By Bernice Karn
As readers of The Cassels Brock Report will recall, we have previously written on the progress of Canada’s anti-spam legislation (“CASL”). The articles can be found here: Article #1, Article #2 and Article #3. CASL has not yet been proclaimed in force, and through the public consultations held by both Industry Canada and the CRTC on the draft CASL, it has become apparent that the business community is concerned about the far-reaching and severe consequences of this legislation.
In March of this year, to the surprise of some observers, the CRTC registered the final version of the Electronic Commerce Protection Regulations (CRTC) (the “Regulation”) without conducting a second round of industry consultation. Perhaps as a response to the unease within the business community over the interpretation of the draft version of the Regulation, the CRTC has now issued two interpretive guidelines (the “Guidelines”)1. These Guidelines clarify several provisions of the Regulation and provide examples of compliant behaviour. The salient points of the Guidelines are as follows:
Information to be Included in Commercial Electronic Messages (“CEMs”)
a. Whom to Identify
The Regulation contains detailed requirements about the entities that must be identified in a CEM and the information that has to be provided about them. Given the number of entities involved in the sending and transmission of a CEM, this has understandably posed a difficult issue for some industry players, particularly ISPs. The CRTC now advises:
b. Mailing Addresses
Part of the required CEM information is the sender’s mailing address (and if different, the mailing address of the person on whose behalf the message is sent). The CRTC has clarified that a “mailing address” means a valid, current street (or civic) address, postal box address, rural route address, or general delivery address. It must be valid for at least 60 days after the CEM is sent.
Form of CEMs – The Unsubscribe Mechanism
CASL requires that each CEM contain an unsubscribe mechanism. As originally drafted, the Regulation required that the unsubscribe mechanism be performed in no more than two clicks. In the final version of the regulation, the language was softened to state that the unsubscribe mechanism must be capable of being “readily performed”. The Guidelines now interpret “readily performed” in the following manner:
Information to be Included in a Request for Consent
Section 4 of the Regulation mandates that consent be “sought separately” for each act described in sections 6 to 8 of CASL. This language caused some confusion – did it mean that consent must be obtained for each type of activity or each instance of each type of activity? Thankfully, the CRTC has now advised that it views the requirement as applicable to each type of activity only. The Guidelines provide:
a. Meaning of “Sought Separately”
b. Requests for Consent
c. Oral or Written Consent
The original form of consent prescribed by the Regulation stipulated that it had to be “in writing”. That was subsequently amended to include oral consent. However, questions remained as to whether electronic consents would qualify as meeting the “in writing” requirement, and what type of oral consent would suffice. The Guidelines now provide:
Specified Functions of Computer Programs
The Regulation requires that certain types of computer programs (i.e., those that collect personal information, interfere with the owner’s/user’s control of the computer system or that change, interfere with existing settings, preferences or commands without the owner’s/user’s knowledge) must be brought to the attention to the person from whom consent is sought, separate and apart from any other information in the request for consent. The Regulation also requires that an acknowledgement be obtained in writing that the person understands and agrees that the program performs the specified functions.
The Guidelines now explain the proper method of obtaining this acknowledgement and consent.
Means of obtaining consent:
Often consumers encounter online forms that have consents (usually to receive marketing materials) pre-checked, forcing the user to click another button indicating that he/she does not want to receive marketing materials. The CRTC has also weighed in on this type of consent and whether it qualifies as an “express consent” for the purposes of CASL. The CRTC has clearly stated that it does not consider these type of opt-out mechanisms sufficient to comply with the express consent provisions under CASL.
The Guidelines state that:
These Guidelines should go a long way to guide businesses through the complex compliance regime of CASL. However, as noted above, Industry Canada has also issued a draft CASL regulation and the business community is still anxiously waiting for the promised release of a revised draft of that regulation from Industry Canada. With administrative monetary penalties under CASL of up to CDN$10 million and the creation of a private right of action for breach of CASL, this statute will have a profound and possibly chilling effect on how responsible organizations communicate electronically with their customers and others. We will continue to monitor and report on key CASL developments as they occur.
1 Canada’s Anti-Spam Legislation (10 October 2012), online: Government of Canada.