Among the most daunting legal developments for companies doing business in Canada is Canada’s anti-spam and anti-malware law (CASL), more formally known as the Electronic Commerce Protection Act (and Regulations). It has extra-territorial effect, applying whenever a computer located in Canada sends or accesses Commercial Electronic Messages (CEMs) regardless of the destination or the point of origin.
The Canadian Radio-television and Telecommunications Commission enforces the legislation in partnership with Canada’s Competition Bureau and the Office of the Privacy Commissioner (see the CRTC’s website, crtc.gc.ca).
CASL also includes broad prohibitions making it illegal to install any computer program on another person’s computer located anywhere in Canada without making prescribed disclosures and without obtaining consent in the prescribed form. These strictures, which came into force on January 15, 2015, apply to upgrades and updates regardless of whether a program includes malware or spyware.
The statute applies not only to e-mail but also to other forms of electronic communications, including instant and text messaging, and social media. As well, CASL applies not only to business-to-consumer messages, but also affects business-to-business messages.
Unlike any legislation elsewhere, CASL is not limited to messages that may be harmful in the sense that they contain some element of fraud or deceit; rather, CASL prohibits the sending of any “commercial electronic message” (defined as any telecommunication including text, sound, voice, or image) to an electronic address without the recipient’s prior consent, where the purpose of the message is to encourage participation in a commercial activity.
The statute is also based on an opt-in principle premised on express consent, with certain exceptions allowing implied consent for existing business relationships, personal and family relationships, business-to-business e-mails, and third-party referrals. These include a broad exemption for business-to-business CEMs where a relationship with the recipient exists; a one-time exception for a CEM based on a referral made by someone who has a prescribed relationship with the recipient; a partial exemption for CEMs to recipients with whom the sender has had an existing business relationship in the previous two years; or a partial exemption for CEMs sent to addresses that have been conspicuously published or directly disclosed by the recipient to the sender. There is also an exception for e-mail addresses that have been posted online without a notice that the poster does not wish to receive unsolicited commercial e-mail.
Where the exceptions do not apply, the sender must obtain the express consent of the recipient by setting out the purpose for which the consent is sought, information identifying the person seeking consent, and other information that may be required by regulation.
The upshot is that companies engaged in business-to-business communications can take some comfort from the scope of the exemptions. Still, the statute is very clear that consent is required before a CEM can be sent, which means that businesses can’t even send an e-mail asking for express consent without first obtaining implied consent. By contrast, the US legislation, known as CAN-SPAM, allows an initial mailing as long as it contains the required information and has a simple unsubscribe function.
Indeed, the Canadian law does not even permit consent for a solicitation to be inferred from publication of an e-mail address even if it would be reasonable to assume the message would be of interest to the individual or their organization or more generally from the conduct of the individual or organizations concerned.
Other outstanding concerns include the failure to clarify the rights of manufacturers to contact consumers of their products with whom they do not have a direct relationship and the failure to deal with various practical hurdles inherent in the consent requirements.
From an enforcement perspective, the legislation has sharp teeth. Offenders are liable to administrative monetary penalties of up to C$1 million for individuals and up to C$10 million for corporations. Officers, directors, and agents are liable if they directed, authorized, or participated in the violation. A due diligence defense is available.