The law known as “Canada’s Anti-Spam Law” (CASL) came into force on July 1, 2014, and that deceptively narrow nickname1 has unfortunately remained, masking its surprisingly pervasive scope. CASL does not only target “spammers,” as commonly understood (such as duplicitous click-baiters, shotgun marketers or peddlers of illicit goods or schemes). Rather, it applies broadly in electronic commerce, not just to sophisticated or malicious electronic messaging campaigns, but even to single messages or interactions. CASL violations carry the potential for extraordinary penalties of up to $10 million, directors’ and officers’ liability, CRTC regulatory oversight and, as of July 2017, a private right of action bringing with it class action litigation. This underscores the need for careful CASL analysis within each organization, regardless of size or reach.
The “anti-spam” arm of CASL prohibits sending electronic messages whose purpose, wholly or partly, encourages participation in commercial activity (“commercial electronic messages” or CEMs) without both certain content and the recipient’s prior consent. Ensuring CASL-compliant content is important, but basically intuitive. Thus, it is CASL’s consent requirement that requires more attention, particularly because of the unexpected breadth of CASL’s application. Essentially, a recipient’s consent must be either “express” or “implied,” neither of which can be properly interpreted without a close look at CASL’s narrow definitions and exceptions. In fact, the CRTC recently noted that in its investigations, businesses often cannot prove they have consent to send the CEM in question, despite CASL placing that onus on senders.2
Express consent is collected in a prescribed manner (interestingly, messages to collect consent are themselves CEMs requiring consent). Such consent must be collected directly, clearly and separately, not via language buried in form contracts. Implied consent and exceptions are narrowly-scoped and often time-limited under CASL, despite what casual interpretation might infer. For example, implied consent can arise from “existing business relationships,” such as purchasing goods from the sender within the past two years (making this consent difficult to use long-term), and even if a potential recipient gives a business card to a prospective sender, CASL only implies consent for a CEM that itself is relevant to the former’s role or duties (preventing the usefulness of this consent for general mailing lists unless such relevance is guaranteed for all CEMs).
This makes properly-collected express consent – clear and, until the recipient unsubscribes, everlasting – the best choice under the CASL regime. Indeed, a practical compliance technique, for those without sophisticated consent tracking tools, is to rely heavily on express consent, using implied consent windows to collect express consent instead of using implied consent as the substantive basis to send most CEMs.
Organizations must consider cataloguing and understanding their electronic interactions that may be regulated by CASL, and maintaining evidence of consent (e.g. audio recordings of oral consent, signed consent forms, recorded dates of transactions and documented procedures). Most importantly, and as recommended by the CRTC in its published guidance3 – organizations should implement, update and enforce policies that frame and document CASL (including collection and evidence of consent) in the specific business context of that organization. Taking these steps can help establish due diligence, a statutory CASL defence, to counter potential CASL violations.
CASL’s complexity makes it difficult to prevent all violations, so understanding it and identifying potential compliance issues within the organizational context is critical. An organization that assumes that CASL does not apply – whether to the organization generally or to any of its particular electronic interactions – could be making a costly mistake, particularly in light of CASL’s impending private right of action.
1-3 Click on footnote numbers above for more information.