by Violet French, Partner, Torkin Manes LLP, Toronto, Canada [email protected]
Canada’s new anti-spam law (“CASL”), the toughest anti-spam law in the world, will come into force on July 1, 2014. Regardless of where your client is based, CASL could have significant ramifications. Don’t assume that this legislation applies only to spammers. It will affect any business that is marketing, advertising or doing business over the internet in Canada.
All lawyers and their clients should care about CASL. It has considerable extra-territorial reach, and applies where “a computer system located in Canada is used to send or access” an electronic message. So, CASL will apply if an email is sent from a European company or the US to a Canadian who receives and opens it on a computer located in Canada. In light of the long statutory reach outside of Canada and because of the unprecedented toughness of CASL, anyone involved in online commercial communications flowing into Canada needs to consider compliance with CASL.
A violation of CASL attracts significant administrative monetary penalties of up to $1 million for individuals, and $10 million for other legal entities, including corporations. Corporate directors and officers may be personally liable if they direct, authorize or assent to, or acquiesce or participate in, a contravention of CASL, subject to a due diligence defence. Employers may be vicariously liable for violations of CASL by their employees, subject to a due diligence defence. It is also an offense under CASL to aid, induce, procure, or cause to be procured the doing of any acts contrary to certain sections of CASL, including the sections relating to CEMs.
CASL regulates “commercial electronic messages” (“CEM”) which includes any electronic message that has as its purpose, or as one of its purposes, the encouragement of participation in a commercial activity. An electronic message includes email, text/sound/voice/image messages, and social media messaging. Even if the electronic message itself is not related to a commercial activity, it may still be a CEM, having regard to the hyperlinks to other content or websites or the contact information contained in the message. Commercial activity is defined in CASL to mean any transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so with the expectation of profit. Common business activities, including sending email messages to customers, operating a website, or making an application available for download, will be subject to CASL.
CASL is different than the US CAN-SPAM Act of 2003 (the “CAN-SPAM Act”) because, unlike the CAN-SPAM Act, which is based on an “opt-out” model which assumes that recipients of unsolicited electronic messages have implicitly consented to their receipt until and unless they take steps to opt-out of the receipt of such messages, Canada is moving to an “opt-in” consent regime. This will prohibit the sending of CEMs unless the recipient has given his or her express or implied consent, subject to limited exceptions. A significant issue with CASL is that after July 1, 2014, a CEM cannot be used to request this consent which means companies will need to obtain express consent without using email.
In addition to the obligation to obtain express or implicit consent to the sending of CEMs, CASL also regulates the content and form of CEMs. Every CEM must identify the sender, include prescribed contact information for the sender, and provide a specific unsubscribe mechanism which must permit the recipient to indicate, at no cost, that the recipient no longer wishes to receive CEMs from the sender. The sender must comply with requests to unsubscribe to CEMs “without delay,” and in any event within 10 business days. Prescribed contact information for each CEM includes the name and mailing address of the person sending the CEM, and a telephone number, email address, or web address of the person sending the CEM. Where the CEM is being sent on behalf of another person, such as by a third party service provider, the name of the third party as well as the name of the person on whose behalf the CEM is being sent must also be included.
CASL establishes a right of private civil action which may be commenced by any individual or organization affected by a contravention of CASL; however, this private right of action will not come into force until July 1, 2017. Class actions are also possible. These actions are of significant concern for anyone doing business in Canada or communicating online with Canadians. CASL also regulates the unsolicited installation of computer programs or software; however, these provisions will not come into force until January 15, 2015.
As a result of consultation with many different stakeholders, the three sets of regulations to CASL include many important exceptions that have to be assessed carefully by clients when implementing a compliance program. It is also important to consider Industry Canada’s Regulatory Impact Analysis Statement (“RIAS”) which clarifies questions raised during the consultation process, although the RIAS is not legally binding. Given the complexity and novelty of CASL, compliance with CASL will be complex and must be tailored for each client’s specific operations and processes.
The first phase of CASL’s implementation commences July 1, 2014, with the balance of its provisions being phased in over the following three year period. Legal advisors and their clients will want to act quickly to assess whether the client needs to comply with CASL and if so, the process for compliance with CASL. Given the extremely high administrative monetary penalties, it is critical to act now.