Anti-Spam Regulations

What is CASL?
CASL is a new anti-spam law that will apply to all electronic messages (i.e. email, texts) organizations send in connection with a “commercial activity.” Its key feature requires Canadian and global organizations that send commercial electronic messages (CEMs) within, from or to Canada to receive consent from recipients before sending messages.

A CEM is any electronic message that encourages participation in a commercial activity, such as an email that contains a coupon or tells customers about a promotion or sale. That said, a message that includes hyperlinks to a website or contains business-related information does not make it a CEM.

CEMs must be sent to an electronic address to be caught by CASL. Confirmations of successful unsubscribes, courtesy SMS (Short Message Service) sent to roaming customers, and publication of blog posts on micro-blogging and social media sites are out of scope.

What constitutes consent?
To send a CEM, organizations need express consent from recipients—either orally or in writing. Written consent can be electronic.

How can we get consent from our recipients?
When requesting consent, you must provide recipients with:

• The name of the person or organization seeking consent
• A mailing address and either a phone number, voice message system, email address or website where recipients can access an agent for more information
• A statement identifying the person on whose behalf consent is being sought
• The identity and contact information of any third-party or affiliate used to obtain consent
• You can link directly to your privacy policy
• A free unsubscribe mechanism that lets recipients electronically opt-out of communications
• The ability to opt-out of all types of communications sent by either your organization or a third-party partner

Can consent be implied?
Yes. Organizations don’t need express consent to send a CEM in the context of an existing business or non-business relationship, or if recipients conspicuously publish their electronic contact information or voluntarily disclose it without indicating they don’t want to receive communications.

Implied consent is satisfied when:

1. An active business relationship exists between the business and the recipient of the CEM.
2. The email address/phone number where the CEM will be sent has been made available to the public world by the individual.
3. Someone who has business activities that are relevant to the message in your CEM has given you his contact information and has not indicated that he does not want to receive marketing messages. For example, if someone has signed up to receive messages from your business in the past, it can be implied that the individual consents to receive messages from your business.
4. Note: Until June 30, 2017, consent can be implied if: The recipient of the CEM has not ever explicitly withdrawn consent to be contacted, and if either of the following requirements is met:

• The individual has purchased something from your business in the past, or
• The individual has sent an inquiry to your business in the past

If none of the above exceptions apply to an individual you wish to communicate with via CEMs, you will need to obtain explicit consent.

What happens if we don’t comply with CASL?

Organizations that don’t comply risk serious penalties, including criminal charges, civil charges, personal liability for company officers and directors, and penalties up to $10 million.

When will CASL come into force?
CASL will come into force in three stages:

• July 1, 2014: the anti-spam provisions come into force and the three year transitional period begins
• January 15, 2015: the consent and notice rules for installation of computer programs come into force and the three year transitional period for computer programs begins
• July 1, 2017: the private right of action comes into force, the transitional period for commercial electronic messages ends and the three year mandatory review for CASL will be triggered

• CEMs sent between family and friends (related through marriage, common law or any legal parent-child relationship, or if there is a voluntary two-way communication between the individuals)
• CEMs sent within or between organizations with an existing relationship (B2B)
• CEMs solicited or sent in response to complaints, inquiries, requests
• CEMs sent due to a legal obligation or to enforce a right
• Telecommunications service providers (TSPs): Under CASL, TSPs need consent to install certain computer programs, including programs that prevent unauthorized or suspicious legal activities (such as the installation of cookies) or programs unrelated to system-wide upgrades or updates. Under the proposed new regulations, TSPs will be permitted to install computer programs without consent for two purposes only
• Preventing illegal activities that pose an imminent risk to network security or
• Updating or upgrading devices across an entire network

What new exemptions did Industry Canada introduce?
The new Industry Canada regulations introduced five new full exemptions:

• CEMs sent from instant messaging platforms (e.g. BBM messenger, LinkedIn InMail) where the required identification and unsubscribe mechanisms are clearly published on the user interface
• Limited-access, secure, confidential accounts (e.g. banking portals)
• CEMs sent to listed foreign countries, where it is reasonable to believe that the message will be opened in a listed foreign country that has similar rules as CASL
• CEMs sent by registered charities for the primary purpose of fundraising
• CEMs sent by political parties seeking contributions

What is the partial exemption for third-party referral messages?
Under this partial exemption, businesses can send one single message to obtain consent for future messages. This means a CEM sent for the first time following a referral doesn’t require consent, as long as an existing business, personal or family relationship exists and the sender includes the full name of the individual(s) who made the referral, the identity of the sender and an unsubscribe mechanism. Any CEM sent following the first referral must comply with the form and content requirements of CASL (e.g. identify the sender and include an unsubscribe mechanism).
 
What you need to know
How can we prepare for CASL?
Although the steps each organization must take to update their electronic databases to manage consents and unsubscribe requests will differ, to prepare for CASL you should:

• Determine if you are sending CEMs
• Identify the channels through which you send CEMs
• Assess if you have implied or express consent to send CEMs or if an exemption applies
• Develop a plan to obtain any required consents
• Make sure your CEMs contain the content required by CASL
• Determine how CASL may affect your policies, processes, customer relationship management (CRM) and other IT systems, and staff training and awareness programs
• Revise your policies, processes and systems as required
• Keep an audit trail, since CASL contains a “due diligence” defense

When should we start our compliance process?
CASL involves significant work for most organizations—from reviewing the legal implications of the Act and identifying which resources across the enterprise are affected, to addressing any gaps in people, process, technology and governance. For large organizations with multiple business lines and channels, this could take months. To avoid scrambling to comply at the last minute, it makes sense to begin compliance activities now.

What do we need to understand to comply?

• The Act (CASL)
• The CRTC regulations
• Two sets of CRTC Interpretation Guidelines
• New Industry Canada regulations (issued December 4, 2013)
• The Industry Canada Regulatory Impact Analysis Statement (issued December 4, 2013)
• FAQs (expected to be released December 18, 2013)