canadaantispamlaw

Canada’s new anti-spam law was passed in December 2010 and, following a Governor in Council order, it will enter into force on . Once the law is in force, it will help to protect  Canadians while ensuring that businesses can continue to compete in the global marketplace. On ,sections of the Act related to the unsolicited installation of computer programs or software come into force.

Businesses that violate the new law could face financial penalties of up to $10 million per violation, while individuals could be fined up to $1 million per infraction.

Organizations that don’t comply with CASL risk serious penalties, including criminal charges, civil charges, personal liability for company officers and directors.

In addition to emails, the new law also prohibits businesses from sending unsolicited messages to social media inboxes.

Grace Period for Compliance:

Businesses have a three year grace period after July 1, 2014 to verify and confirm consent to send CEMs, but can still only communicate with recipients with whom they have an existing business relationship (2017). 

When the new law is in force, it will generally prohibit the:

  • sending of commercial electronic messages without the recipient’s consent (permission), including messages to email addresses and social networking accounts, and text messages sent to a cell phone;
  • alteration of transmission data in an electronic message which results in the message being delivered to a different destination without express consent;
  • installation of computer programs without the express consent of the owner of the computer system or its agent, such as an authorized employee;
  • use of false or misleading representations online in the promotion of products or services;
  • collection of personal information through accessing a computer system in violation of federal law (e.g. the Criminal Code of Canada); and
  • collection of electronic addresses by the use of computer programs or the use of such addresses, without permission (address harvesting).

There are three government agencies responsible for enforcement of the law. When the new law is in force, it will allow:

  • The Canadian Radio-television and Telecommunications Commission (CRTC) to issue administrative monetary penalties for violations of the new anti-spam law.
  • The Competition Bureau to seek administrative monetary penalties or criminal sanctions under the Competition Act.
  • The Office of the Privacy Commissioner to exercise new powers under an amended Personal Information Protection and Electronic Documents Act.

How do I obtain consent?

Consent can be obtained either in writing or orally. In either case, the onus is on the person who is sending the message to prove they have obtained consent to send the message.

The CRTC has issued information bulletins to provide guidance and examples of recommended or best practices. Compliance and Enforcement Information Bulletin CRTC 2012-548, among other things, helps explain what information is to be included in a request for consent. The Bulletin also suggests some key considerations that may make tracking or recording consent easier, and therefore, may make it easier to prove consent. They are:

  • whether consent was obtained in writing or orally,
  • when it was obtained,
  • why it was obtained, and
  • the manner in which it was obtained.

The examples provided in the information bulletin are not exhaustive. They are simply examples of recommended or best practices. They may not necessarily be appropriate in every situation. Compliance will be examined on a case-by-case basis in light of the specific circumstances of a given situation.

Source: CRTC

Example of Email to Be Sent Prior to July 1, 2014

Example of Email

Can I use pre-checked boxes in order to obtain express consent?

The manner in which you request express consent cannot presume consent on the part of theend-user. Silence or inaction on the part of the end-user also cannot be construed as providing express consent. For example, a pre-checked box cannot be used, as it assumes consent.

Rather, express consent must be obtained through an opt-in mechanism, as opposed to opt-out.The end-user must take a positive action to indicate their consent. For example, this can be done by providing a blank box which a user can check off to indicate consent.

For more information, please see Compliance and Enforcement Information BulletinCRTC 2012-549 on the use of toggling to obtain express consent.

 

Transition of the Law – What if I gained consent before July 1, 2014?

Knowing that people and businesses may need to change their practices when it comes to sending commercial electronic messages (CEMs), the legislation includes a transitional provision that relates to the consent requirement. There are two types of consent – express and implied. The transitional provision set out in section 66 of CASL applies to implied consent.

Under section 66, consent to send commercial electronic messages (CEMs) is implied for a period of 36 months beginning July 1, 2014, where there is an existing business ornon-business relationship that includes the communication of CEMs. Note however, that this three-year period of implied consent will end if the recipient indicates that they no longer consent to receiving CEMs. During the transitional period, the definitions of existing business and non-business relationships are not subject to the limitation periods that would otherwise be applicable under section 10 of CASL. Businesses and people may take advantage of this transitional period to seek express consent for the continued sending of CEMs.

In contrast, express consent does not expire after a certain period of time has passed. If you obtain valid express consent before July 1, 2014, then that express consent remains valid after the legislation comes into force. It does not expire, until the recipient withdraws their consent.

The Electronic Commerce Protection Regulations (CRTC) Information Bulletin

Information to be included in a CEM (Reg 2)

  • Sender(s) must be identified
    • Including Affiliates
  • CEMs must include the sender’s mailing address
    • Definition
    • Valid for 60 days

This is an example of an unsubscribe mechanism by email. The email says I would like to unsubscribe from receiving: All messages from Company Inc. or, All promotional messages from Company Inc. I will continue to receive notifications consisting of factual information about my account and purchases. At the bottom of the message you may choose to submit your consent.
Form of CEM (Unsubscribe Mechanism) – (Reg 3)

This is an example of an unsubscribe mechanism by text message. The text from Company Inc. says- Special offer! 40% discount on all widgets. Text STOP to unsubscribe. To submit your consent, reply to the text message with the word STOP.
Information to be included in a request for consent – (“sought separately”) – (Reg 4)
This is a webpage that outlines the terms and conditions before download a computer program. The webpage gives you the option of choosing your consent by toggling the boxes beside the following statements: I accept the Terms and Conditions, I agree to the installation of Company Inc.’s Product A software. The function and purpose of Product A are to… To request removal or disabling of this computer program under certain conditions, please contact us at this electronic address. The words ‘certain conditions’ are hyperlinked another webpage where the information can be found, I agree to receive Company Inc.’s newsletter containing news, updates and promotions regarding Company Inc.’s products. You can withdraw your consent at any time. Please refer to our Privacy Policy or Contact Us for more details. The words ‘Privacy Policy’ and ‘Contact us’ are hyperlinked another webpage where the information can be found.
This is a webpage access by a mobile device and gives you the option of choosing your consent by toggling the boxes beside the following statements: I consent to the Terms and Conditions of sale. The words ‘Terms and Conditions’ are hyperlinked another webpage where the information can be found, I consent to the installation of Company Inc.’s Product A application. The function and purpose of Product A are to… To request removal or disabling of this computer program under certain conditions, please contact us at this electronic address. The words ‘certain conditions’ and ‘electronic address’ are hyperlinked another webpage where the information can be found, I consent to receiving promotional message from Company Inc. about its products and services. You can withdraw your consent at any time.<br />
Below the toggling boxes it says “See our Privacy Policy or Contact us for more information.” The words ‘Privacy Policy’ and ‘Contact us’ are hyperlinked another webpage where the information can be found. Once you have given your consent to the installation of the application by toggling the second box, you may click on the install button at the bottom of the page, or select close.
Specify functions of computer programs (Reg 5)
This is a webpage accessed on a mobile device that explains the function of a computer program and asks consent for it to be installed. By toggling the two boxes, the computer program may be installed. The webpage says:<br />
Clicking on the INSTALL button will install Company Inc.’s Product A application. The function and purpose of Product A are to. The Product A app will cause my mobile device to communication with Company Inc.’s server automatically in order to record my consent and to record usage metrics. You can withdraw your consent in the future. To request removal or disabling of this computer program under certain conditions, please contact us at this electronic address.  The words ‘certain conditions’ and ‘electronic address’ are hyperlinked another webpage where the information can be found. See our Privacy Policy or Contact us for more information. The words ‘Privacy Policy’ and ‘Contact us’ are hyperlinked another webpage where the information can be found. You may confirm your consent by toggling the boxes beside the following statements: I have read, understand and consent to the above, I consent to the license agreement. The words ‘license agreement are hyperlinked another webpage where the information can be found. Once both the toggling boxes have been checked, you may click install or choose to close.

Use of Toggling Information Bulletin

What is Toggling?
The first message is not compliant because the toggling box is pre-checked. It says “you are about to purchase Product A for $10.00.” The toggling box is pre-checked and says “I agree to receive Company Inc.’s newsletter containing news, updates and promotions regarding Company Inc.’s products. You can withdraw your consent at any time.” “Please refer to our Privacy Policy or Contact us for more details.” The words ‘Privacy Policy’ and ‘Contact us’ are hyperlinked another webpage where the information can be found. At the bottom of the message you have the option of clicking Back or Confirm Purchase.
The second message is compliant and says “you are about to purchase Product A for $10.00.”The toggling box is not checked and says “I agree to receive Company Inc.’s newsletter containing news, updates and promotions regarding Company Inc.’s products. You can withdraw your consent at any time.” “Please refer to our Privacy Policy or Contact us for more details.” The words ‘Privacy Policy’ and ‘Contact us’ are hyperlinked another webpage where the information can be found. At the bottom of the message you have the option of clicking Back or Confirm Purchase.
The third message is compliant and says “All products 40% off for a limited time only! Enter your email below to receive Company Inc.’s newsletter containing news, updates and promotions regarding Company Inc.’s products. You can withdraw your consent at any time. Please refer to our Privacy Policy or Contact us for more details.” The words ‘Privacy Policy’ and ‘Contact us’ are hyperlinked another webpage where the information can be found. At the bottom of the message you have the option of entering your email address and clicking submit.

Additional Guidance Material

Personal and Family Relationships

  • Section 6 of CASL does not apply to a CEM sent to an individual with whom the sender has a “personal or family relationship”, as defined in paragraph 2(b) of the GiC Regulations.
  • A “personal relationship” involves direct, voluntary, 2-way communication.
    • In each case, the non-exhaustive list of factors set out in paragraph 2(b) (e.g. sharing of interests, frequency of the communication, etc.) will be taken into consideration.
  • As explained in the RIAS, the definition of “personal relationship” should remain limited to close relationships.
    • The purpose is to establish limits and prevent potential spammers from exploiting this concept in order to send CEMs without consent.
  • A “personal relationship” is one that exists between individuals.
    • Legal entities, such as a corporation, cannot have a personal relationship. Someone who sends a CEM on behalf of a corporation may not claim to have a personal relationship with the recipient.

Express consent obtained prior to CASL

  • If you obtained valid express consent prior to CASL coming into force, you will be able to continue to rely on that express consent even if your request did not contain the requisite identification and contact information
  • All CEMs sent after CASL comes into force must contain the requisite information, meet all form requirements and contain an unsubscribe mechanism
  • CASL requires the sender to prove having obtained valid express consent.

Transitional period for implied consent

  • Section 66 deems implied consent for a period of 36 months (unless the recipient withdraws consent earlier)
  • There must be an existing business relationship or existing non-business relationship
  • The relationship must include the communication via CEMs
  • During the transition period, the definition of existing business relationship and non-business relationship is not subject to the limitation periods (6 months and 2 years) that would otherwise be applicable under CASL, for implied consent to exist.

Business to Business

  • Commercial electronic messages (CEMs) sent by an employee, representative, consultant or franchisee of an organization to:
    • Another employee, representative, consultant or franchisee of the organization
      • Message must concern the activities of the organization
    • An employee, representative, consultant or franchisee of another organization
      • The organizations must have a relationship; and
      • Message must concern the activities of the organization to which the message is sent
  • Consent not required to send the CEM
  • No requirement to add information requirements, and an unsubscribe mechanism to the CEM

Content Credit: This content is dirctly sourced from http://fightspam.gc.ca/eic/site/030.nsf/eng/home

If you need further information please take a look at their question and answer section.

Watch a detailed presentation on Canada’s anti-spam legislation.

A detailed presentation on Canada’s anti-spam legislation.
Transcript

Presentation

Download the presentation given at the information sessions.