CASL Two Years In: An Update
By Kelly Morris and Victoria Prince
The main provisions of Canada’s anti-spam legislation, generally known as CASL, came into effect on July 1, 2014. The key component: you cannot send a commercial electronic message (CEM) unless you have consent, whether express or implied, and the CEM must contain certain content about the sender and the right to stop getting CEMs. The advent of CASL caused great discussion and concern and, for many organizations, significant cost as they struggled to get compliant mailing lists and processes in place.
New rules about installing computer programs came into force on January 15, 2015. The next big date for CASL watchers is July 1, 2017, when the sections of CASL that deal with private right of action come into force. It means that at that time, individuals will be able to sue. Until then, the CRTC has a range of options available to enforce the legislation, including financial penalties. There have been several fines issued so far, including a $1.1 million fine levied against CompuFinder for various violations of CASL, including sending CEMs without consent and failing to have a working unsubscribe feature.
It may not be on many people’s lists of “favourite laws ever” but we continue to get questions around the applicability of CASL to certain situations. One thing we have noticed is that the processes and practices people worked so hard to put into place before July 1, 2014 may have evolved over the last two years and, in some cases, are no longer in compliance with the legislation. Perhaps CASL’s second anniversary is a good time to review what you are doing around CASL compliance to ensure your organization is not the next one under review by the CRTC or the Office of the Privacy Commissioner of Canada.
This article provides some basic information regarding CASL and answers some of the frequently asked questions we receive regarding the impact of the legislation on associations. A good starting point is to remember that CASL regulates commercial electronic messages – electronic messages of a noncommercial nature are not caught.
What is the main requirement under CASL?
As a starting point, it is important to remember that under CASL the basic rule, subject to a few exceptions, is that commercial electronic messages cannot be sent unless both the consent and content requirements are met. We elaborate on what this means below.
What is a CEM? Does CASL apply to text messages, voicemails and faxes?
A “commercial electronic message” or “CEM” is an electronic message that, having regard to the content of the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity. It includes messages that offer to sell, advertise or promote any product or service. “Electronic message” means a message sent by any means of telecommunication, and includes email and text messages. It does not include live two-way phone calls, faxes or “snail mail.” “Commercial activity” is broadly defined and means any transaction, act or conduct that is of a commercial character, whether or not there is an expectation of profit.
What is considered “commercial” in the context of associations?
As defined in CASL, the term “commercial activity” means any activity that is of a commercial character, whether or not the person who carries out the activity does so in the expectation of profit. While there will be activities that an association conducts which are noncommercial, such as an email notifying members of a change in address of a meeting, associations will be subject to CASL to the extent they send commercial electronic messages – for example, emails advertising a discount with a sponsor. Note that based on the definition, a CEM need only have one of its purposes be commercial; a message need not be solely commercial to be considered a CEM.
If an electronic message has no commercial purpose, for example an email or text whose content only notifies directors of an issue regarding a governance matter, then that message is not a CEM and does not need to comply with CASL.
What does “express consent” mean? How should we obtain express consent? Are there any best practices that are emerging yet?
The CRTC states that express consent for purposes of CASL means “opt-in” consent – that is, a person actively did something to signify that they consent to receive CEMs. Examples include checking a box (that was unchecked to begin with) or signing a form. Consent cannot be buried in terms and conditions, and a request for consent must be clearly identified to the person from whom the consent is being sought. The request for consent must clearly and simply state the purpose for which consent is being sought (i.e., to receive CEMs). Opt-out consent is, for example, having a box pre-checked to indicate that someone consents to receiving CEMs (so that he or she must uncheck the box to decline). This is NOT express consent.
One of the best practices to use to obtain express consent is to use an unchecked box and to request someone to check it to indicate consent to receiving CEMs from the sender.
Can someone give express consent orally?
Yes. The CRTC has stated that oral consent can suffice as express consent under CASL. For purposes of audit and demonstrating compliance, the association should establish ways to record and verify consents given orally, if it wants to obtain consent that way.
Does express consent ever expire?
No. Express consent is the “gold standard” of consents under CASL because it does not expire unless someone chooses to unsubscribe or withdraw consent.
What if the association has been sending a recipient CEMs for years, there has always been an unsubscribe mechanism, and the recipient has not unsubscribed – does that mean there is implied consent?
No. A failure to unsubscribe or indicate that one does not wish to receive CEMs does not mean that consent is implied. Implied consent is limited to certain circumstances under CASL (see below for more details).
What are the “Content Requirements” of CEMs?
CASL requires every CEM to have certain content, namely: 1) identification information: information about the sender (i.e., name, mailing address, and telephone number, email address or web address). Note that this information needs to be valid for a minimum of 60 days after the message is sent; and 2) an unsubscribe mechanism: A means that allows the recipient to indicate, using the same electronic means by which the CEM was sent, that they no longer wish to receive CEMs from the sender. There also needs to be a link or an email address to which the recipient can send the unsubscribe request. The unsubscribe mechanism must be easy to use and free, and implemented without delay and in any event, within 10 business days.
By way of example, the identification information would look something like this:
ABC Association of Ontario or “ABC association”
123 Main Street, Toronto, Ontario
A1B 2C3
(416) 5551234 [email protected]
www.abcassociation.ca
By way of example, the unsubscribe mechanism would look something like this: You may withdraw your consent and unsubscribe from ABC association’s e-communications at any time by clicking here [with hyperlink.] Please keep in mind that by unsubscribing you may not receive communications of interest and importance to you.
Does the unsubscribe mechanism need to be a link in the CEM, or can it be some other means (e.g., reply to “unsubscribe @association.ca”, or reply with “Unsubscribe” in subject line)?
The unsubscribe mechanism must be able to be “readily performed”, meaning that it is not difficult or time consuming to access. It should be simple, quick, and easy for the recipient to use. For CEMs sent by email, the unsubscribe mechanism can be a link in the CEM to the association’s web page or it can be a “reply to” email address that the recipient sends an unsubscribe request to. Associations should assess their technological and administrative capabilities to determine which mechanism is operational for the association.
Which CEMs need to have the content requirements, including the unsubscribe mechanism?
All CEMs sent with express or implied consent must comply with the content requirements, including the unsubscribe mechanism. Only CEMs sent relying on a full exemption are exempt from both the consent and content requirements.
If an email recipient clicks “unsubscribe”, does that “unsubscribe” apply to all CEMs from the association or only the category of CEMs the “unsubscribe” was selected for, e.g., payment reminders? If a member/donor clicks “unsubscribe”, does that apply to all CEMs from the association?
CASL requires a recipient to be able to unsubscribe from receiving all CEMs from a sender. If an association’s unsubscribe mechanism simply allows a recipient to unsubscribe, that would need to apply to all CEMs sent by the association. However, CASL does not prohibit the association from creating a preference centre whereby the recipient can choose which categories of CEMs it wants to receive or no longer wants to receive. For example, the unsubscribe mechanism can bring the recipient to a webpage where they can choose among a list of CEMs (e.g., membership events, program info, fundraising) and indicate whether they wish to unsubscribe from all CEMs, or a subset of them.
If a recipient unsubscribes, can consent ever be “renewed” through an exemption, or must the recipient give express consent?
The CRTC has indicated (in the CASL Regulatory Impact Analysis Statement, available at http://fightspam.gc.ca/eic/site/030.nsf/eng/00271.html) that implied consent due to an existing business relationship is reinstated with every new or subsequent transaction that would qualify for that exemption. This means that if a donor unsubscribes, but then subsequently donates to the association again, the association would have implied consent to send CEMs based on that subsequent donation (assuming that the CRTC’s statement applies to the existing non-business relationship). There is some uncertainty about this topic, however, because CASL does not specify how an unsubscribe request may be overridden. It would be prudent to obtain express consent before sending a recipient CEMs.
Can the association send CEMs to members?
The existing non-business relationship applies to persons who 1) are current members of a club, association or voluntary organization, and those who ceased to be a member in the two year period immediately before the day the message is sent, and 2) donors or volunteers of a registered charity (as defined in subsection 248(1) of the Income Tax Act (Canada)) who last donated or volunteered within the two year period immediately before the day the message is sent. Members of an association and donors to the association, if the association is a registered charity, fall under this category. The association or registered charity, as applicable, has implied consent to send CEMs to these recipients. The content requirements still need to be included in these CEMs.
There are many nuances to CASL and its implications. We would be happy to assist in an audit of your association’s CASL processes and policies.
Kelly Morris http://www.blg.com/en/ourpeople/morris-kelly
Phone: 416.367.6633
Fax: 416.361.2560
Victoria Prince http://www.blg.com/en/ourpeople/prince-victoria
Phone: 416.367.6648
Fax: 416.361.7384
Victoria and Kelly are both partners at the law firm of Borden Ladner Gervais LLP and work extensively with organizations in the not-for-profit space. Victoria is a frequent speaker at CSAE Trillium events and works with many NFPs, often with the assistance of other lawyers at BLG. Kelly and Victoria have worked together on numerous CASL presentations and consultations.