Understanding Canada’s new anti-spam legislation
On July 1, Canada’s anti-spam legislation (CASL) came into effect. CASL regulates more than just traditional “spam.” The new law prohibits the sending of electronic messages, such as emails or text messages that contain a commercial element (known as Commercial Electronic Messages or “CEMs”), unless specific requirements are met under CASL.
Understanding the new law is crucial for Canadian organizations, as failing to meet CASL rules for CEMs can result in administrative penalties of up to $1 million for individuals and up to $10 million for organizations.
WHAT CASL COVERS
Any CEM that is distributed to encourage participation in a “commercial activity” (as defined in CASL) is subject to the new rules. CEMs that contain sales offers, product or business reviews, hyperlinks to online stores, or other advertisements may be subject to CASL’s requirements.
For communications that meet CASL’s definition of CEM, senders must have express or implied consent from the intended recipient before the message is sent. The message itself must also contain certain prescribed formalities, including the sender’s contact information and an unsubscribe mechanism.
There are a few important exceptions. Messages sent within an organization (to franchisees, representatives or employees) are not subject to CASL as long as they concern the business of the organization. CEMs sent in response to inquiries or requests are also exempt. In addition, consent does not need to be obtained for the first CEM sent to a prospective customer if the message follows a referral by someone who has an existing business, non-business, personal or family relationship with both the referred recipient and the sender.
CASL’s main purpose is to discourage organizations from using electronic means to distribute unsolicited offers and commercial messages. CASL’s consent requirements are the cornerstone of this objective; ensuring recipients pick and choose the communications they want to receive.
In most cases, senders need to obtain “express consent” before sending any CEM. In addition to including the prescribed formalities, requests for consent must specify the class of communications to which consent will apply (eg. a daily newsletter or sales offers). Intended recipients must give permission to receive CEMs through a positive action, such as entering an email address or clicking on a hyperlink.
Express consent is not required if the CEM is sent to a person or business that the sender has a designated “pre-existing business relationship” with. Instead, consent to receive the communication is implied from the relationship. This exception allows companies to send promotional messages to customers or vendors from the past two years, as long as the message includes the prescribed formalities.
Consent is also implied if a CEM is sent to a person that conspicuously publishes their electronic address, the message is relevant to the recipient’s business activities, and the published address is not accompanied by a statement that the person does not wish to receive CEMs.
Employees should be educated about CASL’s requirements and familiarized with compliance measures to reduce the risk of inadvertent contraventions. Procedures should be put in place to monitor compliance and promptly respond to unsubscribe requests, complaints and investigations.
Contact lists should be reviewed to identify recipients for whom consent is implied and those for whom express consent is required. Systems should also be put in place to maintain an accessible and accurate list of consenting recipients for each class of CEM and for every CEM sender. In addition, all communications that contain a commercial element should be revised to comply with the prescribed formalities: identifying the sender, providing contact information and including a clear unsubscribe mechanism.
Record keeping and documentation is an essential component of CASL compliance. Organizations have the burden of demonstrating when and how consent was obtained from each CEM recipient. If relying on implied consent, information should be readily available that proves the existence of an existing business relationship within the last two years.