Canada's Anti-Spam Legislation effective July 1, 2014
July 1, 2014 – this is the day that Canada’s Anti-Spam Legislation, knows as CASL, becomes effective. CASL is considered to be the world’s toughest law against spam and malware. It applies generally to Canadian businesses, but will also affect U.S. companies that have Canadian operations, markets, customers, vendors, business chain partners and plans. Its motivation is to stop annoying cold emails that flood everyone’s computers. And it means business, as administrative penalties can be up to $10 million per violation for organizations, with personal liability for officers and directors of offending companies.
Essentially, CASL requires that persons that send a commercial electronic message (or “CEM”) to a Canadian person obtain such person’s express consent to receive the CEM before it is sent. Specific opt-in consent is the most obvious way to establish evidence of the consent, and so in recent days U.S. persons have received messages from their Canadian providers of newsletters and other digitally sent sources asking for consent to be provided by reply email. The surest system for achieving compliance (as well as substantiating a due diligence defense) is to obtain express opt-ins of recipients. Obviously, this may be practically difficult, even impossible for large companies, to achieve. The Act provides for certain limited exemptions and exceptions. Consent can be implied from an “existing business relationship” or an “existing non-business relationship” – e.g., a U.S. company’s or its Canadian subsidiary’s pre-existing regular customers in the first case, or a U.S. individual’s relatives living in Canada for the second. Exempted are internal communications of businesses with their own employees, representatives, consultants or franchisees, where the CEM concerns business matters, CEMs between businesses if they already have a relationship and the CEM is about the sending organization’s activities, and other specifically stated categories of persons or contexts where a message is unlikely to be considered offensive. Additionally, the Act and its regulations impose certain content requirements for the consent.
For CEMs that are improperly sent, without having obtained advance consent, express or implied, an enterprise should consider taking steps immediately to comply with CASL. A major defense for a business accused of violating CASL is to have in place a robust due diligence system, showing proactive steps, policies and procedures to prevent a company’s employees from sending unsolicited commercial emails to Canadians. A U.S. business that has no reason to believe that a commercial email is being sent to a Canadian resident should have no problem, but when the business understands that Canadians are receiving messages (despite a “gmail.com” or other suffix that is unclear about its destination), it cannot claim ignorance and thus escape the reach of CASL.
Frost Brown Todd’s Privacy Team works with firms around the world to comply with data privacy rules that differ greatly and pose a challenge to multinational business. In Canada, Frost Brown Todd works with several Canadian law firms, including the all-Canada firm of Miller Thomson. For greater depth and Canada-source materials on CASL, please click here. For additional information, please contact Joe Dehner or Jane Shea in Frost Brown Todd’s Privacy and Information Security Law practice group.