Area of Law: Internet and Cyber Law
Answer # 345
Is spam email legal? Canada’s Anti-Spam Legislation (CASL)Region: Ontario Answer # 345
What is CASL?
Spam is the phrase applied generally to any unwanted email. In the same way as paper-based flyers and advertisements might be considered junk mail, spam is the electronic equivalent. Until recently, most spam was not illegal in Canada nor could you do much to stop it arriving in your email inbox. However, on July 1st, 2014 Canada’s Anti-Spam Legislation (CASL) came into force. CASL is federal legislation that applies across Canada. Its purpose is to help protect Canadians while ensuring that businesses can continue to compete in the global marketplace.
This law directly impacts the ability of businesses to send commercial electronic messages (CEM) to customers, clients and even to other businesses. This not only includes emails, but also instant messages, text messages, and some social media communication. The CEM is defined as an electronic message whose purpose is to encourage commercial activity. That would include something involving a purchase, sale, barter or lease of goods or services. It would also include an offer to provide a business or an investment opportunity, and all advertising and promotion in that regard.
How to comply with CASL – obtain consent
In order to send CEMs legally, the sender must first obtain consent from the recipient. Consent can be obtained directly, called express consent, through an opt-in; or indirectly, through implied consent.
Express consent means that a person has clearly agreed, either orally or in writing, to receive a CEM. Unless the recipient withdraws his or her consent, express consent is not time-limited.
In order to comply with the rules regarding obtaining express consent, organizations should follow a number of steps before sending communications.
In particular, the communication should:
- ask for permission to send future electronic messages, and
- show that the recipient can easily unsubscribe at any time, preferably with one click
Under the new legislation, businesses are able to rely on implied consent to send emails where:
- there is an existing business relationship, or
- goods or services were purchased in the previous 2 years, or
- the recipient has entered a written contract that expired within the previous two years, or
- the recipient has accepted a business opportunity within the previous two years.
The law also permits businesses to send commercial messages to recipients who have published or provided their electronic address without stating that they do not wish to receive messages, if the message is relevant to their business or professional role.
There are also categories of implied consent within an already existing, non business relationship. These might include a donation, a membership in a club, or a volunteer activity. For example, if you received a business card from someone, it is likely an implied consent to send them a CEM.
End of the three-year implied consent transition rule for existing customers
On July 1, 2017 the implied business consent transition rule for CASL expired. The rule allowed for a three-year transitional period that allowed businesses to acquire consent from customers. Specifically, the rule provided the sender an implied consent where the sender had both:
(i) done business with the recipient at any time prior to July 1, 2014 and
(ii) had sent that party at least two electronic messages before that same date.
What information should be included in a CEM?
In order to comply with CASL, a CEM must contain the following information:
- the sender’s full name, or business name if different from sender’s name, and the name of any other business or person on whose behalf the sender is sending the message,
- the sender’s mailing address,
- one of the following: a valid email address, phone number, or web address (each must be valid for at least 6 months from the date of sending), and
- an ability to unsubscribe to the electronic message.
As it is up to the sender to prove consent was obtained, businesses should always keep a record of what type of consent, implied or express, was obtained.
Exemptions from compliance with CASL include CEMs:
- relating to a family or personal relationship,
- where a business responds to direct inquiries, requests or complaints,
- within an organization, or between organizations that already have an existing relationship,
- with a legal or judicial obligation attached to them,
- sent by, or on behalf of, a registered charity or for fundraising purposes, or
- sent by a political party, or organization.
In short, a CEM can be sent, if it applies to an existing transaction, relates to factual information about an ongoing account, relates to employment information, or deals with personal or family relationships. How does one deal with referrals? Referrals can be tricky under CASL. The person who gave the referral must have an existing relationship with the person to whom you intend to send the CEM. The CEM must include the full name of the person giving the referral and disclose that the CEM is being sent as a direct result of the referral.
Data and computer programs
The legislation prohibits the alteration of transmission of data in CEM’s without consent, and prohibits the installation of computer programs in the course of commercial activities without consent. The consents must be separate for each specific purpose. So, for example, if you want to install a geo-locator, that requires a specific consent and also a separate consent from a licensing agreement.
Reporting spam, enforcement and penalties
The legislation has penalties for non-compliance. Individuals, businesses and other organizations can now make a complaint about receiving unsolicited emails to the Government of Canada’s Spam Reporting Centre. Legitimate complaints may then be referred to the Canadian Radio-television and Telecommunications Commission (CRTC) for investigation.
Corporate directors, officers, and agents can be liable, and corporations are liable for the actions of their employees. It is important, therefore, to ensure that your company has a CASL protocol and a compliance policy in place. For corporations, fines can be up-to $100,000 for the first offence, and $250,000 for repeat offences. For individuals, fines can be $10,000 for a first offence, and $25,000 for subsequent offences. Penalties for violating the legislation can be as severe as $1 million for individuals and $10 million for businesses.
For more information about Canada’s Anti-Spam Legislation, refer to the Canadian Radio-television and Telecommunications Commission (CRTC), or to report a case of unsolicited email, visit fightspam.gc.ca.
You now haveoptions: