Among the most daunting legal developments for companies doing business in Canada is Canada’s new anti-spam and anti-malware law (CASL), more formally known as the Electronic Commerce Protection Act, most of which came into effect on July 1, 2014. It has extra-territorial effect, applying whenever a computer located in Canada sends or accesses Commercial Electronic Messages (CEMs) regardless of the destination or the point of origin.
Less than a year after CASL came into force, consumer awareness of the legislation was remarkably high and rising. By mid-January 2016, the CRTC had received 205,000 complaints, up from 117,000 in the fall of 2014. It’s not hard to imagine considerable glee on the plaintiff’s side of the class-action Bar, whose bated breath at these developments ensures a foggy future for CASL offenders when CASL’s private right of action kicks into force in 2017.
What’s created all this fuss is a complex and broad – some say overreaching – law that is the world’s most comprehensive attempt to restrict unsolicited email as well as other forms of electronic communications, including instant and text messaging and social media.
CASL seeks to prevent consumers from being misled, gives consumers the right to decline receipt of unwanted e-mails and seeks to reduce the costs for businesses that have to manage an influx of spam. But the legislation does so in a manner that likely makes it the world’s most comprehensive attempt to restrict unsolicited e-mail.
CASL also includes broad prohibitions making it illegal to install any computer program on another person’s computer located anywhere in Canada without making prescribed disclosures and without obtaining consent in the prescribed form. These strictures, which came into force on January 15, 2015, apply to upgrades and updates and regardless of whether a program includes malware or spyware.
The statute applies not only to e-mail but to other forms of electronic communications, including instant and text messaging, and social media. As well, CASL applies not only to business-to-consumer messages, but also affects business-to-business messages.
Unlike any legislation elsewhere, CASL is not limited to messages that may be harmful in the sense that they contain some element of fraud or deceit; rather, CASL prohibits the sending of any “commercial electronic message,” (defined as any telecommunication including text, sound, voice or image) to an electronic address without the recipient’s prior consent, where the purpose of the message is to encourage participation in a commercial activity.
The statute is also based on an opt-in principle premised on express consent, with certain exceptions allowing implied consent for existing business relationships, personal and family relationships, business-to-business emails, and third-party referrals. These include a broad exemption for business-to-business CEMS where a relationship with the recipient exists; a one-time exception for a CEM based on a referral made by someone who has a prescribed relationship with the recipient; a partial exemption for CEMS to recipients with whom the sender has had an existing business relationship in the previous two years; or a partial exemption for CEMs sent to addresses that have been conspicuously published or directly disclosed by the recipient to the sender. There is also an exception for email addresses that have been posted online without a notice that the poster does not wish to receive unsolicited commercial e-mail.
Where the exceptions do not apply, the sender must obtain the express consent of the recipient by setting out the purpose for which the consent is sought, information identifying the person seeking consent, and other information which may be required by regulation.
In addition to the exceptions, the business community has a transition period that could run to 2017 before a business must switch to opt-in consent for its existing customers.
The upshot is that companies engaged in business-to-business communications can take some comfort from the scope of the exemptions. Still, the statute is very clear that consent is required before a CEM can be sent, which means that businesses can’t even send an e-mail asking for express consent without first obtaining implied consent. By contrast, the US legislation, known as CAN-SPAM, allows an initial mailing, as long as it contains the required information and has a simple unsubscribe function.
Indeed, the Canadian law does not even permit consent for a solicitation to be inferred from publication of an e-mail address even if it would be reasonable to assume the message would be of interest to the individual or their organization or more generally from the conduct of the individual or organizations concerned.
Other outstanding concerns include the failure to clarify the rights of manufacturers to contact consumers of their products with whom they do not have a direct relationship and the failure to deal with various practical hurdles inherent in the consent requirements.
From an enforcement perspective, the legislation has sharp teeth. Offenders are liable to administrative monetary penalties of up to C$1 million for individuals and up to C$10 million for corporations. Officers, directors and agents are liable if they directed, authorized or participated in the violation. A due diligence defense is available.