CANADIAN CASL (ANTI-SPAM LAW) PRECEDENTS
Do you need a precedent or checklist
to comply with CASL (Canadian anti-spam law)?
We offer Canadian anti-spam law (CASL) checklists and precedents to help electronic marketers comply with CASL. These include checklists and precedents for express consent requests (including on behalf of third parties), sender identification information, unsubscribe mechanisms, business related exemptions and types of implied consent and documenting consent and scrubbing distribution lists. We also offer a template CASL corporate compliance program.
For more information and to order, see: CASL Compliance Checklists and Precedents. If you would like to discuss CASL legal advice or for other advertising or marketing in Canada, including contests/sweepstakes, contact us: Contact.
********************
FREQUENTLY ASKED QUESTIONS (FAQS)
ABOUT CANADIAN ANTI-SPAM LAW (CASL) – II
For more CASL FAQs, see: CASL FAQs – I.
********************
SENDER IDENTIFICATION
REQUIREMENTS FOR CEMS
In addition to the consent requirement (whether express or implied), CASL also sets out specific and very prescriptive (i.e., specific) sender identification information that must be included or linked in e-mails, texts or other electronic marketing.
CASL also requires that specific sender identification information also be included in express consent requests, including identifying the sender themselves and any third party senders that consent may be requested on behalf of.
*****************
CASL Compliance Checklists and Precedents: For information about the CASL compliance checklists and precedents we offer, including for sender identification requirements, see: CASL Compliance Checklists and Precedents.
What are the key identification requirements
for CEMs?
The following information must be clearly and prominently included in CEMs that are subject to CASL (e.g., marketing messages for which express consent is obtained): (i) the name (or DBA name if different) of the sender, (ii) if a CEM is sent on behalf of another person (e.g., a corporate affiliate or other third party such as an affiliate marketer), their name (or DBA name if different), (iii) if a CEM is sent on behalf of another person, state which person is sending the message and on whose behalf it is being sent, (iv) the mailing address (which must be valid for a minimum of 60 days after the CEM is sent) and at least one of the following for the sender or, if different, the person on whose behalf it is sent: phone number, e-mail address or web address and (v) a conspicuously posted CASL-compliant un-subscribe mechanism.
UNSUBSCRIBE MECHANISM
In addition to consent and sender identification requirements, CASL also requires that CEMs include a unsubscribe mechanism that complies with the specific requirements set out under the legislation.
The specific requirements for a CASL-compliant unsubscribe mechanism for CEMs include: (i) CEMs must include an unsubscribe mechanism, (ii) the unsubscribe mechanism must be set out clearly and prominently, (iii) the unsubscribe mechanism specifies an electronic address or web link where the unsubscribe request can be made, (iv) for SMS messages, users can choose between replying “STOP” or “Unsubscribe” or by clicking a link to a web page to unsubscribe from some or all messages, (v) recipients can unsubscribe by clicking a link or via a web page where they are given options for unsubscribing from some or all messages, (vi) recipients that request to be unsubscribed are unsubscribed within 10 business days and (vii) the unsubscribe mechanism can be readily performed and is simple, quick and easy.
*****************
CASL Compliance Checklists and Precedents: For information about the CASL compliance checklists and precedents we offer, including for CASL-compliant unsubscribe mechanisms, see: CASL Compliance Checklists and Precedents.
CASL EXCEPTIONS
What are some of the exceptions to CASL?
CASL provides several broad exceptions (to both the consent and identification requirements) and some narrower exceptions (to only the consent requirement – i.e., where the identification and unsubscribe requirements must still be met).
Exceptions to both the consent and identification requirements include: (i) “personal relationships” or “family relationships” (both as defined by the Regulations under CASL), (ii) inquiries for commercial goods and services and (iii) interactive two-way voice communications (telemarketing), faxes or messages sent by phone.
Other exceptions to both the consent and identification requirements are set out in the Regulations under CASL and include messages that are: (i) sent within organizations, (ii) sent between organizations with an existing relationship where the message relates to the recipient’s activities, (iii) that are solicited or sent in response to requests, inquiries or complaints, (iv) to satisfy certain legal or juridical obligations, (v) sent on platforms where the required form and unsubscribe information is conspicuously published and (vi) by charities or political parties for fundraising or political contributions.
CASL also includes the exceptions from the consent requirement only (i.e., the identification and unsubscribe requirements must still be met): (i) providing a quote or estimate for products, goods, services or land if requested by the recipient, (ii) facilitating, completing or confirming a commercial transaction previously agreed to by the recipient, (iii) sending warranty, product recall or safety information about a product the recipient uses, has used or has purchased, (iv) certain information relating to employment or benefit plans, (v) product updates or upgrades following an earlier transaction and (vi) a limited exception for referrals, provided that certain conditions set out in the Regulations under CASL have been met.
*****************
CASL Compliance Checklists and Precedents: For information about the CASL compliance checklists and precedents we offer, including for CASL exemptions, see: CASL Compliance Checklists and Precedents.
What is required to meet the referrals exception?
CASL provides that the consent requirement of the unsolicited CEM section (section 6) does not apply to the first CEM that is sent by a person for the purpose of contacting the individual to whom the message is sent following a referral by any individual who has an existing business relationship, an existing non-business relationship, a family relationship or a personal relationship with the person who sends the message and any of those relationships with the recipient and that discloses the full name of the individual or individuals who made the referral and states that the message is sent as a result of the referral.
What is required to reply to requests or inquiries?
CASL provides a useful exception from the unsolicited CEM section of CASL (section 6) for replying to requests or inquiries (i.e., CEMs that are “sent in response to a request, inquiry or complaint or is otherwise solicited by the person to whom the message is sent”).
This exception, however, is narrow and does not refer to, for example, marketing or information that is not requested by the recipient.
This exception to section 6 of CASL (the unsolicited CEMs section) is essentially for responding to inbound and unsolicited inquiries.
Are “friends and family”
promotions exempt under CASL?
There is no blanket exemption for “friends and family” type promotions under CASL (e.g., share with a friend for an additional entry in a promotional contest). While there is an exception to the unsolicited CEM section of CASL (section 6) for messages sent to a person with whom the sender has a personal or family relationship, these terms are very specifically defined in the regulations.
For example, “family relationship” is limited to spouses, common-law partners and parent-child relationships.
“Personal relationship” is defined in a multi-factor and case-by-case fashion, such that it is often impractical to rely on this exception for a broad “friends and family” type promotion.
In sum, electronic marketers need to be aware that there is potential risk for themselves and their clients (e.g., where an agency runs such types of promotions for a brand) in running friends and family type promotions, if they cannot satisfy themselves that the specific definitions of “family relationship” and “personal relationship” under CASL can be met.
To put it another way, electronic marketers could, depending on the type of promotion, essentially be assisting participants in a promotion violate CASL by encouraging electronic marketing for the promotion to third parties from whom consent has not been obtained and for which no CASL exception applies.
The CRTC has set out its position with respect to the “personal relationship” exception as follows: (i) a “personal relationship” requires direct, voluntary, 2-way communication; (ii) the non-exhaustive list of factors set out in the Regulations under CASL (e.g., sharing of interests, frequency of the communication, etc.) will be taken into consideration; (iii) the definition of “personal relationship” should remain limited to close relationships; (iv) legal entities, such as a corporation, cannot have a personal relationship (i.e., someone who sends a CEM on behalf of a corporation may not claim to have a personal relationship with the recipient); (v) a “personal relationship” requires that the real identify of the individual who alleges a personal relationship is known by the other individual involved in such a relationship (as opposed to instances where a virtual identity or an alias is used); (vi) using social media or sharing a same network does not necessarily mean that there is a personal relationship between individuals; and (vii) the mere use of buttons available on social media websites (e.g., clicking “like” on Facebook, voting for or against a link or post, accepting someone as a “Friend” on Facebook or clicking to “follow” someone) will generally be insufficient to constitute a personal relationship.
The above summary of the “personal relationship” exception under CASL by the CRTC illustrates the challenges and risks of relying on this exception in any electronic marketing campaigns.
Is there a blanket CASL exception
for social media?
No. There is, however, an exception under the Regulations under CASL from the unsolicited CEMs section of CASL (section 6) where a CEM is “sent and received on an electronic messaging service if the information and unsubscribe mechanism that are required under subsection 6(2) of the [CASL] are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it either expressly or by implication.”
The CRTC’s position is that whether CASL applies to social media will be determined on a case-by-case basis, depending upon, for example, how the social media platform functions and is used. While CASL does not apply to one-way general broadcast of CEMs on social media, messages sent directly to users through a social media closed two-way direct messaging system could qualify as sending messages to “electronic addresses” and means that CASL could apply.
The CRTC’s position is also that a “personal relationship” (for the purposes of that CASL exception) requires that the real identify of the individual who alleges the personal relationship is known (as opposed to where a virtual identity or alias is used), using a social media or sharing a network does not necessarily reveal a personal relationship between individuals and that the mere use of buttons (e.g., clicking “like”, voting for or against a post, accepting someone as a “friend” or clicking “follow”) will generally be insufficient to constitute a personal relationship. The CRTC’s position is also that a number of relevant factors must be considered in determining whether two individuals have a “personal relationship”.
Electronic marketers cannot, therefore, assume that any and all personal relationships can be relied on for social media platform based marketing or can be relied on to send CEMs in a “friends and family” type promotion (e.g., where contest entrants are incentivized to send marketing to friends to receive additional entries).
CASL AND CONTESTS
AND OTHER PROMOTIONS
CASL is often relevant when running contests or other type of promotions in Canada, including if electronic distribution lists will be used to market the contest/promotion, the contest/promotion will include the collection of e-mails for marketing unrelated to administration of the promotion, if participants’ e-mail addresses will be shared with third parties (e.g., related entities or affiliate marketers) or participants are encouraged or required to “share” information about the promotion with friends or family.
Given the potentially severe penalties for violating CASL, which include administrative monetary penalties of up to $10 million, it is important for those running contests or other promotions in Canada to ensure that they comply with CASL for electronic marketing related to the promotion.
For more information about contests and CASL, see: Contests and CASL and CASL Compliance Errors.
For CASL checklists and precedents that we offer for sale, see: CASL Compliance Checklists and Precedents.
LIABILITY FOR CASL VIOLATIONS
Who can be liable for a violation of CASL?
CASL applies not only to those that send unsolicited CEMS without complying with CASL’s consent, sender identification and unsubscribe requirements, but also to anyone that “aids, induces, procures any act that violates CASL”.
This means that anyone that assists a violation of CASL can also be exposed to both CRTC enforcement action and the significant penalties under the legislation (AMPs of up to CDN $10 million).
The CRTC has taken the position that CASL may be indirectly violated by giving assistance to or enabling a third party to carry out violations of sections 6 to 8 of CASL (e.g., by providing access to the tools or equipment necessary to commit a violation).
According to the CRTC, the following types of intermediaries can potentially violate CASL: advertising brokers, electronic marketers (e.g., advertising agencies or communications companies), software and application developers, software and application distributors, telecommunication and Internet service providers and payment processing system operators.
In assessing whether an intermediary may have violated CASL, the CRTC sets out three factors it will consider:
1. The level of control that an individual or organization has over the activity.
2. The degree of connection between the actions that could violate CASL and sections 6 to 8 of CASL.
3. Whether reasonable steps were taken, including precautions and safeguards to prevent or stop a violation.
Can directors and officers
be liable for CASL violations?
Yes.
CASL contains a director and officer liability section, which provides that “an officer, director, agent or mandatory of a corporation that commits a violation is liable for the violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against”.
Section 54 of CASL, however, also provides for a due diligence defence.
INVESTIGATIONS AND PENALTIES
Who enforces CASL?
CASL is enforced by three agencies: the Competition Bureau, the CRTC; and the Office of the Privacy Commissioner of Canada.
How do CASL investigations work?
With respect to investigations, Commission staff, who are designated by the CRTC to conduct investigations into potential CASL violations, may exercise the following powers, among others: (i) produce a notice on a person requiring them to product data, documents or information that is in their control or possession (a notice to produce), (ii) serve a demand on telecommunications service provider requiring it to preserve transmission data (a preservation demand) or (iii) issue a warrant authorizing designated persons to enter a dwelling-house or place of business to examine, copy or remove documents or things (a search warrant).
What are the different types of CASL enforcement?
In the case of non-compliance with CASL, the CRTC may use the following enforcement actions: (i) issue a warning letter, (ii) an undertaking setting out compliance obligations, which may include a provision to pay a specified amount, (iii) serve a notice of violation, which may be accompanied by an administrative monetary penalty, (iv) impose an administrative monetary penalty of up to $1 million for individuals and $10 million for corporations.
What are the potential penalties for violating CASL?
The maximum penalties for violating CASL are CDN $1 million for individuals and CDN $10 million for corporations.
Factors for determining penalties include the nature and scope of the violation, any previous violations, any financial benefit and the ability to pay the penalty.
RECORD-KEEPING
What are some of the key record-keeping
requirements of CASL?
While much of the compliance discussion for CASL tends to relate to its three core requirements – i.e., consent (whether express or implied), sender identification information and a CASL-compliant un-subscribe mechanism for CEMs – back-end compliance is also critical for electronic marketers.
Electronic marketers are required, among other things, to document consent.
In this respect, CASL requires, among other things, that people that request to be unsubscribed be removed from a list within 10 days.
It is also important for marketers to ensure that, unless they have refreshed consent, that existing customers be removed from marketing lists after two years of purchasing a product/service or six months after an inquiry about a product/service (i.e., the existing business relationship category of implied consent is time-limited and, as such, lists must be regularly scrubbed on a rolling basis).
The CRTC recommends that companies consider maintaining copies of the following records: (i) CEM policies and procedures, (ii) all contemporaneous unsubscribe requests and resulting actions, (iii) all evidence of express consent (e.g., audio recordings or completed forms) from consumers who agree to receive CEMs, (iv) CEM recipient consent logs, (v) CEM scripts, (vi) CEM campaign records, (vii) staff training records, (viii) other business procedures and (ix) official financial records.
*****************
CASL Compliance Checklists and Precedents: For information about the CASL compliance checklists and precedents we offer, including a template CASL Corporate Compliance Program, see: CASL Compliance Checklists and Precedents.
********************
SERVICES AND CONTACT
We are a Toronto based competition and advertising law firm offering business and individual clients efficient and strategic advice in relation to competition/antitrust, advertising, Internet and new media law and contest law. We also offer competition and regulatory law compliance, education and policy services to companies, trade and professional associations and government agencies.
Our experience includes advising clients in Toronto, Canada and the United States on the application of Canadian competition and regulatory laws and we have worked on hundreds of domestic and cross-border competition, advertising and marketing, promotional contest (sweepstakes), conspiracy (cartel), abuse of dominance, compliance, refusal to deal and pricing and distribution matters. For more information about our competition and advertising law services see: competition law services.
To contact us about a potential legal matter, see: contact
Templates/precedents and checklists to run promotional contests in Canada
Templates/precedents and checklists to comply with Canadian anti-spam law (CASL)
