Canada's Anti-Spam Legislation and Regulations

Disclaimer

"The views expressed are those of Innovation, Science and Economic Development Canada only and are not to be interpreted or understood as reflecting the views of the Canadian Radio-television & Telecommunications Commission, the Competition Bureau or the Office of the Privacy Commissioner of Canada. Accordingly, the views expressed by Innovation, Science and Economic Development Canada are not intended, nor are they to be relied upon, for the purpose of compliance and enforcement matters before the relevant agency. Further, the information provided herein does not constitute legal advice and should not be used as a substitute for seeking such advice."

Purpose

  • Innovation, Science and Economic Development Canada
    • Provide a high level overview of what the Act applies to and what it requires, so that business can understand their obligations.
  • CRTC
    • Provide an overview of how the CRTC will interpret the Act and regulations, with a view to being transparent and predictable.

Contents

  1. What you need to know if your business sends Commercial Electronic Messages
  2. What you need to know if your business installs software on other people's devices

1) Sending Commercial Electronic Messages

  • CEMs and Requirements
  • ID and unsubscribe
  • Consent
  • Exemptions
  • Special Cases
  • Coming into Force

Do I send "Commercial Electronic Messages"?

A Commercial Electronic Message (CEM) is a message whose purpose is to encourage participation in a commercial activity

CASL does not apply to:

  • non-commercial activity
  • voice, facsimiles or auto-recorded voice calls (robo-calls)
  • broadcast messaging including tweets and posts

Sending to An Electronic Address?

Under CASL an electronic address could be

  • An email account
  • A telephone account
  • An instant messaging account
  • Any similar account

What Must be Included in Each CEM?

  • Clearly identify yourself
  • Provide a method where the recipient can readily contact you
  • Provide a working unsubscribe mechanism:
    • Functional for 60 days
    • No cost
    • Same means unless impracticable
    • Include either electronic address or link
    • Must process without delay

Do I Have Consent?

Express Consent

  • Did the recipient say "yes" to receiving your CEM?
  • An individual must take action to "opt-in" to a stated purpose

Implied Consent

  • Can you show that you have an existing business or non-business relationship?
  • Did the recipient disclose their address to you?
  • Is the address published? Is there a statement saying they don't wish to be contacted?

Can you show where you got each electronic address?

You need to track how you obtained consent of each individual to whom you send CEMs.

Note: A message sent seeking consent to send CEMs is also considered a CEM.

When is Consent Not Required?

  • Quotes or estimates
  • Messages that facilitate or confirm transactions
  • Provides warranty, recall, safety or security information
  • Provides information about
    • ongoing use or ongoing purchases
    • ongoing subscription, membership, accounts, loans or similar
    • employment relationships or benefit plans
    • Delivers a product good or service, including updates and upgrades

Is My Message Exempt?

CASL does not apply to messages if:

  • You have a Personal Relationship with the recipient
    • individuals have a personal relationship (taking into consideration any relevant factors); and
    • you've had direct, voluntary, two-way communication.
  • You have a Family Relationship with the recipient
    • marriage, common-law partnership or any legal parent-child relationship; and
    • you've had direct, voluntary, two-way communication.

CASL does not apply to messages that are sent:

  1. Within or between business, where there's an ongoing relationship;
  2. In response to a request;
  3. To enforce a legal right or obligation;
  4. Via closed messaging systems;
    1. Proprietary system
    2. Messaging systems where ID and unsubscribe included on platform
  5. To a foreign jurisdiction in compliance with their spam law; (see Schedule 1 in the ECPR)
  6. By registered charities raising funds
  7. By political candidates or organizations, soliciting political contributions

Special Cases – Unknown Third Parties

A person can get consent on behalf of yet to be determined third parties

  • All parties relying on consent obtained by others are accountable for managing that consent.
  • ID and unsubscribe requirements still apply
Image text: Susan: 'Send me CEMs AND let Third Parties send me CEMs', Air Club shares Susan's email address, Rent-a-Car and the Hotel can send CEMs to Susan
Description of Figure 1

Image of a woman sitting at a computer with one solid line to demonstrate her relationship with Company A (the air club) and her consent to receive CEMS from them, and a dotted line to demonstrate that a recipient provides to Business A (an air club) their consent to receive CEMs from Business A and Third Parties. Business A shares the recipients email with Business B (a car rental company) and C (a hotel).

Image text: If Susan no longer wishes to receive 3<sup>rd</sup> party CEMs, Air Club must inform Rent-a-Car and the Hotel
Description of Figure 2

Image of a woman sitting at a computer to demonstrate that if a recipient no longer wishes to receive CEMs from third parties, the recipient can inform Business A (the air club) which must then inform Business B (car rental company) and Business C (a hotel).

Image text: Susan can withdraw consent from Rent-a-Car directly, who must inform Air Club and other 3rd Parties as necessary
Description of Figure 3

Image of a woman sitting at a computer to demonstrate that if a recipient no longer wishes to receive CEMs from third parties, the recipient can inform the third party Business B (car rental company) directly, who must then inform the original Company A (air club) and other third parties as necessary (Business C the hotel).

Special Cases – Third Party Referrals

  • You may refer a prospective client to another person if you have an existing relationship with the prospective client
  • If you receive a referral, you may send one CEM to the prospective client
    • CEM must include the full name of the individual who made the referral
Image of a diagram depicting Special Cases – Third Party Referrals
Description of Figure 4

Image of three people in a triangle: an Agent/sender, a potential client and an individual providing the referral. There is a two way dotted arrow from the individual providing the referral to the potential client indicating a relationship between those individuals. There is also a two way dotted arrow between the Agent/sender and the individual providing the referral indicating a relation between them. There is a solid, one way arrow from the Sender to the Potential Client indicating one commercial electronic message being sent.

When Do I Need To Be Ready?

Coming Into Force

  • Most of the Act comes into force July 1, 2014
  • You will need consent from any new client and each CEM must include ID and an unsubscribe mechanism

Transitional Provisions

  • Implied consent to continue sending CEMs to existing contacts for 3 years

What Should I do to Prepare?

  • Examine your messages
    • Do you send CEMs?
    • Are they covered by CASL?
  • Provide ID and unsubscribe mechanism
    • Clearly identify yourself
    • Provide an unsubscribe mechanism in every CEM
  • Get consent
    • Clear express consent or implied consent
  • Manage your contact list
    • Make sure you can demonstrate consent for every recipient
    • Be able to act on unsubscribe requests

2) Installing software on other people's devices

  • Consent
  • Special Cases
  • Coming into Force

When Do I Need Consent?

  • You need to have express consent when installing a computer program on someone else's device
  • The only exception is when you are acting in accordance with a court order

Do I Need To Seek Consent?

There are certain categories of programs where a person is considered to have provided express consent to installation:

  • When TSPs install software to
    • Protect their networks
    • Upgrade or update their networks
  • When addressing a failure in the system software or hardware
  • If the program you're installing is a
    • A cookie,
    • HTML code,
    • Java Scripts,
    • An operating system,
    • A program executable only through the use of another computer program that you previously obtained consent to install

When Seeking Consent

Does your program:

  • Collect personal information?
  • Interfere with the owner's ability to control their device?
  • Change settings or preferences without the owner's knowledge?
  • Interfere with data, preventing the owner from accessing it?
  • Cause the device to communicate with another without the knowledge of the owner?
  • Install any software that can be activated by a third party?

If YES, you must make this clear when requesting consent and it must be separate and apart of the licence agreement or EULA

  • This ensures people understand what they're consenting to

Consent for Program Updates

Consent is required to install program updates or upgrades

  • Consent can be assumed for updates and upgrades that fall into previously discussed categories
  • Consent to updates or upgrades may be sought in advance of the actual installation
  • Requests for consent for updates and upgrades must respect additional requirements if triggered

When Do I Need to be Ready?

Coming into Force

  • Software provisions come into force January 15, 2015

Transitional Provisions

  • 3 year transitional period for updates and upgrades to existing computer programs
    • For any software installed prior to January 15, 2015

What Should I do to Prepare?

Examine your software

  • Are you installing on another computer?
  • Is it a type of program for which you can assume consent?
  • Does the program include functions that trigger enhanced requirements when seeking consent?

Get consent

  • If necessary, develop a mechanism to seek and obtain consent before installing the program

How Can I Report Spam?

As of July 1st 2014 you'll be able to report spam and other violations at Fightspam.gc.ca

Where Can I Get More Information?

Fightspam.gc.ca