A Summary of Canada’s New Anti-Spam Law: Your Questions Answered
26/06/14
Canada's new Anti-Spam Law ('CASL') comes into effect on July 1 and will apply to all 'Commercial Electronic Messages' including email newsletters. Find out what this means for you and the steps you can take to ensure your business practices comply.

 

Does Canada’s new anti-spam law apply to me?
The law applies to Commercial Electronic Messages (CEMs), which include emails, text messages and social media messages relating to your business. If you send regular or occasional email newsletters or updates or do marketing for your business via email or develop email campaigns for your clients, the law will affect you.

 

How do I know if my email newsletter is a CEM?
If the content of your message (or content that is linked to in the message) encourages readers to participate in a ‘commercial activity,’ it is considered a CEM.

 

A commercial activity includes:

  • purchasing or selling a product, good or service
  • offering a business investment opportunity
  • advertising or promoting a product, good, service or business
  • promoting a person who does any of the things mentioned above

 

When is it okay to send a CEM?
There are two main conditions for sending a CEM under the new law. You can send a CEM if:

  1. You have express or implied consent from recipients, AND
  2. The message you send includes an unsubscribe mechanism and complies with other content requirements (below)

 

How does consent work?
If you claim to have the consent of your subscribers, you must be able to prove it in a way that complies with the new rules.

 

Express Consent can be acquired by request (see below).

 

Implied Consent includes the following:

 

Business Dealings: Consent is implied if within the last two years there has been a purchase/lease of products or services, or a contract between parties or if the recipient has made an inquiry or application regarding business matters in the last six months. The time periods are calculated from the date on which the CEM is sent.

 

You must be able to prove implied consent, which means tracking all dealings to ensure that you can prove that the CEM was sent within the applicable two year/six month period.

 

‘Business Card Exemption’: Consent is implied if the recipient has provided their address and the message is relevant to their business or official capacity (e.g., if they have provided their email address at a networking or professional development event). If the recipient has indicated that they do not wish to receive CEMs, consent is no longer be implied.

 

If someone's email is posted publicly (i.e. on a website) and there is no statement that indicates that the person does not wish to receive unsolicited messages, this is considered implied consent to receive a message that is relevant to their business.

 

How can I request Express Consent?

A request for express consent must clearly state the following:

  • the name of the business or person seeking consent*
  • the mailing address and one of the telephone number, email address or web address of the person / business seeking consent
  • the purpose for seeking consent
  • the person consenting can withdraw consent if they choose

*if you are seeking consent on behalf of another person, you must clarify exactly who you are and on whose behalf consent is sought.

 

For express consent to be valid, the recipient must actively check a box or click an icon. Pre-checked boxes are not considered valid. A request for express consent should not be bundled with other requests. 

 

Oral consent is also permitted, but may be difficult to prove. A complete recording of consent or verification of consent, recorded by an independent third party, may be necessary.

 

A request for consent that is sent as an e-mail or other electronic message on or after July 1st is deemed to be a CEM and must comply with the rules for CEMs (including express or implied consent).

 

If the people subscribed to my newsletter gave their email addresses willingly, does the new law still apply to me?

You will still be required to prove implied or express consent for the recipients of your email in accordance with the rules.

 

If a reasonable person would conclude that your newsletter is encouraging readers to engage in a commercial activity, you need to make sure you have express or implied consent to be sending it and you must include an unsubscribe mechanism (see below).

 

Aside from consent, what else does the new law require?

After you have confirmed express or implied consent, the message you send to your recipients must contain the following in order to comply with the new law:

  • an unsubscribe mechanism
  • the name of the business or person sending the message (or the person / business on whose behalf the message is sent)
  • the mailing address, and one of the telephone number, email address or web address of the sender

If you are not able to include this information in the content of the message, you can include a link to a web page containing this information. The recipient must be able to readily access the link at no cost, and it must be prominently set out in the message.  

 

What is required for the ‘unsubscribe’ mechanism?
Under the new law, you must provide an option for recipients to unsubscribe from receiving your messages. The unsubscribe mechanism must be readily available –you may provide a link that takes the user to a web page where he or she can unsubscribe from receiving all or some types of messages from the sender.

 

Other requirements:

  • the unsubscribe link must be valid for a minimum of 60 days after the message has been sent
  • if a person unsubscribes the sender must comply without delay, within 10 business days at most

 

What is the penalty for non-compliance with the new law?
The maximum penalty is $1,000,000 per violation by an individual and $10,000,000 for violation by an organization.

 

What types of messages are exempt from the new law?

  • Personal, internal business or legal communications
  • If someone emails to inquire about your business, your response to that email would not be considered a CEM
  • Business to business communications – if your organization has a relationship with another and the message you are sending is relevant to both, you are able to send emails to employees, representatives or consultants of that organization
  • Emails with the primary purpose of raising funds for a registered charity or political fundraising will be exempt from the new law

 

Is there a grace period?
There is a three-year grace period of implied consent if there is an existing business or non-business relationship with the recipient (as defined in the new rules) as of July 1, 2014, and the relationship included the exchange of CEMs, regardless of when it was last active. If the recipient withdraws consent this is no longer valid.

 

How will the new law impact campaigns that I’m doing for clients that include email messages?

Clients should be made aware of the fact that they must be able to prove implied or express consent for all recipients in the mailing lists to which the email messages will be sent.

 

A design firm that sends out CEMs on behalf of its clients may be held liable under the new anti-spam law if the law is not followed.

 

The most practical way for clients to build their mailing lists moving forward will be to set up a subscription form on the organization’s website that complies with the new rules and suggest that new clients and other contacts subscribe themselves.

 

What should I do to make sure the messages I send out comply with the new law?

  1. Review your contact database for any emails you currently send to determine whether express or implied consent exists and what steps you may need to take to obtain consent from your contacts – if it is not feasible to go through each individual contact, consider sending out a request for express consent to your entire list
  2. If you plan to send out a request for express consent, do it before July 1
  3. Establish appropriate data management – implied consent is subject to expiry, which means tracking the date of your last business interaction may be necessary. New contacts that are added to the database should be tracked to identify whether their consent is express or implied, and in the case of implied consent, when it expires.
  4. Make sure the format of the CEMs you send out complies with the content requirements of the new law
  5. Make sure you include an unsubscribe mechanism in all CEMs you send and that the mechanism complies with the requirements of the law
  6. Document your compliance efforts to ensure you are able to provide proof of consent in the event of a complaint

 

Note: We do not have any court decisions regarding the new law because it is not yet in force; as decisions emerge over time, they will be helpful to assist in the interpretation of the new rules.  At this stage, many provisions are difficult to interpret and future court decisions will provide clarification.

 

For more information on Canada's New Anti-Spam Law:

Ralph Kroman of WeirFoulds LLP is an experienced business lawyer with an emphasis on contract negotiations, intellectual property, information technology and commercial transactions. Any questions regarding Canada’s new anti-spam law may be directed to him. Contact Ralph at 416.947.5026 or

 

To read Ralph's overview of the new law, click here.

RGD Members can view a recording of Ralph's webinar on this topic here. (Passwords to access recorded presentations are listed in the Members Only section.)