If you send email to Canada or perform any electronic business in Canada then you probably are already familiar with Canada’s Anti-Spam Legislation (CASL). However, what you may not be aware of is the impact CASL has had over the past year and insight into what’s to come.
What is CASL specifically? CASL is a comprehensive regulatory scheme which uses administrative monetary penalties rather than criminal sanctions to penalize those sending within, from, or to Canada, commercial electronic messages for which they do not have consent. CASL’s entire legislation is built and based upon consent.
Who administers and enforces CASL? There are 3 different agencies who oversee the enforcement of CASL.
- The Compliance and Enforcement Sector or the CRTC, which was created in 2010. They are also responsible for enforcing the unsolicited telecommunications rules (national do not call list, robo calls) since 2007. Last year they did $2.2M in administrative penalties for unsolicited telecommunications, which is not nearly as strict as CASL penalties which can range from a maximum of $1M (individual) to $10M (company).
- The Competition Bureau (CB) governs misleading or misrepresentation / deceptive practices such as false headers or subject lines, etc.
- Office of the Privacy Commissioner (OPC) – protects against the collection or use of personal information obtained without consent or through illegally accessing or interfering with computer systems (address harvesting, spyware, etc)
What does CASL legislation cover?
The legislation goes beyond fining companies with administrative monetary penalties to also providing provisions for domestic and international cooperation so that agencies responsible for governing electronic commerce have a means of sharing information and working together to prevent spam & fraud. For example, in the U.S. the CRTC shares information with the Federal Trade Commission and the Federal Communications Commission. Additionally, CASL also contains provisions for extended liability to break the corporate veil, meaning you can be sanctioned for something that occurs vicariously where you are the legal owner/entity responsible for the party who committed the violation, such as employees, director, or agents acting on your behalf. Lastly, the CRTC has the Spam Reporting Centre, which houses all of the spam and online threat complaints.
How can you be compliant?
There are three requirements to be compliant:
- You need consent expressed orally or in writing and you can provide documented proof. It can be express or implied as a result of a particular relationship you have or particular circumstances, which includes conspicuous publication (watch the webinar for full details and examples).
- An unsubscribe mechanism in your commercial electronic message.
- You have to meet the identification requirements (See our blog on SPF and DKIM in Sixth Grade English)
Does consent ever need to be renewed?
According to CASL, express consent never needs to be renewed. Yet, implied consent lasts for 24 months (implied consent–based on an inquiry or application about a product or service–that only lasts for 6 months). However, there is a transitional provision for implied consent that existed before CASL came into effect on July 1, 2014. You can get the full explanation in the Database Checklist provided by nNovation.
Are there any exemptions? Yes! There are some exemptions, however, you should always check the CASL website for up to date information. Here’s what Deloitte had to say:
- CEMs sent between family and friends (related through marriage, common law or any legal parent-child relationship, or if there is a voluntary two-way communication between the individuals)
- CEMs sent within or between organizations with an existing relationship (B2B)
- CEMs solicited or sent in response to complaints, inquiries, requests
- CEMs sent due to a legal obligation or to enforce a right
- Telecommunications service providers (TSPs): Under CASL, TSPs need consent to install certain computer programs, including programs that prevent unauthorized or suspicious legal activities (such as the installation of cookies) or programs unrelated to system-wide upgrades or updates. Under the proposed new regulations, TSPs will be permitted to install computer programs without consent for two purposes only
- Preventing illegal activities that pose an imminent risk to network security or
- Updating or upgrading devices across an entire network
- CEMs sent from instant messaging platforms (e.g. BBM messenger, LinkedIn InMail) where the required identification and unsubscribe mechanisms are clearly published on the user interface
- Limited-access, secure, confidential accounts (e.g. banking portals)
- CEMs sent to listed foreign countries, where it is reasonable to believe that the message will be opened in a listed foreign country that has similar rules as CASL
- CEMs sent by registered charities for the primary purpose of fundraising
- CEMs sent by political parties seeking contributions
In our recent webinar we cover:
- Why and how CASL has been enforced in recent months,
- How you can prepare for the next phases of CASL (Canada’s Anti-Spam Legislation)
- How CASL compares to other anti-spam laws
- What you can do if you are served a notice of violation by CASL
- How CASL determines who to investigate and which cases to take forward
- What you can do to stay up to date with the latest compliance trends
- …and much more
Important CASL Legislation Dates
- December 2010, Canada’s new anti-spam law was passed
- July 1, 2014, the anti-spam provisions came into force and the three-year transitional period began
- January 15, 2015, the section of Canada’s anti-spam legislation (CASL) that protects against the installation of unwanted software or software updates on consumers’ computers or devices came into force.
- July 1, 2017 – CASL will introduce “A Private Right of Action” which will allow individuals and organizations who are affected by an act or omission that is in contravention of the law to bring a private right of action in court against individuals and organizations whom they allege have violated the law. More information about this can be found gc.ca website.