Complying with Canada’s Anti-Spam Legislation (“CASL”) – An Outline
Estimates put the number of Internet users at around 1/3 of the global population, with the number of users having grown by over 500% in the past decade. This higher level of connectivity brings greater concerns over online exploitation of end users, including through the distribution of unsolicited bulk messages. Some of these messages aim to promote legitimate goods and services, but others are nuisance emails or may be sent for malicious purposes such as distribution of spyware. As a result, the past decade has seen a number of jurisdictions implement anti-spam legislation, either as standalone laws or as part of broader data protection or telecommunications directives and laws. Canada is following suit with new anti-spam legislation, CASL, which was granted Royal Assent in December 2010 and which is expected to finally come into full force within the next 12 months.
Rather than waiting until 2014 to learn about CASL and the related regulations provided by Industry Canada and the CRTC, it is advisable for any business sending mass mailers and other forms of ‘commercial electronic messages’ (“CEMs”) to Canadian citizens to use this transition period to become familiar with the law and start putting compliance measures in place, because the penalties for non-compliance include significant fines. In outline, now is the time to start:
1. Identifying the activities you carry out which are within the remit of CASL. The law primarily focuses on:
- Sending commercial electronic messages without the express or implied consent of the recipient. There are a few exceptions to the consent requirement, but it will be easier to have policies that seek consent rather than trying to rely on the limited exceptions.
- Sending messages that automatically download/install computer programs without the recipient’s consent
- Altering transmission data
This means you should identify:
- What means of communication you use which could fall within CASL
- In what circumstances you obtain contact information of intended recipients and look to contact them through CEMs
- How you obtain consent and whether you keep track of it (e.g. dates of consent)
- Whether you are asking for referrals. If yes, you may only send 1 CEM to a referred individual, and it must contain the referrer’s full name, your contact information, and an opt-in mechanism to receive further messages.
- Whether you are installing any computer programs on any computing devices that you do not own
2. Categorizing recipients of your communications:
- Have they provided consent to receive CEMs from you?
- Is there an exception to obtaining consent in the legislation or regulations, e.g. the recipient is in a pre-existing commercial relationship with your business?
- Does implied consent apply?
3. Structuring your CEMs. Each CEM should identify the company/entity sending the message and/or the entity on whose behalf the message is being sent, together with the mailing address and either a phone number, email or web address of the sender or party on whose behalf it is sent. These contact details must be valid for at least 60 days from the date of sending the CEM.
4. Obtaining Consent. You should start obtaining consent from intended recipients of commercial electronic messages from your business and put in place policies to document that consent. Express consent is always best because implied consent has limitations, including expiry dates attached to it.
5. Updating Your Web Forms. To ensure compliance with CASL you need to have an opt-in tick box for consent to CEMs which is separate from the tick boxes for agreeing to your Terms of Service or Privacy Policy. Consent is required for each communication you send, so a tick-box/opt-in is probably the easiest way to achieve this. The CRTC’s guidance on tick-boxes is that a default toggling state that assumes consent (consent box is pre-ticked) cannot be used to obtain express consent. A positive, explicit indication of consent is required.
6. Providing Unsubscribe Mechanisms. Ensure there is an appropriate unsubscribe mechanism in every CEM, and note that there is a maximum of 10 days to stop sending CEMs after an individual elects to unsubscribe. The unsubscribe method needs to be free to the user and ideally should be through the same method by which the user subscribed, although any electronic method seems to be acceptable.
When CASL comes into force, a more in-depth analysis of requirements will need to be carried out by businesses, but now is the time to get to grips with the basics and take steps to get your business compliance-ready.
Author: Gisèle Salazar