What You Need to Know
The Basics
Canada’s Anti-Spam Legislation (CASL) generally prohibits:
- sending commercial electronic messages (CEMs) to an electronic address without consent;
- altering transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender;
- installing a computer program on a person's computer system without consent; and
- causing a program on a person's computer system to send an electronic message.
Aiding, inducing, procuring or causing to be procured any of these activities is also an offence under CASL.
The contents of this site will focus primarily on the first prohibition, namely the anti-spam provisions under CASL.
The Details
Sending Commercial Electronic Messages
CASL generally prohibits a person from sending a commercial electronic message (CEM) to an electronic address without the consent of the recipient. CASL also prohibits sending a CEM where certain required formalities are not included in the message, including an unsubscribe mechanism.
CASL and its regulations provide for numerous exceptions to the foregoing, including exceptions to consent in certain scenarios, and general exceptions based on the content of the CEM or the relationship of the sender and receiver. Senders may also be relieved of the requirement to meet the formalities where compliance is impractical.
Consent can be either express or implied.
It should be noted that an electronic message seeking consent may constitute a CEM for the purposes of CASL, and may not be sent without the recipient’s consent once this legislation is in force.
Non-Spam Prohibitions
Altering Transmission Data
Canada's Anti-Spam Law (CASL) generally prohibits the alteration of transmission data in an electronic message in the course of a commercial activity (alterations of the kind typical of “phishing” scams), unless the alteration is made with the express consent of the sender or pursuant to a court order.
Installing Computer Programs
CASL generally prohibits the installation of a computer program on a person's computer system unless the person has expressly consented to such an installation, and the installation complies with certain prescribed requirements. This prohibition captures all software, regardless of whether it is spyware, malware or software used for legitimate business purposes.
Causing a Program to Send a Message
CASL generally prohibits a person who has installed a computer program on another person's computer system from causing an electronic message to be sent from that computer system, unless the person has obtained the express consent of the owner or an authorized user of the computer system.
Consent
Canada’s Anti-Spam Legislation (CASL) generally prohibits sending commercial electronic messages (CEMs) to an electronic address without consent.
There are two types of consent: express and implied. The following will briefly discuss both. When reviewing same, please note that a person who alleges that they have consent to send a CEM has the onus of proving it. As such, it will be particularly important to ensure that any consents that are obtained and relied upon are recorded in a manner that can readily be retrieved.
Express Consent under CASL
Express consent is the gold standard under CASL as it permits the sending of CEMs for the purposes for which the consent was obtained indefinitely (i.e., until such consent is revoked or modified).
It can be obtained either orally or in writing from a recipient. In its non-binding guidelines, the CRTC has indicated that a person giving express consent must take some positive action to do so (e.g., checking a box). The CRTC has further indicated that express consent can neither be bundled into the terms and conditions attached to a product or service, nor be a condition of sale. In other words, express consent must be sought separately.
Certain informational requirements and formalities must also be met in CEMs that are sent even with express consent.
Finally, organizations that wish to rely upon express consent should consider whether the following open issues apply to them.
Ownership of Consents among Complex Organizations
Many large international organizations are composed of numerous sub-entities, including corporations, joint ventures, and trusts. A large organization that wishes to comply with CASL will need to decide which of its entities (or whether each of them) will acquire and own its consents under CASL. That decision has consequences in terms of regulatory investigations for non-compliance. It also has consequences with respect to the content such organizations will be required to include in their communications. If your organization is composed of numerous sub-entities, you should determine which of those entities will own your CEM consents before you attempt to collect them. We anticipate that ownership of consents will be one of the first questions under CASL that every large organization will need to answer.
Class-Based Consents
Consent under CASL is not necessarily one-dimensional. While many organizations will be able to comply with CASL by treating consent as an "all-or-nothing" question, the legislation provides for a potential multiplicity of consents given by a wide variety of actors. Class-based consents allow an organization to tailor the specific communications any person receives, and permit a person to unsubscribe from certain communications without revoking consent to all communications.
Collecting express consent from thousands of individuals, or more, may prove to be impractical for many large organizations. Even if an organization has the resources to accurately record and monitor express consent for many different individuals, the cost and inconvenience of collecting such consents may render compliance difficult. Businesses may find helpful the potential availability of organization-level consents, which appear to allow an organization to consent on behalf of its employees. Under CASL, a "person" (e.g., a corporation, partnership, or organization) can give a valid consent in respect of electronic addresses it controls. Accordingly, as many large organizations control their domain names, CASL appears to permit such organizations to give consent in respect of the electronic addresses associated with those domain names. Inter-organizational grants of such consent may permit senders to readily collect and record consent on behalf of organizations, reducing the practical compliance burden.
Implied Consent under CASL
Consent may be implied by virtue of any number of different scenarios stated in CASL, including the sender and recipient having:
- an “existing business relationship”; or
- an “existing non-business relationship”.
Consent can also be implied by virtue of the transitional provisions under CASL.
Implied consent, unlike express consent, is not indefinite. In most cases, implied consent only permits communication using CEMs for two years from the situation giving rise to the applicable relationship. As such, it will be critical to develop a means to track the currency of all relationships upon which any implied consent is based.
It is also important to note that certain informational requirements and formalities must also be met in CEMs that are sent with implied consent.
What’s an “existing business relationship”?
"Existing business relationship" is defined by CASL as follows:
A business relationship between the person to whom the message is sent and any other persons referred to in that subsection – that is, any person who sent or caused or permitted to be sent the message – arising from
(a) the purchase or lease of a product, goods, a service, land or an interest or right in land, within the two-year period immediately before the day on which the message was sent, by the person to whom the message is sent from any of those other persons;
(b) the acceptance by the person to whom the message is sent, within the period referred to in paragraph (a), of a business, investment, or gaming opportunity offered by any of those other persons;
(c) the bartering of anything mentioned in paragraph (a) between the person to whom the message is sent and any of those other persons within the period referred to in that paragraph;
(d) a written contract entered into between the person to whom the message is sent and any of those other persons in respect of a matter not referred to in any of the paragraphs (a) to (c), if the contract is currently in existence or expired within the period referred to in paragraph (a); or
(e) an inquiry or application, within the six-month period immediately before the day on which the message was sent, made by the person to whom the message is sent to any of those persons, in respect of anything mentioned in any paragraphs (a) to (c).
Since "existing business relationship" is specifically defined by CASL, an organization should carefully assess whether it can rely upon same.
What’s an “existing non-business relationship”?
"Existing non-business relationship" is defined by CASL as follows:
a non-business relationship between the person to whom the message is sent and any of the other persons referred to in that subsection — that is, any person who sent or caused or permitted to be sent the message — arising from
(a) a donation or gift made by the person to whom the message is sent to any of those other persons within the two-year period immediately before the day on which the message was sent, where that other person is a registered charity, a political party or organization, or a person who is a candidate — as defined in an Act of Parliament or of the legislature of a province — for publicly elected office;
(b) volunteer work performed by the person to whom the message is sent for any of those other persons, or attendance at a meeting organized by that other person, within the two-year period immediately before the day on which the message was sent, where that other person is a registered charity, a political party or organization or a person who is a candidate — as defined in an Act of Parliament or of the legislature of a province — for publicly elected office; or
(c) membership, as defined in the regulations, by the person to whom the message is sent, in any of those other persons, within the two-year period immediately before the day on which the message was sent, where that other person is a club, association or voluntary organization, as defined in the regulations.
One of the regulations under CASL defines a membership, club, association and voluntary organization as follows:
(a) membership is the status of having been accepted as a member of a club, association or voluntary organization in accordance with the membership requirements of the club, association or organization; and
(b) a club, association or voluntary organization is a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than profit, if no part of its income is payable to, or otherwise available for the personal benefit of any proprietor, member or shareholder of that organization unless the proprietor, member or shareholder is an organization the primary purpose of which is the promotion of amateur athletics in Canada.
Since "existing non-business relationship" is specifically defined by CASL, an organization should carefully assess whether it can rely upon same.
Implied Consent by Virtue of the Transitional Provisions
CASL provides transitional provisions that permit a certain amount of time for organizations to become compliant.
Under CASL, a person’s consent to receiving commercial electronic messages from another person is implied until the person gives notification that they no longer consent to receiving such messages or until July 1, 2017, whichever is earlier, if:
(a) those persons have an “existing business relationship” or an “existing non-business relationship” on July 1, 2014; and
(b) the relationship includes the communication between them of commercial electronic messages.
Third Party Referrals
Under CASL's regulations, the first CEM sent following a referral will be exempt from the consent requirements where:
- The sender has an existing business relationship, an existing non-business relationship, a family relationship, or a personal relationship with the referring third party;
- The referring third party has an existing business relationship, an existing non-business relationship, a family relationship, or a personal relationship with the recipient; and
- The sender discloses the full name of the referring third party to the recipient, and states that the message was sent as a result of the referral.
For example, if a person has dealings with a local mechanic, and wishes to refer their father to the mechanic, the mechanic can send one CEM exempt from the consent requirement to that individual’s father following the referral.
Because this exemption provides for only a single CEM exempt from the consent requirement, anyone relying on it should ensure that a request for consent is included in the initial communication.
Exemptions
Canada’s Anti-Spam Legislation (CASL) generally prohibits numerous IT-related activities, including sending commercial electronic messages (CEMs) to an electronic address without consent.
As discussed below, however, CASL provides certain exemptions with respect to the applicability of various requirements outlined therein.
The requirements to obtain consent and comply with any of the required formalities under CASL do not apply to CEMs where the recipient:
- has a “personal relationship” or “family relationship” with the sender; or
- is engaged in commercial activity and the message consists solely of an inquiry or application related to that activity.
The aforementioned requirements also do not apply to CEMs that are:
- in whole or in part, an interactive two-way voice communication between individuals;
- sent by means of a facsimile to a telephone account; or
- voice recordings sent to a telephone account.
Furthermore, the applicable sections of CASL do not apply to CEMs:
- that are sent by an employee, representative, consultant or franchisee of an organization:
  - to another employee, representative, consultant or franchisee of the organization and the message concerns the activities of the organization, or
  - to an employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent;
- that are sent in response to a request, inquiry or complaint or are otherwise solicited by the person to whom the message is sent;
- that are sent to a person
  - to satisfy a legal or juridical obligation,
  - to provide notice of an existing or pending right, legal or juridical obligation, court order, judgment or tariff,
  - to enforce a right, legal or juridical obligation, court order, judgment or tariff, or
  - to enforce a right arising under law; and
- that are sent by a registered charity and the message has as its primary purpose raising funds for the charity.
It is important to note that other exemptions are provided under CASL which may be applicable depending upon the circumstances.
Messages Exempt from the Consent Requirement
As discussed above, consent is generally required in order to send a CEM. This requirement, however, does not apply to CEMs that:
- provide a quote or estimate for the supply of a product or service if the quote or estimate was requested;
- facilitate, complete or confirm a commercial transaction that the recipient previously agreed to enter into;
- provide warranty information, product recall information or safety or security information about a product or a service that the recipient uses, has used or has purchased;
- provide factual information about the use or ongoing purchase by the recipient of products or services offered under a subscription, membership, or similar relationship by the sender;
- provide information directly related to the recipient's employment relationship or related benefit plan; or
- provide a product or service that the recipient is entitled to under a previous transaction.
Informational Requirements
Canada’s Anti-Spam Legislation (CASL) generally prohibits numerous IT-related activities, including sending commercial electronic messages (CEMs) to an electronic address without consent. Where a CEM is (a) sent with either express or implied consent or (b) exempted from the consent requirement, it must still meet certain informational requirements and formalities.
Under CASL’s regulations, all CEMs sent with either express or implied consent or exempted from the consent requirement must contain:
(a) the name by which the person sending the message carries on business, if different from their name, if not, the name of the person;
(b) if the message is sent on behalf of another person, the name by which the person on whose behalf the message is sent carries on business, if different from their name, if not, the name of the person on whose behalf the message is sent;
(c) if the message is sent on behalf of another person, a statement indicating which person is sending the message and which person on whose behalf the message is sent; and
(d) the mailing address, and either
  - a telephone number providing access to an agent or a voice messaging system,
  - an email address, or
  - a web address

  of the person sending the message or, if different, the person on whose behalf the message is sent.
Unsubscribe Mechanism
CASL’s regulations require that:
(a) a CEM contain an unsubscribe mechanism, which must be set out clearly and prominently; and
(b) any such unsubscribe mechanism be able to be readily performed.
If it is not practicable to include the prescribed information (as described above) and the unsubscribe mechanism in a CEM, such particulars may be posted on a page on the World Wide Web that is readily accessible by the person to whom the message is sent, at no cost to them, by means of a link that is clearly and prominently set out in the CEM.
Comparing CAN-SPAM and CASL
Canada’s Anti-Spam Legislation (CASL) generally prohibits numerous IT-related activities, including sending commercial electronic messages (CEMs) to an electronic address without consent. CASL applies to any CEM received by a computer system located in Canada. Accordingly, communications sent from outside of Canada may attract liability under CASL.
Organizations operating in the United States have been required to comply with the CAN-SPAM regime since 2003. Like CASL, CAN-SPAM controls commercial electronic communications, and imposes compliance obligations on persons who wish to use e-mail for marketing purposes. However, organizations should be aware that CASL prohibits a broader range of activities than CAN-SPAM. Compliance strategies that merely satisfy the bare obligations imposed by CAN-SPAM will not be sufficient to satisfy CASL. We anticipate that CAN-SPAM-compliant organizations who wish to communicate with Canadians may need to amend their current strategies in order to meet the burdens imposed by CASL. As CASL became law on July 1, 2014, organizations should have begun to take steps to improve their position under the new law.
Scope of Application
CAN-SPAM applies only to e-mail messages. Accordingly, most organizations that have implemented CAN-SPAM compliance plans have only been required to consider the application of the legislation to their e-mail communications. CASL, however, applies to any CEM sent to an "electronic address", which includes e-mail communications, but also includes a telephone number, instant messaging account, or any other similar address. While courts have not yet set limits on the types of accounts to which CASL applies, we anticipate that the broad nature of the legislation will lead to an inclusive interpretation. Social networking user IDs may fall within the scope of the term.
Opt-In Consent
CAN-SPAM establishes an "opt-out" consent regime, under which a person may send another person commercial electronic mail messages until the recipient revokes consent. Under CASL, however, a person who sends a CEM must in most cases have the prior consent of the recipient. In other words, CASL establishes an "opt-in" consent regime.
In certain situations, CASL provides that the consent of a recipient may be implied. In other situations, a CEM may be exempted from the consent requirement, or from the application of CASL altogether. However, given that implied consent is limited in duration to two years in many cases, we anticipate that many organizations may wish to collect express consent of recipients to limit potential liability.
Organizations should be aware that they likely cannot rely on implied consent where a Canadian recipient has revoked consent using an existing unsubscribe mechanism, even if that mechanism was not implemented in anticipation of CASL. Furthermore, express consent acquired under CAN-SPAM after July 1, 2014, is likely invalid under CASL, which requires requests for consent to meet certain standards. For example, the CRTC has indicated that a request for consent cannot be a condition for the supply of goods or services. Valid requests for consent should require a user to positively and explicitly express their consent (e.g., typing an e-mail address into a field to indicate consent). Finally, in most circumstances a request for consent itself will constitute a CEM, and as such cannot be transmitted by way of an electronic message without the consent of the recipient.
While transitional provisions will give organizations some time to gather consent from existing contacts, most organizations should implement compliance plans before the legislation comes into force.
Communication Formalities
CAN-SPAM requires a person who sends a commercial electronic mail message to include certain content in that message, including a statement that the message is an advertisement, a clear and conspicuous unsubscribe mechanism, and a valid business or post-office box address. CASL imposes similar, but more onerous requirements. In particular, it requires the sender to disclose information identifying itself and any person on whose behalf it is acting. Further disclosures are also necessary in other specified situations. For example, where a third party refers the contact information of a recipient to the sender, CASL requires the sender to disclose the name of the referring third party.
Enforcement
Canada's Anti-Spam Legislation (CASL) generally prohibits numerous IT-related activities, including sending commercial electronic messages (CEMs) to an electronic address without consent.
On this page, you will find information regarding the potential penalties and liabilities under CASL, as well as steps that your organization can take to mitigate such risks.
Reporting Violations
Individuals can complain about violations of CASL to the SPAM Reporting Center on the CRTC's fightspam.gc.ca website. The CRTC investigates such complaints through their enforcement team. In determining whether to take enforcement action, the CRTC considers the seriousness and impact of the violation, any history of non-compliance, and the efforts taken to prevent a violation.
Liability
As will be discussed in further detail below, a person can incur liability under CASL pursuant to either the administrative monetary penalty provisions or the private right of action provisions. An organization may be liable for a violation committed by an employee acting within the scope of their employment. In addition, an officer, director, or agent of a corporation that commits a violation may be personally liable for the violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation.
Given that the penalty for a violation can be severe, it is essential for organizations to develop and employ prudent compliance programs to seek to mitigate these risks.
Administrative Penalties
Enforcement of CASL is based on the specific circumstances of each case. The maximum administrative monetary penalty for a violation of CASL is $10,000,000 for a corporation and $1,000,000 for an individual.
Private Right of Action
In addition to the administrative monetary penalties outlined above, CASL will also create a private right of action for violations of certain provisions. This right of action comes into force on July 1, 2017. Individuals as well as organizations will be permitted to bring an action against any party for a violation of CASL. Remedies under the private right of action can include compensation up to an amount equal to the actual loss or damages suffered (plus expenses), as well as up to $200.00 statutory damages for each violation of the legislation to a maximum of $1,000,000 for each day the violation occurred. We anticipate that some plaintiffs will organize class actions under these provisions, potentially targeted at businesses.
Due Diligence
Due diligence is a defense to a violation under CASL – accordingly, an organization's evidence of compliance procedures and related documentation will be of great importance in determining the risk of liability, if any.
Organizations that send CEMs should ensure that they have reviewed their existing practices, identified high-risk practices, and have adopted a CASL compliance policy. The CRTC has issued an informational bulletin outlining guidelines to develop corporate compliance programs (see the CRTC's Compliance and Enforcement Information Bulletin CRTC 2014-326).
In our experience, the needs of each organization are fact specific and can vary.
Complaints and Investigations
The first investigation under CASL was concluded on October 7, 2014, and resulted in no fine for the offender (see CRTC Concludes First Enforcement Under Canada’s New Anti-Spam Legislation on the Bennett Jones Thought Network).
As of November 10, 2014, the CRTC has received over 167,000 complaints through the SPAM Reporting Center, and a number of investigations are currently underway by the CRTC enforcement team. There is limited information regarding the seriousness of the complaints submitted to the CRTC, the investigation process regarding these complaints and the status of any current complaints.
Complying with the Anti-Spam Law
Given the significant impact of Canada's Anti-Spam Law (CASL) and the scope of its liability, it would be prudent for businesses to be proactive in their approach to compliance with this legislation. To that end, the following strategies should be considered:
- Review all existing communication practices internally, as well as with applicable external service providers.
- Assess whether your communications are commercial electronic messages (CEMs).
- Assess whether your CEMs are subject to CASL.
- Determine which entity in your organization should "own" the consents.
- Address the informational requirements where consent is collected by your organization for itself or for other entities.
- Assess each of your business or non-business relationships to ascertain if implied consent is available for CEMs to be sent.
- Assess and diarize the availability of implied consent for those with whom you may have an “existing business relationship” or a “non-business relationship” during the three-year transition period.
- Take steps to collect necessary express consents. This cannot be done after July 1, 2014 using CEMs.
- Identify such communications where consents are not required but the informational requirements and formalities are still required.
- Develop a database of your contacts that:
  - enables all consents to be tracked, retained and retrievable; and
  - allows any waiver or variation of such consent to be readily tracked and implemented.
- Maintain policies to ensure that CEMs are not sent where there is no consent or where implied consent has expired.
- Create and maintain an easy-to-use and effective unsubscribe mechanism for the CEMs.
- Create templates for CEMs which satisfy the informational requirements and formalities, as applicable.
- Develop and implement a CASL-compliance policy to address applicable provisions in CASL.
- Educate all relevant employees and service providers about CASL, and the organization's CASL-compliance strategies.
- Ensure that all records of your compliance procedures and policies are maintained (as such documentation may support a due diligence defense at a later point in time).
- Review your CASL compliance activities from time to time and adapt as needed.
- Review developments in the law concerning CASL from time to time and adapt your compliance policies as necessary.
Useful Terminology
CASL means Canada’s Anti-Spam Legislation or technically An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23.
Commercial electronic message (or CEM) is generally defined to mean an electronic message that, having regard to its content, encourages participation in a commercial activity, namely any transaction, act or conduct or any regular course of conduct that is of a commercial character, regardless of whether there is an expectation of profit. CEMs include an electronic message that:
- offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
- offers to provide a business, investment or gaming opportunity; or
- advertises or promotes any of the foregoing.
Electronic address is generally defined to mean an address used in connection with the transmission of an electronic message to an e-mail account, instant messaging (e.g., SMS) account, or any other similar account.
Electronic message is generally defined to mean a message sent by any means of telecommunication, including a text, sound, voice or image message.
Express consent can either be written or oral consent. Any request to obtain consent from a person must set out clearly and simply the purpose or purposes for which the consent is being sought together with all of the formalities prescribed in CASL.
Implied consent means the consent that may be implied by virtue of any number of different scenarios stated in CASL, including the sender and recipient having an “existing business relationship” or an “existing non-business relationship”.
Formalities means the content that must be included in a CEM in order to comply with CASL, including informational content and an Unsubscribe mechanism.
Unsubscribe Mechanism is a method that allows a recipient of a CEM to indicate the wish to no longer receive any further CEMs from the sender.
Getting Help
If you require any assistance in doing so, or wish to learn more about how CASL may apply to you, please contact a lawyer at Bennett Jones LLP.
Details on our CASL initiative may be found on our Anti-Spam Law practice page.
Getting Ready
With the legislation in force since July 1, 2014, registered charities should have implemented their compliance plans.
Steps that such organizations should pursue to begin to implement their compliance strategies, if they haven't done so already, are set out at Complying with the Anti-Spam Law.