Here is a longer version of my article published in the Financial Post this morning titled Delete this anti-spam law.
Canadians don’t like spam. They also don’t like malware. But the more they learn about Canada’s new, but not yet in force, anti-spam law commonly referred to as CASL (for “Canada’s Anti-spam Legislation”), they don’t like it much either. The root of the problem is that the law starts with the assumption that all Canadians are spammers and purveyors of malware and works back from there by banning legitimate and illegitimate activities with vague rules and incomplete exceptions.
When CASL was passed in 2010, most organizations assumed that legislation intended to fight spam and malware had to be a good thing. But when they got down to reading it, and trying to understand how to apply it, they realized that in its present form, it will actually cause more harm than good. Its few remaining supporters have probably never had to try to comply with it.
The discord was on display in many recent submissions to Industry Canada from organizations representing all sectors of the Canadian public including charities, not-for profit and educational institutions, private individuals, small, medium and large businesses, retailers, publishers, financial institutions, technology and telecom companies, and others. They describe a burdensome regulatory regime that will stifle the use of electronic communications and innovation, hurt consumers, and the Canadian economy.
Imagine Canada, an organization that represents charities, says CASL will “place undue financial and administrative burdens on charities and public-benefit nonprofits” and restrict their “ability to carry out activities that further their missions to serve Canadians and communities”. The Ontario Nonprofit Network highlights the enormous burden that CASL compliance will place on organizations that, for the most part, would never knowingly send spam in the first place. They observe that small and mid-size charitable and nonprofit organizations “cannot comply with CASL and its regulations and undertake their day-to-day work.”
Sole proprietorships and small businesses are understandably worried that CASL will handicap them in building new businesses that can challenge entrenched competitors. The Canadian Federation of Independent Business told the government that its members believe that CASL could “impede them from otherwise legitimate business practices” and “impede business growth”. This from a law whose (very) long title says that it is intended to encourage reliance on electronic means of doing business.
The Information Technology Association of Canada (ITAC), an organization that represents Canada’s high tech and communications industries, warns that some of CASL’s unprecedented and unusual rules will put those sectors in a position where they can’t compete with foreign competitors. They predict that cloud computing, computer services outsourcing, and the software distribution businesses will suffer because of CASL.
The Coalition of Business and Technology Associations (CBTA), a group of trade associations representing an enormous swath of Canada’s business community, warns that consumers will end up being hurt by CASL. Incredibly, they warn it could become illegal to send consumers information they want and need including alerts that could save them money on cellphone roaming charges, or remind them of their options as a mortgage or other financial product is nearing the end of its term. They add that it will undermine innovations in ecommerce and mandate clumsy new restrictions on the use of extremely popular short messaging systems like BlackBerry’s BBM that do not suffer from the spam problems of Internet email. That fact does not seem to matter.
But that’s not all.
CASL will undermine cyber security as the telecom sector and other organizations that operate networks will be less able to secure their computer systems and networks against cybercriminals.
CASL will also make it illegal to send emails and other messages that, among other things, refer to buying, selling, or sponsoring anything to friends (except perhaps best friends), neighbours, schoolmates, acquaintances, colleagues, and certain extended family members without obtaining their okay offline first. CASL not only imposes surprising formalities on these kinds of messages, but also bans seeking consent by electronic means. Trivial things like offering to buy or sell a baby crib, mowing a lawn for school money, or a child promoting a corner lemonade stand could, unbelievably, lead to prosecution by the CRTC.
Every organization and individual will have to invest in expensive processes to comply with new across the board requirements for express consents, disclosures, and unsubscribe formalities. They have to start now, too – the misleading “three-year transition period” is ineffective and barely helps. This was pointed out by the Canadian Bar Association and others in submissions to Industry Canada. Moreover, even the (now retired) Industry Canada lawyer that drafted the anti-spam law and the regulations wrote to the Government recommending that PIPEDA consents be grandfathered during the transition period because the pre-existing business and non-business relationship exceptions would not provide for an effective transition period.
Organizations will be surprised to learn that they will not be able to rely on consents they already have under Canada’s privacy legislation, PIPEDA. They will have to develop duplicate and overlapping systems for obtaining consents under CASL before it comes into force (unless they plan to stop signing up new customers or members). At a certain point, complying with CASL will start to feel like punishment for spam that they never sent, and never would send.
Anyone reading the above litany of problems might believe the problems are overstated. However, they are not. The problems stem from the internationally unprecedented approach that CASL takes to spam and malware.
CASL makes it illegal to send any commercial electronic message (a CEM) or to install any computer program on any device without express, opt-in consent and other formalities unless the message or program falls into a narrow and closed set of categories.
The types of messages caught include messages sent from organizations to consumers, organizations to other organizations, and individuals to other individuals. What is covered is an open-ended spectrum of messages that, directly or indirectly, have as one of their purposes to “encourage participation in a commercial activity,” whether for profit or not. Anything in the message, including hyperlinks, can turn the message into a CEM.
According to the CRTC, merely including a hyperlink to an organization’s home page in an email can make it subject to CASL. A newsletter, ebook, video, or video game that bears a corporate logo or information about how to buy a warranty could be illegal to send over the Internet without complying with CASL.
It will not be enough for the sender to be satisfied that a given message is not spam. Every single message will have to be run through a complex decision tree to determine whether it is a CEM or not, and even then, there is no way to be certain.
CASL’s has the potential to chill legitimate and desirable commercial speech that benefits consumers and others by, among other things, reducing the dissemination of information that is essential to making informed choices. Many lawyers, for good reasons, think CASL is unconstitutional and would violate fundamental freedoms of speech that the Charter of Rights and Freedoms guarantees.
One would expect that all the burdens CASL is expected to visit on Canadians in the name of fighting spam and malware would be outweighed by the benefits. However, as the CBTA points out, most real threats from spam and malware originate outside of Canada, well out of the practical reach of CASL. These threats, the coalition observes, “will not be addressed by treating all Canadians and Canadian organizations as if they were originators of spam, malware and spyware, as CASL does.”
No country has legislation that is so sweeping, with so few exceptions, and with such high thresholds for obtaining consents. The U.S. CAN-SPAM Act targets only a limited set of messages and only targets those that are fraudulent or misleading, that do not contain prescribed information, or were sent in violation of an opt-out request.
The European Union law only targets direct marketing messages. It permits opt-in or opt-out consents for messages sent to organizations, and has broader exemptions, permitting, for example, opt-out consent by consumers where they have bought a good or service from the vendor (with no two year time limitation like CASL has).
Singapore also targets a much narrower class of message and the prohibition is limited to messages that are sent in bulk. Hong Kong only prohibits unsolicited messages sent using automated means or with the intent to deceive or mislead. Australia only targets a closed list of messages and consent can either be express or inferred. The Australian law also has broader exemptions, such as for charities. None of these more sensible approaches was adopted in CASL
Similarly, anti-malware laws usually only target actual malware or spyware. CASL, on the other hand, treats all computer programs, good or bad, as if they are malware and treats all Canadians as if they are cyber threats.
There are many anti-spam/malware models for Canada to choose from. CASL was designed to be more encompassing than any laws on the planet. When it was introduced it was heralded as being a new “best practice” benchmark. Regrettably, its imbalance between fighting spam and malware and locking down communications would make it the worst anti-spam law anywhere, not the best.
Legislation designed to address spam and malware should be a good news story. It should have broad support. It shouldn’t do more harm than good, and it shouldn’t treat all Canadians as spammers and malware purveyors. The broad and vociferous opposition to CASL, including from people who would benefit from a good anti-spam law, should be evidence enough that CASL ought to be scrapped and replaced with something balanced and workable or fixed before it becomes law.
4 comments
There appears to be an assumption in many circles that charities and other not-for-profit organizations are somehow different and should be exempted. No! What they send is spam and should be subject to the same restrictions as Viagra merchants.
Wow … another case of exceeded expectations! The treatment is killing the patient, doctor; would you revise your protocol?
I think it’s a little much to do all of this but there’s a lot more people on the Internet now so you have to have laws against spam. The problem is they don’t really know they’re spamming. There should be a handbook or something when you buy your first domain.
I read a lot of crying over how burdensome the law will be in terms of implementation, but no discussion of how Industry Canada’s pointed exemptions address many of the concerns raised.
Charities are exempt; RAFs are exempt under the personal relationship exemption (but not from identifying info), and existing valid express consent agreements under PIPEDA give companies 3 years to figure out how to update consents.
It’s great to see a discussion of grievances but take them to be somewhat exaggerated given IC’s very detailed impact assessment and updated *final* regulations.