Canada’s anti-spam legislation (“CASL”) came into effect on July 1, 2014 and applies to all for-profit and non-profit organizations in Canada. Since this legislation came into effect, provisions have been implemented on an ongoing basis. For instance, rules regarding the installation of computer programs (anti-malware provisions) came into force January 15, 2015, and requirements surrounding a private right of action were due to come into effect July 1, 2017.
In a last-minute announcement in June, the Government of Canada suspended the provisions allowing for a private right of action in response to widespread concerns by business and non-profit organizations who would be at considerable risk of legal action for perceived violations of CASL.
These rules allowing for a private right of action would have allowed individuals to pursue legal action against any individual or organization that they felt violated CASL through either an act or omission. Affected individuals would have had the ability to bring an action against an organization, its directors, officers and agents and pursue compensatory and statutory damages.
These provisions were suspended pending a parliamentary review to ensure that the interests of consumers and their right to privacy were balanced with the rights of business, charities or non-profits. On one side, consumers deserve the protection CASL affords from businesses sharing or selling personal contact information without authorization and an avenue of recourse if consumers are adversely affected by a breach of CASL. On the other side, there remain concerns that the private right to action provisions are too onerous for businesses and non-profit groups and have the potential to place undue cost and burden on them as they work toward maintaining compliance with the legislation.
While this review is underway, businesses, charities and non-profit organizations should take this opportunity to review their anti-spam compliance policies and ensure their IT communications are in line with the requirements of CASL.
IT Requirements of CASL
CASL prohibits organizations from sending out Commercial Electronic Messages (e.g. emails where some if not all of its purpose is to encourage participation in commercial activities) without: first obtaining the recipient’s consent, presenting opt-out requirements and highlighting
“cookie” notifications.
When obtaining consent, a client must provide express consent to receive the electronic messaging and must choose to opt-in to the messaging. This consent can be provided in writing and should be documented. Requests for consent must also identify that consent can be withdrawn.
Messaging must contain the identity of the sender with contact details, and include an unsubscribe function that allows a quick, easy and no-cost mechanism to unsubscribe to the mailing list. Once a request to unsubscribe is received, it must be acted upon without delay.
“Cookie” notifications refer to data stored on a client’s computer that can be used by a service to track visits and activities. Organizations can only install cookies on client computers if users are first notified and afforded the opportunity to opt-out.
A final area of note regarding CASL is the importance of record keeping. Organizations should ensure records are kept regarding any commercial electronic messaging they send out in order to respond to client concerns. Records should also be kept of all unsubscribe requests and actions and evidence of express consent for those who agree to be part of that mailing list. This will help ensure compliance with CASL and prepare organizations pending the outcome of the parliamentary review on private rights of action.
For more information, please see the Government of Canada’s website on CASL: fightspam.gc.ca.