Approaching the CASL: The Compliance Date for Canada's Anti-Spam Legislation Draws Near
The first phase of Canada’s Anti-Spam Legislation (CASL) goes into effect on July 1, 2014. Accordingly, all businesses engaged in the transmission of Commercial Electronic Messages (CEMs) in Canada should assess their business practices and take steps to adhere to any applicable provisions of the law. To that end, my February blog post summarizing several key elements of CASL is presented below.
The Canadian Radio-television and Telecommunications Commission (CRTC) has released final regulations to implement CASL. CASL applies notice and consent obligations upon organizations that transmit CEMs to individuals in Canada. The plain language of the CASL is somewhat broader than some other anti-spam laws, such as the CAN-SPAM Act in the United States, applying to electronic communications beyond traditional e-mail, such as SMS text messages.
For example, the law requires that prior to the installation of computer programs on computers, the software publisher must present a description of the function of the computer program and acquire express consent from an authorized user. Also notable is the introduction of a private right of action with a three-year statute of limitations.
In addition, an entity that acquires electronic addresses from a third party that obtained the consent from individuals to collect those addresses must identify the source of the electronic addresses in its CEMs. Thus, if an e-mail address is collected from website visitors by the publisher of the website, sold to a mailing list aggregator, then resold to a retailer, the retailer must identify the website publisher in its CEM.
Similar to many anti-spam laws around the world, CASL allows entities to rely upon implied consent when sending CEMs to individuals with whom they have an existing business relationship. Existing business relationships include circumstances such as a relationships established by purchase of products or services. The CRTC has indicated that if an individual unsubscribes from a mailing list then commits an act that initiates a new existing business relationship (such as a new purchase), implied consent is restored for subsequent CEMs.
The final Electronic Commerce Protection Regulations and Regulatory Impact Analysis Statement are designed to resolve some uncertainties arising from the language of CASL. These areas of clarification include the:
- definition of CEM;
- application of CASL to IP addresses and cookies;
- implied consent to install programs for Telecommunications Service Providers (TSPs); and
- use of express consent previously acquired under PIPEDA.
Each of these clarifications is summarized in turn below.
Significant controversy has arisen concerning the definition of CEMs and applicable scope of CASL. The original language of CASL and previous draft regulations led many commenters to express concerns that the law would impose comprehensive notice and consent requirements upon ordinary transactional messages. The RIAS explains that transactional messages are not covered by CASL as follows. “The mere fact that a message involves commercial activity, hyperlinks to a person’s website, or business related electronic addressing information does make it a CEM under the Act if none of its purposes is to encourage the recipient in additional commercial activity. If the message involves a pre-existing commercial relationship or activity and provides additional information, clarification or completes the transaction involving a commercial activity that already underway, it would not be considered a CEM since, rather than promoting commercial activity, it carries out that activity.”
In addition, the final regulations introduce a number of explicit exceptions to the definition of CEM. The exceptions include the following.
- Messages transmitted via a service where notice and unsubscribe functions are readily available within the user interface of the service and consent to receive messages is either express can be reasonably implied. Presumably, this exception addresses tools such as instant messaging services.
- Messages that are reasonably expected to be received by individuals located in foreign countries that have similar anti-spam laws and are designed to comply with such laws. The list of applicable countries, including China, the United Kingdom, and the United States, is attached as a Schedule to the final regulations.
- Messages intended to raise funds for charity.
- Messages intended to solicit contributions for political campaigns.
- Messages transmitted to limited access accounts where only the service provider may send messages. This exception appears to have been created in response to public comments from financial services companies to address direct consumer communications during interactions such as online banking.
When first introduced, there was concern that IP addresses alone could constitute an “electronic address” under the statute. If that were true then the law could apply to display advertisements on websites. The RIAS states the following. “Insofar as IP addresses are not linked to an identifiable person or to an account, IP addresses are not electronic addresses for the purposes of CASL. As a result, banner advertising on websites is not subject to CASL.”
Similarly, there has been persistent controversy concerning application of CASL to cookies. While cookies would not meet the definition of computer program contained in section 1(1), cross-referencing the definition of the same in subsection 342.1(2) of the Criminal Code, because they content of cookies is not executable. However, section 10(8) of CASL refers to cookies as a type of computer program. The RIAS attempts to clear up this confusion by stating that: “Insofar as cookies are not executable computer programs, and they cannot carry viruses and cannot install malware, and are simply lines of text or data that are read from a web browser, they are not computer programs for the purposes of CASL.”
TSPs may imply consent to install programs on its customers’ computers to:
- protect the security of its network;
- update or upgrade its network; or
- otherwise prevent failure of an information system or program.
The definition of TSP is quite broad. For instance, the RIAS clarifies that auto manufacturers are TSPs when operating automobile-based information networks, such as General Motors OnStar and Ford Sync.
When first passed, it was not clear whether express consents obtained from individuals under the Personal Information Protection and Electronic Documents Act (PIPEDA) would be considered valid under CASL. The RIAS resolves this question by stating that for the purposes of such consents under PIPEDA: “Express consents, obtained before CASL comes into force, to collect or to use electronic addresses to send commercial electronic messages will be recognized as being compliant with CASL.”
Finally, it should be noted that CASL will be implemented in three phases. Most of the CASL provisions will go into effect on July 1, 2014. The rules regarding installation of computer programs shall be effective on January 15, 2015. The private right of action provisions shall be effective as of July 1, 2017. It is unclear whether CASL would be enforced against a US company directly. Nevertheless, Canadian affiliates or business partners could be exposed to liability under CASL if a related US company fails to conform to the law when communicating with Canadian residents. Accordingly, US companies that transmit CEMs to Canadian residents should review their electronic messaging practices and business relationships to ensure that they remain in compliance with CASL as its enforcement dates occur.