The Canadian Anti-spam law known as CASL came into effect on 1 July 2014. It is regulated by the Canadian Radio and Television Commission (CRTC).
CASL Section 6 requires express or implied consent for electronic messages to be sent. Implied consent has to be in the context of an existing business relationship. CASL applies to all messages sent to or received in Canada no matter where they originate. A single message can cause a violation; there is no de minimis exception.
Fines for breaches of the regulations for organisations can be up to $CA 10m per violation with personal liability for directors possible.
The regulations cover B2C and B2B. The definition of “person” includes individuals and companies so it is likely that even messages to info@ addresses would be covered.
“person” means an individual, partnership, corporation, organization, association, trustee, administrator, executor, liquidator of a succession, receiver or legal representative.
There are some exclusions and exceptions for B2B which are laid out in the separate Electronic Commerce Protection Regulations (GIC Regs). These allow messages to be sent on the basis that there is a relationship and the message is related to the activities of the receiving organisation:
Excluded messages — Section 6 of Act
3. Section 6 of the Act does not apply to a commercial electronic message
(a) that is sent by an employee, representative, consultant or franchisee of an organization
(i) to another employee, representative, consultant or franchisee of the organization and the message concerns the activities of the organization, or
(ii) to an employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent;
Definition of implied consent
This term does not have the general application that we would normally expect (i.e. opt-out, it only applies in the context of an existing business (or for charities non-business) relationship.
Implied consent — Section 6 of Act
(9) Consent is implied for the purpose of section 6 only if
(a) the person who sends the message, the person who causes it to be sent or the person who permits it to be sent has an existing business relationship or an existing non-business relationship with the person to whom it is sent;
(b) the person to whom the message is sent has conspicuously published, or has caused to be conspicuously published, the electronic address to which the message is sent, the publication is not accompanied by a statement that the person does not wish to receive unsolicited commercial electronic messages at the electronic address and the message is relevant to the person’s business, role, functions or duties in a business or official capacity;
(c) the person to whom the message is sent has disclosed, to the person who sends the message, the person who causes it to be sent or the person who permits it to be sent, the electronic address to which the message is sent without indicating a wish not to receive unsolicited commercial electronic messages at the electronic address, and the message is relevant to the person’s business, role, functions or duties in a business or official capacity; or
(d) the message is sent in the circumstances set out in the regulations.
Definition of “existing business relationship”
The existing business relationship has to be in line with the definition in CASL i.e.
(10) In subsection (9), “existing business relationship” means a business relationship between the person to whom the message is sent and any of the other persons referred to in that subsection — that is, any person who sent or caused or permitted to be sent the message — arising from
(a) the purchase or lease of a product, goods, a service, land or an interest or right in land, within the two-year period immediately before the day on which the message was sent, by the person to whom the message is sent from any of those other persons;
(b) the acceptance by the person to whom the message is sent, within the period referred to in paragraph (a), of a business, investment or gaming opportunity offered by any of those other persons;
(c) the bartering of anything mentioned in paragraph (a) between the person to whom the message is sent and any of those other persons within the period referred to in that paragraph;
(d) a written contract entered into between the person to whom the message is sent and any of those other persons in respect of a matter not referred to in any of paragraphs (a) to (c), if the contract is currently in existence or expired within the period referred to in paragraph (a); or
(e) an inquiry or application, within the six-month period immediately before the day on which the message was sent, made by the person to whom the message is sent to any of those other persons, in respect of anything mentioned in any of paragraphs (a) to (c).
Transitional provisions and time limits on consent
There is a three year transitional period during which previously obtained implied consent can be relied upon if an existing business relationship was in place prior to 1 July 2014 and previous emails have been sent/exchanged.
Existing business or non-business relationships
66. A person’s consent to receiving commercial electronic messages from another person is implied until the person gives notification that they no longer consent to receiving such messages from that other person or until three years after the day on which section 6 comes into force, whichever is earlier, if, when that section comes into force,
(a) those persons have an existing business relationship or an existing non-business relationship, as defined in subsection 10(10) or (13), respectively, without regard to the period mentioned in that subsection; and
(b) the relationship includes the communication between them of commercial electronic messages.
There is a 6 month window to respond to enquiries made in the course of an existing business relationship.
Implied consent obtained from a business relationship formed after 1 July 2014 will need to be renewed before the expiry of a 24 month time period.
Express consent does not expire.
How does this affect data sources
• Third party opt-in data
This data can be used (as specifically set out in the GIC Regs) if the consent obtained by the list owner was a true opt-in (i.e. express consent).
To be valid an express consent has to clearly stated
Pre-ticking is not acceptable for secondary uses of data.
• Directory data
This would be likely to fall into the “conspicuously published, or has caused to be conspicuously published” condition so long as the messages are relevant to the person’s business, role, functions or duties in a business or official capacity and they have not unsubscribed from communications.
• B2B Televerified (reception level)
Use of this data would depend on the wording employed at the point of collection.
If express consent was obtained this will still be valid (an organisation can give express consent on behalf of its employees).
If there is no explicit consent, it may be possible to rely on the B2B exception in the GIC Regs. This could be valid on the basis that there is a “relationship” in place as a result of the televerification. This is less onerous that the requirement to prove implied consent validated by an “existing business relationship” in CASL itself.
The person (in this case the organisation on their behalf) to whom the message is sent must have disclosed the email address without opting out. The emails sent must be relevant to the business, role, functions or duties. This consent will expire on 1 July 2017.
It would be advisable to obtain express consent when televerifying in the future.
• Data in the public domain
As above for Directory Data.
It should be noted that whilst the use of addresses derived from the internet is permissible under CASL, an amendment to Canada’s main data protection law (PIPEDA) brought in at the same time bans email harvesting from the internet.
1. Would professional B2B e-messaging fall into Spam definition or not? Yes
The definition of a Commercial Electronic Message (CEM) is very broad. It includes “offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land”; “offers to provide a business, investment or gaming opportunity”, messages that advertise or promote those activities.
True transactional messages are exempt but have to meet specific listed criteria e.g. delivery of warranty, recall or product update to an existing customer.
2. Does the fact that a company has already emailed these people with an unsubscribe link etc. mean they can continue i.e. can they imply any consent from this? No.
This is not an implied consent and would not be covered by the exception in the GIC Regs as it would be hard to claim a “relationship” exists on the basis of the previous email.
3. What permissions are needed in future from Data Providers?
Directory Data and Public Data which has been collected within the last 2 years do not require consent (although this may be challenged as case law develops).
Other cold lists will have to have express consent to use by third parties and the list owner will need to be able to prove consent was obtained and that it covered the kind of approach to be made.
4. What is risk? Likely fines? How active are the regulators likely to be?
Fines are up to $CA10m for organisations and $CA1m for individuals but the regulator has said these will be reserved for violations causing significant harm. Class actions by individuals are possible.
The CRTC has put in place an online spam reporting tool and will concentrate on following up complaints. They have stated they will take a “proportionate approach” to enforcement. The Privacy Commissioner will focus on illegal collection and email harvesting.
It is likely that high profile consumer violations will attract more attention than B2B as a whole.
5. Does the fact that a company is emailing from outside territory – i.e. UK change the position? No
CASL applies extra-territorially to every CEM that is sent to a Canadian address or accessed in Canada. The fact that the sender cannot identify the address as Canadian (i.e. it is a .com address) does not provide a defence.
It will, however, be difficult for CRTC to pursue expat senders except with the help of local Regulators which it has said it will seek.
6. Any other requirements
If relying on the B2B exception, the messages must be relevant to the activities of the recipient. An unsubscribe should be provided nonetheless.
The Regulations require that a CEM set out, among other things, the mailing address of the person sending the message or, if different, the mailing address of the person on whose behalf the message is sent; “mailing address” consists of the sender’s valid, current street address, postal box address, or general delivery address. This address must be valid for a minimum of 60 days after the message has been sent.
There must also be either a telephone number providing access to an agent or a voice messaging system, an email address or a web address.
Emails to third party data must offer unsubscribe from the company and from the list owner; if the list owner unsubscribe is activated they must suppress the contact and inform all users to do the same.
If it is not practicable to include the contact information and the unsubscribe mechanism they can be made accessible by means of a link that is clearly and prominently set out in the message.
7. Anything else relevant to continue email marketing
As noted above there is a requirement to reconfirm implied consent from existing individuals within 3 years.
If the company continues to rely on implied consent when collecting data in the course of a business relationship from 01 July 2014 onwards, there is a requirement to reconfirm consent from these buyers/enquirers within 2 years.
If using express consent to collect data on the telephone in the future, the guidelines suggest that the name, mailing address and a contact number, email or web address will have to be provided in the course of the conversation as well as a reminder that consent can be withdrawn. A recording should be retained as proof.
1 An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act
Published September 2014
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.