Excluded Commercial Electronic Messages
In addition to the implied consent exception, CASL provides for a number of other exemptions that relieve senders from the burden of adhering to the legislation.
Business-to-Business Exemption
The IC Regulations at section 3(a) provide an exemption for CEMs sent by employees, representatives, consultants, or franchisees “within organizations or sent between organizations that already have a relationship,” where the messages concern the activities of the organization receiving or sending the message.
According to the RIAS, these exclusions were enacted in response to “the most serious concerns raised” in relation to the broad, and potentially undesirable, effects of CASL. The business-to-business exemptions, however, are intended to shelter businesses from the effects of CASL by excluding “ordinary, transactional business communications” and other “internal” communications concerning the “activities of an organization” from the scope of the Act.
Extra-Jurisdictional CEMs
The ambit of CASL extends to messages sent from, or accessed by, computer systems located in Canada, giving the Act extra-territorial application. According to the RIAS, CASL does not apply to CEMs that are simply routed through Canada.
According to the RIAS, faced with concerns that some businesses in Canada would be obliged to comply with both CASL and the laws of foreign jurisdictions, an exclusion was incorporated into the IC Regulations at section 3(f) and Schedule (Paragraph 3(f)) explicitly exempting CEMs sent from Canada that a sender “reasonably believes” will be accessed in one of the prescribed foreign states (e.g., the United States, Spain, etc.). As a caveat to the use of the Extra-Jurisdictional CEM exemption, the IC Regulations at section 3(f) require that the CEMs sent from Canada must comply with the local laws of that prescribed foreign state. According to the RIAS, these particular IC Regulations were created to reduce the burden on businesses sending CEMs to recipients in prescribed foreign states by recognizing the existence of legislation in those states that regulates the conduct prohibited by CASL. Unfortunately, all businesses that operate in Canada, including U.S. subsidiaries or foreign-owned companies, must undertake this analysis to determine whether CASL requirements apply to their e-mail.
Registered Charities, Political Parties, and Candidates
The IC Regulations at sections 3(g)–(h) also exempt messages that are sent by or on behalf of registered charities, political parties, or candidates so long as the primary purpose behind such messages is fund-raising or soliciting contributions. Not-for-profit corporations, however, remain subject to CASL’s consent and content obligations.
Personal and Family Relationships
The rules at section 6(5)(a) of CASL regulating the transmission of CEMs relieve individuals that are in a personal or family relationship from having to comply with CASL. The IC Regulations at section 2(b) define “personal relationship” as a relationship where, taking into consideration any relevant factors such as the sharing of interests, experiences, and length of time the individuals have been communicating, it would be reasonable to conclude the individuals are involved in direct, voluntary, two-way communications as part of a personal relationship.
In contrast, to be exempt from CASL on the basis of a “family relationship,” section 2(a) of the IC Regulations narrowly requires that the parties be related to one another through “marriage, common-law relationship or any legal parent-child relationship.”
Enforcing Legal Rights
The RIAS also references an exemption for CEMs that are sent to “enforce legal rights.” Thus, according to the IC Regulations at section 3(c), where a message is sent to satisfy a legal or juridical obligation to give notice of or enforce such an obligation, court order, judgment, or legal right, the CEM need not comply with the consent and content requirements of CASL.
Additional Exclusions
The IC Regulations at 3(b) and (e) also contain exemptions for: (i) messages sent in response to a request or inquiry, or those otherwise solicited by the person to whom the message is sent; and (ii) messages sent over a limited-access secure and confidential account.
Other Exceptions to CASL
Additionally, the following CEMs are exempt from the consent requirements of CASL under sections 6(6)(a)–(f), although the form requirements remain:
- replies to requests by the recipient of the CEM for quotes or estimates for the supply of goods, property, or services;
- messages that facilitate, complete, or confirm commercial transactions in which the recipient is involved;
- messages that provide warranty, product recall, safety, or security information regarding products or services the recipient uses or has purchased;
- messages that provide factual information about products or services purchased by the recipient as part of an ongoing subscription or membership, or information about that subscription or account;
- messages pertaining directly to employment or benefit plans in which the recipient is involved; and
- messages delivering products, goods, services, or updates to which the recipient is entitled under the terms of a transaction previously entered.
Lessons Learned
Unlike the detailed legal analysis and findings provided by Canadian privacy regulators, to date the CRTC’s reasoning/analysis contained in its CASL undertakings and other CASL orders has been exceptionally sparse. Accordingly, the following section is based entirely upon the author’s own observations and analysis and should be read in this light.
Avoid Being a Tempting Target
The first notice of a CASL violation involved 3510395 Canada Inc. (d.b.a. Compu-Finder), who received an administrative monetary penalty (a fine) of $1,100,000 (CAD) ($859,442.14 USD) for repeatedly sending CEMs without recipients’ consent, as well as sending CEMs without a properly functioning unsubscribe mechanism. Between July 2, 2014, and September 16, 2014, Compu-Finder was found to have spammed potential customers with offers of unsolicited training courses, although the company had also received complaints for its marketing activities prior to the implementation of CASL. Compu-Finder was clearly acting very badly (“flagrantly violating the basic principles of the law,” in the CRTC’s own words) because they apparently accounted for 26 percent of all complaints submitted to the CRTC’s Spam Reporting Centre. It is therefore not surprising that the CRTC chose to make an example of them, and the company clearly proved to be a very tempting target. The moral here: if a company acts egregiously and draws too much attention to itself, it should not be surprised if it becomes a target for CRTC compliance and enforcement.
No Fish Too Small
In the second CASL case, PlentyofFish Media Inc. (PoF), the operator of the well-known Canadian dating website “Plenty of Fish,” voluntarily entered into an undertaking with the CRTC’s Chief Compliance and Enforcement Officer in order to settle several alleged violations of CASL. These included sending CEMs to registered users of its own website that contained an unsubscribe mechanism that was not set out “clearly and prominently” and was not able to be “readily performed.” PoF was fined $48,000 CAD ($37,502.93 USD), was obliged to comply with and ensure that any third party authorized to send CEMs on their behalf complies with CASL, and further agreed to implement a compliance and training program.
Many Canadian commentators found this second CASL case to be an odd choice on the part of the CRTC. After a rousing start against a bona fide spammer like Compu-Finder, it seemed strange that the CRTC was turning its big guns against such a small fry (pun intended) as PoF, a dating website that was mainly annoying its own members. Upon reflection, it seemed that this case was really about sending the Canadian business community several messages. First, in the interest of administrative fairness, the CRTC was making the point that CASL is not just a law that applies to large companies – even smaller ones should adapt their business practices and behavior to comply with the Act. The CRTC clearly expects every entity to be compliant, no matter how small. Second (and as will be discussed more fully below), if the CRTC does catch a company being noncompliant, assuming that the company is willing to admit its errors, publicly cooperate, and take active steps to ameliorate its practices, then the CRTC likely will show more leniency regarding the levying of fines, etc.
Cooperate or Else
It is no surprise that Compu-Finder was given a large fine by the CRTC, under its authority to encourage “changes of behavior,” while both Porter Airlines Inc. (Porter) and Rogers Media Inc. (Rogers), two large, well-known Canadian companies that voluntarily entered into undertakings in return for admitting their wrongdoing, were let off rather lightly in comparison. Lesson learned: cooperation with the CRTC buys a company goodwill, much lower fines, and even less public disclosure about what a company allegedly did to contravene the Act. So long as companies are willing to fall on their swords and publicly change their practices, the CRTC practices leniency, given that the marketing value in obtaining cooperation definitely outweighs and arguably offsets the value of levying large fines.
Porter also entered into a voluntary undertaking with the CRTC in a decision published in June 2015 (available at http://www.crtc.gc.ca/eng/archive/2015/ut150629.htm) after Porter was found to have sent CEMs to e-mail addresses for which it did not have proof of consent, as well as sending CEMs that did not provide complete contact information as required under the Act and CRTC Regulations. Other CEMs sent by Porter either contained no unsubscribe mechanism or one that was not set out “clearly and prominently,” and there was at least one instance where the unsubscribe mechanism was not given effect within 10 business days as required by CASL. It is also clear that Porter was being punished for failing to obtain (and be able to evidence) proof of consent for each and every CEM that it sent. As Porter’s errors were considerably more serious than PoF’s, its fines ($150,000 CAD ($117,196.66 USD)) were naturally higher, although they still fell well short of those of Compu-Finder. Porter was obliged to take corrective measures, such as updating its mailing list and ensuring that its CEMs met form requirements, as well as implementing a compliance program.
Similarly, Rogers, a company related to Rogers Communications, one of Canada’s largest telecommunications and media companies operating in wireless communications, cable, telephone, Internet, mobile, and home monitoring, voluntarily entered into an undertaking with the CRTC in a decision published in November 2015 (available at http://www.crtc.gc.ca/eng/archive/2015/ut151120.htm). Rogers paid the CRTC an administrative penalty of $200,000 CAD ($156,262.21 USD) for failing to give effect to unsubscribe requests within 10 business days and for sending CEMs for which the unsubscribe mechanism did not contain an electronic address that was valid for a minimum of 60 days after the message was sent. Rogers also undertook to update and implement a compliance program, including measures such as the review and revision of its written policies, the development of training programs, and registration and tracking of all complaints related to CEMs and their resolution. Rogers also confirmed, in writing, the implementation of these measures to the CRTC within a specified timeframe and provided a written report of its compliance program annual review if requested.
Form Matters!
It is worth noting that every single one of these early CASL decisions involved violations of the CRTC Regulations pertaining to CEM content (i.e., regarding information that must be set out in any CEM) and form (i.e., the requirement that the information be set out “clearly and prominently” and that the unsubscribe mechanism in each CEM be “able to be readily performed”). Porter was additionally chided, for example, for sending some CEMs that contained two unsubscribe links, one of which did not function properly (the CRTC determined this to be an unsubscribe mechanism that was not clearly set out because it was not apparent which mechanism was functional). It is also worth noting that the CRTC pounced on Rogers for failing to meet these form requirements beginning July 3, 2014, less than a week after the CEM aspects of CASL came into force. By referencing these violations, the CRTC is confirming and signalling the importance of these form requirements for CASL compliance and is again demonstrating that companies of all shapes and sizes are still universally required to comply with them.
CRTC Decisions Make for Lean Reading
As indicated above, although one can try to read the CASL tea leaves, the Notice of Violations and Undertakings (available at http://www.crtc.gc.ca/eng/DNCL/dnclce.htm) that have been published by the CRTC regarding CASL so far have provided only the absolute minimum of detail about the alleged violations of CASL themselves. Citing bare facts, the decisions mainly reference which sections of CASL and its accompanying regulations, if applicable, were breached. As a practitioner, it would be helpful to know more about how a company was unable to provide proof of consent for some of its e-mail addresses. Was it a failure to purge an old database? When preparing for CASL compliance, did the company outsource these efforts to a third-party company that got it wrong? Without sounding ghoulish, more detail would be helpful so that legal practitioners and clients alike can at least reason by analogy as to best practices if the CRTC is not going to advise definitively.
More Guidance, Please!
Lastly and on a related point, there is still much that Canadian practitioners do not know about interpreting CASL, and the regulators are not making it easy. In contrast to the plethora of guidance documentation (interpretation bulletins, fact sheets, check-lists, tools, or other materials) published by the Office of the Privacy Commissioner of Canada and its provincial regulatory counterparts, the CRTC, for example, has only provided very minimal guidance documentation since the Act came into effect. In fact, the CRTC’s own FAQs remain quick to say that they are not meant to offer meaningful advice – even examples mentioned in their own Compliance and Enforcement Information Bulletins are not to be relied on. For example, when discussing Compliance and Enforcement Information Bulletin CRTC 2012-548, which, among other things, helps explain what information is to be included in a request for consent, the CRTC’s online FAQ reads that the examples used in that bulletin “may not necessarily be appropriate in every situation. Compliance will be examined on a case-by-case basis in light of the specific circumstances of a given situation.” Although this kind of language provides the CRTC with considerable flexibility, it does little to provide meaningful guidance to legal practitioners, individuals, or businesses that are just trying to navigate some very complex legislation. As one of the CRTC’s explicit goals is to “deter others who may be tempted to violate the law, so they understand what is required to comply and what the consequences are if they fail,” one would think that the CRTC would want to take steps to publish some meaningful commentary on the law to better achieve these ends. Accordingly, it is not surprising that the Cloudmark study found that more than 60 percent of respondents believe the CRTC has failed to provide small and medium enterprises with adequate information about the Act. 
Despite a round of information sessions, businesses still lack guidance on how to comply with the law.
Best Practices
Even though certain aspects of CASL interpretation remain a “work-in-progress,” in the past year and a half certain key CASL themes have emerged from the existing jurisprudence as described above. If you think that CASL applies to your organization, it is preferable to take steps even now to put in place remediation efforts after the initial compliance deadline. Accordingly, the following “best practices” to manage CASL requirements are recommended:
- Create a compliance team. It may be the same person or people who look after privacy compliance in your organization, but your marketing team should definitely be involved.
- Audit current practices by reviewing and categorizing what types of e-mails and electronic messages are currently sent and why they are sent. The purpose is to identify which are CEMs and which are not.
- Inventory existing databases for contacts who receive CEMs in Canada. Check all possible sources of electronic mailing lists in your organization – customers, business/association partners, suppliers, etc.
- Review all current electronic mailing lists and CEMs that are sent to determine:
  - whether there is an “existing business relationship” that would qualify for the three-year transition period in CASL;
  - what type of consent is required; and
  - what consent has been obtained.
- Review your current express consent language and revise it to be compliant with CASL.
- Update documents and templates that may be used with external contacts so they include express consent. Include wording in terms and conditions of use, purchase orders, contracts, and other agreements to include express consent.
- Keep a database of implied consents so you can identify when an implied consent expires. The database must be able to have a “stop send” date where CEMs will no longer be sent to a contact who has given implied consent after the expiration of the two-year or six-month period. Also, if express consent is subsequently given, there must be a mechanism to update this information.
- Update your unsubscribe mechanism to ensure it is compliant with CASL in all respects (form, ease of use, speed (giving effect within 10 business days), and validity for a minimum of 60 days after the message was sent).
- Train all employees that send CEMs regarding CASL and its compliance requirements.
- Review compliance procedures with third-party service providers who have access to or utilize electronic addresses/contacts. Make sure these third-party suppliers are contractually obligated to comply with CASL. For example, if you purchase mailing lists, ensure the provider has obtained express consent. Do not assume all U.S. providers will be compliant with CASL. Require any contracts with such providers to contain warranties and indemnities in the event of any noncompliance.
- For new contacts, establish a mechanism to obtain express consent (not by CEMs).
- Scrub/purge contacts for whom you do not have express consent, implied consent, or for whom there is no exemption.
- Document your CASL policy, which will be very important to show due diligence – a defense for directors, officers, and employees. Literally days before the Act came into effect, the CRTC released guidelines for CASL compliance programs that are extensive and detailed (available at http://www.crtc.gc.ca/eng/archive/2014/2014-326.htm).
Lastly, if you plan to stop sending CEMs to Canada and resort to cold-call marketing instead, you should know that the CRTC also has jurisdiction over telemarketing and unwanted calls and has established detailed Unsolicited Telecommunications Rules (available at http://www.crtc.gc.ca/eng/trules-reglest.htm) and a national do-not-call list. These telemarketing prohibitions are also enforced. For example, on March 10, 2016, the CRTC issued Notices of Violation to three Canadian-based companies and two Indian-based call centers with penalties totalling $643,500 CAD ($503,048.78 USD) for failing to respect the Unsolicited Telecommunications Rules. Thus, seek legal advice to ensure your compliance with these additional telemarketing requirements.
See also: “FAQs: About the Law”, Canada’s Anti-Spam Legislation, (January 20, 2013) http://fightspam.gc.ca/eic/site/030.nsf/eng/h_00050.html.