CASL: Canadian Anti-SPAM Law “In Force” Anyday Now
After establishing a parliamentarian working group in 2004 to explore the matter, Canada – the last first world country without a SPAM law — finally got around to outlawing unwanted electronic solicitations by passing CASL (Canadian Anti-SPAM Legislation). And while the law is not yet “in force,” a Canadian politician recently said, “a specific date for enforcement will be set in the coming months.”
CASL may be one of the last Anti-SPAM laws coming out of the Western world, but it’s also one of the most robust. CASL takes a top down approach; it starts off by illegalizing all commercial electronic messages then goes on to outline exceptions to that rule. The law is so strict it requires online marketers to “get consent in order to ask for consent” – a sticking point that will inevitably be tested in a court of law once CASL goes into “force.”
CASL penalties are stiff. Companies of two or more employees, officers or directors can be fined up to $10 million per violation. Individuals caught spamming face a $1 million fine. Furthermore, under the law, individuals can sue spammers directly, which will probably lead to some high-dollar class action lawsuits when CASL “goes live.”
The Canadian Radio-television and Telecommunications Commission, the Competition Bureau and Office of the Privacy Commission are all involved in CASL enforcement.
Technically, CASL says that foreign entities in Canadian Web space are subject to the law, but it is still unclear how much international cooperation we’ll see. Guidelines set out in the Hague Convention may play a big role.
The new law creates a lot of compliance review work for businesses. Most companies will need to gather fresh consents from customers and review their social media and viral marketing campaigns.
What constitutes “Commercial Activity” under the new Canadian Anti-SPAM law?
“Commercial activity” is defined as any transaction, “whether or not the person who carries it out does so in the expectation of profit,” that is of a commercial character. Transactions involving law enforcement, public safety, official international affairs and national security, however, are not considered “commercial activity” under CASL.
What constitutes “data” under the new Canadian Anti-SPAM law?
CASL defines “data” as “signs, signals, symbols or concepts that are being prepared or have been prepared in a form suitable for use in a computer system.”
What constitutes an “electronic address” under CASL?
“Electronic address” is defined as “an address used in connection with the transmission of an electronic message to:”
- An electronic mail account;
- An instant messaging account;
- A telephone account; or
- Any similar account.
In what instances do CASL standards not apply?
It is illegal to send or facilitate the sending of a commercial electronic message under the new Canadian Anti-SPAM law unless:
- The recipient previously consented to getting the correspondence, “whether the consent is express or implied.”
- The message identifies both the person who sent the message and the person on whose behalf it was sent.
- Contact information for either the sender or the person on whose behalf it was sent is readily available. Contact information must be valid for a minimum of 60 days after the message is sent.
- The message has a conspicuous opt-out mechanism.
Additionally, CASL states it is “immaterial whether the electronic address to which an electronic message is sent exists or whether an electronic message reaches its intended destination.” In other words, if you set up a SPAM system that breaks the rules but never use it, you may still be held responsible.
If I send an email to a friend telling them about a financial opportunity, will I be violating CASL?
Thankfully, Canadian lawmakers remembered to add some common sense exceptions to CASL to ensure that the average citizen won’t get hauled into court for sending an email to their friends or family.
Exceptions to what constitutes a “commercial email:”
- Sending emails between family and friends;
- Inquiries about a given commercial matter;
- Requested quotes;
- Email that “facilitates, completes or confirms” a business transaction to which the recipient already agreed;
- Email containing warranty information, product recall, safety or security information to a person who has used or has purchased a product or service;
- Message that provides information about “an employment relationship or related benefit plan” in which the recipient is enrolled or involved;
- Email that provides notification of factual information about” a subscription product or service, membership account or loan;
- Communication that delivers a product or update to a user who has already agreed to enter into a business relationship;
I run a telecommunications company, can I be held liable for merely doing routine updates to my network or system?
No. Telecommunications service providers cannot be held liable “merely because the service provider provides telecommunications services that enable the transmission of the message.” Part of CASL prohibits entities from redirecting electronic messages “to a destination not agreed to by the recipient,” but telecommunication services providers are exempted from said clause.
Are installations addressed in CASL?
Yes. The new Canadian Anti-SPAM law specifically mentions installation of programs on computers. In short, the new statute outlaws the act. According to CASL, it is illegal to “install or cause to be installed a computer program on any other person’s computer system” unless the recipient “gave permission or acting in accordance with a court order.”
The main crux of CASL is consent. What are the prescribed steps for obtaining legal consent outlined in the Canadian Anti-SPAM law?
The rules for obtaining consent are straightforward. Simply state purpose for consent and identify the person seeking consent. If the message is being sent on behalf of another person, include information about said person.
Please provide examples of what constitutes “consent” under CASL (may be dependent on nature of violation).
- A pre-existing business relationship exists; or non-business relationship exists;
- If you purchased or leased a good, service, land within 3 years immediately prior to the sending of the message;
- Written consent;
- If an email address is conspicuously published, or an email address is provided and the recipient does not indicate that they don’t want to be solicited (must give them option online). However, these types of message must be relevant to the person’s business role, functions or duties in a business or in an official capacity.
What factors are considered when determining the monetary penalty amount?
- Nature and scope of violations;
- Perpetrators violation history;
- Financial benefit the violation conferred on the actioner;
- Ability to pay;
- Evidence of voluntary compensation to person affected by scheme;
- Other relevant factors.
If you do business online in North America — whether you’re in the United States or Canada — gear up for CASL implementation. Again, the law calls for international enforcement, so be a good scout and prepare! (Get in touch if you need a professional compliance audit of your online marketing efforts.)