Canada’s new anti-spam laws (CASL), (S.C. 2010, c. 23), will come into force on July 1, 2014, and is the toughest anti-spam law in the world. Whether or not your client is located in Canada, CASL may affect your client. Even if your client isn’t a spammer, CASL will affect your client’s business operations in and from Canada.
Why should U.S. lawyers and their clients care about CASL? The answer is that CASL has considerable extra-territorial reach. CASL applies where "a computer system located in Canada is used to send or access" an electronic message. So, by way of example, CASL will apply if an e-mail is sent from the United States to a Canadian who receives and opens it on a computer located in Canada. In light of the long statutory reach outside of Canada and because of the unprecedented toughness of CASL, anyone involved in online commercial communications flowing into Canada needs to consider compliance with CASL.
A violation of CASL attracts significant administrative monetary penalties of up to $1 million for individuals and $10 million for others. Corporate directors and officers may be personally liable if they direct, authorize, or assent to, or acquiesce or participate in, a contravention of CASL, subject to a due diligence defense. Employers may be vicariously liable for violations of CASL by their employees, subject to a due diligence defense. It is also an offense under CASL to aid, induce, procure, or cause to be procured the doing of any acts contrary to certain sections of CASL, including the sections relating to CEM’s.
CASL regulates “commercial electronic messages” (CEM) which are defined broadly and includes any electronic message that has as its purpose, or as one of its purposes, the encouragement of participation in a commercial activity. An electronic message would include e-mail, text messages, and social media messaging and text, sound, voice, or image messages. Even if the electronic message itself is not related to a commercial activity, it may still be a CEM, having regard to the hyperlinks to other content or websites or the contact information contained in the message. Commercial activity is defined in CASL to mean any transaction, act, or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so with the expectation of profit. Common business activities, including sending e-mail messages to customers, operating a website, or making an application available for download, will therefore be subject to CASL.
CASL is fundamentally different than the U.S. Can-Spam Act of 2003, (15 U.S.C. ch. 103, Public Law No. 108-187, was S. 877 of the 108th United States Congress), because, unlike the Can-Spam Act, which is based on an “opt-out” model which assumes that recipients of unsolicited electronic messages have implicitly consented to their receipt until and unless they take steps to opt-out of the receipt of such messages, Canada is moving to an “opt-in” consent regime. This will prohibit the sending of CEM’s unless the recipient has given his or her express or implied consent, subject to limited exceptions. Problematically, a CEM cannot be used to request this consent which means companies will need to obtain express consent without using e-mail.
In addition to the obligation to obtain express or implicit consent to the sending of CEM’s, CASL also regulates the content and form of CEM’s. Every CEM must identify the sender, include prescribed contact information for the sender, and provide a specific unsubscribe mechanism which must permit the recipient to indicate, at no cost, that the recipient no longer wishes to receive CEM’s from the sender. The sender must comply with requests to unsubscribe to CEM’s “without delay,” and in any event within 10 business days. Prescribed contact information for each CEM includes the name and mailing address of the person sending the CEM, and a telephone number, e-mail address, or web address of the person sending the CEM. Where the CEM is being sent on behalf of another person, such as by a third-party service provider, the name of the third party as well as the name of the person on whose behalf the CEM is being sent must also be included.
CASL establishes a right of private civil action which may be commenced by any individual or organization affected by a contravention of CASL; however, this private right of action will not come into force until July 1, 2017. Class actions are also possible. These actions are of significant concern for anyone doing business in Canada or communicating online with Canadians. CASL also regulates the unsolicited installation of computer programs or software; however, these provisions will not come into force until January 15, 2015.
As a result of consultation with many different stakeholders, the three sets of regulations to CASL include many important exceptions that have to be assessed carefully by clients when implementing a compliance program. It is also important to consider Industry Canada’s Regulatory Impact Analysis Statement (RIAS) which clarifies questions raised during the consultation process, although the RIAS is not legally binding. Given the complexity and novelty of CASL, compliance with CASL will be complex and must be tailored for each client’s specific operations and processes.
The first phase of CASL’s implementation commences July 1, 2014, with the balance of its provisions being phased in over the following three-year period. U.S. lawyers and their clients will want to act quickly to assess whether the client needs to comply with CASL and if so, the process for compliance with CASL. Given the extremely high administrative monetary penalties, it is critical to act now.