Canada’s anti-spam legislation is broad and complex, with many uncertainties
The bald truth about Canada’s anti-spam law (CASL) is that it has significantly narrowed the digital landscape for business. The law, which commenced its phase-in on July 1, 2014, means no more wholesale buying and selling of customer lists, no more indiscriminate contact sharing, and no more comprehensive mining of the Internet for email addresses — and that’s just the don’ts.
The dos include purging customer lists, obtaining consent from new contacts and existing contacts who don’t meet the requirements for implied consent, crafting general compliance policies and communicating them across the organizational landscape.
“I’ve seen reductions in the use of email as a means of marketing in conjunction with a resurgence in telemarketing and direct mail,” says David Elder of Stikeman Elliott LLP in Ottawa. “I’ve also had a few clients, especially foreign businesses like US retailers with cross-border shoppers, who said complying with CASL wasn’t worth it and just dropped Canadians from their mailing lists.”
Evidence is already accumulating to support CASL’s impact. “The hardest thing for many of my clients was deciding what to do with their existing customer distribution list,” says Adrian Liu of Borden Ladner Gervais LLP in Toronto.
Many of those who culled their lists were shocked at the results.
“Clients tell me they lost between 20 to 60 per cent of their customer databases because they didn’t have the records necessary to support the implied consent that would allow them to continue to send emails to existing customers,” Elder says.
Dan Michaluk of Hicks Morley Hamilton Stewart Storie LLP in Toronto thinks the database shrinkage may be considerably greater. “Anecdotally, I’ve heard that email databases are being pared down by 75 per cent and that’s an impact that’s tangible, measurable and real,” he says. “What’s unanswered is whether you’re losing people who aren’t listening to you anyway.”
In other words, it’s not that the sometimes gargantuan compliance efforts required don’t have a silver lining.
“CASL has forced a lot of businesses to actually go through their CRM [customer relationship management] database and clean it up by getting rid of the deadwood, so that they end up with a database that is more meaningful,” says Christine Carron of Norton Rose Fulbright Canada LLP in Montréal. “It’s also forced them to track relationships with customers to ensure that they get the express consent they need when the transitional period expires, and doing that helps businesses understand which of their marketing efforts are actually working.”
Be that as it may, what’s clear is that, less than a year after CASL came into force, consumer awareness of the legislation was remarkably high and rising. By mid-January, the CRTC had received 205,000 complaints, up from 117,000 in the fall of 2014. It’s not hard to imagine considerable glee on the plaintiff’s side of the class-action Bar, whose bated breath at these developments ensures a foggy future for CASL offenders when CASL’s private right of action kicks into force in 2017.
What’s created all this fuss is a complex and broad – some say overreaching – law that is the world’s most comprehensive attempt to restrict unsolicited email as well as other forms of electronic communications, including instant and text messaging and social media. Formally known as the Electronic Commerce Protection Act, CASL applies to business-to-business (B2B) messages as well as missives to consumers.
CASL seeks to prevent consumers from being misled, gives consumers the right to decline receipt of unwanted emails and seeks to reduce the costs for businesses that have to manage an influx of spam.
But unlike any legislation elsewhere, CASL is not limited to messages that may be harmful in the sense that they contain some element of fraud or deceit; rather, CASL prohibits the sending of any commercial electronic message (CEM) (defined as any telecommunication including text, sound, voice or image) to an electronic address without the recipient’s prior consent, where the purpose of the message is to encourage participation in a commercial activity. The legislation has extra-territorial effect, applying whenever a computer located in Canada sends or accesses CEMs regardless of the destination or the point of origin.
CASL also includes broad prohibitions, making it illegal to install any computer program on another person’s computer located anywhere in Canada without making prescribed disclosures and without obtaining consent in the prescribed form. These strictures, which came into force on January 15, 2015 and will be dealt with only tangentially in this article, apply to upgrades and updates, and apply regardless of whether a program includes malware or spyware.
The statute as a whole is based on an opt-in principle premised on express consent, with certain exceptions allowing implied consent for existing business relationships, personal and family relationships, business-to-business emails and third-party referrals. These include a broad exemption for business-to-business CEMs where a relationship with the recipient exists; a one-time exemption for a CEM based on a referral made by someone who has a prescribed relationship with the recipient; and partial exemptions for CEMs to recipients with whom the sender has had an existing business relationship and CEMs sent to addresses that have been conspicuously published or directly disclosed by the recipient to the sender. There is also an exemption for email addresses that have been posted online without a notice that the poster does not wish to receive unsolicited commercial email.
Where implied consent cannot be inferred and the exemptions do not apply, the sender must obtain the express consent of the recipient by setting out the purpose for which the consent is sought, information identifying the person seeking consent, and other information prescribed
CASL includes a transitional period that runs to 2017 before opt-in consent (in the absence of an applicable exemption) becomes mandatory. The transitional period extends to persons with whom organizations have had an existing business relationship that included sending CEMs at any time before July 1, 2014.
Furthermore, federally regulated industries, like financial institutions, airlines and telecommunications companies, should be aware that CASL does not explicitly recognize consents given under Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). Although regulators have indicated they will recognize consents given before CASL comes into force as long as the consents meet the requirements of federal privacy legislation, the difficulty is that implied consents are not recognized under privacy law. This means that organizations subject to PIPEDA could experience duplication of effort in obtaining consent; at the very least, they will have to ensure that their means of obtaining consent complies with both statutes.
Other outstanding concerns include uncertainty regarding the rights of manufacturers to contact consumers of their products with whom they do not have a direct relationship and various practical hurdles inherent in the consent requirements.
From an enforcement perspective, the legislation has sharp teeth, mandating administrative monetary penalties of up to $1 million for individuals and up to $10 million for corporations. Officers, directors and agents are liable if they directed, authorized or participated in the violation. A due diligence defence is available.
Already, the Canadian Radio-television and Telecommunications Commission has given notice that it intends to use these weighty powers: in early March, the CRTC announced that it had issued its first Notice of Violation, including a $1.1 million penalty, to Quebec-based Compu-Finder for four violations that involved sending CEMs without the recipient’s consent as well as emails in which the unsubscribe mechanisms did not function properly.
And while there has been a great deal of skepticism about CRTC’s ability to enforce CASL against foreign-based entities, the Commission followed on its landmark sanction against Compu-Finder by issuing its first penalty to a foreign-based telemarketer for violations of the Unsolicited Telecommunications Rules. Just six days after the Compu-Finder announcement, Consolidated Travel Holdings Group Inc., an American cruise company, paid a $200,000 fine as part of a settlement for unlawfully making automated calls to Canadians. The calls, including many to Canadians on the National Do Not Call list, offered them a “free” cruise to the Bahamas in exchange for answering a survey. While the settlement did not engage CASL, the fact remains that the CRTC worked closely with the US Federal Trade Commission to enforce the Unsolicited Telecommunications Rules, leaving little doubt that the CRTC has both the will and the resources to deal with offshore offenders in the CASL context.
But Compu-Finder and offshore entities aside, is the Canadian business community prepared for all this?
“Big companies are for the most part better prepared than others, but for smaller businesses it’s been a nightmare,” Elder says. “Overall, it’s a bit of a mixed bag, so much so that even some well-known and established companies have been late to the compliance party.”
Dominic Jaar, the Montréal-based National Practice Leader, Information Management Services for KPMG, says the degree of preparation is frequently related to the perceived risk of non-compliance. “For the most part, the larger members of the retail sector are aligned and so are the telecoms, but the degree of compliance for smaller companies and sectors like the industrial market where companies don’t send out a lot of emails has been more basic, sort of a ‘wait-and-see if we need to do something more’ approach that doesn’t involve a full overhaul of the process.”
The feasibility of wait-and-see is much enhanced, of course, by the provisions in CASL that grant businesses implied consent status for existing customers during a transitional three-year period.
“Organizations are also waiting to see what enforcement and sanctions will look like, whether the focus will be on technical violations or more substantive ones, and which companies will be the poster children for regulators,” Jaar says.
The upshot is that many companies have taken a “soft approach” to compliance. Whether the Compu-Finder sanction changes that remains to be seen. “Quite a few organizations have gone no further than telling people what they can’t do by way of sending email without verification from the marketing or IT departments,” Jaar says. “In fact, the greatest impetus has come from legal departments that have focused on changing standard contracts, and not from the marketing departments regarding their customer databases.”
All of which is not to say that CASL isn’t being taken seriously enough. It may simply be a matter of degree.
“From what we’ve seen, our clients have been very prepared in terms of putting in place compliance policies and understanding how the law affects marketing policies,” says Molly Reynolds of Torys LLP in Toronto. “We’ve seen a high uptake on voluntary compliance on which my clients have spent a lot of time and money.”
Increasingly, however, creativity abounds. “Express consent was the gold standard last year, but because of the complications involved in obtaining it, more and more businesses are starting to look at the implied consent rules and the exemptions,” says David Young of David Young Law in Toronto. “But it’s still early, and many are just feeling their way around the statute.”
As it turns out, full compliance may simply not be in the cards for smaller companies, at least not for the time being. “Smaller businesses are aware of CASL, but their level of compliance may be lower because they don’t have the resources to do an all-hands-on-deck compliance program,” Young adds. “Instead, they’re trying to act reasonably and hoping to get some slack if they’re targeted by the CRTC.”
Others, like financial institutions, are better equipped to weather the storm. TD Bank’s legal department, for example, reacted much as they do to any new legislation that is untested and open to different interpretations.
“We worked collaboratively with different stakeholders, unpacked the provisions and tried to interpret them as best as we could on our own and with the assistance of industry associations,” says Sue-Anne Fox, Senior Counsel with TD Bank Group in Toronto.
Ultimately, however, there haven’t been wholesale changes in the bank’s marketing practices. Rather, much of the effort has centred around developing policies and internal communication strategies.
“We’re still marketing by email and we’ve always had unsubscribe options that we continue to respect,” says Fox. “But there has been a fair degree of training and education to explain how CASL works.”
Not surprisingly, communicating effectively can be a frustrating endeavour that drains resources. “The most difficult challenge many companies faced was in crafting a compliance policy that was simple enough to circulate and allowed for the remaining uncertainties in the legislation,” Reynolds says.
Equally daunting is ensuring that the policy imbues the organization. “It’s relatively easy to control what an organization’s centralized marketing department does,” Elder explains. “But getting the message across to salespeople and others in the field can be difficult.”
Part of the difficulty is the very broad definition of what constitutes a CEM.
“Some people may believe that sending an email asking a prospective customer to discuss their needs is not the same as sending a message asking if someone wants to buy three widgets, but for CASL’s purposes it’s all the same,” Elder says.
The key challenge for Young’s clients, apart from the law’s restrictiveness and what he views as narrow exemptions, has been recordkeeping. “The onus under the legislation is always on the sender to prove consent or fit within the exemptions, and that’s been a serious challenge for organizations that do not have prior consent on which they can rely,” he says. “You have situations where companies are logging business cards and meticulous meeting records into a centralized database for the sole purpose of providing justification for CEMs, and some have been able to cope only by acquiring new software.”
When all is said and done, however, the myriad uncertainties in the legislation remain one of the primary obstacles to effective compliance. “Eight months after CASL came into force, it still remains largely untested,” Fox says. “But as is the case with any new legislation, the passage of time and the benefit of experience will minimize the uncertainties.”
Generally speaking, stakeholders agree that the CRTC has done its best to hasten the process. “The regulators have been very good at providing FAQs as well as guidance and regulations that have narrowed the scope of the law,” Jaar says. “This has had a major impact, but there are still hundreds if not thousands of questions that remain.”
That doesn’t include the questions that aren’t being asked. “The most problematic inquiries may be the ones that companies refrain from making for fear of the answers they may get,” Jaar says. “Many are hoping that if problems arise, the regulator will just tell them to change their practices and not do it in the future.”
Even the line between what is and what isn’t a CEM is not clear. “My guess is that we’ll be dealing with a case-by-case approach that will make things clearer over time,” Elder says.
Another significant grey area engages the indicia of the “relationships” that give rise to implied consent in B2B transactions.
“We’d like to take a broad view, but that part of the Act is very vague and I don’t know how much guidance we’re going to get,” Reynolds explains. “Does ‘relationship’ include affiliates and parents? Must there have been a transaction between the parties? Does common membership in a trade organization give rise to the necessary relationship? No one knows for sure about any of these things.”
Social media also poses a range of interpretative difficulties. “Take the case of someone who’s following me through a portal,” Jaar says. “Is it fair game for me to push commercial content to them in a direct way or am I limited to just posting the material and hope they see it?”
What compounds the difficulty is that many media sites do not have subscribe or unsubscribe mechanisms governing communications between people or entities, like “friends” or “connections,” who are linked within the system.
Compounding the social media conundrum is the CRTC’s unwillingness to clarify it. “The CRTC is purposely hedging on this issue, partly because I don’t think they have an answer and partly because they want to reserve the right to go after people who put a flagrant interpretation on the rules as they apply to social media,” Liu says.
Another difficulty relates to businesses like headhunters, who solicit candidates and organizations on behalf of clients for a variety of purposes. The same can be said of human resource departments, which source candidates on sites like LinkedIn.
“Headhunters who are ‘following’ potential candidates may nonetheless be sending an unauthorized CEM whenever they advise the candidate of an opening without having been requested to do so,” Jaar says. “And if I approach a LinkedIn contact about a job at KPMG, is that an unauthorized CEM? These are precisely the kind of questions that people don’t want to ask.”
Where all this goes ultimately depends on the way CASL is enforced. As Compu-Finder discovered, that it will be enforced is no longer in question.
Still, the focus has been on voluntary compliance with the CRTC making it clear that it would concentrate on the most severe types of violations. Compu-Finder, which runs training courses for business, is presumably a relatively sophisticated outfit and accounted for 26 per cent of all complaints submitted to the Spam Reporting Centre in its industry sector.
“Going forward, I don’t believe that the regulator will set its sights on communications between legitimate business or on compliance with the strict letter of the law,” Reynolds says.
Looming over the enforcement scenario are the 200,000 complaints the CRTC had received by mid-January. But it’s important to understand the nature of these complaints. Anyone can complain simply by forwarding an allegedly non-compliant email to the CRTC. Only about 5,000 of the complaints received by press time, however, had been lodged through the regulator’s online complaint form, which requires individuals to go to the trouble of inputting information online.
“They will prioritize the big fish, of whom they can make a very public example, but I also believe that medium and smaller-sized companies who are technically offside will be shown some tolerance,” Carron says.
Still, for all the talk about voluntary compliance and tolerance, the optics are not necessarily promising. “The CASL police have dark blue uniforms with embroidered badges on their chest and cargo pants that look like a cross between military and police uniforms,” Elder says. “They seem very serious about their job.”
In the long run, however, the CRTC may be the less worrisome of the enforcement options available under CASL. Private rights of action, including class actions, kick in on July 1, 2017. What makes that particularly daunting is the unease over whether the provisions will have retroactive effect: in other words, will plaintiffs be able to rely on breaches, even technical ones, which pre-date the coming into force of the private rights? And will the “technical” breaches that CRTC is reportedly prepared to overlook in the face of good faith compliance efforts come back to haunt the business community?
No one really has a definitive answer.
“Many people would like to see an amendment that clarifies any ambiguity over retroactivity,” Elder says. “But as it stands, the courts will likely have to decide.”
Unfortunately, with legislation this complex, these are not comforting words.