United States: Canada's Anti-Spam Law, Poised To Take Effect, Requires Action Now

The Bottom Line

Advertisers that have not yet begun to do so should develop plans and procedures to comply with the CASL for Canadian residents on their email marketing lists. Those plans must include confirming or re-opting-in users, methods to obtain express consent for receiving future CEMs, systems to remove people who withdraw their consent or do not provide it in the first instance, and ways to adjust to new regulations as they are issued and take effect. The penalties are potentially too severe to delay any longer.

Canada's "opt-in" anti-spam law (the CASL) takes effect on July 1, 2014. Although certain of the provisions phase in after July 1, advertisers that use "Commercial Electronic Messages" (CEMs) – a term that includes email but that is not limited to email – should immediately begin to take steps to comply since they may be unaware that their existing email marketing lists may no longer be compliant with Canadian law.

Key Features

The CASL is one of the more stringent anti-spam laws ever enacted, governing CEMs sent from or accessed in Canada (but not those that merely are routed through Canada). Industry Canada explained in its Regulatory Impact Analysis Statement regarding the CASL regulations and explanatory website that the CASL was intended to deter "spam" and other damaging and deceptive electronic threats such as identity theft, phishing, spyware, malware, and botnets from occurring in Canada – and to "help drive spammers out of Canada." It is not certain that the CASL will reach its goals, but it most certainly will require companies to re-examine their email marketing efforts.

As Of July 1st, Marketers:

• Must not send CEMs unless consumers have expressly opted-in orally or in writing – including electronically – or impliedly have consented to receive CEMs from them, as can occur with certain narrowly and explicitly defined existing relationships;
• Must include their own prescribed contact information and a free unsubscribe mechanism in CEMs they send;
• Face penalties up to $10 million as well as potential civil charges – including for officers and directors – for violating CASL.

Express Consent

Consent is at the heart of the CASL. Marketers in the United States are familiar with the "opt-out" regime set forth by the CAN-SPAM Act which permits a company to continue sending commercial emails until a recipient chooses to opt-out of receiving further emails. CASL, on the other hand, is an "opt-in" law which, in most cases, requires prior consent from a recipient before the first CEM is sent. Somewhat circularly, messages that request consent to send further CEMs are classified as a CEM that would require consent to send.

Before the July 1, 2014 effective date, companies can send emails asking for recipients to provide express consent, provided they comply with the existing Canadian privacy legislation. Under CASL, this request for express consent must contain the name of the company seeking consent, specified contact and other information about the company seeking the express consent and similar information about any third parties for whom express consent is sought. The request must have an explanation of the purpose for the request for consent, and must state that consent may be withdrawn.

CASL will impose similar disclosure requirements on CEMs. CEMs sent after CASL comes into effect will be required to contain the name of the company who sent the message, if different, the name of any company on whose behalf they sent the message, and specified contact and other information about one of those companies. In addition, recipients must be provided with an ability to unsubscribe from further messages – or any specified class of further messages, – from the sender of the message or the person on whose behalf the message is sought. The unsubscribe mechanism must operate through the same electronic means as the CEM (for example, email and a website link) must operate easily and at no cost to them.

Implied Consent

The CASL permits consent to be implied in a narrow range of circumstances and for a finite period of time, such as where a company has an existing business relationship with a recipient of a CEM. Under the CASL, "existing business relationship" is a strictly defined term, and a company has an existing business relationship with a recipient who has purchased or leased a product from the company, entered a contract regarding something other than a purchase, lease, or business opportunity with the company within the two years prior to the message, or made an inquiry or application regarding a purchase or lease to the company within the six months prior to the message.

Where a company has an "existing business relationship" as defined in CASL that exists prior to July 1, 2014 and the relationship includes the sending of CEMs as of that date, CASL includes a transitional provision that deems these pre-existing consents to last for three years, until July 1, 2017, notwithstanding the provisions regarding the expiry period for these relationships that arise after CASL is in effect.

Implied consent also can exist where a person has published his or her electronic contact information on a social media site or business website without stating that communications are not welcomed, as long as any CEMS that are sent relate to the recipients' business. Implied consent may always be withdrawn.

Phase-In

Canadian regulators have recognized the burdens imposed by the CASL and their implementing regulations, and have provided a phase-in period for some of the most troublesome provisions.

In particular, the CASL sections that provide for enforcement of the CASL through a private right of action will not come into force until July 1, 2017 – although the CASL is enforceable by the authorities beginning this July 1st.

Limited Exclusions

There are some limited exclusions under the regulations. For example, excluded from all requirements of the CASL are CEMs that are:

• Sent within an organization and relate to its activities;
• Sent between organizations that already have a relationship, where the message concerns the activities of the organization to which the message is sent;
• Sent and received within limited access secure and confidential accounts to which only the provider of the account can send messages, such as many banking websites;
• Solicited or sent in response to complaints, inquiries, and requests;
• Sent due to a legal obligation or to notify or enforce a legal right; or
• Sent by or on behalf of registered charities for fundraising purposes.

The regulations also provide an exclusion for "third party referrals." This exclusion applies where there is an existing "personal," "family," "business," or "non-business" relationship – as each is defined for the purposes of CASL – between a business and an existing client and the existing client refers a prospective client to the business by providing the prospective client's electronic address information. In a case like this, the regulations permit the business to send a single message to the prospective client, as long as that message includes the full name of the referring party, states the message was sent as a result of the referral, and the message includes the identification and unsubscribe requirements required by the CASL for other CEMs.

Moreover, the regulations provide that when consent to receive messages from a third party has been withdrawn by an individual, the original requestor must notify each third party to whom the consent was provided that the consent has been withdrawn.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.