Canada's Anti-Spam Legislation - Are you ready?

Bill C-28, Canada's Anti-Spam Legislation (or "CASL", formerly known as the Electronic Commerce Protection Act and the Fighting Internet and Wireless Spam Act), which was passed on December 15, 2010, will come into force some time later in 2012.

CASL is intended to foster the growth of electronic commerce by deterring certain practices that undermine the value of the internet as a medium for commerce. The legislation establishes rules for the sending of commercial electronic messages, the installation of computer programs, and prohibits the unauthorized alteration of transmission data.

The Competition Act has also been amended to prohibit false or misleading representations in the sending of a CEM, whether it be in the content, subject line, or sender information of a message.

Related amendments to the Personal Information Protection and Electronic Documents Act ("PIPEDA") address the use of address harvesting and dictionary attacks - two techniques commonly employed by  spammers to automatically collect and generate electronic addresses. In addition, PIPEDA expressly prohibits the use of computer programs to surreptitiously collect personal information from a computer program.

CASL establishes new enforcement powers, including the ability to impose administrative monetary penalties, as well as a private right of action.

The following provides a brief overview of the main requirements and penalties under the legislation.

Commercial electronic messages

CASL establishes rules for the sending of a commercial electronic message ("CEM"). CASL applies to all forms of electronic messaging, including email, SMS text messages, and messages sent via social networking. The CEM regime applies broadly to any CEM that is sent from or accessed by a computer system located in Canada. The Act therefore applies to marketers who send from Canada, as well as to marketers who send messages into Canada from other countries.

There are three primary rules when sending a CEM: consent, identification, and unsubscribe.

1. Consent

The default rule is that consent from the recipient must be obtained before a CEM is sent. 

There are, however, a number of exceptions to the need for consent. Consent is not needed if the message:

  • is sent to someone with whom the sender has a personal or family relationship;
  • is an inquiry about a product or service offered by the recipient;
  • provides a quotes or estimate, if requested;
  • facilitates a commercial transaction;
  • provides warranty or safety information;
  • provides information about an ongoing subscription, membership, etc.;
  • provides information related to an employment relationship or benefit plan; or,
  • delivers a good or service.

Consent may also be implied in any of the following four circumstances:

  • the sender and recipient have an existing business relationship;
  • the sender and recipient have an existing non-business relationship;
  • the recipient has conspicuously published their electronic address (e.g., on a website), has not expressly stated that they do not wish to receive unsolicited messages, and the message is related to the recipient's professional capacity; or,
  • the recipient has disclosed their electronic address directly to the sender, has not expressly stated that they do not wish to receive unsolicited messages, and the message is related to the recipient's professional capacity.

2. Identification

Senders are required to clearly identify themselves. If the message is sent on behalf of another person, that person must be identified as well.

3. Unsubscribe mechanism

Every CEM must contain a functional unsubscribe mechanism that enables the recipient to unsubscribe, at no cost. Unsubscribe requests must be processed immediately.

Installation of computer programs

CASL also establishes rules for the installation of computer programs onto a computer system. Most importantly, CASL requires that all computer programs be installed only with prior express consent of the owner or authorized user of the computer system.

CASL deems consent to have been given in the program is

  • a cookie;
  • HTML code;
  • Java Scripts;
  • an operating system; or,
  • any other program that functions only with the use of another computer program that was previously installed with express consent; and,

it is reasonable to believe that the person has consented to the installation based on their conduct.

Consent is not required for updates or upgrades where:

  • the original program was installed with express consent;
  • the terms agreed to when the user originally provided express notified the individual that they would be entitled to receive an update or upgrade in the future; and,
  • the upgrade is installed in accordance with those terms.

Finally, additional requirements apply when installing a computer program that performs any of the following functions:

  • collecting personal information stored on the computer system;
  • interfering with the user’s control of the computer system;
  • changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the user;
  • changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the user;
  • causing the computer system to communicate with another computer system, or other device, without the authorization of the user; or,
  • installing a computer program that may be activated by a third party without the knowledge of the user.

If the program performs any of these functions, the fuction(s) must be brought to the explicit attention of the computer user, and the user must be provided with assistance in removing the program if the user believes that the program was inaccurately described.

Unauthorized alteration of transmission data

CASL prohibits the unauthorized alteration of transmission data. This is intended to address issues such as 'pharming', which involves the use of technical measures to redirect a person from an intended website to a fraudulent version of that website.

This prohibition does not apply to telecommunications service providers where an alteration is made for the purposes of network management.

Penalties and enforcement

CASL is enforced by the Canadian Radio-television and Telecommunications Commission ("CRTC"). Related amendments to the Competition Act and PIPEDA are enforced by the Competition Bureau and the Office of the Privacy Commissioner of Canada ("OPC") respectively.

The CRTC has the ability to impose administrative monetary penalties for violations of CASL of up to $1 million per violation for individuals, and $10 million per violation for other persons (e.g., businesses).

CASL also includes a private right of action, which allows any person affected by a violation of CASL and related amendments to PIPEDA and the Competition Act to sue for actual and/or statutory damages. 

How we can help

With extensive experience in anti-spam, privacy, electronic commerce, competition and advertising law, nNovation LLP is well-positioned to provide practical advice in navigating the various requirements of CASL and related legislation. We offer a range of services, including:

  • a comprehensive approach to compliance that addresses all process-related aspects of e-marketing campaigns, from list-building to deployment;
  • ensuring that message content is neither false nor misleading according to Canadian legal standards;
  • limiting the risk of liability for marketing agencies and email service providers;
  • advising software developers and marketers on how to obtain proper consent when installing computer programs;
  • acting on behalf of organizations who are affected by a breach of CASL and related legislation;
  • interfacing with enforcement agencies on behalf of clients who commit honest mistakes in order to limit exposure to penalties.

While the penalties under CASL are potentially significant, organizations do not need to afraid to continue to engage in electronic marketing campaigns to reach out to customers. In many cases, only minor changes to existing practices may be necessary, if any. Let us assist you in developing marketing campaigns that are CASL-compliant.

Please contact us if you have any questions.

 

March 14, 2012 - CRTC responds to stakeholder concerns with final regulations under CASL

Bill C-28, Canada's Anti-Spam Legislation (or "CASL", formerly known as the Electronic Commerce Protection Act and the Fighting Internet and Wireless Spam Act), which was passed on December 15, 2010, will come into force some time later in 2012.

CASL is intended to foster the growth of electronic commerce by deterring certain practices that undermine the value of the internet as a medium for commerce. The legislation establishes rules for the sending of commercial electronic messages, the installation of computer programs, and prohibits the unauthorized alteration of transmission data.

The Competition Act has also been amended to prohibit false or misleading representations in the sending of a CEM, whether it be in the content, subject line, or sender information of a message.

Related amendments to the Personal Information Protection and Electronic Documents Act ("PIPEDA") address the use of address harvesting and dictionary attacks - two techniques commonly employed by  spammers to automatically collect and generate electronic addresses. In addition, PIPEDA expressly prohibits the use of computer programs to surreptitiously collect personal information from a computer program.

CASL establishes new enforcement powers, including the ability to impose administrative monetary penalties, as well as a private right of action.

The following provides a brief overview of the main requirements and penalties under the legislation.

Commercial electronic messages

CASL establishes rules for the sending of a commercial electronic message ("CEM"). CASL applies to all forms of electronic messaging, including email, SMS text messages, and messages sent via social networking. The CEM regime applies broadly to any CEM that is sent from or accessed by a computer system located in Canada. The Act therefore applies to marketers who send from Canada, as well as to marketers who send messages into Canada from other countries.

There are three primary rules when sending a CEM: consent, identification, and unsubscribe.

1. Consent

The default rule is that consent from the recipient must be obtained before a CEM is sent. 

There are, however, a number of exceptions to the need for consent. Consent is not needed if the message:

  • is sent to someone with whom the sender has a personal or family relationship;
  • is an inquiry about a product or service offered by the recipient;
  • provides a quotes or estimate, if requested;
  • facilitates a commercial transaction;
  • provides warranty or safety information;
  • provides information about an ongoing subscription, membership, etc.;
  • provides information related to an employment relationship or benefit plan; or,
  • delivers a good or service.

Consent may also be implied in any of the following four circumstances:

  • the sender and recipient have an existing business relationship;
  • the sender and recipient have an existing non-business relationship;
  • the recipient has conspicuously published their electronic address (e.g., on a website), has not expressly stated that they do not wish to receive unsolicited messages, and the message is related to the recipient's professional capacity; or,
  • the recipient has disclosed their electronic address directly to the sender, has not expressly stated that they do not wish to receive unsolicited messages, and the message is related to the recipient's professional capacity.

2. Identification

Senders are required to clearly identify themselves. If the message is sent on behalf of another person, that person must be identified as well.

3. Unsubscribe mechanism

Every CEM must contain a functional unsubscribe mechanism that enables the recipient to unsubscribe, at no cost. Unsubscribe requests must be processed immediately.

Installation of computer programs

CASL also establishes rules for the installation of computer programs onto a computer system. Most importantly, CASL requires that all computer programs be installed only with prior express consent of the owner or authorized user of the computer system.

CASL deems consent to have been given in the program is

  • a cookie;
  • HTML code;
  • Java Scripts;
  • an operating system; or,
  • any other program that functions only with the use of another computer program that was previously installed with express consent; and,

it is reasonable to believe that the person has consented to the installation based on their conduct.

Consent is not required for updates or upgrades where:

  • the original program was installed with express consent;
  • the terms agreed to when the user originally provided express notified the individual that they would be entitled to receive an update or upgrade in the future; and,
  • the upgrade is installed in accordance with those terms.

Finally, additional requirements apply when installing a computer program that performs any of the following functions:

  • collecting personal information stored on the computer system;
  • interfering with the user’s control of the computer system;
  • changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the user;
  • changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the user;
  • causing the computer system to communicate with another computer system, or other device, without the authorization of the user; or,
  • installing a computer program that may be activated by a third party without the knowledge of the user.

If the program performs any of these functions, the fuction(s) must be brought to the explicit attention of the computer user, and the user must be provided with assistance in removing the program if the user believes that the program was inaccurately described.

Unauthorized alteration of transmission data

CASL prohibits the unauthorized alteration of transmission data. This is intended to address issues such as 'pharming', which involves the use of technical measures to redirect a person from an intended website to a fraudulent version of that website.

This prohibition does not apply to telecommunications service providers where an alteration is made for the purposes of network management.

Penalties and enforcement

CASL is enforced by the Canadian Radio-television and Telecommunications Commission ("CRTC"). Related amendments to the Competition Act and PIPEDA are enforced by the Competition Bureau and the Office of the Privacy Commissioner of Canada ("OPC") respectively.

The CRTC has the ability to impose administrative monetary penalties for violations of CASL of up to $1 million per violation for individuals, and $10 million per violation for other persons (e.g., businesses).

CASL also includes a private right of action, which allows any person affected by a violation of CASL and related amendments to PIPEDA and the Competition Act to sue for actual and/or statutory damages. 

How we can help

With extensive experience in anti-spam, privacy, electronic commerce, competition and advertising law, nNovation LLP is well-positioned to provide practical advice in navigating the various requirements of CASL and related legislation. We offer a range of services, including:

  • a comprehensive approach to compliance that addresses all process-related aspects of e-marketing campaigns, from list-building to deployment;
  • ensuring that message content is neither false nor misleading according to Canadian legal standards;
  • limiting the risk of liability for marketing agencies and email service providers;
  • advising software developers and marketers on how to obtain proper consent when installing computer programs;
  • acting on behalf of organizations who are affected by a breach of CASL and related legislation;
  • interfacing with enforcement agencies on behalf of clients who commit honest mistakes in order to limit exposure to penalties.

While the penalties under CASL are potentially significant, organizations do not need to afraid to continue to engage in electronic marketing campaigns to reach out to customers. In many cases, only minor changes to existing practices may be necessary, if any. Let us assist you in developing marketing campaigns that are CASL-compliant.

Please contact us if you have any questions.