CANADIAN CASL (ANTI-SPAM LAW) PRECEDENTS
Do you need a precedent or checklist
to comply with CASL (Canadian anti-spam law)?
We offer Canadian anti-spam law (CASL) precedents and checklists to help electronic marketers comply with CASL. These include checklists and precedents for express consent requests (including on behalf of third parties), sender identification information, unsubscribe mechanisms, business related exemptions and types of implied consent and documenting consent and scrubbing distribution lists. We also offer a CASL corporate compliance program. For more information or to order, see: Anti-Spam (CASL) Precedents/Forms. If you would like to discuss CASL legal advice or for other advertising or marketing in Canada, including contests/sweepstakes, contact us: contact.
**********************
FREQUENTLY ASKED QUESTIONS (FAQS)
ABOUT CANADIAN ANTI-SPAM LAW (CASL)
Canada’s federal anti-spam legislation (CASL) is complex and highly prescriptive. There are specific and detailed requirements relating to its core consent, identification and unsubscribe requirements, as well as for categories of implied consent, exceptions and record-keeping obligations.
As such, companies and individuals that rely on electronic marketing as part of their business should obtain specialist legal advice, given that the potential penalties can be severe. There is also regular enforcement by the CRTC, which is one of three regulatory bodies responsible for the administration and enforcement of CASL together with the Competition Bureau and Office of the Privacy Commission.
The following are frequently asked questions relating to the scope and requirements of CASL.
GENERAL
What is CASL?
In general, CASL, which is Canada’s federal anti-spam legislation, requires express or implied consent to send “commercial electronic messages” (“CEMs”). CASL also imposes certain form (i.e., identification) and opt-out (i.e., unsubscribe) requirements.
What is a “CEM”?
CASL defines “CEMs” broadly as electronic messages that encourage participation in a commercial activity, regardless of whether there is an expectation of profit. This includes: (i) offering or advertising to purchase or sell products, goods, services or land; or (ii) offering or advertising to provide business, investment or gaming opportunities.
What is an electronic message?
CASL is technologically neutral. It defines “electronic messages” as those sent by any means of telecommunication, including text, sound, voice or image messages. As such, CASL can apply to a variety of types of electronic media, including e-mail, text messaging, instant messaging and direct messages (e.g., via social media platforms).
What is the jurisdictional scope of CASL?
CASL applies where CEMs are sent from or accessed by computer systems in Canada (i.e., that are not merely routed through Canada). CASL’s regulations also exempt messages sent from Canada to a prescribed list of countries with their own anti-spam legislation, provided messages comply with the applicable foreign laws that are substantially similar to CASL’s consent and form requirements (e.g., the U.S., U.K., EU, Japan, China, Korea, Australia and New Zealand).
What are some of the potential penalties for violating CASL?
Violation of CASL may result in significant penalties of up to CDN $1 million (for individuals) and CDN $10 million (for corporations).
Over the past several years, there has been regular enforcement by the CRTC with penalties ranging from under $100,000 to over $1 million. Many of the cases to date have related to failures to comply with CASL’s core requirements (i.e., consent, identification and an unsubscribe mechanism), including failures to comply with categories of implied consent or exceptions.
How many CEMS are considered to be “spam”?
There is no specific requirement as to what constitutes spam under CASL. As such, sending a single e-mail can constitute spam. Importantly, sending a CEM to request consent can also constitute spam.
KEY REQUIREMENTS OF CASL
What are the key requirements of CASL?
The three key requirements to comply with section 6 of CASL (the CEMs section) are: (i) consent; (ii) identification; and (iii) an unsubscribe mechanism.
CONSENT (EXPRESS OR IMPLIED)
What is consent?
CASL prohibits sending CEMs without a recipient’s prior express or implied consent. Senders have the onus of proving consent. CASL permits both express and certain categories of implied consent. CASL also includes a number of exceptions from the consent and identification requirements. Express consent is the strongest type of consent because it is good unless a recipient unsubscribes.
What are the key requirements of express consent?
The key requirements for express consent are as follows: (i) an express consent request must be a positive opt-in (e.g., clicking a box and not, for example, a pre-checked box); (ii) consent must be uncoupled (i.e., sought separately from requests for consent to general terms and conditions of use or sale); (iii) state the purpose for which consent is sought; (iv) the name (or doing business name (“DBA”) if different) of the person seeking consent; (v) if consent is sought for another person, the name of the other person (or their DBA name if different); (vi) if consent is sought for another person, state who is seeking consent and on whose behalf consent is sought; (vii) the mailing address and at least one of the following for the person seeking consent or, if different, the person on whose behalf consent is sought: phone number, e-mail address or web address (which may be provided on the page itself or via a web link); and (viii) a statement that recipients may withdraw their consent at any time.
A confirmation e-mail should also be sent to the person providing express consent.
How can consent be gathered?
Express consent can be gathered either in writing or orally. Written consent may include both paper and electronic forms (examples of the latter include a box on a web page or filling out a consent form at point-of-purchase). The CRTC’s view is that oral consent is sufficient if: (i) it can be verified by an independent third party; or (ii) where there is a complete and unedited audio recording of the consent. In either case, the onus is on the sender to prove that they had consent to send a CEM.
What is implied consent?
Consent may also be implied for CASL in certain cases, including where there is: (i) an “existing business relationship”; (ii) an “existing non-business relationship”; (iii) where a person has published their electronic address without a statement that they do not want to receive unsolicited CEMs and the message is relevant to their business; and (iv) a recipient has disclosed their electronic address to a sender without indicating that they do not want to receive unsolicited CEMs and the message is relevant to their business.
What is the existing business relationship category of implied consent?
CASL contains a “existing business relationship” category of implied consent. “Existing business relationships” include: (i) the purchase of products, goods, services or land within two years before a message is sent; (ii) the acceptance by the recipient of a business, investment or gaming opportunity within two years before a message is sent; and (iii) an inquiry by the recipient for products, goods, services, etc. within six months before a message is sent.
For existing business relationships, however, a marketing list must be purged on a rolling basis once the above dates have expired unless express consent has been obtained or another category of consent (or an exception) can be relied on.
What is the conspicuous publication category of implied consent?
CASL also contains a so-called “conspicuous publication” category of implied consent, which requires that all three of the following requirements be met: (i) the recipient has conspicuously published their e-mail address (or caused it to be published); (ii) there is no statement that the recipient does not want to receive CEMs; and (iii) the CEM is relevant to the recipient’s business, role, functions or duties in a business or official capacity.
What is the business card category of implied consent?
CASL also contains a so-called “business card” category of implied consent, which requires that a recipient has disclosed their electronic address to a sender without indicating that they do not want to receive unsolicited CEMs and the message is relevant to their business.
What is required to document consent?
Senders have the onus of proving consent under CASL. In this regard, section 13 of CASL provides that “a person who alleges that they have consent to do an act that would otherwise be prohibited under any of sections 6 to 8 has the onus of proving it”.
In general, the CRTC recommends that senders keep records of: (i) whether consent was obtained in writing or orally; (ii) when it was obtained; (iii) why it was obtained; and (iv) how it was obtained.
Some of the CRTC’s specific recommendations for documenting consent include: (i) keeping all evidence of express and implied consent (e.g., completed electronic forms); (ii) ensuring that consent can be verified for all recipients; (iii) recording the date, time, purpose and manner of consent; (iv) recording all unsubscribe requests and resulting actions.
Can consent be gathered for third parties?
In general, CASL permits consent requests for three categories of persons: (i) the person requesting consent; (ii) an identified 3rd party (or multiple identified 3rd parties); or (iii) an unidentified 3rd party (or multiple unidentified 3rd parties). There are specific requirements under CASL for obtaining consent for each of these three situations.
Also, the rules for obtaining consent for unidentified 3rd parties (e.g., future marketing partners that are not yet known when consent is requested) are complex and should be carefully reviewed. Needless to say, consent requests must be drafted with care and all of the prescribed requirements included in a request.
Can third party marketing lists be used to send CEMs?
Marketers can use e-mail addresses obtained from third parties or list providers. However, they should satisfy themselves that the e-mail lists obtained comply with CASL’s consent requirements. For example, if using e-mail lists obtained from the web for B2B marketing, marketers should ensure that not only were such e-mails conspicuously posted with no message against solicitation, but also that any marketing sent is likely to be relevant to the recipient’s business. The same applies to lists acquired from third party list providers. The obligation to ensure that consent has been obtained lies with the sender.
Can marketing lists be shared with third parties?
Some marketers want to share consents for electronic marketing with other parties, whether they are related entities (e.g., affiliates) or third parties. While this is certainly possible under CASL, marketers need to be aware that there are specific requirements that must be met depending on who a list will be shared with (e.g., to expressly identify a third party with whom consent is being gathered on behalf, including the third parties contact information and a number of other requirements if the identity of a third party with whom a list will be shared is not known at the time consent is requested).
Marketers should also be aware that there is potentially not only liability if they violate CASL, but also if they assist a third party violate the legislation based on an “aiding” provision in section 9 of CASL. As such, it is often prudent for marketers that want to share electronic marketing lists to ensure that they have an agreement in place with third parties with whom they intend to share e-mails that includes, among other things, covenants by the third party to comply with CASL and indemnification provisions in favour of the party sharing the list in the event CASL is violated by the third party.
What are some common consent request errors?
Some common consent request errors include: (i) a consent request to receive electronic marketing that is bundled with other terms (e.g., combined with general terms of sale, a privacy policy or terms for a contest or other promotion); (ii) an attempt to gather consent by “passive means” (e.g., where a person merely participates in a contest or other promotion, and the rules/terms state that they provide their consent, or where language is merely included in the footer of a web page that does not comply with the specific identification and opt-in requirements of CASL; and (iii) where consent is being requested on behalf of identified or unidentified 3rd parties without complying with the CASL’s specific disclosure requirements for such requests.
IDENTIFICATION REQUIREMENTS FOR CEMS
In addition to the consent requirement, CASL also sets out specific and very prescriptive (i.e., specific) sender identification information that must be included or linked in e-mails, texts or other electronic marketing.
What are the key identification requirements for CEMs?
The following information must be clearly and prominently included in CEMs that are subject to CASL (e.g., marketing messages for which express consent is obtained on landing pages): (i) the name (or DBA name if different) of the sender; (ii) if a CEM is sent on behalf of other person (e.g., an affiliate or 3rd party), their name (or DBA name if different); (iii) if a CEM is sent on behalf of another person, state which person is sending the message and on whose behalf it is being sent; (iv) the mailing address (which must be valid for a minimum of 60 days after the CEM is sent) and at least one of the following for the sender or, if different, the person on whose behalf it is sent: phone number, e-mail address or web address (which can be provided in the CEM itself or via a web link); and (v) a conspicuously posted un-subscribe mechanism.
UNSUBSCRIBE MECHANISM
In addition to consent and identification requirements, CASL also requires that CEMs include an easy unsubscribe mechanism.
The specific requirements for an unsubscribe include: (i) CEMs must include an unsubscribe mechanism; (ii) the unsubscribe mechanism must be set out clearly and prominently; (iii) the unsubscribe mechanism specifies and electronic address or web link where the unsubscribe request can be made (links must be valid for a minimum of 60 days after the message is sent); (iv) for SMS messages, users can choose between replying “STOP” or “Unsubscribe” or by clicking a link to a web page to unsubscribe from some or all messages; (v) recipients can unsubscribe by clicking a link or via a web page where they are given options for unsubscribing from some or all messages; (vi) recipients that request to be unsubscribed are unsubscribed within 10 business days; and (vii) the unsubscribe mechanism can be readily performed and is simple, quick and easy.
CASL EXCEPTIONS
What are some of the exceptions to CASL?
CASL provides several broad exceptions (to both the consent and identification requirements) and some narrower exceptions (to only the consent requirement – i.e., where the identification and unsubscribe requirements must still be met).
Exceptions to both the consent and identification requirements include: (i) “personal relationships” or “family relationships” (both as defined by the Regulations); (ii) inquiries for commercial goods and services; and (iii) interactive two-way voice communications (telemarketing), faxes or messages sent by phone.
Other exceptions to both the consent and identification requirements are set out in the Regulations and include messages that are: (i) sent within organizations; (ii) sent between organizations with an existing relationship where the message relates to the recipient’s activities; (iii) that are solicited or sent in response to requests, inquiries or complaints; (iv) to satisfy certain legal or juridical obligations; (v) sent on platforms where the required form and unsubscribe information is conspicuously published; and (vi) by charities or political parties for fundraising or political contributions.
CASL also includes the following exceptions from the consent requirement (i.e., the identification and unsubscribe requirements must still be met): (i) providing a quote or estimate for products, goods, services or land if requested by the recipient; (ii) facilitating, completing or confirming a commercial transaction previously agreed to by the recipient; (iii) sending warranty, product recall or safety information about a product the recipient uses, has used or has purchased; (iv) certain information relating to employment or benefit plans; (v) product updates or upgrades following an earlier transaction; and (vi) a limited exception for referrals, provided certain conditions set out in the Regulations are met.
What is required to meet the referrals exception?
CASL provides that the consent requirement of the unsolicited CEM section (section 6) does not apply to the first CEM that is sent by a person for the purpose of contacting the individual to whom the message is sent following a referral by any individual who has an existing business relationship, an existing non-business relationship, a family relationship or a personal relationship with the person who sends the message and any of those relationships with the recipient and that discloses the full name of the individual or individuals who made the referral and states that the message is sent as a result of the referral.
What is required to reply to requests or inquiries?
CASL provides a useful exception from the unsolicited CEM section of CASL (section 6) for replying to requests or inquiries (i.e., CEMs that are “sent in response to a request, inquiry or complaint or is otherwise solicited by the person to whom the message is sent”). This exception, however, is narrow and does not refer to, for example, marketing or information that is not requested by the recipient. This exception to section 6 of CASL is essentially for responding to inbound and unsolicited inquiries.
Are “friends and family” promotions exempt under CASL?
There is no blanket exemption for “friends and family” type promotions under CASL (e.g., share with a friend for an additional entry in a contest). While there is an exception to the unsolicited CEM section of CASL (section 6) for messages sent to a person with whom the sender has a personal or family relationship, these terms are very specifically defined in the regulations. For example, “family relationship” is limited to spouses, common-law partners and parent-child relationships.
“Personal relationship” is defined in a multi-factor and case-by-case fashion, such that it is often impractical to rely on this exception for a broad “friends and family” type promotion. In sum, marketers need to be aware that there is potential risk for themselves and their clients in running friends and family type promotions, if they cannot satisfy themselves that the specific definitions of “family relationship” and “personal relationship” under CASL can be met. To put it another way, marketers could, depending on the type of promotion, essentially be assisting participants in a promotion violate CASL by encouraging electronic marketing for the promotion to third parties from whom consent has not been obtained and for which no exception applies.
The CRTC has set out its position with respect to the “personal relationship” exception as follows: (i) a “personal relationship” requires direct, voluntary, 2-way communication; (ii) the non-exhaustive list of factors set out in the Regulations (e.g., sharing of interests, frequency of the communication, etc.) will be taken into consideration; (iii) the definition of “personal relationship” should remain limited to close relationships; (iv) legal entities, such as a corporation, cannot have a personal relationship (i.e., someone who sends a CEM on behalf of a corporation may not claim to have a personal relationship with the recipient); (v) a “personal relationship” requires that the real identify of the individual who alleges a personal relationship is known by the other individual involved in such a relationship (as opposed to instances where a virtual identity or an alias is used); (vi) using social media or sharing a same network does not necessarily mean that there is a personal relationship between individuals; and (vii) the mere use of buttons available on social media websites (e.g., clicking “like” on Facebook, voting for or against a link or post, accepting someone as a “Friend” on Facebook or clicking to “follow” someone) will generally be insufficient to constitute a personal relationship.
Is there a blanket CASL exception for social media?
No. There is, however, an exception under the Regulations from the unsolicited CEMs section of CASL (section 6) where a CEM is “sent and received on an electronic messaging service if the information and unsubscribe mechanism that are required under subsection 6(2) of the Act are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it either expressly or by implication.”
The CRTC also takes the position that whether CASL applies to social media will be determined on a case-by-case basis, depending upon, for example, how the social media platform functions and is used. While CASL does not apply to one-way general broadcast of CEMs on social media, messages sent directly to users through a social media closed two-way direct messaging system could qualify as sending messages to “electronic addresses” and means that CASL could apply.
The CRTC’s position is also that a “personal relationship” (for the purposes of that CASL exception) requires that the real identify of the individual who alleges the personal relationship is known (as opposed to where a virtual identity or alias is used), using a social media or sharing a network does not necessarily reveal a personal relationship between individuals and that the mere use of buttons (e.g., clicking “like”, voting for or against a post, accepting someone as a “friend” or clicking “follow”) will generally be insufficient to constitute a personal relationship. The CRTC’s position is also that a number of relevant factors must be considered in determining whether two individuals have a “personal relationship”.
Marketers cannot, therefore, assume that any and all personal relationships can be relied on for social media platform based marketing or can be relied on to send CEMs in a “friends and family” type promotion (e.g., where contest entrants are incentivized to send marketing to friends to receive additional entries).
CASL AND CONTESTS AND PROMOTIONS
CASL is often relevant when running contests or other type of promotions in Canada, including if electronic distribution lists will be used to market the contest/promotion, the contest/promotion will include the collection of e-mails for marketing unrelated to administration of the promotion, if participants’ e-mail addresses will be shared with third parties (e.g., related entities or affiliate marketers) or participants are encouraged or required to “share” information about the promotion with friends or family.
Given the potentially severe penalties for violating CASL, which include administrative monetary penalties of up to $10 million, it is important for those running contests or other promotions in Canada to ensure that they comply with CASL for electronic marketing related to the promotion.
For more information about contests and CASL, see: Contests and CASL and CASL Compliance Errors.
For CASL checklists and precedents that we offer for sale, see: Anti-Spam Law (CASL) Precedents.
LIABILITY FOR CASL VIOLATIONS
Who can be liable for a violation of CASL?
CASL applies not only to those that, for example, send unsolicited CEMS without complying with CASL’s consent, identification and unsubscribe requirements, but also to anyone that aids, induces, procures any act that violates CASL. This means that anyone that assists in a violation of CASL can be exposed to both CRTC enforcement action and the significant penalties under the legislation.
In Bulletin CRTC 2018-415, the CRTC states that CASL may be indirectly contravened by giving assistance to or enabling a third party to carry out violations of sections 6 to 8 of CASL (e.g., by providing access to the tools or equipment necessary to commit a violation). According to the CRTC, the following types of intermediaries can potentially violate CASL: advertising brokers, electronic marketers (e.g., advertising agencies or communications companies), software and application developers, software and application distributors, telecommunication and Internet service providers and payment processing system operators.
In assessing whether an intermediary may have violated CASL, the CRTC sets out three factors it will consider: (i) the level of control that an individual or organization has over the activity; (ii) the degree of connection between the actions that could violate CASL and sections 6 to 8 of CASL; and (iii) whether reasonable steps were taken, including precautions and safeguards to prevent or stop a violation.
Can directors and officers be liable for CASL violations?
Yes. CASL contains a director and officer liability section, which provides that “an officer, director, agent or mandatory of a corporation that commits a violation is liable for the violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against”. Section 54 of CASL, however, also provides for a due diligence defence.
INVESTIGATIONS AND PENALTIES
Who enforces CASL?
CASL is enforced by three agencies: the Competition Bureau; the CRTC; and the Office of the Privacy Commissioner of Canada.
How do CASL investigations work?
With respect to investigations, Commission staff, who are designated by the CRTC to conduct investigations into potential CASL violations, may exercise the following powers: (i) produce a notice on a person requiring them to product data, documents or information that is in their control or possession (a notice to produce); (ii) serve a demand on telecommunications service provider requiring it to preserve transmission data (a preservation demand); or (iii) issue a warrant authorizing designated persons to enter a dwelling-house or place of business to examine, copy or remove documents or things (a search warrant).
What are the different types of CASL enforcement?
In the case of non-compliance with CASL, the CRTC may use the following enforcement actions: (i) issue a warning letter; (ii) an undertaking setting out compliance obligations, which may include a provision to pay a specified amount; (iii) serve a notice of violation, which may be accompanied by an administrative monetary penalty (AMP); (iv) impose an AMP of up to $1 million for individuals and $10 million for corporations.
What are the potential penalties for violating CASL?
The maximum penalties for violations of CASL are $1 million for individuals and $10 million for corporations. Factors for determining penalties include the nature and scope of the violation, any previous violations, any financial benefit and the ability to pay the penalty.
RECORD-KEEPING
What are some of the key record-keeping requirements of CASL?
While much of the compliance discussion for CASL tends to relate to its three core requirements – i.e., consent, identification and un-subscribe mechanism – back-end compliance is also crucial for electronic marketers. In this respect, CASL requires, among other things, that people that request to be unsubscribed be removed from a list within 10 days. It is also important for marketers to ensure that, unless they have refreshed consent, that existing customers be removed from marketing lists after two years of purchasing a product/service or six months after an inquiry (i.e., the existing business relationship category of implied consent is time-limited and, as such, lists must be regularly scrubbed on a rolling basis).
The CRTC recommends that companies consider maintaining copies of the following records: (i) CEM policies and procedures; (ii) all contemporaneous unsubscribe requests and resulting actions; (iii) all evidence of express consent (e.g., audio recordings or completed forms) from consumers who agree to receive CEMs; (iv) CEM recipient consent logs; (v) CEM scripts; (vi) CEM campaign records; (vii) staff training records; (viii) other business procedures; and (ix) official financial records.
********************
SERVICES AND CONTACT
We are a Toronto based competition and advertising law firm offering business and individual clients efficient and strategic advice in relation to competition/antitrust, advertising, Internet and new media law and contest law. We also offer competition and regulatory law compliance, education and policy services to companies, trade and professional associations and government agencies.
Our experience includes advising clients in Toronto, Canada and the United States on the application of Canadian competition and regulatory laws and we have worked on hundreds of domestic and cross-border competition, advertising and marketing, promotional contest (sweepstakes), conspiracy (cartel), abuse of dominance, compliance, refusal to deal and pricing and distribution matters. For more information about our competition and advertising law services see: competition law services.
To contact us about a potential legal matter, see: contact
For more information about our firm, visit our website: Competitionlawyer.ca
Templates/precedents and checklists to run promotional contests in Canada
Templates/precedents and checklists to comply with Canadian anti-spam law (CASL)
