The Government has published final regulations and the Regulatory Impact Analysis Statement (RIAS) related to Canada’s anti-spam legislation (CASL). It has also published a copy of the Order in Council fixing the date when the Act will come into force. They are available on the fightspam.ca website.
Most of the Act will take effect on July 1, 2014. The sections of the Act related to the unsolicited installation of computer programs or software will come into force on January 15, 2015. The private right of action comes into force on January 1, 2017.
In order to understand what is required for compliance, organizations will need to understand the Act (CASL), the CRTC regulations which are also finalized, the existing Guidelines related to the CRTC regulations and the planned new Guidelines and FAQs on CASL and the just published Industry Canada regulations.
The Government made a number of important changes to the regulations in response to comments made to the previous draft of the regulations. These changes will be welcome across the country by both organizations and consumers who would have been negatively impacted by some of the problems with CASL.
However, important changes including those that could only have been made through legislative amendments have not been made. Instead, in some cases, the Government has attempted to attenuate concerns by providing its interpretations in the RIAS which, while helpful, do not have the same force of law as regulations.
What the regulations cover
At a high level, here is what is covered by the regulations.
Exclusions for certain types of messages
The two proposed exceptions for B2B messages, (within and between organizations) have been retained. The exception for messages between organizations has been broadened. Now instead of being limited to messages between organizations with business relationships, it will apply to messages between organizations that “have a relationship” and can be sent as long as the “message concerns the activities of the organization to which the message is sent”. These two exceptions read as follows:
Section 6 of the Act does not apply to a commercial electronic message (a) that is sent by an employee, representative, consultant or franchisee of an organization (i) to another employee, representative, consultant or franchisee of the organization and the message concerns the activities of the organization, or (ii) to an employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent;
The exceptions permitting one time referral based messages to be sent, messages permitting an organization to respond to complaints, inquiries, and requests, and to satisfy legal obligations has been retained with minor tweaking. There are five new important exceptions for messages:
- sent and received within online portals such as banking websites;
- sent on platforms like instant messaging platforms where prescribed activities are conspicuously published on the user interface, where duplication in each message would be needlessly repetitious;
- sent from Canada to other states that have their own regulatory requirements such as the U.S. UK, EU, Japan, China, Korea, Australia, New Zealand and Canada’s other major trading partners that have their own anti-spam legislation, as long as the CEM complies with those laws “which address conduct that is substantially similar to conduct prohibited under section 6 of the Act”;
- sent by or on behalf of registered charities for fundraising purposes (while this regulation partially resolves challenges that charities and not for profit organizations had with CASL, it still leaves them with many burdens that will likely impede their important functions, see, Charities, non-profits and CASL);
- sent by a political party or a federal or provincial candidate for the primary purpose of soliciting a contribution (as defined in subsection 2(1) of the Canada Elections Act) (it is ironic that politicians now have a major exemption from CASL while most other organizations in Canada do not).
Conditions for use of consents The section remains largely unchanged from the draft regulations. It is still very problematic and onerous, particularly for organizations involved in compiling and selling lists to third parties.
Installation of computer programs The Government amended the exceptions to the consent requirement for the installation of computer programs from the draft regulations. The most important changes are to expand the conditions under which a TSP can act to protect the security of its network and to install a program to correct a failure in the operation of a system or program installed on it. They now read as follows:
(a) a program that is installed by or on behalf of a telecommunications service provider solely to protect the security of all or part of its network from a current and identifiable threat to the availability, reliability, efficiency or optimal use of its network; (b) a program that is installed, for the purpose of updating or upgrading the network, by or on behalf of the telecommunications service provider who owns or operates the network on the computer systems that constitute all or part of the network; (c) a program that is necessary to correct a failure in the operation of the computer system or a program installed on it and is installed solely for that purpose.
There are still significant problems with the computer program provisions. These include:
- The transitional provisions have raised doubts as to whether they apply to programs that are already installed if an express consent had not been obtained. The RIAS says “CASL provides a three year transitional period to continue updates and upgrades to existing computer programs, after which they will be required to get express consent to continue updates in the future, if they don’t fall under one of the exemptions.” The issue is that the transitional provisions only deem the existence of implied consents, not express consents.
- The provisions permitting updates to computer programs are limited. This will create impediments to providing consumers with updates they need and want.
- The provisions apply even where the programs are installed from Canada on computers in other countries. There is no “fix” to this extra-territorial problem as there was for CEMs. This will likely lead to many computer and network service related functions being moved out of Canada. See, Evaluating the Industry Canada CASL regulations: jurisdictional overreach.
Family or personal relationships The definition of family relationship appears, for inexplicable reasons, to have been narrowed. It now seems that sending CEMs between siblings will be illegal without complying with CASL. The definition also apparently now does not include individuals that are collateral descendants from the same grandparents which would make it illegal to send messages to first cousins, uncles and aunts and others “family members” without breaching CASL. One can only fathom that this is a drafting mistake that will be fixed.
The definition of personal relationship has been tinkered with, but is largely the same.
There were problems with these exceptions before. They are now exacerbated. For an analysis of the previous wording, see, Evaluating the Industry Canada CASL regulations: family relationships and personal relationships, Will it be illegal to recommend a dentist under Canada’s new anti-spam law (CASL)?
What the regulations do not address
Perhaps the most interesting read of what was published today, is the long list of items raised by stakeholders that the Government does not plan to address, or address in a manner that will provide Canadians with legal certainty about the scope of CASL. Some of the issues not addressed are described below. Other problems are described in my series of blog posts which are collected at this link.
What is a CEM
The definition of CEM is extremely broad and vague. See, Evaluating the Industry Canada CASL regulations: defining commercial electronic message. The RIAS attempts to clarify what is and is not a CEM. According to the RIAS:
- The mere fact that a message involves commercial activity, hyperlinks to a person’s website, or business related electronic addressing information does not make it a CEM under the Act if none of its purposes is to encourage the recipient in additional commercial activity.
- However electronic messages may come within the definition of a CEM if it would be reasonable to conclude that one of the purposes is to encourage the recipient to engage in additional commercial activities, based on, for example, the prevalence and amount of commercial content, hyperlinks or contact information.
- If the message involves a pre-existing commercial relationship or activity and provides additional information, clarification or completes the transaction involving a commercial activity that is already underway, it would not be considered a CEM since, rather than promoting commercial activity, it carries out that activity.
- Surveys, polling, newsletters, and messages soliciting charitable donations, political contributions, or other political activities that do not encourage participation in a commercial activity would not be a CEM.
- Banner advertising on websites is not a CEM because advertisements are sent to IP addresses which the Government says are not electronic addresses.
The Government does not appear to have any plans to amend the definition of CEM or to fix the section 6(6) problem, even though both are well known to cause compliance difficulties. These issues will impede organisations sending messages to consumers and others in situations that most people would consider desirable.
Grandfathering PIPEDA consents
It had been widely thought that the Government would grandfather existing PIPEDA consents for at least the transition period. This had even been recommended by Phil Palmer one of the architects of CASL while he was at Industry Canada. While prior express consents will remain valid, other forms of PIPEDA consents including implied consents will not be recognized. This remains a major problem with CASL. The Government delivered this very disappointing news as follows:
Some stakeholders have argued that express consents obtained under the Personal Information Protection and Electronic Documents Act (PIPEDA) should be valid as consent under CASL. In some cases, where there is neither an exclusion nor any form of consent under CASL, some businesses that may have been compliant with PIPEDA when seeking consent to collect or to use electronic addresses to send commercial electronic messages may no longer be able to contact those addresses under CASL. Express consents, obtained before CASL comes into force, to collect or to use electronic addresses to send commercial electronic messages will be recognized as being compliant with CASL.
Inferred consents Another major complaint about CASL is that it has inflexible rules related to consents, limiting the implied consents to closed categories. It was hoped that the Government might add a regulation that would bring Canada closer in line with Australia and New Zealand which both have the concept of inferred consent. The absence of this provision will lead to a huge number of inadvertent situations in which it will be illegal to send commercial messages and might, together with the definition of CEM, be the biggest reasons why CASL likely violates the Canadian Charter of Rights and Freedoms. See, Rethinking FISA (now CASL), Evaluating the Industry Canada CASL regulations: why they are needed, Evaluating the Industry Canada CASL regulations: how to assess them. The Government dealt with this issue stating the following:
Some stakeholders sought significant alterations to the entire legislative scheme seeking a change from requiring prior consent (‘opt-in’) to one where no prior consent would be required (‘opt-out’). Changing this framework would be inconsistent with the purposes of the Act as approved by Parliament.
Social media sites There were many concerns that social media sites or parts thereof would be subject to CASL. The Government has stated that they are not in scope “[w]here they are not sent to electronic addresses”. The major difficulty, however, was the concern that some messages sent over social media sites would be sent to electronic addresses. The Government decided to not address the issue.
Providing information about affiliates The Government acknowledged stakeholder concerns, but has not proposed to do anything about the problem, saying:
Stakeholders also expressed concern that it would be difficult to satisfy identification and unsubscribe requirements proposed by the CRTC to identify all their business affiliates in a single CEM. To address this, only persons who play a material role in the content of the message or the list to whom the message is sent are required to be identified as “senders” or “affiliates” under section 6 of CASL. However, when a CEM is sent on behalf of multiple persons, such as affiliates, all of these persons must be identified in a CEM. Where it is not practicable to include this information in the body of a CEM, a hyperlink to a page on the World Wide Web containing this information that is readily accessible at no cost to the recipient may be included in the CEM.
Complying with formalities for short messages In many instances, it is either impossible or practically impossible to comply with CASL’s formalities for short form messages. See the comments by the CWTA on the draft regulations. Despite this, the Government proposes to duck the problem, providing some suggestions from cases where compliance is possible. It says:
Companies in the telecommunications sector also expressed concern regarding the requirements when sending SMS or Common Short Code (CSC) messages. To clarify, as provided in CRTC Regulations, these messages can incorporate required information, such as identification and contact information, and the unsubscribe mechanism in a text message by including a clear and prominent hyperlink to the required information on a website that is readily accessible at no additional cost to the recipient.
Many observers had thought that the Government would provide a year to bring the Act into force once the regulations were finalized. It has only provided six months for the anti-spam provisions, which is a very short time. Now that the regulations are final, organizations will have to dust off or start their compliance programs. Organizations had better get approvals for resources and budgets, if they have not already done so. Developing a compliance program including making necessary IT enhancements can be very expensive, with one time costs alone being in the millions of dollars for some organizations.