By Julian Dobre
Primer on Canadian Anti-Spam Legislation (CASL)
Canadian Anti-Spam Legislation (“CASL” or the “Act”) is a regulatory framework designed to protect Canadians from the misuse of digital technology, including identity theft, phishing, malicious software, and unsolicited marketing. Businesses that market their products and services to Canadians are caught in the anti-spam framework and must learn to navigate it. CASL is very easy to breach. If your business uses digital marketing, you need a plan to avoid significant monetary and other penalties.
CASL is only concerned with consent. It is otherwise uninvolved when it comes to the substance or content of digital advertisements. As discussed by the Federal Court of Appeal in 3510395 v Canada (Attorney General) (2020), CASL does not protect consumers from any unfair business practices beyond the sending of unsolicited commercial messages. Once the consent requirements are satisfied, as far as CASL is concerned, businesses are at liberty to send CEMs at will.
The penalties for breaching CASL are severe. Violations can result in Administrative Monetary Penalties of up to $10 million CAD per violation for a business or $1 million per violation for an individual.
CASL Compliance at a Glance
To comply with CASL, a business that sends Commercial Electronic Messages to Canadians must:
- obtain consent;
- provide their business’ identification information for withdrawal of consent; and
- include an unsubscribe mechanism.
What is a Commercial Electronic Message (CEM)?
Defined in article 1 of the Act, a CEM is an electronic message that hyperlinks to content on a website or other database that reasonably has as its purpose to encourage the recipient to engage in a commercial activity. A CEM may include an electronic message that offers, advertises, or promotes:
- the purchase, sell, barter, or lease a product, good, service, land, or an interest or right in land; or
- a business, investment, or gaming opportunity.
Without consent, a CEM is considered an Unsolicited Electronic Message, as prescribed by article 6 of the Act. It is prohibited to send a CEM unless the person to whom the message is sent has consented to receive it, whether express or implied.
Whether express or implied consent has been obtained is determined by a number of factors, including the sender’s familiarity and proximity to the recipient and the relevance of the message to the recipient’s business or official role or capacity.
Express Consent is obtained for the purposes of article 10 of the Act, only if, when requesting consent, the sender sets out clearly and simply the following information:
- the purpose for which the consent is being sought; and
- the prescribed Business Contact Information of the seller.
Implied Consent is obtained for the purposes of article 9 of the Act, if at least one of three scenarios listed there are found to be true, including:
- whether the sender has an existing business or non-business relationship with the recipient; or
- the contact information was published by the recipient online without a statement that they don’t want to receive a CEM, and the message is relevant to them.
Contact Information Requirement
To comply with CASL, a business must accompany any request for express consent with the following information:
- a description of the types of messages that will be received and the purposes for which consent is being sought;
- the legal name of the person or organization requesting consent;
- the mailing address, telephone number, email address and/or web address of the person or organization seeking consent; and
- a statement indicating that consent may be withdrawn at any time.
Unsubscribe Mechanism Requirement
Any business sending a CEM must include an unsubscribe mechanism to comply with CASL. It must be easy to use and not require too many unreasonable steps. Don’t be the business that makes it purposely difficult to unsubscribe. If the recipient must complete more than two steps to unsubscribe, it is not easy enough.
Article 11(1) of the Act sets out requirements for the unsubscribe mechanism. Its requirements include enabling the recipient of a CEM to indicate, at no cost to them, that they no longer wish to receive any CEMs from the sender. The unsubscribe mechanism must further specify an electronic address, or a link to a page on the internet that can be accessed through a web browser, to which the request to unsubscribe may be sent.
11 tips for CASL Compliance
The following 11 tips cannot substitute for the advice of a knowledgeable lawyer, but can help businesses evaluate their own practices and identify deficiencies:
- Don’t Use Hyperlinks. If the definition of a CEM is an “electronic message that hyperlinks to content…” there is seemingly a gap for marketing content that has no hyperlinks. If it’s not a CEM, it’s not covered by CASL. You may consider going back to the days before embedded hyperlinks, where URL text was copied and pasted right onto the page. You should further consider removing the links from your social media icons as this could make your message a CEM.
- Use email distribution software. Third-party software like MailChimp and Constant Contact (for those banned from MailChimp) make CASL compliance easier. MailChimp adds CASL ‘guard rails’ and typically does not allow you to breach the rules. While MailChimp’s AI will scan the emails you’re trying to send and flag it if there’s a problem, care should still be given to ensure CASL compliance with each marketing campaign.
- Opt-in, not out. It’s a CASL faux pas to pre-check the consent box. This puts the onus on the user to take action to indicate that he or she does not consent. CASL instead wants the user to indicate he or she does consent. Accordingly, express consent cannot be obtained through opt-out consent mechanisms; only yes means yes.
- Use forms and user submissions to get express consent. Express consent is obtained when the recipient has clearly agreed to receive a CEM. The recipient must take some proactive action to indicate their express consent, such as by joining your mail list. Consent should be requested in any instance where the user provides a submission to the website, such as in contact requests, user registrations, form submissions, comments, polls, or surveys.
- Don’t rely on partially completed forms. A website form can track anything a user types into a field, whether they submit the form or not. Many users partially fill out a form and then change their mind, usually when they see that payment or extensive personal information is required. While the CASL Commission has stated that entering an email into a field may indicate consent, there is little guidance on whether typing in an email into a field and then not submitting the form will constitute consent.
- Use software to create your consent form. Use software such as Microsoft Forms or SurveyMonkey to create a form request for express consent and send this to your recipient of choice. Make sure to include the CASL requirements, including a clear opt-in, the required business contact information, and the unsubscribe mechanism. In some instances, your third-party email distribution software may have an integration with your form software, in which case the consent will be applied directly to the emailing software. If there is no integration, you may use the recipient’s form submission as proof of consent if the email software company asks for it.
- Your Christmas email may be a CEM. It is clear that sales emails and advertisements are CEMs. But communication that aim to build rapport and keep clients up to date with your business, such as your company Christmas email, may not be. If the goal of your email is to promote the sale of your products or services, then it is possibly a CEM. Consent may be implied by the nature of your relationship with the recipient, and the message must be relevant to them.
- Be wary of time limitations. If a recipient asks to stop receiving CEMs, you must respect their request and stop sending them within ten business days. Once you have obtained express consent, you are able to send CEMs until the recipient notifies you that they no longer wish to receive them. On the other hand, there is a time limit attached to the life of implied consent of typically two years.
- Public information is fair game. The CASL guidelines explain that if the recipient made their email address conspicuously publicly available by publishing it on a website, there is implied consent. Note that the publishing of their email must not be accompanied by a statement that they do not wish to receive CEMs, and any CEM must still be relevant to them commercially. So, does that mean you can send CEMs to strangers’ emails you find online? Maybe, if it’s relevant to them, and they didn’t ask you not to.
- Keep good records. If dealing with a CASL compliance issue or investigation, you should be prepared to produce the following records:
- commercial electronic message policies and procedures;
- all contemporaneous unsubscribe requests and resulting actions;
- all evidence of express consent (e.g. audio recordings or completed forms) from consumers who agree to receive commercial electronic messages;
- commercial electronic message recipient consent logs;
- commercial electronic message scripts;
- CEM campaign records;
- staff training documents;
- other business procedures; and
- official financial records.
Additional CASL Resources
For more information on CASL requirements and prohibitions, please see CASL’s anti-spam page for existing FAQs and information bulletins.
You may also have obligations relating to the collection, use and disclosure of electronic addresses under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), including with respect to address harvesting. For more information on PIPEDA, as well as address harvesting, please refer to the website of the Office of the Privacy Commissioner of Canada and the OPC Address Harvesting E-Guide.
Julian Dobre is a lawyer at Donna Purcell QC Law who practices Corporate, Entertainment, Internet & Social Media, and Technology & Innovation Law.