What is CASL?
CASL stands for Canada’s Anti-Spam legislation. This anagram is the unofficial name for a new law that came into force across Canada on July 1, 2014. Because it is a federal law, it will apply to not-for-profit organizations and, with some limited exceptions, to registered charities across Canada.
While the unofficial title of the Act targets spam, it is actually much broader in scope. CASL deals with commercial electronic messages (CEMs) and it regulates a broad range of activities including:
- unsolicited commercial messages such as emails, texts and tweets;
- hacking, malware and spyware;
- “phishing” and other fraudulent or misleading practices;
- invading privacy through a computer; and
- collecting email addresses without consent.
Commercial Electronic Messages
A Commercial Electronic Message or CEM is an electronic message that has as its purpose encouraging participation in a commercial activity and that is sent from or received by a computer in Canada. A “commercial activity” means a transaction or act that is of a While the unofficial title of the Act targets spam, it is actually much broader in scope. CASL deals with commercial electronic messages (CEMs) and it regulates a broad range of activities… commercial character, whether or not it is done with an expectation of profit.
Exception for Registered Charities
There is a limited exception for registered charities. Any electronic message sent by a registered charity for the primary purpose of raising funds is exempt from the provisions of CASL. However, the definition of raising funds is unclear at this time. And, if a request for donations is placed within a newsletter, or some other form of communication with the public, it may be found that the primary purpose of the CEM was not to raise funds. This limited exception does not apply to not-for-profit organizations or Registered Amateur Athletic Associations.
Consent is really the key concept to be aware of in CASL. The Act creates a permission-based scheme under which consent is required before a CEM can be sent. Consent can be either express or implied.
Express consent means that a recipient has voluntarily agreed to receive a CEM and this consent is documented. Consent can be either oral or in writing, and “in writing” includes both paper and electronic forms of writing. The CRTC has set out guidelines that state the information that must be in a request for express consent:
- The purpose or purposes for which consent is requested;
- The name of the person seeking consent and the name of the person ,if it is different, on whose behalf consent is asked;
- A statement indicating which person is asking for consent and which person on whose behalf consent is being asked;
- If the person seeking consent and the person, if different, on whose behalf consent is sought are carrying on business under different names, the names of those businesses;
- The mailing address, and either a telephone number providing access to a person or a voice messaging system, an email address or a web address for the person asking for consent, and if different, the person on whose behalf consent is asked; and
- A statement that the recipient of the CEM can withdraw consent at any time in the future by using this contact information. This is called the “unsubscribe mechanism”. You will find more information about the unsubscribe mechanism at the end of this section.
Once express consent is obtained, it does not expire, unless the person giving consent withdraws it at any future time.
The CRTC has issued Compliance and Enforcement Bulletin 2012-549 that gives guidance about obtaining express consent and gives two Consent is really the key concept to be aware of in CASL. The Act creates a permission-based scheme under which consent is required before a CEM can be sent. Consent can be either express or implied.examples of forms that are acceptable. You will find these forms here. The Bulletin also states that since express consent must be positive or explicit, an opt-out mechanism is not acceptable, nor is a “toggle box” where permission to send CEMs is already checked off.
Under CASL, consent can be implied in three situations:
- where there is an existing business relationship, or an existing non-business relationship;
- where the recipient has “conspicuously published” their electronic address without saying that they do not want to receive unsolicited CEMs and the message they receive has to do with their business, role, functions, or duties in their business or official capacity;
- where the recipient has disclosed their electronic address to the person who is sending the message; again, without saying that they do not want to receive unsolicited CEMs and the message they receive has to do with their business, role, functions or duties in their business or official capacity. An example of this could be a person who receives a CEM from a person to whom they gave their business card, with their email address on the card.
Generally speaking, implied consent lasts for two years, providing an opportunity for organizations to change an implied consent to an express consent. CASL includes a transition period that allows for implied consents to remain active until July 1, 2017. In addition, where there is an existing business relationship, each transaction renews the implied consent, so that the two-year existing business relationship starts over.
It is important to note that after July 1, 2014 CEMs may only be sent with the explicit or implied consent of the recipient. Because a message seeking explicit consent is, in itself, a CEM, after July 1, 2014 these can only be sent to people or organizations with which you have an implied consent relationship.
Existing Business Relationship
An existing business relationship between the sender of the CEM and the recipient will be found if, within the previous two years the recipient has:
- purchased, leased or bartered a produce, goods, services, land or an interest in land from the sender;
- accepted a business, investment or gaming opportunity offered by the sender;
- entered into a written contract or made inquiries about other matters with the sender for another matter not listed above;
- within the previous six months, made an inquiry or an application about any of the matters listed above.
The existing business relationship is renewed with each transaction, so that the two-year existing business relationship starts over.
Existing Non-Business Relationship
Existing Non-Business Relationships are of particular importance to registered charities and not-for-profits. An organization has an existing non-business relationship with a recipient if the recipient has, within the previous two years:
- In the case of a registered charity, made a donation or gift, or has performed volunteer work for the charity;
- In the case of a not-for-profit, has been a member of the organization, such as a club or association.
Each time that a recipient makes a donation or gift, or volunteers, the two-year implied consent period begins again. It is the same case for not-for-profits. Each time a member renews, the two-year implied consent period begins again.
Excluded Messages (1)
There are a number of CEMs to which CASL does not apply. These include messages sent:
- to someone with whom the sender has a personal or family relationship;
- to someone in a commercial activity making an inquiry or application about the activity, such as quotes or estimates;
- to another employee, representative, consultant or franchisee of an organization about the activities of the organization;
- to an employee, representative, consultant or franchisee of another organization, if the organizations have a relationship and the message is about the activities of the receiving organization;
- in response to a request, question or complaint, or is otherwise initiated by the recipient;
- by or on behalf of a registered charity and the message has as its primary objective raising funds for the charity;
- by or on behalf of a political party or a political candidate for publicly elected office, for the primary purpose of obtaining a donation or contribution.
Excluded Messages (2)
These types of CEMs are excluded from the provisions of CASL except that they must conform to the rules about providing sender identity information and an unsubscribe mechanism so that the recipient can opt not to receive future CEMs. These messages must solely:
- facilitate, complete or confirm a commercial transaction that the recipient previously agreed to enter into with the sender;
- provide warranty, product recall or safety and security information about a product or service that the recipient has used or purchased;
- provide product, goods or services updates or upgrades that the recipient is entitled to receive;
- provide ongoing information about a subscription, loan, membership or account that the recipient is currently participating or enrolled in;
- provide information directly related to an employment relationship or benefit plan in which the recipient is involved or enrolled.
There is some uncertainty at the moment about the meaning of “solely” at this time. Further clarification is expected from the CRTC.
Third Party Referrals
There is another limited exemption to the consent provisions of CASL for third party referrals. The CRTC states that the consent provisions do not apply to the first commercial electronic message that is sent by an individual for the purpose of contacting a recipient following a referral by someone who has:
- an existing business relationship;
- an existing non-business relationship;
- a personal relationship; or
- family relationship with the individual who sends the message as well as these relationships with the individual to whom the message is sent.
Third Party Referral messages must disclose the full name of the individual or individuals who made the referral and state that the message is sent as a result of the referral. These messages must also comply with the sender identity information and unsubscribe mechanism requirements. Only one Third Party Referral message may be sent under these terms, so it should contain a request for future consent.
The Unsubscribe Mechanism is one of the most important components of the CASL scheme. Every CEM that an organization sends must provide a way for recipients to unsubscribe from receiving messages in the future. A Regulatory Policy from the CRTC states that the mechanism must be “readily performed” meaning that it must be accessed without difficulty or delay and should be simple, quick and easy for the consumer to use. It must also be free of charge to the user. The means to contact the sender must be operational for at least 60 days, and the unsubscribe request must be completed within ten business days.
An example of an unsubscribe mechanisms created by the CRTC can be found here (under “Sample Forms” near the end of the page).
The Unsubscribe Mechanism is one of the most important components of the CASL scheme. Every CEM that an organization sends must provide a way for recipients to unsubscribe from receiving messages in the future. It is be very important for all organizations affected by CASL to set up a system to track and monitor unsubscribe requests, so that they know what electronic addresses cannot be sent future CEMs. This could be a system as simple as a spreadsheet or as sophisticated as a fully integrated database. Note too, that the tracking system should also be set up to watch for the expiration of the two-year period for implied consents. Failure to do so that results in CEMs being sent to parties who have unsubscribed or have not been active with the organization for two years could lead to Notices of Violation from the CRTC, with the possibility of significant fines for the organization, and the officers and directors. After July 1, 2017, there is also the possibility of lawsuits by private citizens who allege harm and claim damages.
Relationships with Third Parties
Under CASL organizations must also be aware of what contracts they have entered into that may involve a third party sending CEMs on their behalf. Some examples of these contracts could include:
- advertising agencies;
- social media management companies;
- public relations or media advisory companies;
- sales or distribution agents;
- professional fundraising companies;
- investor services;
- suppliers of referral/contact lists.
If your organization has contracts with parties such as these, the contracts should be reviewed to make sure that any CEMs they send on your organization’s behalf are CASL compliant. The contracts should contain clauses that ensure that the service provider will meet all applicable CASL requirements, will notify you if it is cited by CRTC for a violation, and will keep your organization indemnified for any costs or damages arising out of a breach. You should also ask your service provider to inform your organization of all unsubscribe requests and to keep records of CASL compliance.
For an example of how the CRTC is handling complaints under CASL, please see the following case comment on the Porter Airlines case by Martin Kratz, QC.