Canada’s anti-spam law (CASL), enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), requires that businesses and organizations secure a recipient’s express or implied consent before sending “commercial electronic messages” (CEM). A CEM is any electronic message that encourages participation in a commercial activity, such as a coupon or message about a promotion of the organization, an e-vite, and newsletters sent using email, text messaging or certain forms of messages sent through social networks. The legislation imposes severe fines for non-compliance and leaves open the possibility for private or class actions for damages. CASL has been deemed one of the toughest pieces of anti-spam legislation.

The biggest feature of CASL is the consent requirement, which requires Canadian and global organizations that send CEMs within, from or to Canada to obtain consent from recipients before sending the messages. This requirement does not apply to CEMs merely routed through Canada. The requirement only applies to communications sent to electronic addresses.

Consent may be obtained expressly or may be implied, and it is imperative that an organization, which has the burden of proving that consent was obtained, keep records as to how it obtained consent.

Express Consent – the recipient gives the organization a positive or explicit indication of consent, either written or oral, to receive CEMs.  Express consent cannot be obtained through a CEM. To obtain express consent, the organization must (1) clearly describe the purpose(s) for requesting consent; (2) provide the name of the person seeking consent, and identify on whose behalf consent is sought, if different; (3) provide contact information for either of those persons (mailing address and either a telephone number, email address of web address); and (4) indicate that the recipient can unsubscribe. Express consent is not time-limited and is good until the recipient withdraws his or her consent. If you obtained valid express consent from the recipient prior to CASL, this consent remains valid.

Implied Consent – can be sufficient in the following circumstances: (1) the sender and recipient have an existing business relationship; (2) the sender is a registered charity, political party or candidate, and the recipient has provided the sender a gift, a donation or volunteer work; or (3) the recipient’s email address was conspicuously published or sent to the sender — the address was disclosed without any restrictions and the CEM relates to recipient’s functions or activities in a business or official capacity. Implied consent is typically good for a period of two years after the event that starts the relationship.

Senders of CEMs must also include the following information in every CEM:

  • The name of the person sending the message, and identify on whose behalf the message is sent, if different than the person sending the CEM
  • Contact information for either of those persons (mailing address and either a telephone number, email address or web address)
  • A mechanism that allows the recipient to easily unsubscribe for free

Like many pieces of legislation, CASL comes with a slew of exceptions that exclude some CEMs from the requirements set forth. CEMs to which CASL does not apply include:

  • To someone with whom the sender has a family or personal relationship
  • To someone in commercial activity consisting of an inquiry or application related to that activity
  • In response to a request, inquiry or complaint or otherwise solicited by the recipient
  • To satisfy a legal obligation
  • To provide notice of an existing or pending right, legal or jurisdictional obligation, court order, judgment or tariff
  • To a limited-access, secure, and confidential account to which messages can only be sent by the person who provides the account to the recipient
  • By or on behalf of a registered charity for the primary purpose raising funds for the charity
  • By or on behalf of a political party or organization, or a political candidate for publicly elected office, for the primary purpose soliciting a donation or contribution

See CASL for a full list of exemptions.

CASL not only applies to CEMs but also establishes rules relating to the installation of computer programs onto a computer systems. These rules apply to all forms of computer programs but most importantly, CASL requires any person installing a computer program onto another person’s computer to obtain express consent from the owner or authorized user of the computer systems. The rules pertaining to computer programs went into effect Jan. 15, 2015.

Any organization who is deemed to be non-compliant by the CRTC will face severe penalties that may include criminal or civil charges, personal liability on officers and directors, and fines up to $10 million.

Compu-Finder finds out the hard way

The CRTC has issued its first Notice of Violation under CASL seeking a penalty of nearly $1.1 million from Compu-Finder for allegedly violating CASL. The CRTC conducted an investigation, which found that Compu-Finder sent CEMs promoting its goods and services to potential business customers without first obtaining consent from the recipients. The CRTC further found that the unsubscribe mechanisms on all the messages distributed was not functional.

The investigation targeted four violations which took place between July 2 and Sept. 16, 2014. The CRTC stated that this business accounted for almost 26 percent of complaints to the Spam Reporting Center for their industry sector. Compu-Finder has 30 days from the CRTC’s notice to either submit written representations or pay the staggering fine. The CRTC asserts this is not the only investigation of CASL violations that is underway. Any organization or business not in compliance could be liable under CASL if they are not fully complying with all requirements.

Strategic planning – keeping your company compliant

If your business or organization has not already created and implemented a strategy to comply with CASL, it’s imperative to act now. To effectively comply with CASL, we recommend taking the following steps toward compliance:

Designate a CASL Team
Every business should designate several individuals within the organization to serve on the CASL team. This team should be composed of representatives from marketing, information technology, human resources, risk, individual responsible for privacy control and legal counsel. This team is responsible for assessing current practices, understanding CASL and implementing and enforcing new practices to be in full compliance with CASL.

The CASL TEAM must:

  • Determine current use of CEMs
  • Identify channels by which CEMs are sent
  • Identify and assess whether the organization has implied or express consent to send CEMs or if an exemption applies
  • Develop and implement procedures to obtain required consents
  • include required content by CASL in all CEMs
  • Determine how CASL will affect policies, processes, customer relations, and information technology systems – conduct training and awareness for all personnel dealing with CEMs
  • Update and revise policies and procedures to be CASL compliant
  • Keep detailed documentation as to procedures taken to become CASL compliant

To help businesses comply with this Canadian law, the CRTC has provided numerous information sessions across the country and made guidance materials available on its website.