Site icon Bluetrain

Everything You Need To Know About CASL (Canada’s Anti-Spam Legislation)

Canada is cracking down on spam. We’re only one of the last countries to join the anti-spam game, so as proof that the politicians are really serious about this, they decided to come up with the most stringent, vague, and overly-broad laws that could possibly be conceived. Luckily, most of the regulations don’t apply to politicians –convenient, right?

If you haven’t noticed yet, this article is going to be an opinion piece that also contains useful tips, recommendations and information about how to avoid penalties under this new legislation. Please feel free to comment on it and get a dialogue going!

I’m also going to absolve myself from any legal ramifications by saying that I’m not a lawyer and this blog post isn’t an expert opinion – do speak with a real lawyer if you need advice that will hold up in a Canadian court. As well, I’d like to note that I’ve been looking around the interwebs, and I’ve discovered a lot of over-simplified posts on CASL. I think it’s important to say that this new piece of federal legislation is going to be policed by the CRTC (Canadian Radio-television and Telecommunications Commission), so it really is a big deal.

Let’s start by reviewing the vocabulary around this legislation.

What is CASL?

CASL is the acronym for Canada’s Anti-Spam Legislation (affectionately pronounced “Cassel”) which is really only a nickname since people were finding it difficult to remember its full title: An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.

CASL applies to all commercial electronic messages (CEMs) which include emails, texts, social media and instant messages. In other words, CASL impacts any electronic communications with commercial intentions.

So, what constitutes a commercial electronic message?

That hasn’t actually been fully worked out yet, but this is what Brian Curial from Miller Thomson LLP told crowds that attended the Miller Thomson Legal Alert on Canada’s Upcoming Anti-Spam Legislation session on May 29, 2014. If the message contains “a link to a website, a signature block referring to your organization or any content that could be considered commercial, promotional or marketing” then, yep, you could be guilty of sending a CEM and forced to pay a crazy amount of money in fines if someone complains. What is a “crazy amount of money”, you ask? In this case, an individual could pay up to $1 million in fines or up to $10 million for a corporation per day. That’s right, you could be charged $1 million per day for every day you send CEMs.

Okay, so if the definition of a CEM sums up 99.9% of the emails that you send each day internally to staff, clients or extended family, then you need to protect yourself and get consent.

Consent under CASL

So I’m going to start off by saying that whoever wrote the legislation around CASL seems to understand the Internet about as much as the 90-year-old biddy who used to buy shoes from me and pay by cheque because she didn’t understand how money could be stuffed into something as thin as a credit card.

But since nobody in the Federal Government called me to ask my opinion on the legislation, I’ll get back to business. Below are the top 3 things that you need to remember in order to send any CEMs.

1. You need to get expressed consent from the recipient before sending the CEM. Expressed consent must be given, which means that users must opt-in and agree to receive CEMs. Essentially, users must click a previously unchecked box in order to say ‘yes’. You can’t bundle the consent and require it in order to complete an online transaction. Don’t hide the agreement for consent in a bunch of legal mumbo-jumbo somewhere in the 800 pages of service agreement. Just write it in a line at the bottom of a document with an unchecked box next to it. It’s also your obligation to keep a record of obtaining that consent. Finally, remember this consent doesn’t last forever. It’s on a rolling 2 year period, so go ahead and inform yourself at fightspam.gc.ca/.

2. When requesting consent include all the required sender info (name of person sending the message, on whose behalf the message is being sent, and all contact info such as mailing address, email address, telephone number, web address, etc.).

3. Have an unsubscribe option at the end of every single email, and make sure that you actually unsubscribe someone if they request it.

So what email communication is still allowed?

Well, any digital communication where you have expressed consent to parley with the other party and any emails where you are covered under implied consent. Implied consent can extend to:

I’m going to dive into some questions that have come up recently. Please note that the correct answer for every single one of these questions is: talk to your lawyer and get real legal advice.

Q: I’m a not-for-profit, so I don’t need to worry about CASL, right?

A. Nope, not necessarily. You may have some implied consent, but it’s restrictive. Inform yourself on what you need to know as a non-profit.

Q. Are businesses required to ask for consent in order to reply to a contact request or quote form submitted by email?

A. No, if someone has come to you requesting info about your products or services, then you are free to reply, however make sure you have an unsubscribe option in your email and your email signature has all the info it needs. You cannot add them to a newsletter list if you didn’t receive consent to communicate with them forever.

Q. Do businesses based in another country (and yes that includes the USA) need to follow this law if doing business in Canada?

A. Yes.

Q. If we get someone’s email off their website, do we have to screenshot that image and save it to prove that it was on their website?

A. No, but recently a lawyer said that it’s probably a good idea.

Q. Do I need to prove that I got consent?

A. Yes, you need written consent (includes paper and/or electronic consent) and this consent must record date, time, purpose and manner of the consent. Yes, you could also get oral consent, but that’s pretty hard to prove so just get written if and whenever possible.

Get prepared for July 1st, 2014 and do the following:

1. Get consent from all parties that you deal with. Be broad with request for consent. For example, “Do you wish to continue receiving electronic communication?” vs. “Do you want to continue receiving newsletters and promotional coupons…” I’d recommend sending out these email requests before July 1st otherwise, your requests for consent may be interpreted as spam.

2. Change your email signature so that it contains all of the required info.

3. Have an unsubscribe option in all of your emails. Even a “Reply to this email with ‘Unsubscribe’ to stop receiving emails from us” works.

4. Do your due diligence and develop an internal policy, then train your staff and update your privacy policies. This is part is critical because there’s a due diligence defence where: “A person must not be found to be liable for a violation if they establish that they exercised due diligence to prevent the commission of the violation (see Rules About Violations, section 33.1 in the CASL legislation). Law firm Miller Thompson has a great post on how to conduct an internal audit.

Basically you need to obtain consent for every touch point with someone new to establish that you received expressed consent and you need a record keeping system so you can prove it.

Lastly, inform yourself, follow what’s coming up (this is only stage 1 of 3), and feel free to tell the Federal Government what you think of the new legislation.

Resource Links

Exit mobile version