Bill C-28, labelled as Canada’s Anti-Spam Legislation (CASL), was passed in 2010 and goes into effect on July 1, 2014. You need to be ready, as it WILL affect the way most people do business in Canada. Here is what you need to know:
What does it regulate?
This bill regulates a broad range of activities that relate to sending Commercial Electronic Messages (or CEMs). A CEM is any electronic message, which includes but is not limited to email, texts, instant messages, social media direct messages or any other similar means of communication. In its broadest scope, it is meant to regulate activities associated with spam messages, hacking, malware, spyware, phishing, fraudulent/misleading practices, electronic privacy invasion and/or the harvesting of emails without consent. The CRTC will be the main body involved with regulation and enforcement, but the Competition Bureau and the Office of the Privacy Commissioner will be involved as well.
The underlying principle is that a business is required to have consent in order to send CEMs to individuals or organizations.
What is a CEM?
A Commercial Electronic Message is any electronic message that encourages a person or organization to participate in a commercial activity such as: an offer to purchase, sell or lease goods, services, investments or gaming opportunities. A CEM must include the following information at a minimum:
- Identifying information for the sender
- A means to contact the sender
- A method to opt out or unsubscribe. There are specific rules laid out in the regulation that govern how the unsubscribe mechanism must be set up.
What does “consent” mean for CEMs?
Senders are prohibited from sending CEMs to an electronic address unless they first receive consent and the message includes certain prescribed information. There are two types of consent defined:
Express – Where there is proof that the sender has obtained consent from the recipient either orally or in writing. A request for consent must include at a minimum: full identification of the sender, contact information and a statement that the person can withdraw consent.
Implied – Where there is an existing business relationship or existing personal relationship. Implied consent also exists if the recipient conspicuously publishes their electronic address (i.e. on their website) and hasn’t indicated a desire to not receive unsolicited CEMs. Regardless, the message must be relevant to the recipient’s business role.
How is an “existing business relationship” defined?
Within the past 2 years prior to sending the CEM, the recipient:
- purchased/leased a product, goods, service or investment from the sender
- entered into a contract with the sender not listed above
- inquired about one of the above items in the prior 6 months
It is up to the sender to prove consent!
Who is Exempt? What is Exempt?
Family and Personal Relationships – check out the legislation for details of what this means.
Existing non-business relationship – Certain non-business relationships are exempt from the rules, such as senders who are registered charities, or political parties/candidates; however, the recipient must have made a donation or volunteered within the last 2 years. CEMs sent by membership clubs are also exempt where the recipient has been a member for 2 preceding years.
Third Party referral Exemption – check out the legislation for details of what this means.
What are the potential penalties for noncompliance?
- Individuals – fines up to $1 million/violation
- Corporations – fines up to $10 million/violation
- Private rights of action by anyone affected by the noncompliance of $200/message/day (up to a maximum of $1 million)
- Risk of class action
- This Bill is currently touted as the strictest regulation in the world
Wow, this is a lot to absorb! What should I do?
First, this is a short summary of the CASL legislation. It is not meant as a comprehensive look at the entire spectrum of the bill, the rights involved or the penalties of noncompliance. You should educate yourself on what is involved. HLB makes no claim to the accuracy of the information listed here. There are plenty of firms (often lawyers) offering consulting services on this regulation. In order to self-educate and prepare for conversations related to CASL, you should:
- audit your business on all CEMs (including 3rd parties)
- develop consent/opt-in mechanisms
- develop CASL compliant CEM templates
- record evidence of express consent obtained
The onus is on the sender to prove compliance. You should START NOW!
What are some links to more information?
- Government of Canada - www.fightspam.gc.ca
- CRTC - https://www.crtc.gc.ca/eng/casl-lcap.htm
- Canadian Chamber of Commerce - https://www.chamber.ca/resources/casl/