Sending Spam in Canada Will Cost You

What You Need to Know About Canada’s Anti-Spam Legislation

On July 1, 2014, Canada’s Anti-Spam Legislation (CASL) went into effect, setting guidelines for businesses to protect Canadians against spam from electronic channels and to work toward a safer, more secure online marketplace.

Parts of the CASL are going live in 2017 that your business needs to plan for or you will risk fines and potential lawsuits from private citizens, and the parts that have already gone live yielded steep penalties in 2015.

If your subscription company sends commercial electronic messages (e.g., email, text/SMS, social media messages, sound, voice or images) to or from Canada, this WILL affect your business. Commercial activities include both profit and not-for-profit transactions and conduct. In this brief, we’ll tell you what you need to know.

Overview

Canadian Anti-Spam Legislation (CASL) imposes three new requirements for companies to comply with when sending commercial electronic messages (CEMs):

Consent – Companies must have express or implied consent to send a CEM.
Identification – Companies and organizations sending CEMs must clearly identify themselves and provide a business mailing address, a phone number, and an email or web address for the contact person who is sending the message or on whose behalf the CEM is being sent.
Unsubscribe – Companies must offer a way for recipients to unsubscribe – an unsubscribe mechanism – with every CEM sent. This mechanism must be clear, prominent and in working order for each communication.

What exactly is a CEM? CRTC provides guidance in its Frequently Asked Questions. Here are some tips to guide your decision:

Is one of the purposes of the CEM to encourage the recipient to participate in commercial activity? Consider the message content, hyperlinks in the body of the CEM that take the recipient to a website or database, and the contact information in the message.
Examples of a commercial electronic message include:
- Offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land
- Offers to provide a business, investment or gaming opportunity
- Promoting a person, including the public image of a person, as being a person who does anything referred to above, or who intends to do so (e.g., celebrity endorsement)

A CEM is deemed being sent to an electronic address if it is an email account, a telephone account (e.g., cell phone for SMS), an instant message account, or a similar account like a social media account. Websites, blogs, microblogs and fax numbers are typically not considered to be electronic addresses.

Exempt messages include¹:

Messages to a family or person with an established personal relationship
Messages to employees, consultants or people associated with your business
Responses to a current customer or someone who has made an inquiry within the last six months
Messages that will be opened or accessed in a foreign country, including the U.S., China and most of Europe
Messages sent on behalf of a charity or political organization for the purposes of raising funds or soliciting contributions
Messages attempting to enforce a legal right or court order
Messages that provide warranty, safety, recall or security information about a product or service purchased by the recipient
Messages that provide information about a purchase, subscription, membership, account, loan or other ongoing relationship, including the delivery of product updates or upgrades
A single message to a recipient without an existing relationship on the basis of a referral. The full name of the referring person must be disclosed in the message. The referrer may be family or have another relationship with the person to whom you’re sending.

According to Direct Marketing, the new Canadian Anti-Spam Legislation is one of the strictest and most aggressive anti-spam laws in the world in terms of opt-ins. While these rules currently apply in Canada, we can expect other countries to adopt similar legislation. Subscription companies would do well to adopt these rules as best practices no matter where they do business.

Timeline of CASL enforcement

The majority of the CASL legislation went into effect July 1, 2014. Other parts of the legislation have gone or will go into force at different times²:

July 1, 2014: sections 1 to 7*, 9 to 46, 52 to 54, 56 to 67 and 69 to 82 of the Act, subsections 12(2) and 12.2(2) of the Personal Information Protection and Electronic Documents Act, as enacted by section 83 of the Act, subsection 86(2), section 88 and subsection 89(1) of the Act went into force.
January 15, 2015: section 8** of the Act went into force.
July 1, 2017: sections 47 to 51 and 55*** of the Act will go into force.

*Section 6 relates to the sending of commercial electronic messages (CEMs).

**Section 8 relates to the installation of computer programs.

***These sections deal with the private right of action.

There is a three-year transition period from July 1, 2014 to July 1, 2017 in which companies and organizations can send CEMs to recipients for whom they have implied consent unless those recipients unsubscribe. After the July 1, 2017 cutoff date, CEMs can only be sent to recipients who have provided express consent or whose implied consent is valid under the new CASL – 24 months after a purchase or six months after an inquiry.

Express vs. implied consent

Express consent: If the sender of CEMs obtains valid express consent before July 1, 2014, that express consent remains valid until the recipient withdraws their consent. Express consent may be written or oral, but the sender must be able to provide proof of consent, including:

Whether consent was obtained orally or in writing
When it was obtained
Why it was obtained
How it was obtained

Silence or inaction on the part of a recipient does not constitute express consent. For example, express consent is not provided if a sign-up box is pre-checked and the recipient must uncheck the box to decline an opt-in opportunity. The recipient must take a positive action to indicate their consent, such as checking a box or typing in their email address.

If oral consent is used, the company or organization has the responsibility of proving that oral consent was provided. Compliance can be achieved if oral consent can be verified by an independent third party, OR if there is a complete, unedited audio recording of the consent.

Express consent is only valid if the following information is included with your request for consent¹:

A clear, concise description of your purpose for obtaining consent
A description of messages you’ll be sending
Requestor’s name and contact information (physical mailing address, telephone number and email address or website URL)
A statement that the recipient can unsubscribe at any time.

Implied consent: Starting July 1, 2014, where there is an existing business or non-business relationship that includes communication of CEMs, consent is implied for 36 months. This three-year period of implied consent ends if the recipient indicates they no longer wish to receive CEMs from the sender.

Implied consent is generally time limited. It is typically a period of two years after the event that starts a relationship, such as the purchase of a good. For subscriptions or memberships, the two-year period starts on the day the relationship ends³.

Additional guidance is provided in the Compliance and Enforcement Information Bulletin CRTC 2012-548.

Nuances to make note of

Direct Marketing points out that the law applies to any email accessed on a Canadian computer, so U.S. companies that do business in Canada, for example, need to be vigilant that their databases are up-to-date, and they know where their customers and prospects are located. We know of some publishers who are adding a mandatory country flag in their signup forms even though it may depress conversion to ensure they can flag where each email address in their file originates from.

Enforcement: violations can be costly

Allison Schiff, senior digital strategist for Direct Marketing, said the days of sending unrestricted emails are gone and businesses better heed the new rules or be subject to serious consequences.

“If you’re emailing people in Canada, you’d better make sure you have their express permission to do so, because the consequences could be expensive, or worse. Not only are the fines potentially steep-up to $10 million per violation-companies that intentionally mislead recipients with false sender information could potentially face criminal charges,” wrote Schiff.

According to CRTC, violations of sections 6 to 9 of CASL may require that the alleged offender pay an administrative monetary penalty (AMP). The maximum amount of an AMP, per violation, for an individual is $1 million (CAD) and $10 million (CAD) for a business⁴.

In 2015, CRTC imposed penalties on three organizations who have violated the anti-spam legislation¹.

In November 2015, Canadian broadcasting and publishing company Rogers Media paid $200,000 (CAD), about $148,000 U.S., in a settlement over alleged violations of CASL, said Telecompaper. According to the Canadian Radio-television and Telecommunications Commission (CRTC), Rogers Media failed to comply with CASL requirements from July 2014 to July 2015. CRTC alleges Rogers Media sent commercial emails with an unsubscribe mechanism that didn’t work properly. In other cases, the unsubscribe email was not available for the required minimum of 60 days after the message was sent. In addition to paying the settlement, Rogers Media said it will update and implement a compliance program.

In June 2015, Porter Airlines agreed to pay $150,000 (CAD), about $111,000 U.S., for noncompliance with CASL. CRTC’s investigation showed that Porter Airlines sent commercial electronic messages that contained an unsubscribe mechanism that was not clear or prominent, that did not have an unsubscribe mechanism or that didn’t provide complete identification information. Porter Airlines was also not able to provide proof of consent for some of the email recipients. Like Rogers Media, Porter Airlines agreed to update and implement a compliance program, and it has brought its mailing list into compliance with CASL.

In March 2015, Plentyoffish Media Inc. paid $48,000 (CAD), about $35,500 U.S., for sending electronic messages to registered users of the Plenty of Fish online dating service that contained an unsubscribe mechanism that was not clear or prominent and that was not able to be “readily performed.” Plentyoffish Media agreed to implement a compliance program and has brought its unsubscribe mechanism into compliance.

Best practices

To make sure your subscription company is compliant with CASL, we’ve prepared a list of best practices and additional resources:

Develop a corporate compliance program to avoid penalties, fees, legal fees and reputational damage. CRTC provides detailed guidelines in Compliance and Enforcement Information Bulletin CRTC 2014-326 covering risk assessment, record keeping, training, auditing and monitoring and more⁵. Consider consulting with legal counsel to ensure your company is in compliance.
Make sure your database is up-to-date and that you know which of your customers and prospects is located in Canada.
Clearly identify your company or organization as the sender in any CEMs and include contact information for each relevant person involved. When a CEM is sent on behalf of multiple people, such as affiliates, all of those people must be identified in the CEM. If not possible to include all material individuals in the body of the email, link to a webpage where the additional identifying information is available.
Include your business mailing address in each CEM. This information should also be included in a request for consent. Each CEM must also include a phone number to access a representative or voice mail system, an email address or a web address for the person on whose behalf you are sending a message. These contact methods must be accurate and valid for a minimum of 60 days after sending the message.
The unsubscribe mechanism must be consumer-friendly, clear and prominent and it must be able to be “readily performed.” In other words, if the unsubscribe link doesn’t work or it can’t be accessed without difficulty or delay, you have not complied.
Email unsubscribe mechanisms can be readily performed if they link to a web page where the recipient can unsubscribe. For SMS/text messages, the recipient should be able to reply STOP or UNSUBSCRIBE or click on a link to unsubscribe.
Ensure that the subject line of email communications is clear, relevant and truthful.
The content in the message should be consistent with the message’s subject line.
Do not include email consent in your terms and conditions of use or sale.
Keep records of how you obtained implied or express consent.
When requesting consent, checkboxes cannot be pre-filled to suggest consent. Each subscriber must check the box themselves for consent to be valid.
Unsubscribe requests must be processed within 10 days. Unsubscribe requests never expire.