Recent Efforts to Clarify Canada's Anti-Spam Legislation
Industry Canada and the Canadian Radio-television and Telecommunications Commission (CRTC) have received numerous stakeholder submissions and inquiries in relation to Canada's Anti-Spam Legislation (CASL) and its two subordinate regulations, known as the Electronic Commerce Protection Regulations (ECPR). While the CRTC's ECPR have been in final form since March 28, 2012, Industry Canada has been receiving feedback through public comment and bilateral and multilateral stakeholder meetings since its original draft ECPR were published on July 9, 2011. Both Industry Canada and the CRTC have recently attempted to improve understanding of the new legislation: Industry Canada has incorporated stakeholder feedback into a new draft ECPR while the CRTC has released further information on the new legislation.
On January 5, 2013, Industry Canada published its revised draft ECPR under CASL. These regulations have been amended, in part, to address concerns raised by the numerous submissions Industry Canada received with respect to the initial draft regulations.
Of note, the current draft of the ECPR:
- adopts a broader, more principled approach with respect to the definition of “personal relationship” by replacing the previous requirements—to have had an in-person meeting at some point in time and engaged in two-way communication within the previous two years—with an objective test to determine if a given relationship is personal;
- introduces additional exemptions with respect to the consent, content and form requirements currently prescribed by CASL—in particular, the aforementioned requirements will not apply with respect to commercial electronic messages (CEMs) sent, for example: (i) internally within an organization that concerns the affairs of the organization; (ii) in response to a request, inquiry, complaint; or (iii) to satisfy a legal or juridical obligation); and
- exempts from the installation consent requirements two classes of computer programs installed by or on behalf of a telecommunications service provider—those for the purpose of updating or upgrading the provider's network and those preventing illegal activities posing an imminent risk to the security of the network.
Ending on February 4, 2013, the ECPR are currently subject to a 30-day consultation period during which stakeholders are invited to submit to Industry Canada comments regarding these proposed regulations. We expect that the regulations, subject to any revisions which may arise from the consultation process, will be finalized thereafter.
The Canadian IT Law Association (IT.Can) hosted an informative outreach meeting early this year where representatives from the CRTC spoke about their views on the future enforcement of CASL. The focus of the meeting was to provide commentary on the two Compliance and Enforcement Information Bulletins issued by the CRTC on October 10, 2012, as well as to explore some of the hypothetical scenarios that have been raised by industry and the legal community.
The following insights were gleaned from the discussion with CRTC:
- The aforementioned bulletins are intended to be treated as guidance and are not meant to be prescriptive. Thus, the examples provided in these bulletins are not necessarily the only ways to ensure compliance with CASL;
- CEMs must identify the sender, along with the information necessary to readily contact the sender. If sent on behalf of, or in coordination with, an affiliated entity, the sender must also include the affiliate's identifying information;
- In considering what will constitute a CEM, the message need not necessarily be promotional in nature. Those sending electronic messages should pay close attention to the definition in the Act. A link to a website alone may constitute a CEM even if it links to a general homepage;
- Express consent to receive CEMs requires a positive action by the user to give the informed consent necessary. It will not be sufficient for a check-box, for example, through which consent is sought to be preselected/pre-checked;
- The CRTC is of the view that any express consent obtained prior to CASL coming into force will be sufficient to rely upon once CASL is in force (even if the initial consent did not meet all the requirements for compliance under CASL);
- With respect to certain social media sites that allows messages to be posted to “walls” (e.g., Twitter), consent to receive any messages that are posted on a “wall”, sent via a feed, or otherwise not targeted to any specific individual is obtained when a user agrees to follow or otherwise subscribe to receive such messages. Direct messages to any given user's electronic address, however, are different in nature, and will require CASL-complying consent; and
- Enforcement of the new legislation will be supported by the CRTC's Spam Reporting Centre. This is anticipated to be fully operational by March 2013, but will only start processing complaints when CASL comes into force.
Given that CASL is not expected to be in force until late 2013 or early 2014, the full impact of this legislation and its corresponding regulations continues to remain uncertain. While the CRTC and Industry Canada have made efforts at clarifying the requirements under CASL, the multitude of variations on digital communications have made it difficult to anticipate precisely how CASL will apply in all possible emerging scenarios.
Nevertheless, we expect this law will invariably apply broadly and, despite the increased flexibility contained in the ECPR, impose relatively onerous requirements on businesses that rely on CEMs.
In anticipation of this new law, such businesses should be aware of the foregoing requirements, and should begin the process of ensuring that internal policies, practices and procedures comply with same.