The imminent arrival of Canada’s anti-spam legislation has sparked considerable fear that might lead the uninitiated to think that sending commercial electronic messages will grind to a halt on July 1st, when parts of the law kick in. The reality is far less troubling. For any organization that already sends commercial electronic messages, they presumably comply with PIPEDA, the private sector privacy law, that requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so. Compliance with the new anti-spam law (CASL) involves much the same obligations. While there are certainly some additional technical requirements and complications (along with tough penalties for failure to comply), the basics of the law involve consent, withdrawal of consent (ie. unsubscribe), and accessible contact information.
This post is not legal advice, but it seeks to unpack the key requirements associated with the commercial electronic messages provisions in CASL by answering the ten questions organizations should ask (and answer). Note that there are additional rules associated with software that do not take effect until next year. While this is not designed to be comprehensive – some organizations will face unique issues – it provides a starting point for the key requirements, exceptions, and application of the law. The law itself can be found here. The Industry Canada regulations here and the CRTC regulations here.
The primary takeaways? If you send commercial electronic messages, you need explicit consent along with an unsubscribe mechanism and contact information. There are many common sense exceptions to this general rule, however, including personal messages, most business-to-business messaging, and most messages sent to recipients outside of Canada. Moreover, if you do not have explicit consent, the government has implemented a transition period that grants you three years to get it.
1. What electronic messaging is covered by the law?
The starting point is to first identify whether your message is captured by the law. The law only addresses commercial electronic messages, but CASL takes a broad approach to what is included. The law states that “a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity.” That covers a lot – so long as the content, links, or contact information appears to have as a purpose encouraging commercial activity, it is caught by the definition. Note that the CRTC has said that encouraging commercial participation refers to encouraging the recipient’s participation.
2. What are the “big three” requirements under the law?
Sending commercial electronic messages is subject to three requirements under CASL. First, the law prohibits sending messages (or causing or permitting messages to be sent) unless the recipient has consented to receive it. Second, it establishes form requirements for electronic messages that specify that they must identify who sent the message, include contact information, and contain an unsubscribe mechanism. Third, the contact information must remain valid for at least 60 days after the message has been sent. The law expands on each of these requirements, as discussed further below.
3. Does my message qualify for an exception?
CASL features many exceptions to the general rule of having to comply with the big three requirements. Even among the exceptions, there are two types: those exceptions that exclude the message from all the requirements and those exceptions that exclude only the consent requirements (but leave the form and contact information requirements).
General exceptions that exclude the message from all the requirements include:
- messages between individuals with a personal or family relationship. The regulations indicate these messages involve direct, voluntary, two-way communications. They do not involve social-media only relationships (ie. likes or follows)
- messages sent between employees within an organization
- messages sent to a business (or person engaged in a commercial activity) where the message consists of an inquiry or application related to that commercial activity
- messages sent in response to a request, inquiry or complaint
- messages sent on an electronic messaging service (such as a social media direct message service) provided that there is adequate information and unsubscribe mechanisms on the service site
- messages sent to a limited-access secure and confidential account to which messages can only be sent by the person who gave the account to the recipient
- messages sent to satisfy or enforce a legal or juridical obligation
- messages sent to recipients outside the country with qualifying anti-spam laws (see jurisdiction discussion below)
- two-way voice calls, faxes, and voice recordings sent to a telephone account
The exceptions that exclude consent requirements but keep the form and contact information requirements include:
- quotes or estimates sent to someone who has requested it
- completion of commercial transactions
- providing warranty, product recall or safety information
- notifying the recipient of factual information about an ongoing product, service, subscription, membership, account, etc.
- information directly related to an employment relationship
- delivering a product, good or service (including product upgrades) if the recipient was entitled to receive it
- one third-party referral message, subject to certain requirements (including naming who made the referral in the message)
4. Does my organization qualify for an exemption?
The law features a number of exemptions for several types of organizations. First, registered charities are exempt provided that the primary purpose of the message is to raise money for the charity. Second, political parties and political candidates are exempt if the primary purpose of the message is to solicit a contribution. Third, telecom providers are exempt where their role in the communication is to merely provide telecommunications services.
5. My messages or organization do not qualify for an exception. What consent is acceptable under the law?
The law identifies two kinds of consent: express and implied. Express consent requires identifying the purposes for why consent is being requested and identifying who is seeking consent. The law generally requires express consent. Express consent may not involve pre-checked boxes. Rather, there must be an express, opt-in by the user to indicate their consent.
However, there are several exceptions that permit implied consent for electronic messaging:
- there is an existing business relationship between the sender and recipient. This includes any purchase of a product, good or service within the prior two years, the acceptance of a business opportunity within the prior two years, a written contract between the two parties from the previous two years, or any inquiry within the prior six months.
- there is an existing non-business relationship between the sender and recipient. This includes donations or volunteer work to or for charities, political parties, and political candidates, as well as membership over the prior two years in a club, association, or voluntary organization
- the recipient’s email address has been prominently published, there is no statement indicating the person does not want to receive messages, and the message itself is related to the person’s business, role or duties
- the recipient’s email address was disclosed to the sender, there is no statement indicating the person does not want to receive messages, and the message itself is related to the person’s business, role or duties
6. Are my existing consents valid?
Express consents obtained before the law took effect remain valid. Implied consents are subject to the transition described below.
7. What are the requirements for the unsubscribe mechanism?
The unsubscribe mechanism must allow the recipient to unsubscribe using the same electronic means that was used to send the message. There must also be a Web-based address that allows for unsubscribing.
8. What are the jurisdictional limitations in the law? Does it apply to non-Canadians sending messages to Canadians? To Canadians sending messages to non-Canadians?
The law applies to messages sent to Canadians and is invoked when a computer system in Canada is used to send or access the message. There are important exceptions in the application of the law to Canadian organizations that send messages outside the country. First, sending the message to a person in a country with comparable anti-spam laws means those local laws apply. The government has identified 116 countries that qualify for this exception and the list includes virtually all major countries that are likely to have commercial electronic traffic with Canada. Second, merely routing a message through Canada (but not using a Canadian computer server to send or access the message) does not trigger the law.
9. Does everything start on July 1st or is there a phase-in period?
While the law takes effect on July 1st, there is a three-year transition period. Where there is an existing business or non-business relationship, consent is implied for the full three years. In fact, the CRTC has apparently interpreted the transition provision to cover any prior business relationship. In other words, as long as the organization has implied consent, it effectively has until 2017 to upgrade to an express consent.
10. What are the penalties for violating the law?
The penalties are significant, which is why many people are paying attention to the law. The maximum penalty is $1 million per violation for an individual and $10 million per violation for a business.
This is never going to work….
I recently underwent “training” at our out large corp related to this topic… and after the training… I actually think the amount of “spam” will increase after this goes into effect. Specifically related to “implied consent”. Corps will be trying everything to get it, and once they have it, you’ll get spammed every 6 months even if they have nothing to report, since they’ll want to retain the “implied consent”. And if they “lose” it.. then phone spam will be on the rise, constantly asking “Hey, can I get your consent”, and phone spam isn’t covered 🙁 (yes we have a No Not Call registry which is just about as effective as this useless law)
I do have one question though… If I write an App for sale (or with ads…) ie, it’s a “commercial” app… and I post something like, “Hey check out my new app” to all my “friends” on facebook (twitter, G+, etc)… does this constitute “spam” and could I be liable for 10 million?
new unsubscribe trend
I have noticed that a number of companies now require you to log in to their site (user name and password) in order to unsubscribe. Since I do not recall subscibing in the first place, I have no idea what the user name and password would be. In the end, I am using my email service to relegate these messages to junk. To me the end result is that the company still believes that they have great numbers of subscribers but those subscribers are useless as they are not viewing any of the correspondence. Empty marketing and a stupid approach, IMHO.
Editor
Thanks very much, Michael, for this article on the spam legislation. And also your ongoing coverage of tech issues. I am certain you are more appreciated than you think!
anti-competitive scam
This law is an anti-competitive boon to existing businesses (especially ISPs with whom we have no choice but to establish a “commercial relationship”) who now have exclusive access to *my* inbox for the advertising of “upgrades” to their own products while newcomers are shut out from the use of that channel.
Over-reaching or over-reactions?
After a non-profit I work with took part in a free seminar with a lawyer about CASL, they came to the decision that the only way to fully comply with CASL is to make a rule that the “signature” of every single outgoing e-mail message — that is, even one-on-one regular daily e-mail communications from everyone in the entire organization — would have to have an “Unsubscribe” link placed in it. Of course, when you think about that, it is a logistical nightmare: If such a thing were a requirement of CASL for regular everyday e-mails, you would have to have some kind of over-arching e-mail software in place (in this particular case, in many locations, installed on hundreds of computers including even in private homes) so that anytime someone “unsubscribes” to a one-on-one e-mail from one member of the organization, it would have to blacklist that address so that no one else in the entire organization can ever e-mail them one-on-one again either, and presumably notify them that their message will not be delivered. (This mythical e-mail software would be absolutely 100% necessary too, because if you put an “unsubscribe” link, it would be assumed to work globally, and if someone else in the organization doesn’t know and e-mails that person, you’ve actually just made the situation a lot worse, and now they may be angry enough to report you to the authorities…)
The problem is that the wording of CASL doesn’t seem to differentiate between regular ‘ol one-on-one e-mails that you send in the course of regular everyday dealings and those that are part of the kind of unwanted bulk mass mailing we can all agree we’re all hoping to curb. That is, as a non-profit community outreach, they’re often engaging with regular individuals in the community, not just business-to-business. I can understand why all the non-technical people are absolutely panicking… but should they really be this worried?
I just thought I’d post this, because I’m not sure if your title, “The Fear-Free Guide…” quite addresses this angle they are worried about… I was clicking through hoping to find something to take back to them to ease their mind. 😉
(I should note that the non-profit messages they’re talking about wouldn’t be “fund raising”, which is exempt).
Ontario Realtors who keep spamming me!!!
Ontario Realtors who keep spamming me I cannot wait to nail you with these laws. I have unsub’d so many times and you jerks have never stop spamming me.
I cannot wait to nail them with CASL.
Great! This is truly progressive legislation…
Firstly, thank you Michael. This is the most clear summary of the legislation I’ve read so far. Now, in response to the law…
I’m flabbergasted that the government could come up with such idiotic waste of taxpayer’s money pursuing this legislation.
I guess our officials don’t realize technology has already solved this problem? If you’re still getting spam, you’re either using archaic email services or you have no clue how to set your spam filters.
The problem is that aggressive action against a few offenders significantly impairs how the majority of us do business. Who in their right mind is going to take a chance figuring out if an email is going to be deemed “commercial” or not when the fines are $1M? So what are we supposed to do now? Go back to mail, phone and fax to request permission to communicate? Are they out of their mind? Is it just us people in tech and other progressive businesses that understand it’s not the 80’s anymore? People simply don’t use these tools to do business anymore.
Just like the decoupling of the HST in BC, I’m betting this law doesn’t last the three-year compliance grace period. At least I’m hoping it doesn’t. That or Canada gets put out of business.
Doublecheck point #7
Thanks for this Michael. It seems to me though that point #7 in your article requires BOTH email-based unsubscription AND web-based unsubscription. The way I read subsection 11 it sounds like at least one or the other is required, not both. Do you disagree?
Will it help?
So, will this mean the police will collect headers from all the malformed emails I get every day and then spend the hours needed to track down who sent them? I can send them about 150 a day, each day, every day. Do you think they’ll actually enforce this against anyone actually abusing things or do you think it’ll get used to punish the well meaning or ignorant?
Michael, while I think your post about CASL is very clear and correct, your “primary takeway” that “If you send commercial electronic messages, you need explicit consent along with an unsubscribe mechanism and contact information” is actually not completely true. As you explain, there are some very reasonable allowances to use implied consent, not explicit consent, as the primary authority for sending a CEM to a recipient. For many companies doing mainly business to business communication, this is a very practical and reasonable alternative to explicit consent. There is a common misconception out there, I think, that explicit consent is the best or even the only option, but with a response rate of at most 10% to these requests for consent, you are essentially losing 90% of your potential contacts. A pretty horrendous outcome for most. Interested in other perspectives.
Pingback: Consent, new email laws and doing business | EITC - The Emotional Intelligence Training Company, Inc. EITC – The Emotional Intelligence Training Company, Inc.