Canada, the most apologetic and non-confrontational country in the world, has unleashed a regulation that prompted a chapter in a compliance booklet dedicated to “Controlling the Rage”. Seriously. I can point you to this gem. If you walk past a closed office door and hear fists slamming on the desk you know what they’re working on. Because this regulation isn’t going away and if you do business with Canadians than you need to be ready to comply by July 1, 2014.
What is this regulation which has prompted such rage? It is called the Canadian Anti-Spam Law (CASL).
Here is a much boiled down version of what you need to know. For links to the full text of CASL, FAQs, and two helpful guides straight from the folks who created this regulation go to the bottom of this blog.
Correction to previous version of this blog: CASL applies to certain Commercial Electronic Messages (CEM) sent from or accessed by a computer system which is located in Canada. Simply routing a CEM through Canada (so long as the CEM is not accessed or sent from a system located in Canada) or sending to a Canadian national who is out of the country will not trigger CASL.
What is a CEM?
Basically it is any e-mail whose content, including any links in the e-mail to content on a website or in a database, has as its purpose or one of its purposes, to encourage participation in a commercial activity. In other words, encouraging people to buy from you. It includes e-mails about buying, selling, bartering, or leasing products or services or advertising or promoting a product or service. And it includes any e-mail asking for consent to send an e-mail about one of the above!
There are a few categories of CEMs which this regulation does not apply to. I’ll get into those at the end of this blog. First let’s talk about what this regulation requires for most CEMs.
This regulation means you MUST obtain consent (usually express consent, but in a few instances it may be implied consent) from the Canadian before sending a CEM.
If you have an existing business relationship with the Canadian then consent is implied, but only for a period of three years from July 1, 2014 or up to the point at which the person indicates they want to unsubscribe from receiving CEMS, whichever is earlier. That doesn’t mean there aren’t still parts of CASL you have to comply with pertaining to implied consent, but it does mean you don’t need to get express consent, which is the real rub in CASL, until July 1, 2017. There are a few other examples of implied consent, but this is the one which will most likely apply to for-profit businesses.
What is an “existing business relationship”?
If the Canadian has purchased, leased, or bartered a product or service within the two years prior to the date of the CEM, or has a current written contract in effect with you that doesn’t relate to the CEM, or if the written contract expired within the two year period prior to the date of the CEM, or sent you an inquiry or application within the 6 month period immediately before the day on which you send the CEM, then you have an existing business relationship. Got a channel partner agreement or any other kind of contract with a Canadian entity? You have implied consent to market to them until July 1, 2017 or until they unsubscribe. Someone sent you an inquiry or application between January 1, 2014 and June 30, 2014? You have six months after the date of that inquiry/application to send a CEM using implied consent under the definition of existing business relationship.
For all other instances you need express consent. Here is where Chapter 2: Controlling the Rage comes in.
Before you can market to a Canadian that hasn’t purchased, bartered, or leased from you in the past two years or someone with whom you don’t have a current contract or a contract which only expired in the past two years, you must get the Canadian’s EXPRESS consent before sending a CEM.
That means either:
(1) Filling out a consent form. For example, if you are working a booth at a trade show and collect potential customer e-mails you might want to write a consent paragraph at the top of the contact sheets; or
(2) Checking a box on a webpage. Note: The regulation is crystal clear you may NOT pre-check the box. A pre-checked box is considered implied, not express, consent and is not allowed. Also, if you are providing the box requesting consent along with any general terms and conditions you must offer a check box separate from the check box to agree to the terms and conditions. You may not tie acceptance of the agreement to consent to receive CEMs; or
(3) Typing an email address into a form to receive CEMs; or
(4) Obtaining verbal consent so long as you recorded the entire unedited conversation (please follow any laws in your state/country regarding recording of calls) or have an independent third party who can verify the oral consent. I’m not sure where Canada was going with the “independent third party” bit.
There are very helpful screenshots in the Compliance and Enforcement Bulletins linked at the bottom of this blog showing acceptable ways to obtain express consent and ways that are not allowed. I recommend having Chapter 2 at the ready when your marketing and IT teams read these bulletins.
Computer Programs and Express Consent
You must also obtain express consent to install computer programs on the Canadian’s computer which either collects personal information from the computer, interferes with the owner’s or user’s control of the computer, changes or interferes with settings/preferences/commands on the computer without the knowledge of the owner or user, installs a program which can be activated by a third party without knowledge of the owner or user of the computer, or causes the computer to communicate with another computer or device without the authorization of the owner or user of the computer.
As far as I can tell the methods for requesting express consent for such computer programs fall within the the same guidelines as requesting consent to send CEMs (ex. if a check box is used to obtain express consent this check box must be separate from the box to check to agree to the program’s license agreement) but the content of the request for installation of these computer programs differs. In the consent request you must describe the program’s material elements that perform the function or functions described above, including the nature and purpose of those functions and their reasonably foreseeable impact on the computer program.
I know what you’re thinking. What about cookies? Fear not fair reader! A person is deemed to have expressly consented to the installation if the computer program is a cookie, HTML code, Java scripts, or any other program executable only through the use of another computer program whose installation or use the user previously consented to, and the person’s conduct is such that it is reasonable to believe they consented to the installation.
The express consent requirement does not apply with regard to an update or upgrade of a computer program if the initial installation of the computer program was previously expressly consented to. The same 3 year grace period for existing business relationships applies to computer programs installed before July 1, 2014. Beginning July 1, 2017 you must obtain express consent for those previously installed programs.
Information to Record Relating to Consent and Sending Confirmation of Receipt of Express Consent
Regardless of how you obtain consent you need to record the date, time, and manner of consent. And following receipt of the Canadian’s express consent you must send confirmation you received the consent to the Canadian.
Providing Unsubscribe and Withdrawal of Consent Options- Both CEMs and Computer Programs
So you have consent, either express or implied. What now?
You must provide a way to unsubscribe and withdraw consent. You must unsubscribe the person from CEMs within ten days of the date the person indicates they want to unsubscribe.
With respect to computer programs which require express consent to install, for one year after the date of program installation you must provide an electronic address which the Canadian may send notification that they believe the function, purpose, or impact of the program was not accurately described at the time consent was requested and you must assist in removing or disabling such programs “as soon as feasible” at no cost to the person who gave the consent.
Period of Validity of Contact Information
Contact information for how to unsubscribe must remain valid for at least 60 days after the CEM is sent, no changing who to contact in order to unsubscribe for two months after you send the CEM with that contact information.
CEMs which don’t require Consent to Send
As promised, here are the CEMs which you DON’T need to obtain consent to send. They are: (1) messages sent to a person engaged in a commercial actively which is SOLELY related to that activity. For example, if someone is participating in a webinar about a particular product you may not send them messages about any other product or service or about the product in the webinar if the CEM isn’t follow up related to the webinar, (2) quotes or estimates, (3) messages which facilitate, complete or confirm a commercial transaction which the person previously agreed to, (4) warranty information, (5) product recall information or safety or security information, (6) factual information about the ongoing use or ongoing purchase by that person under a contract, or (7) messages regarding delivery of a products, goods or services including updates or upgrades to that person.
Helpful Reference Material
The CASL Regulation (Heavy Reading, You May Want to Skip Straight to the FAQs and Bulletins First)
Compliance and Enforcement Bulletin- Guidelines on Use of Toggling (contains screenshot examples of how to obtain consent and how not to obtain consent)
Compliance and Enforcement Bulletin- Guidelines on how to interpret CASL (contains screenshot examples of how to obtain consent and how not to obtain consent)