who would have thought that of Canada, eh?
Added experience. Added clarity. Added value.
Miller Thomson LLP
millerthomson.com
vancouver
calgary
edmonton
saskatoon
regina
london
kitchener-waterloo
guelph
toronto
markham
montréal