On July 1, 2014, the first provisions of the Canadian Anti-Spam Law (“CASL”) will come into effect. CASL intends to address the e-mail “spam” problem, where spam is undesired commercial electronic messages (“CEMs”), by requiring that recipients of CEMs to consent to their receipt, either expressly or implicitly. CASL covers the sending of CEMs to all Canadian persons, the unsolicited installation of computer programs, and the alteration of transmitted data by third parties (collectively, “Covered Acts”). If any of the Covered Acts are performed in a manner not compliant with the CASL, the violating party may be subject to a monetary penalty of up to $1,000,000 for an individual and $10,000,000 for an organization (these are in Canadian dollars; however, in recent years the Canadian dollar is nearly equal in value to the U.S. dollar). The below is merely an overview and summary of CASL and therefore does not represent legal advice for any specific scenario or set of facts.
How to Send Compliant CEMs
The following is required in order for a party to send CASL compliant CEMs:
- Obtain consent from potential recipients, either explicitly or implicitly (see below for a more detailed explanation).
- Clearly disclose the purpose of the consent being obtained, and clearly indicate who is requesting the consent.
- Clearly disclose, in each message, who has sent it, and on whose behalf it has been sent.
- Provide working contact information for the party sending CEMs.
- Include an unsubscribe mechanism in each message sent.
Consent can be implied and valid under CASL if the sender and recipient have a pre-existing business (or non-business) relationship, and in a limited number of other circumstances. This prior relationship must, generally, be based on actions within the last two years, except for the first 36 months of CASL (a transitional period during which the relationship can go back an unlimited amount of time). Critically, the burden is on the sender of CEMs to establish implied consent. If, for example, a Canadian recipient of CEMs wrongly files a complaint against a sender, and the sender has lost the business records that would establish valid implied consent, the sender may nevertheless be fined as if there was no consent at all.
Express consent can also be inferred by the sender based on actions or expressions of the recipient; however then the burden of proof remains on the sender.
E-mails, Voice Messages, and Text Messages Oh My!
CASL goes beyond e-mail, and applies to any “electronic communications.” This includes text, sound, voice or image messages; and those sent to an e-mail account, instant messaging account, voicemail, or any similar technology. Although this is beneficial in that it dissuades spammers who are increasingly exploiting these other forms of electronic communication, it creates a potential hazard in that unwitting individuals and organizations need to ensure that much, if not all, of their general communications are CASL compliant.
As mentioned above, core requirements of CASL are that the purpose of the consented-to communications, as well as the identities of the sender (and any party they are acting on behalf of) are disclosed. These foundational provisions clearly bear on and protect the privacy of recipients of CEMs. Additionally, Section 10(5) of CASL, which outlines requirements to install programs, sets out that program installers must clearly notice and describe (including any “reasonably foreseeable impact” of) any aspects of the program that do any of the following:
- collect personal information stored on the computer;
- interfere with the owner’s control of the system;
- change preferences, settings or commands;
- change or interfere with any data stored on the computer;
- cause the computer to communicate with any other system or device without authorization; or
- install any third-party program.
All of the above points touch on major privacy concerns of consumers, who have, in recent years, become frustrated not only with “spam” programs and exploits being placed on their computers (or smartphones) by nefarious actors, but also with legitimate companies installing programs. These installations are both known and unknown to consumers, and they unexpectedly collect personal/private information, and transmit such data to the company (or third parties), which constitutes commission of Covered Acts. These actions play into consumers’ increasing preference to know how they are being “tracked” online, and their desire for the ability to disable such tracking.
But I Am Based In the United States
Because the law applies to anyone sending CEMs to Canadians, those outside of Canada who are (or might be) sending CEMs to Canadian persons are affected by CASL. Since American businesses and individuals send (commercial) e-mails to Canadians, they are logically subject to CASL. Thus, if American individuals or businesses do not comply with CASL, they could be subject to fines and/or legal action in Canada. In order to avoid violating CASL and being subject to penalties, American individuals and entities that send CEMs should ensure their solicitation policies are CASL compliant.
Additionally, CASL defines “commercial” very broadly, and includes all businesses, without regard to profit; as such, even nonprofits are included. While there is an exception for registered Canadian charities, American charities, 501(c)(3)’s and other tax-exempt organizations, somewhat counter-intuitively, are subject to CASL – as much as any for-profit business.
In the end, U.S. entities have nothing to lose by abiding by CASL, as the requirements CASL sets out are simply good digital-age consumer relationship management practice, and can be reasonably considered basic business ethics. Further, by complying, U.S. businesses and individuals have only the elimination of potential international legal hassles to gain. Additionally, in complying with CASL, American entities will also be addressing many current consumer concerns with online data privacy.
The best policy is to put privacy first. United States entities or individuals sending CEMs of any kind should review their privacy policies and compare their procedures and provisions with those required by CASL (as well as U.S. online privacy laws and those of other nations) to determine whether they are compliant. An experienced and certified OlenderFeldman attorney can assist with this process.