Last Phase of Canada's Anti-Spam Legislation (CASL) Rolls Out July 1

Three-year transition expires and private court actions can now be filed.

Overview

In February 2016, Subscription Insider wrote a best practice report on Canada’s Anti-Spam Legislation (CASL), which is designed to protect Canadians from electronic spam and to work toward a safer, more secure online marketplace. The majority of that legislation went into effect on July 1, 2014, section 8 of the CASL Act went into effect on January 15, 2017, and the remaining portion – sections 47 to 51 and 55 of the Act – comes into force on July 1, 2017.

When CASL was enacted, it imposed three new requirements on companies sending commercial electronic messages (CEMs), including emails, social media messages, text messages and sound, voice or image messages, to a computer or device located in Canada:

  1. Consent: Companies must get the desired recipient’s express or implied consent before sending a CEM.
  2. Identification: Companies and organizations sending CEMs must clearly identify themselves and provide a business mailing address, a phone number and an email or web address for the contact person who is sending the CEM or on whose behalf the CEM is being sent.
  3. Unsubscribe: Companies are required to provide an unsubscribe mechanism with every CEM sent. The mechanism must be clear, prominent and in good working order.

There are exemptions to the CASL regulations. For example, email responses to inquiries, requests or complaints are excluded from the Act.

Express consent versus implied consent

Express consent means a recipient has clearly agreed to receive a CEM, either orally or in writing. This is a proactive action which often comes in the form of an opt-in mechanism, like completing an online form. Express consent is not time-limited. A company can send CEMs to the recipient until the recipient notifies the company that it does not want to receive CEMs anymore.

Implied consent is more complex and can come in different forms. For example, implied consent can occur when a company has an existing business relationship (EBR) with a recipient, if the sender and the recipient have an existing non-business relationship such as belonging to the same club, or if the recipient has published their email address publicly on a website without a caveat that says they will not accept CEMs. In the last scenario, the content of a CEM sent must be relevant to the recipient’s business, role, functions or duties in a business or official capacity.

In the case of an existing business or non-business relationship for implied consent, the relationship must have been established before July 1, 2014 to fall under the three-year transitional provision of CASL.

Regardless of the type of consent a company has obtained, if a recipient asks a company to stop sending CEMs to them through an unsubscribe mechanism or other form of communication, companies are required to stop sending CEMs within 10 business days. The onus of proving consent, express or implied, is on the company.

Obtaining express consent via opt-in

Under CASL, an opt-in form must have four parts:

  1. An opt-in statement that clearly identifies what a user is agreeing to
  2. A way to unsubscribe or opt-out in the future. This could be done through language in the opt-in form, or in an email confirmation that confirms the opt-in.
  3. A clear identification of who the company is or on whose behalf they are speaking
  4. The company’s mailing address, phone number, and email or web address.

It isn’t enough to follow these rules, however. A company should keep good records to prove they are compliant and have received an opt-in from a recipient. The burden of proof is on the company. Companies should record and save the following information:

  • The subscriber’s email address
  • The subscriber’s IP address
  • The date and time of opt-in
  • The specific URL of the landing page or other source (if that page is no longer active, provide a screenshot)

Requirements for opt-out

An unsubscribe link is a common best practice and will help a company comply in other jurisdictions like the United States. However, CASL rules require the following:

  • The sender must always give a subscriber the option to unsubscribe from all CEMs, including transactional emails.
  • The sender must not require any information except the subscriber’s email address.
  • The sender must not ask subscribers to log into a website or visit more than one page to complete a request to opt-out.
  • All unsubscribe requests must be complied with within 10 business days.

Requirements for installing computer programs

One area of CASL that is not discussed as often is the new requirements for installing computer programs, effective January 15, 2015. CASL prohibits the installation of a computer program on another person’s device in the course of commercial activity without the express consent of the device owner or an authorized user. CASL does not apply to programs or apps that owners or authorized users download themselves to install on their own computers or devices, or to updates they install.

In some cases, express consent is granted without requesting it prior to installation. The list includes:

  • Cookies
  • HTML
  • JavaScript
  • An operating system
  • Any other program that is executable through another program that was consented to
  • If you are a telecommunications service provider and you are installing software to protect the security of all or part of your network from a current and identifiable threat or update or upgrade all or part of your network.
  • Software installed solely to correct a failure in a computer system.

What’s new as of July 1?

As of July 1, the three-year transition period for CEMs that started on July 1, 2014 will end. This transitional period allowed flexibility for organizations that communicate regularly with their contacts. They were given a lot of latitude in terms of implied consent. Any company that had implied consent from a recipient prior to July 1, 2014 and that had at least some prior CEMs with its contacts was able to maintain that implied consent through the three-year transition. Such companies had three years to obtain express consent as well as establish overall CASL consent. That grace period is now over and all companies are required to be fully compliant with CASL or face the consequences.

Also, starting July 1, the Act will allow individuals and organizations who were impacted by an act or omission in violation of CASL to bring a private court action against those who violated the law and to seek actual damages and, in some cases, statutory damages. Class action suits may also be filed.

Complainants can sue for compensation equal to the actual loss or damage suffered or expenses incurred and additional amounts for different CASL violations, each with a maximum amount, said David Spratley for DLA Piper in a March article. In addition, officers, directors, agents and mandataries of a corporation that violated CASL can be held personally responsible if they directed or participated in the violation.

David Young Law outlines the severity of the consequences of a private right of action in a 2016 article:

“The private right of action, in effect, gives a monetary remedy to persons (i.e. both individuals and businesses) affected by any of: a contravention of sections 6 – 9 of CASL; a false or misleading electronic message under CASL’s amendments to the Competition Act; or the new e-mail harvesting provisions of PIPEDA effected under CASL.  The potential remedies are significant – in addition to actual losses or expenses, persons may recover, without any proof of loss, $200 for each non-compliant CEM up to a maximum of $1,000,000 per day or in the case of computer hacking, misleading electronic messages or e-mail harvesting, up to $1,000,000 per day.  The potential risks of private litigation under the PRA and particularly in the event of a class action could be – not to be understated – potentially devastating and point to an important need for organizations to focus on their CASL-related risk management and avoidance strategies.”

As the transition period expires, companies that previously relied on implied consent must either obtain express consent, achieve implied consent from some other method, or remove those recipients from their mailing lists by July 1.

This new phase of CASL is in addition to the actions that are already being taken by the Canadian Radio-Television and Telecommunications Commission (CRTC). Here are two cases that are already setting the tone for how CRTC will handle CASL violations.

CRTC vs. Blackstone Learning Corp.

In October 2016, CRTC issued its first Compliance and Enforcement Order since CASL was enacted. In CRTC 2016-428, Blackstone Learning Corp. committed nine violations of CASL by sending CEMs without consent. CRTC imposed an administrative monetary penalty (AMP) of $50,000. Blackstone had appealed the original decision which imposed an AMP of $640,000, stating the company was denied due process and that it had implied consent to send CEMs based on guidance it received from the Department of Industry. Blackstone also argued that the amount of the AMP was “unreasonably high.”

In this case, five complainants said they received unsolicited emails from Blackstone, though they had no previous relationship with the company and had not consented to receiving the messages. Blackstone argued that it had implied consent, but did not produce documentation confirming how it obtained consent, express or implied, to send CEMs. CRTC said in its order that Blackstone had not cooperated with the investigation and had “demonstrated a low likelihood of self-correction because the company’s non-compliant behavior did not change after it received the notice to produce in November 2014.”

To Blackstone’s credit, however, the company did attempt to understand CASL before it went into force and that played a factor in CRTC’s final decision and imposition of the $50,000 AMP.

“The Commission accepts that Blackstone is a small business with a relatively limited ability to pay. The evidence demonstrates that Blackstone was aware of the Act, and made appropriate, if limited, inquiries before the Act came into force and after learning that the company was under investigation. The Commission is concerned that the company did not cooperate with the investigation, but recognizes that CASL is a relatively new regulatory regime and that Blackstone has no history of non-compliance under CASL or related acts. The company erroneously believed it had implied consent to send commercial electronic messages and did not have the benefit of more recent guidance published on this topic, such as the Commission’s Guidance on Implied Consent, published on 4 September 2015.”

CRTC vs. William Rapanos

In March of this year, CRTC imposed an AMP of $15,000 on William Rapanos for 10 violations of section 6 of CASL. In the CEMs sent by Rapanos, the electronic messages did not identify the sender, did not include information about how the recipient could contact the sender, did not have express or implied consent, and in some cases, did not provide a functioning unsubscribe mechanism.

In this case, CRTC had received 58 submissions to the Spam Reporting Centre from 50 individuals who received a flyer advertising Rapanos’ art design and printing business. An investigator reviewed the facts and issued a notice to Rapanos in September 2015 to produce a list of everyone who had access to an internet connection at Rapanos’ residence. Rapanos said he had boarders at his residence and did not know who had accessed his unsecured Wi-Fi connection.

Rapanos claimed that someone else had sent the CEMs, and he was a victim of a personal vendetta or identity theft. The CRTC didn’t buy that explanation and said Rapanos did not prove his case beyond a reasonable doubt, failing to provide requested documentation.

When arriving at the AMP of $15,000, CRTC considered the following:

  • The purpose of the penalty (to promote compliance, not to punish)
  • The nature and scope of the violation
  • The person’s previous history regarding any previous violation under the CASL Act
  • Any financial benefit gained by the violator
  • The person’s ability to pay the penalty
  • Whether the person voluntarily paid compensation to the person affected by the violation
  • Factors established by the regulations

Mr. Rapanos said he could not afford the penalty because he had not been sufficiently employed due to health issues, but he did not provide any documentation to support his claim. The amount of the penalty equates to $1,500 per violation and is lower than the maximum allowable penalty of $1,000,000 per violation. CRTC explains the reason for its decision, in part, below:

“While the submissions to the Spam Reporting Centre related to the campaigns in question appear to have ceased as of 23 July 2015, the Commission finds that Mr. Rapanos’ continued denial of his involvement diminishes his likelihood of self-correction should he resume his commercial online marketing campaigns in the future.

Accordingly, the factors of non-cooperation and likelihood of self-correction are relevant in the circumstances. The Commission considers that there is sufficient evidence of non-cooperation to justify the imposition of the AMP that was initially set out in the notice of violation. Similarly, the Commission further considers that self-correction and future compliance with the Act is unlikely because Mr. Rapanos did not clearly specify how this would occur. As such, the Commission finds that the AMP amount is appropriate to promote compliance in these circumstances.”

How to keep records of consent

To help businesses and individuals to be compliant under CASL, CRTC has created a list of good record-keeping practices:

  • Identify potential non-compliance issues
  • Investigate and respond to consumer complaints
  • Identify the need for corrective actions
  • Demonstrate that these corrective actions were implemented
  • Establish a due diligence defense in the case of a CASL violation

In addition, senders of CEMs should keep a hard copy or an electronic copy of the following:

  • All evidence of express and implied consent (e.g., audio recordings, copies of signed consent forms, completed electronic forms) from consumers who have given their express consent
  • Documented methods through which consent was collected
  • Policies and procedures regarding CASL compliance
  • All unsubscribe requests and resulting actions

CRTC has also provided extensive guidance to help businesses create their own corporate compliance programs in Compliance and Enforcement Information Bulletin CRTC 2014-326. The components of a good corporate compliance program include senior management involvement, risk assessment, a written corporate compliance policy, good record keeping, effective staff training, auditing and monitoring, a complaint-handling system and corrective (disciplinary) action.

Best practices

Ideally, companies have already made the necessary changes to ensure their compliance with CASL since it began in 2014. For new companies or those revisiting their policies and procedures, Lisa R. Lifshitz of Torkin Manes LLP in Toronto wrote the following best practices for the American Bar Association:

  1. Develop a compliance team that should include your marketing team, among others.
  2. Audit existing practices and identify what types of CEMs your company uses.
  3. Inventory existing databases for contacts based in Canada. You can identify them by their mailing address, physical address and/or the suffix .ca in their email address.
  4. Review all electronic mailing lists to determine what type of consent was obtained and when.
  5. Review your “express consent” language and revise it, if needed, to be CASL compliant.
  6. Update opt-in language and other documents and templates that include appropriate language for express consent.
  7. Keep track of implied consent in a database and know when that implied consent expires.
  8. Update and test your company’s unsubscribe mechanism for compliance.
  9. Train your staff so they understand the rules of CASL and to ensure their compliance.
  10. Review compliance with any third-party vendors who must also comply with CASL.
  11. Obtain express consent from new contacts.
  12. Delete contacts for whom you do not have express consent, implied consent or who do not fall under the necessary exemptions.
  13. Document your CASL policies and procedures.

In our original CASL report, we included additional best practices:

  1. Clearly identify your company or organization as the sender in any CEMs and include contact information for each relevant person involved. When a CEM is sent on behalf of multiple people, such as affiliates, all those people must be identified in the CEM. If it is not possible to include all material individuals in the body of the email, link to a webpage where the additional identifying information is available.
  2. Include your business mailing address in each CEM. This information should also be included in a request for consent. Each CEM must also include a phone number to access a representative or voice mail system, an email address or a web address for the person on whose behalf you are sending a message. These contact methods must be accurate and valid for a minimum of 60 days after sending the message.
  3. The unsubscribe mechanism must be consumer-friendly, clear and prominent, and it must be able to be “readily performed.” In other words, if the unsubscribe link doesn’t work or it can’t be accessed without difficulty or delay, you have not complied.
  4. Email unsubscribe mechanisms can be readily performed if they link to a web page where the recipient can unsubscribe. For SMS/text messages, the recipient should be able to reply STOP or UNSUBSCRIBE, or click on a link to unsubscribe.
  5. Ensure that the subject line of email communications is clear, relevant and truthful.
  6. The content in the message should be consistent with the message’s subject line.
  7. When requesting consent, checkboxes cannot be pre-filled to suggest consent. Each subscriber must check the box themselves for consent to be valid.
  8. Unsubscribe requests must be processed within 10 days. Unsubscribe requests never expire.

Sources:

CRTC, Compliance and Enforcement Decision CRTC 2017-65, March 9, 2017.

CRTC, Compliance and Enforcement Decision CRTC 2016-428, October 26, 2016.

CRTC, Compliance and Enforcement Information Bulletin CRTC 2014-326, June 19, 2014.

CRTC, Enforcement Advisory – Notice for businesses and individuals on how to keep records of consent.

CRTC, From Canada’s Anti-Spam Legislation (CASL) Guidance on Implied Consent.

CRTC, Requirements for Installing Computer Programs.

Government of Canada, Justice Laws website, text of CASL regulations, last amended January 15, 2015.

Lifshitz, Lisa R., American Bar Association, CASL – How to Send E-mails to Canadians Safely, April 4, 2016.

Spratley, David, DLA Piper, Data Protection, Privacy and Security Alert, March 16, 2017.

Square 2 Marketing, CASL Compliance: Essentials Every Marketer Needs to Know, May 16, 2017.

David Young Law, Countdown to July 1, 2017 – CASL Transition Period Ending, 2016.
