In our Fasken Alert of December 5, 2013, we provided a general overview of how Canada's "anti-spam law" (formally known as An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, but informally and better known as "CASL") had finally come into force the previous day, such that the CASL requirements would be effected in a staged roll-out as follows: the anti-spam provisions coming into force on July 1, 2014; the provisions regarding unsolicited installed programs ("UIPs") - including cookies - coming into force on January 15, 2015; and the provisions providing for a private right of action coming into force on July 1, 2017.
The materials constituting both CASL and its regulations, and the interpretative materials which have been issued by Industry Canada and the Canadian Radio-television and Telecommunications Commission (the "CRTC"), are substantial. In addition to CASL, the CRTC has issued its (a) Electronic Commerce Protection Regulations (March 28, 2012)[1]; (b) Guidelines on the interpretation of the Electronic Commerce Protection Regulations (October 10, 2012)[2]; and (c) Guidelines on the use of toggling as a means of express consent under Canada's anti-spam legislation (October 10, 2012)[3]; and Industry Canada has issued (d) the Regulations (Anti-Spam Legislation) 81000-2-175 (SOR/DORS) (December 4, 2013), and (e) the Regulatory Impact Analysis Statement (December 4, 2013).
However, not only does the sheer volume of material itself pose certain challenges, but there are issues and ambiguities in the law which remain outstanding notwithstanding these government efforts to provide guidance. In light of the significant fines which can be imposed for a breach of CASL - namely, up to $1,000,000 for individuals and $10,000,000 for other persons - this has the potential to be problematic for organizations seeking to comply.
In an effort to distill some of the more challenging issues in CASL, we have in this bulletin identified ten key issues/requirements which organizations should understand in order to assist with compliance, organized by their application to spam, to UIPs, and to both spam and UIPs.
A. Anti-spam Issues
1. Low Threshold for Application. The anti-spam rules under CASL apply to "commercial electronic messages" ("CEMs") which are sent from or accessed from Canada, where "CEMs" are defined as any electronic message that "it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity". Accordingly, to the extent that a commercial electronic message has - even if not as its sole purpose - as at least one of its purposes the encouragement of participation in a "commercial activity", the anti-spam rules under CASL will apply. For example, if an emailed newsletter has no overt commercial purpose but contains a hyperlink to some form of advertisement, that newsletter will be subject to the CASL anti-spam rules.
2. More than Just E-mail. While CASL is colloquially referred to as an "anti-spam law", it applies to any transmission of an electronic message (which includes a text, sound, voice or image message) to (i) an email address, (ii) an instant messaging account, (iii) a telephone account, or (iv) somewhat ambiguously, "any similar account". In contrast, the range of excluded messages is very narrow, and consists of a CEM that (A) in whole or in part is an interactive two-way voice communication between individuals, (B) is sent by means of facsimile to a telephone account, (C) is a recording sent to a telephone account (which may exclude a voicemail left on an internet telephone system), or (D) is sent and received on an "electronic messaging service" (unfortunately not defined, but which may include instant messaging) provided that the required form of unsubscribe mechanism is present and the recipient consents to receive it (either expressly or by implication). Organizations need to carefully review their communications strategy to ensure that they understand each type of electronic message which they send and the CASL requirements which apply to each.
3. "Periods of Validity" of Contact Information. It is important to note that certain information is required to remain valid for a specified period of time after a CEM is sent. For example, CASL imposes certain consent and message content requirements for each CEM. The content must include certain contact information for the sender of the CEM - or if the sender is acting on behalf of a principal, such principal - and such contact information must be valid for at least 60 days from the time the CEM was sent. Note that this contact information must include the mailing address, and either the telephone number to an agent or messaging system, an email address or web address, of the principal, so this has certain implications where the principal moves their physical or electronic addresses. Similarly, recipients of CEMs must generally be provided with an unsubscribe mechanism allowing them to withdraw their consent to receive such CEMs. As above, such unsubscribe mechanism requires that CEMs specify an electronic address, or link to a webpage to which such withdrawal request may be sent, and that such address or link must also be valid for at least 60 days from the time the message was sent. Again, this validity requirement will have operational implications for organizations transitioning to a new domain or email address.
4. Importance of Relationship with Recipient. Depending upon the relationship of the sender with the recipient, the CEM may be exempt from both the consent and message content requirements; exempt from the consent requirements; or subject to deemed, rather than express, consent. For example, there are different exceptions for personal and family relationships, and for pre-existing business and pre-existing non-business relationships (in each case as same are formally defined), as well as for employees of the same organization sending CEMs to each other. Therefore, understanding in which of these categories, if any, the recipient belongs, will assist organizations in understanding which rules apply to that CEM. The potential for a significant diversity of different relationships suggests that senders may need to make a choice between either identifying different categories of recipients and then applying the different CASL rules to each, or applying the highest standard - i.e. express consent and inclusion of the required content - to all of the recipients.
5. Limited Utility of Recognition of other Jurisdiction Anti-Spam Laws. The final Industry Canada regulations attempt to limit regulatory duplication where CEMs are sent from Canada to other states which have their own anti-spam regulatory requirements. They do so by exempting from the CASL consent and content requirements those CEMs where the sender reasonably believes that the CEM will be accessed in one of the foreign countries listed in the regulation and the CEM conforms to the law of the applicable foreign country that is substantially similar to CASL[4]. While this provision at first appears to make it easier to send CEMs from Canada that are solely intended for foreign recipients, the second precondition - that the CEM in question conform to the anti-spam laws of the recipient jurisdiction - imposes an additional and potentially costly due diligence obligation on those organizations seeking to rely on this exemption. In many cases, meeting this precondition will require an organization to engage counsel in that jurisdiction to assist in making that determination.
B. Unsolicited Installed Program (UIP) Issues
6. Deemed Express Consent for Certain UIPs. In addition to anti-spam rules, CASL sets out rules concerning the express consent that must be obtained when software is installed on another person's computer system in the course of commercial activities. This requires that certain disclosure be made to the recipient, and that an appropriate acceptance mechanism be in place. However, a person will be considered to have expressly consented - that is, deemed express consent is said to have occurred - to the installation of a UIP where (a) the program is a cookie, html code, Java Scripts, an operating system, any other program that is executable only through the use of another computer program to which installation or use the person had previously consented, or as otherwise prescribed by regulation (which category currently includes network security patches; network updates or upgrades; and software bug fixes), and (b) the person's conduct is such that it is reasonable to believe that they consent to the program's installation. Unfortunately, it is not clear from CASL, the regulations, or from the various CRTC and Industry Canada bulletins and guidelines, what "conduct" will be sufficient to meet the threshold of evidencing a 'reasonable belief' that the individual consents to the installation of a cookie. Logically, it appears that the requisite conduct should be less than express consent - to give the deemed consent provision meaning - but it is not clear what lesser standard is sufficient. Implied consent would logically appear to be sufficient, but some experience under CASL will be required to confirm this interpretation. It is also important to note that while the provisions relating to the obtaining of express consent are addressed by this deeming provision, the other provisions relating to express consent appear to continue to apply - for example, the CASL provisions relating to the withdrawal of that consent.
7. Different Rules for Program Upgrades and Updates. While network updates or upgrades benefit from the deemed express consent mechanism in CASL, CASL exempts software updates and upgrades from the UIP disclosure requirements only, and does so only where (a) the installation or use of the base software was expressly consented to by the recipient, (b) the recipient is entitled to receive the update or upgrade under the terms of the express consent, and (c) the update or upgrade is installed in accordance with those terms. Thus, while software developers should be pleased that the rules around updates and upgrades are somewhat relaxed, they should also recognise that in order to benefit from these relaxed rules the appropriate consent needs to be obtained when the underlying software is first installed. Additionally, as the terms "update" and "upgrade" are used but not defined in CASL, what is considered to be qualifying software for the purposes of this exemption remains somewhat uncertain: for example, it is not clear that these include security patches, which in the context of networks are treated in CASL as being different from updates and upgrades.
C. General Issues
8. Express Consent must be Opt-in; Consent must be Unbundled. The base principle of CASL is that express consent from the recipient is required in order to send CEMs and install certain types of software. For example, CASL requires that (a) express consent must be opt-in (i.e. the recipient must give an explicit indication of consent) and (b) each request for consent must be separate and cannot be bundled together with other requests for consent for different purposes, such as consent requests for terms and conditions; for the collection, use and disclosure of personal information; in the case of UIPs, for the sending of CEMs; and in the case of CEMs, for the installation of UIPs.
9. Multilayered Enforcement Mechanisms. There are various provisions which set out the enforcement framework for CASL. They include:
a. the application of an administrative monetary penalty, where the maximum penalty is (i) $1,000,000 in the case of an individual, and (ii) $10,000,000 in the case of any other person;
b. the entry into an undertaking by the offending party, wherein each act or omission of the offending party and the applicable CASL provision is identified; applicable conditions of compliance are imposed; and a requirement to pay a specified amount - e.g. as a penalty - may be specified, and such undertaking effectively provides immunity against the proceedings commenced by a notice of violation (below); and
c. the issuance of a notice of violation against the offending party, containing similar content to the undertaking but requiring that the offending party either make representations to the CRTC regarding same or pay the penalty, provided that where the offending party makes representations, the CRTC must then decide, on a balance of probabilities, whether the person committed the violation, and if so, may impose, reduce, waive or suspend the penalty, subject to such conditions as the CRTC considers necessary.
CASL also contemplates the provision of injunctive relief, and a private right of action (to come into force on July 1, 2017), which if successful can result in a court order requiring the offending person(s) to pay the applicant (a) compensation in an amount equal to the actual loss or damage suffered or expenses incurred, and (b) in the case of a breach of (i) the anti-spam provisions, a maximum of $200 for each breach, not to exceed $1,000,000 for each day on which a breach occurred, and (ii) the UIP provisions, $1,000,000 for each day on which a breach occurred.
10. Personal Liability. Subject to a due diligence defence, any officer, director or agent of a corporation that commits a violation is liable for the violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is the subject of a proceeding. In light of the potential for personal liability for CASL breaches, it is important that organizations ensure that they develop and implement CASL compliance programs, including the development of Anti-Spam and UIP Policies, and any necessary amendments to their existing Privacy Policies, as soon as possible.
Note: this bulletin was re-published by CCH Canadian Limited publications, Commercial Times, Management Matters, and Ultimate Corporate Counsel Guide.
[1] Telecom Regulatory Policy CRTC 2012-183.
[2] Compliance and Enforcement Information Bulletin CRTC 2012-548.
[3] Compliance and Enforcement Information Bulletin CRTC 2012-549.
[4] It is not clear if the requirement that "the message conform to the law of the foreign state" is intended also to be qualified by the sender's reasonable belief.