Last Wednesday I had the pleasure of chairing a conference on Canada’s anti-spam/spyware law (CASL). The Lexpert conference covered the anti-spam, computer program and Competition Act aspects of the new law. The speakers brought useful insights into interpreting CASL and its regulations as well as practical guidance on implementing compliance programs. The slides from some of the speakers are set out below.
The conference was attended by Philip Palmer, a former Justice Canada lawyer and one of the individuals who played a lead role in drafting CASL and the initial regulations. He was on an “Ask the Experts” panel with David Canton and I. In the course of the conference and during the panel discussion he provided some helpful personal opinions about CASL that are worth sharing. Among them:
1. Express consents obtained before CASL comes into force that comply with the common law standard for such consents will remain valid under CASL. (At common law, an express consent is one that is given in a clear and unmistaken manner.)
2. S.6(6) of CASL regards the types of electronic messages listed under that section as CEMs for the purposes of providing the identification and unsubscribe information. However, because these messages do not require any consents to send them, they can continue to be sent even if the recipient has previously asked to be unsubscribed from receiving CEMs. The risk though remains that the CRTC will consider the failure to give effect to an unsubscribe message (s. 11(3)) to be a separate violation under s. 6.
3. An IP address is not an electronic address, even if the IP address can be connected to a recipient. Behavioral advertising linked to an individual’s IP address is not covered by CASL.
4. S.66 of CASL grandfathers certain implied business and non-business existing relationships without regard to the time period referred to in ss.10(10) or 10(13). That means that such relationships are grandfathered for the three year transition period regardless of when the act that gave rise to the relationship occurred.
5. The only time where a request for consent must be sought separate from the general terms of use or sale is when requesting a consent to install a computer program that has the “spyware” or “malware” features listed in s10(5). It is not required when obtaining consents to send CEMs, as suggested in the CRTC Interpretative Guidelines.
6. An opt-out consent is not an express consent that would be compliant with CASL. As such, a pre-checked opt-in box would not be an express consent. However, a pre-checked opt in box could might be CASL compliant if the user was required to expressly confirm agreement with all of the options displayed in a sign up page.
7. S.11 of CASL requires CEM senders to provide an option for recipients to unsubscribe from receiving all messages from the sender. The sender is regarded as the legal entity sending the message and not the division or part of the business sending the message. The requirement to provide an unsubscribe option for “any specified class” of messages is optional. The range of choices including to provide the option or not, and the types of options, are at the discretion of the CEM sender.
8. S.67, which purports to grandfather consents for existing computer programs does so by implying a consent. However, to provide an update or upgrade to a computer program a prior express consent is required. The transitional provision accomplishes this by implying the necessary express consent.
9. Ss.10 and 11 and the CRTC regulations prescribe message identification and unsubscribe requirements where messages are sent “on behalf of” third parties. The term “on behalf of” is intended to address agency or representation arrangements. The term was not intended to extend to co-branding, co-marketing, or affiliate marketing arrangements, even where one entity provides input over the content of the marketing or the message recipients.
10. CASL does not apply to the core activities of educational institutions such as colleges or universities. The Office of the Privacy Commissioner reached a similar conclusion with respect to PIPEDA.
11. The computer program provisions which apply only where a person installs a computer program on another person’s computer systems applies to downloads e.g. applications that are pulled as well as those that are pushed.
12. The B2B exception can apply to individuals who conduct a business as a sole proprietorship, as a sole proprietorship is an organization.
13. CASL would survive a Charter or other constitutional challenge. He did mention a potential problem with s.6(6), something he has written about before.
Other presenters also had insights in CASL. Many of them are in their slides which are set out below.
Dominic Jaar from KPMG gave the following presentation.
Wally Hill from the CMA gave the following presentation.
Monica Papendick from the CIBC gave the following presentation.
Dan Glover from McCarthy Tetrault gave the following presentation dealing with the computer program changes .
Mike Fekete from Oslers and Howard Fohr from BlackBerry gave the following presentation dealing with the computer program changes.
Oliver Borgers from McCarthy Tetrault gave the following presentation on changes to the Competition Act.
For more information about CASL, see, CASL: the unofficial FAQ, regulatory impact statement, and compliance guideline.
5 comments
Thanks for all this Barry. Great info. I am still confused on something though. You write:
“The only time where a request for consent must be sought separate from the general terms of use or sale is when requesting a consent to install a computer program that has the “spyware” or “malware” features listed in s10(5). It is not required when obtaining consents to send CEMs…”
Who said that? Mr. Palmer? Does this not directly contradict Paragraph 16 of the CRTC guidelines?
“16. The Commission considers that requests for consent contemplated above must not be subsumed in, or bundled with, requests for consent to the general terms and conditions of use or sale. (…) For example, persons must be able to grant their consent to the terms and conditions of use or sale while, for instance, refusing to grant their consent for receiving CEMs.”
I know you have commented in the past that you don’t think separate consent for CEMs and Terms is required (because you’d get implied consent under the business relationship exception) but I’d like to know if the CRTC would just delete paragraph 16 already.
It does conflict with the CRTC Guideline which we both believe is not a requirement if CASL. Perhaps the CRTC sees it as a best practice.
Hi Barry. Great information. Thanks.
I was wondering about your comment:
10. CASL does not apply to the core activities of educational institutions such as colleges or universities.
I attended a CASL information session in Halifax (March 2014) and asked the question of the presenters from Industry Canada, Privacy Commissioner Office and CRTC and they said at the time that the only College and University activities exempt from CASL was our fundraising as long as it was through a registered charity setup. I asked for clarification re recruiting and other marketing activities and was told that we need to comply with CASL. Colleges Ontario and ACCC have also been working on behalf of Colleges to provide information and the information through those organizations also indicate that Colleges fall under CASL requirements. Could you provide further details on your statement? It would be great if we are somehow exempt for our core activities.
Thanks
Brian
Great Article, but the CASL plan still bothers me. I still don’t see how this going to stop spammers outside of Canada where most of the spam comes from and in 2015 they are talking about paying people to report companies of violation, so I can only imagine the circus this is going to produce. I think this will not only slow down sales for some companies but it also ties the hands of sales people using paid for lists from companies like zoom info, i-sell and scott’s directory because at that point I don’t see how you can receive implied consent from 3rd parties even if you paid $1500 for one list. Here’s a thought why not stop the companies like Linkedin and Facebook from selling everyone’s personal information including email addresses.
The CASL legislation is ridiculous.
Canada is not a significant global originator of spam, yet we now have the most onerous legislation in the world.
This legislation will not reduce the amount of spam that is sent by spammers that already operate on the dark side.
Companies that currently use best email practices (targeted, researched, relevant business contact) to communicate with prospects about new and innovative business solutions will have their email hands tied. They (like us) will cease reaching out to Canadian businesses. Canadian business people will receive fewer unsolicited emails (yah!) but their opportunity to learn about and adopt new technologies and solutions in the marketplace will be hindered.
The legislation was passed by the Government of Canada, who operate Canada Post, who deliver thousands of pieces of printed spam (and earn a pretty penny by doing so) to my mailbox every year.
The penalties are way out of proportion to the perceived crime. Who has ever or will ever experienced $1 million worth of suffering and inconvenience as the result of an unwanted email?
Once the rights to legal action begin in 3 years, we will see the advent of the “Spam Hawks”, who will seize upon the great financial opportunity afforded by the receipt of anything even vaguely resembling an unsolicited email in order to launch a $1 million, or better yet, $10 million legal action against some poor business person or company that may have violated CASL, perhaps even by accident. Spam Hawking will generate a better ROI than ambulance chasing, or lottery tickets, and will courtrooms will be clogged with lawyers seeking their 30% of the judgments.
There are plenty of other issues that provide evidence of this being a poorly-thought out piece of legislation, and a considerable over-reaction to a trivial matter (my inbox is crowded with unwanted messages, Oh, the Horror!) that can be and will be more effectively dealt with by more sophisticated anti-spam algorithms and technologies.
The CASL is a huge waste of time and resources, and will eliminate many legitimate and relevant business outreach tactics.
Shame on Canada.