Canadian Underwriter
Feature

Gaining Consent


April 1, 2014   by Canadian Underwriter



With the adoption of Canada’s Anti-Spam Law (CASL) in July, most Canadian organizations will face cumbersome and expensive requirements. CASL’s various requirements are complex and will be open to interpretation in some grey areas, but consider the following top five steps any organization must take to be CASL-compliant.

STEP 1

DETERMINE IF MESSAGES ARE COVERED

For the purposes of CASL, an “electronic message” is broadly defined as a message sent by any means of telecommunication, including a text, sound, voice or image message, although not a commercial electronic message that is an interactive two-way voice communication between individuals, that is sent by means of a facsimile to a telephone account or that is a voice recording sent to a telephone account.

What is a CEM?

A commercial electronic message (CEM) is an electronic message for which it would be reasonable to conclude its purpose is to encourage a commercial activity (having regard to its content, to where it links or the contact information contained in the message), whether or not the person sending the message does so in the expectation of profit. A CEM includes, for instance, a message that offers to purchase, sell, barter or lease a product, good, service, land or an interest or right in land, offers to provide a business, investment or gaming opportunity, or advertises or promotes any person engaged in anything previously mentioned.

CASL does not apply to certain types of e-mails

Organizations do not have to comply with CASL when sending messages that include service, warranty or product-upgrade information, or if there are health and safety issues related to a product purchase. Organizations should still use discretion in sending such messages, however, since customers may view these as spam if the organization uses them as an opportunity to up-sell or cross-sell other products.

CASL does not apply to messages that are sent within an organization or between businesses, where there is an ongoing business relationship and the message pertains to that relationship. CASL also does not apply to any message sent in response to a request or to enforce a legal right or obligation.

Other exemptions include messages sent via closed-messaging systems, messages sent to certain foreign jurisdictions in compliance with their anti-spam laws, and messages sent by a registered charity where the primary purpose of the message is fundraising.

CEMs are excluded from the application of CASL if the sender has a personal relationship with the recipient: for instance, if the individuals have had direct, voluntary, two-way communication.

In addition, there is a one-time exemption for a CEM sent to someone to whom the sender has been referred by a friend or business relation of the recipient.

STEP 2

OBTAIN CONSENT

Under CASL, it is prohibited to send – or cause or permit to be sent – a CEM to an electronic address unless the person to whom the message is sent has consented to its receipt.

Do I have express consent?

Consent from the recipient of the CEM must be express, meaning the recipient has said “yes.” Any request for consent must clearly set out the purposes for which it is being requested and properly identify the requestor. Consent may be obtained orally or in writing, and must include the name of the person seeking consent (or the name by which the person seeking consent carries on business, if different), the mailing address, and either a telephone number providing access to an agent or a voice-messaging system, an e-mail address or a web address of the person seeking consent and a statement indicating the person whose consent is sought can withdraw consent.

An electronic message that contains a request for consent to send a CEM is considered to be a CEM. This means that an organization cannot contact a potential customer by e-mail to obtain express consent, unless there is already an implied consent, as detailed below.

Is consent otherwise implied?

Certain other communications are deemed by CASL to have been consented to by their recipients, including if the sender can show he or she has an existing business or non-business relationship with the recipient that has been active in the last two years, or if the sender has received an inquiry or application within the last six months from the recipient in respect of a potential transaction.

This would mean, for instance, that if a potential customer makes a request for information to a business for one of its products on January 5, the business can send CEMs to the potential customer for six months (i.e., until July 5 of the same year). If this customer purchases something on April 14, 2015, the business has a new period of two years to send CEMs to that customer (i.e., it has implied consent until April 14, 2017). Should the customer purchase another product within this timeframe, this creates a new two-year period to send CEMs to the customer.

This means organizations must ensure that their customer databases keep track of the date of an e-mail transaction or a request for information to be able to benefit from the implied consent under CASL.

Consent would also be implied if the recipient disclosed his or her e-mail address to the sender (for instance, provided a business card), or his or her electronic address is published (for instance, on the business’ website) and there is no statement saying that the person does not wish to be contacted, although the CEM must relate to the recipient’s job or business.

To benefit from implied consent under CASL, an organization will have to show where it got each electronic address, meaning it will need to track how it has obtained consent of each individual to whom CEMs are sent.

Is the message exempt from consent requirements?

Certain types of messages are exempt from consent requirements, meaning that although there is no need to obtain consent before sending them, they still must include content and unsubscribe requirements.

The types of messages exempt from the consent requirement include quotes or estimates, as well as messages that deliver a product, good or service, deliver upgrades, facilitate or confirm a transaction, provide warranty, recall, safety or security information, and give information about ongoing use or ongoing purchases. Messages that provide information about ongoing subscription, membership, accounts, loans or similar employment relationships or benefit plans are also exempt.

STEP 3

INCLUDE PRESCRIBED CONTENT

CASL prescribes mandatory content to be included in each CEM. More specifically, the sender must clearly identify himself or herself, and provide a method for the recipient to readily contact the sender. Moreover, it has to include a working unsubscribe mechanism at no cost, using the same means as the one used to send the CEM, unless it is impracticable to do so.

If the latter, the sender may include either an electronic address or a link to the relevant unsubscribe mechanism. The language used should be as simple as the following: “If you no longer wish to receive marketing offers from ABC, please click unsubscribe or e-mail info@ABCcompany.com.”

Users could also be instructed to reply to a text CEM with the word “unsubscribe” in the subject title.

The unsubscribe mechanism must remain operative for 60 days from the date of the message. The organization may send a confirmation either by e-mail or by website notice that the opt-out message has been received and that the user will be removed from all lists.

STEP 4

HONOUR REMOVAL REQUESTS

Opt-out or unsubscribe requests should be honoured on a timely basis, and if possible, immediately upon receipt of the opt-out request using real-time removal procedures. Under CASL, the CEM sender must ensure an unsubscribe request is in effect no later than 10 business days after it is sent, without any further action required by the person asking to be removed.

Once the organization obtains an opt-out request from a user wishing not to be contacted again by that sender, this request should be valid forever.

STEP 5

ASSESS RISKS, GET READY

The risks for non-compliance with CASL are much more than reputational. Every person who contravenes CASL is liable, resulting in a possible monetary penalty. As such, every organization has an incentive to conduct and undertake compliance assessments of their communication practices before July 1, 2014.

What are the risks?

The maximum penalty for a violation of CASL is $1 million for an individual, and $10 million for any other person. Various factors will be taken into account by the Canadian Radio-television and Telecommunications Commission (CRTC) when determining the penalty, including the nature and scope of the violation, any other CASL violations, any financial benefit the person obtained from committing the violation, the person’s ability to pay the penalty, and whether or not the person voluntarily compensated the person affected by the violation.

CASL also includes a right of private action, which opens the door to potential privacy class actions.

CASL includes directors’ and officers’ liability – an officer, director, agent or mandatary of a corporation that commits a violation is liable for the violation if he or she directed, authorized, assented to, acquiesced in, or participated in the commission of the violation.

Furthermore, under CASL, a person is liable for a violation that is committed by employees acting within the scope of their employment or agents or mandataries acting within the scope of their authority.

This means organizations should ensure that their employees, who may be contacting customers or potential customers – such as those working in marketing or business development departments – receive proper privacy training on CASL.

Getting ready?

Organizations looking to get a head start on compliance with CASL should consider the aforementioned five key steps to ensure they are ready for the new requirements, whether those relate to identifying what messages are covered, obtaining consent or honouring unsubscribe requests.

As well, organizations should develop anti-spam policies, conduct employee privacy and anti-spam training, and avoid illegally collecting and using e-mail addresses.

