Canada’s anti-spam law is in effect; are you compliant?
On July 1, Canada’s Anti-Spam Legislation (CASL) went into effect. The law is broad and has far-reaching effects, even for those who do not do extensive business in Canada.
In a nutshell, CASL requires individuals and companies to: 1) obtain consent (with limited exceptions) from consumers in Canada prior to sending them any commercial electronic messages, 2) provide complete and accurate information identifying the sender, and 3) provide an unsubscribe mechanism. The law comes with teeth, too, as failure to comply with CASL may lead to fines of up to $1 million for individuals and $10 million for businesses. Liability may extend to directors, officers, and agents of a company as well if they participate in the violation.
Since many businesses conduct business in Canada and/or have mailing lists that include Canadian residents (or email addresses of individuals with unknown residency), it is important to be aware of the law’s requirements and to ensure an appropriate compliance program is implemented.
What messages are affected?
CASL requires individuals and entities to obtain consent prior to sending any commercial electronic messages (CEM) to or from any computers or devices in Canada. CEMs encompass any type of electronic message, including email, text messages, instant messages, and some social media communications. CASL defines CEM very broadly as well, so that it encompasses any message that encourages recipients to engage in some type of commercial activity.
How do I obtain consent?
Consent may be obtained expressly or may be implied. For example, if you have an existing business relationship with a customer, you infer that the customer wants you to continue sending him or her messages. However, implied consent will be limited to individuals who have made a purchase from you or otherwise interacted with you within the last two years. This, of course, makes consent somewhat difficult to monitor.
The burden is on the sender of CEMs to demonstrate consent exists under CASL, so the safest approach is obtaining express consent. To obtain express consent, you need to: 1) provide a clear description of why you are requesting consent; 2) describe the types of messages you will be sending; 3) provide your company’s full name and contact information, including physical address, phone number, email, and domain name; and 4) provide a statement that they may unsubscribe at any time. Many companies are directing customers to a website where they can check the box to opt in. It is important to note, however, that the box should not be pre-checked or it will not be valid under CASL.
Is this required now?
Knowing that many companies will have to adjust to the new law, CASL provides a transition period to come into compliance. From July 1, 2014 through July 1, 2017, you may continue sending CEMs to recipients from whom you have implied consent because you previously had some business relationship with them in general. After July 1, 2017, you may send messages only to people from whom you have express consent or implied consent under CASL (transaction within the last two years).
Who is enforcing this law?
The Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau, and the Office of the Privacy Commissioner of Canada have authority to investigate and fine those who do not adhere to CASL. In the first week and a half that CASL was in effect, the CRTC reported that more than 12,000 complaints had been filed under CASL and were coming in at a rate of roughly 1,000 to 2,000 per day. How vigorously these complaints will be prosecuted remains to be seen.
Beginning on July 1, 2017, individuals may bring private causes of action against any person or entity sending spam messages in violation of CASL.
What should you do?
To ensure compliance with CASL, you should take the following steps:
- Educate senior management on the importance of the issue.
- Undertake a risk assessment. Research the number of .ca email addresses on current lists and determine how many addresses have unknown residency.
- Institute a written corporate compliance policy, which outlines internal procedures for ongoing compliance with CASL, establishes training needed, and identifies auditing mechanisms.
- Maintain records of activities undertaken in an effort to comply with CASL.
Taking these steps will not only assist in ensuring compliance, they may also be very useful for demonstrating that your company took the law seriously and attempted to be in compliance in the event you are investigated in the future. There are many gray areas of the law and, of course, mistakes happen. If you can document that your company was educated and took good-faith steps toward compliance, any potential penalties/liability will likely be reduced. The stated purpose of CASL is to promote compliance and reduce spam, not to penalize companies that make small mistakes.
Mindi Giftos is an attorney with the law firm of Whyte Hirschboeck Dudek S.C., practicing in the areas of intellectual property and technology law. She can be reached at firstname.lastname@example.org.
Click here to sign up for the free IB ezine — your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.