Last Wednesday, the government announced that Bill C-28, aka Canada’s Anti-Spam law, aka CASL, aka “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act” (no really that’s its official title, click the link) will come into force July 1, 2014, thus putting an end to spam in Canada forever. Or something like that.
It’s no secret that I am not particularly a fan of CASL. I have called it a joke, and for what I thought were good reasons. I still believe they are good reasons. And if the Canadian government thinks this will put an end to spam, they are sorely mistaken. Here’s a quote from the government press release:
It protects lawful businesses and consumers from the bad actors ruinously abusing the online experience of millions by putting a stop to email spam and all types of messaging abuse
HAHAHAHA. Good one. Here’s another good one:
Internet users and honest businesses will welcome the opportunity to clean up email
I know several “honest businesses”. Really! Some of them are even clients. And frankly, they do not welcome this at all. Getting compliant with CASL is going to make their lives quite difficult between now and July 1, 2014.
But no use crying over spilled milk! The law will be the law in 204 days. So you better know what’s in it. I rarely do “actual legal information” posts, because I prefer snarky reaction to internet law news or reporting on fun and / or important court cases (with snark). But if you use email to market anything, and you send to Canadian recipients (whether as a Canadian or foreign company), you are going to have to know about this law. So as a public service, here goes with the information. Regular readers who love my snark and are just going about their daily lives without sending marketing emails can go away now, I won’t be offended. For the rest of you, here is a handy FAQ. Oh who am I kidding; it will be an FAQ with snark.
What does this law cover?
The sending of “commercial electronic messages” (CEMs). A CEM is an electronic message that “encourages participation in a commercial activity, regardless of whether there is an expectation of profit.” That includes emails, but also text messages. There was a fear for a while that it would include Twitter, Facebook, or other social media messages, but the government says they are not because they are not sent to a particular electronic address. We’re not so sure about that.
That definition of CEM seems ridiculously vague. Is it?
Yes. Yes it is.
Does CASL cover anything else?
Yes! There are whole bits about not altering electronic communications in transit and not installing computer programs without permission (i.e. adware and malware and that horrible Ask.com toolbar). But that stuff isn’t as sexy as spam, and the malware provisions don’t come into force until January 15, 2015, so we’ll just ignore that stuff for now.
If I want to send a CEM, what do I have to do?
You have to ensure that the recipient has consented to receive it. This consent can be express or implied.
Yes, your CEM has to include the following information: name and contact info of the person sending the CEM, and the name and contact info of someone sending the email on behalf of someone else (if applicable). The CEM must also have an unsubscribe mechanism using electronic means (at no cost to the recipient) and have a link to a web page to unsubscribe.
Wait, can you go back to that express or implied consent business? WTF does that mean?
Sure, sorry to have buried the lede there. Express consent is pretty easy to define – someone tells you expressly they want to receive a CEM from you, by for example clicking a box saying “I want to receive news and offers from Company X”. Implied consent is a little more complicated, so let’s go to the law:
10. (9) Consent is implied (…) if
(a) the person who sends the message, the person who causes it to be sent or the person who permits it to be sent has an existing business relationship or an existing non-business relationship with the person to whom it is sent
Yes, the bolded part is the important part. Do I know what a business relationship is? Fuck and no. But the government tries to define it, in the section right after. Basically buying or leasing something from the business in the last two years, or accepting an investment or business opportunity, or if there is some sort of contractual relationship. You know, business. A “non-business relationship” is also defined, as making a donation or volunteering for a non-profit, or being a member of a club or association.
There are other ways to have implied consent. Basically if the recipient publishes their electronic address, or gives it to you, and they never say “I don’t want to receive a CEM” and the CEM is relevant to the recipient’s “business, role, functions or duties in a business or official capacity”, whatever that means, you’ve got your implied consent.
Are there exemptions for certain kinds of CEMs or certain organizations?
Yes, many! There are all sorts of situations where you don’t need to have consent, or where CASL just won’t apply. There are so many, we’ll have to go to the bullet list:
- B2B Communications. CEMs within an organization are exempt. CEMs between organizations are exempt if (I repeat, IF) the two organizations have a “relationship” (again, whatever that means), and the CEM “concerns the activities of the organization to which the message is sent”;
- CEMs sent “in response to complaints, inquiries, and requests”;
- The message is sent by a registered charity for the purposes of fundraising;
- The message is sent by a political party or candidate seeking to raise funds;
- The message is sent by a “club, association or voluntary organization” to its members;
- There is a family relationship between the sender and recipient;
- The CEM is sent as a result of a third-party referral, IF the person sending the CEM discloses in the CEM who the third party is who made the referral, AND the third-party referrer has an existing personal or family or business relationship with both the sender and the recipient of the CEM.
There are plenty more! Most of them are pretty useless, and kind of convoluted. I love this one for example:
3. Section 6 of the Act [ed.’s note: Section 6 is the main section about consent and form requirements for CEMs] does not apply to a commercial electronic message
(c) that is sent to a person
(ii) to provide notice of an existing or pending right, legal or juridical obligation, court order, judgment or tariff
Do you see the problem here? How can a message about a court order or some other judicial right be “commercial” in nature in the first place? You’ve exempted something that didn’t need exempting! This Act is all sorts of F’ed up. Whoops sorry, we’ve gotten away from the purely informational nature of this post…
What happens if I don’t comply with CASL?
You will be in trouble! More importantly, you will lose a lot of money. The Act provides for fines for up to $1 million for individuals and $10 million for organizations. Also, recipients of CEMs who didn’t consent will be able to sue you, though this right to sue is delayed until 2017.
Any other fun tidbits in CASL I should know about?
Sure I guess. One of the fun things is that the burden of proof is on the sender of the CEM. When they come after you, it will be up to you to prove that you had consent to send the CEM. Also, justices of the peace will have authority to issue warrants to have the authorities come into your place of business to determine if you are complying with CASL. That will be fun!
So what do I do now?
No seriously, what do I do now?
Take a deep breath. You’ve got 204 days to prepare. Then panic, because 204 days is really not a lot of time. Here’s some practical advice*:
- Determine the nature of your existing mailing lists. How were they compiled? If they were just cobbled together from assorted sources, you’re going to have to get consent from all those recipients somehow;
- Make sure all your sign-ups are opt-in, and you specify what kind of messages (commercial ones!) you will be sending in the future;
- Keep good records of these new consents;
- Make sure you understand what needs to be in your future CEMs as of July 1, 2014;
- I hate to write this because it makes me look like a dick, but consult an attorney!
*not official legal advice, so you can’t sue me ;)
Where can I get more info?
The Government of Canada has set up a spiffy new website, Fightspam.gc.ca, to answer all your questions. It contains a comprehensive guide for businesses with very helpful step by step instructions as to how to comply with CASL. HAHAHAHA. No it does not. It has absolutely nothing for businesses wanting to comply. It’s completely useless. The government is leaving it to the lawyers I guess.