CASL, Canada’s anti-spam and anti-malware law, is coming into effect this summer. US businesses operating in Canada face
huge burdens
Among the most daunting developments for US companies doing business in Canada is Canada’s new anti-spam and anti-malware law (CASL), more formally known as the Electronic Commerce Protection Act, most of which comes into effect on July 1, 2014. It has extra-territorial effect, applying whenever a computer located in Canada sends or accesses commercial electronic messages (CEMs) regardless of the destination or the point of origin.
“This means that CASL’s consent and unsubscribe strictures apply to foreign messages such as those sent by foreign organizations to Canadian customers or proposed customers and to messages that are stored on foreign servers and accessed from Canada,” says Barry Sookman in McCarthy Tétrault LLP’s Toronto office. “And the liability is strict. It does not depend on intent or foreseeability.”
What hasn’t received as much publicity, but is equally applicable to US and other foreign companies, is that CASL includes broad prohibitions making it illegal to install any computer program on another person’s computer located anywhere in Canada without making prescribed disclosures and without obtaining consent in the prescribed form. These strictures, which come into force on January 15, 2015, apply to upgrades and updates, regardless of whether a program includes malware or spyware.
“The law is so broad it applies not only to apps, but also to programs in embedded systems including those in vehicles and consumer and industrial products,” Sookman says. “Accordingly, if you sell or service almost any product to Canadians, either directly or through channels, CASL will likely apply to you.”
To be sure, US companies have lived with their version of anti-spam legislation in the form of the CAN-SPAM Act. But CASL is a marked departure from CAN-SPAM.
“Whereas we sought to make sure that our system of privacy legislation was similar to that in the US, we have deliberately gone the other way with our anti-spam legislation,” says Martin Kratz of Bennett Jones LLP’s Toronto and Calgary offices.
Like its American counterpart, CASL seeks to prevent consumers from being misled, gives consumers the right to decline receipt of unwanted emails and seeks to reduce the costs for businesses that have to manage an influx of spam. But the legislation does so in a manner that likely makes it the world’s most comprehensive attempt to restrict unsolicited email.
“The intentions are good, but the implementation is very complex,” says Paul Broad in Hicks Morley Hamilton Stewart Storie LLP’s London, Ontario office. “The legislation is structured as a complete prohibition out of which exceptions are carved, and that is a very hard compliance exercise because, among other things, most existing consents will not suffice.”
Indeed, CASL is a much more expansive and burdensome piece of legislation than CAN-SPAM. Canada’s statute applies not only to email but to other forms of electronic communications, including instant and text messaging, and social media. As well, CASL applies not only to business-to-consumer messages, but also affects business-to-business messages.
“As currently written, the law will have a significant impact on customer and prospect communications across a wide spectrum of Canadian business,” says David Young of Toronto’s David Young Law.
Unlike any legislation elsewhere, CASL is not limited to messages that may be harmful in the sense that they contain some element of fraud or deceit; rather, CASL prohibits the sending of any “commercial electronic message” (defined as any telecommunication including text, sound, voice or image) to an electronic address without the recipient’s prior consent, where the purpose of the message is to encourage participation in a commercial activity.
“In other words, CASL will cover all sorts of marketing and advertising campaigns that depend on electronic messages,” Broad notes.
All of this is not to say that the laws in Canada and the US will be completely at odds. There are important similarities between the Canadian legislation and CAN-SPAM in the sense that the legislative purposes are the same.
But the fact remains that CAN-SPAM is opt-out legislation. CASL, on the other hand, is based on an opt-in principle premised on express consent, with certain exceptions allowing implied consent for existing business relationships, personal and family relationships, business-to-business emails and third-party referrals. These include a broad exemption for business-to-business CEMs where a relationship with the recipient exists; a one-time exception for a CEM based on a referral made by someone who has a prescribed relationship with the recipient; a partial exemption for CEMs to recipients with whom the sender has had an existing business relationship in the previous two years; a partial exemption for CEMs sent to addresses that have been conspicuously published or directly disclosed by the recipient to the sender. There is also an exception for email addresses that have been posted online without a notice that the poster does not wish to receive unsolicited commercial email.
Where the exceptions do not apply, the sender must obtain the express consent of the recipient by setting out the purpose for which the consent is sought, information identifying the person seeking consent, and other information that may be required by regulation.
In addition to the exceptions, the business community has a transition period that could run to 2017 before a business must switch to opt-in consent for its existing customers.
The upshot is that companies engaged in business-to-business communications can take some comfort from the scope of the exemptions. “But if you’re in the consumer space, not much has changed from the initial incarnation of the legislation,” says David Elder in Stikeman Elliott LLP’s Ottawa office. “I’m telling clients to be afraid, be very afraid.”
A great deal of the apprehension arises because CASL’s consent provisions are quite rigid. The statute is very clear that consent is required before a CEM can be sent, which means that businesses can’t even send an email asking for consent without first obtaining consent. By contrast, CAN-SPAM allows an initial mailing, as long as it contains the required information and has a simple unsubscribe function.
“I’m not sure anyone has the answers to the questions that arise from the fact that an electronic message seeking consent is itself an electronic message that CASL prohibits because consent was not first obtained,” Broad observes.
Indeed, the statute does not permit consent for a solicitation to be inferred from publication of an email address even if it would be reasonable to assume the message would be of interest to the individual or their organization or more generally from the conduct of the individual or organizations concerned.
Furthermore, federally regulated industries, like financial institutions, airlines and telecommunications companies, should be aware that CASL does not explicitly recognize consents given under Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).
“The regulators have indicated they will recognize consents given before CASL comes into force so long as the consents meet the requirements of federal privacy legislation,” Elder says. “The problem, however, is that implied consents are not recognized under privacy law.”
This means that organizations subject to PIPEDA could experience duplication of effort in obtaining consent; at the very least, they will have to ensure that their means of obtaining consent complies with both statutes.
Other outstanding concerns include the failure to clarify the rights of manufacturers to contact consumers of their products with whom they do not have a direct relationship and the failure to deal with various practical hurdles inherent in the consent requirements.
“CASL will be out of sync with how many US businesses have set up their marketing activities, especially for those who rely on commercial email communications,” Kratz says. “The legislation’s proclamation will require considerable work from US businesses seeking to avoid the substantial liabilities under the new law.”
There’s no doubt the legislation has sharp teeth. Offenders are liable to administrative monetary penalties of up to C$1 million for individuals and up to C$10 million for corporations. Officers, directors and agents are liable if they directed, authorized or participated in the violation. A due diligence defense is available.
The Canadian Radio-television Telecommunications Commission (CRTC) will determine whether a violation has occurred and the amount of the penalty. The legislation provides for appeals to the Federal Court of Appeal. As for prohibited activities that originate outside Canada, CASL gives Canada’s Privacy Commissioner the power to disclose and share information with foreign states; there is a similar provision in the US SAFE WEB Act.
As of July 1, 2017, CASL also provides for a private right of action for individuals affected by offenders. Claimants can receive up to C$200 per occurrence without proving damages, as well as what amounts to non-compensatory punitive damages of up to C$1 million per day.
“There is a huge exposure to class-action liability under this legislation,” says Sookman. “For example, a person that as part of some commercial activity makes malware-free open source software available without charge to hundreds of thousands of Canadians using an ordinary web wrap or click wrap agreement or who, using an automated system, installs a security patch to prevent hacker attacks, could theoretically face threats of damages in the hundreds of million dollars.”
For US companies and others trying to avoid liability, what becomes apparent is that CASL presents a host of practical difficulties that emanate from its complex legal requirements.
“The onus is on the sender of the CEM to show that it has consent or that it falls within one of the applicable exemptions,” Elder says. “But many organizations are struggling to do so, because their contact lists, like many others out there, have been created without any real thought to the considerations that inform CASL.”
US companies that have integrated lists for Canada and the US face particular problems.
“For example, how do you deal with the fact that US law allows your first CEM to go out without consent but that’s not the case in Canada?” Kratz asks. “For this reason and others, companies will have to ask themselves whether they should develop harmonized approaches or separate ones.”
There’s also the question of who owns the consents. Is it the US parent or the Canadian subsidiary? “That’s important because CASL requires you to disclose who sent the email, and naming the sender is a high-level decision involving branding and a whole host of considerations,” Kratz says.
Long-term vacationers, like the proverbial Canadian “snowbirds,” can also cause difficulties.
“Snowbirds could have US credit cards or they may sign up with US retailers,” Kratz points out. “But what happens when they get back home? How then does an American company address the fact that their CEMs will now be received on computers located in Canada and therefore be subject to CASL?”
These are not easy questions to answer. But the key to dealing with CASL on an operational level, lawyers say, is proactivity.
“Businesses should set out immediately to get express consents where they haven’t done so already, so there will be no ambiguity about dealing with Canadian customers and prospects,” says Richard Corley of Toronto’s Goodmans LLP.
Julius Melnitzer is a legal affairs writer in Toronto.