Happy Belated CASL…umm…I mean Canada Day!02/07/2014
The Canadian government made a big bang on Canada Day…only not with fireworks. The Canadian Anti-Spam Legislation, or CASL, came into force on July 1, 2014, and it has many scrambling to figure out ways to comply with the legislation. One of the main problems is that it’s broadly worded, arguably clutching within its grasp much more than what the public would traditionally perceive to be “spam”.
Among other prohibitions, CASL prohibits the sending of commercial electronic messages, or CEMs, unless the consent of the recipient, express or implied, has been obtained and the message meets certain form and content requirements. Under CASL, a “commercial electronic message” is defined as an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity. This could include the sending of holiday greeting cards, company newsletters and blog updates, emails to past contacts indicating the desire to catch up or to schedule a lunch (depending on the circumstances), etc. Furthermore, CASL captures not only bulk transmissions, but even a single contravening commercial electronic message.
Small and medium sized businesses are especially concerned. Effective compliance with the legislation will entail a complicated and costly undertaking, and non-compliance attracts strict liability and steep “administrative monetary penalties”, or AMPS: up to $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person (e.g., a small business). It is immaterial whether the intended recipient ever actually receives the CEM, and employers are vicariously liable for violations committed by their employees acting within the scope of their employment. Further, the names of persons who commit a violation can be made public under CASL, which can be potentially detrimental to the reputation of those ensnared by the legislation.
CASL does provide, however, that a person must not be found liable if they establish that they have exercised due diligence to prevent the commission of a violation. That, alone, is reason enough to put your best foot forward when revamping your policies for CASL compliance. The issue, given the most recent CRTC Compliance and Enforcement Bulletin and their earlier Information Session, is that your best foot may not be good enough. The former describes an ideal corporate compliance program as including senior management involvement, risk assessment, a written corporate compliance policy, record keeping, a training program, auditing and monitoring mechanisms, a complaint-handling system, and an organizational disciplinary code to address contraventions.
The information session, although more helpful than the bulletin, provided one key take-away: be cautious about relying on anything the CRTC says in its information sessions. The slide deck used in the information session begins with this key message:
This presentation has been prepared by Commission staff to provide general information with respect to Canada’s Anti-spam Legislation. This material is not to be considered legal advice nor is it binding on the Commission itself. Further, it does not reflect an interpretation of CASL and/or its accompanying regulations by the Office of the Privacy Commissioner, the Competition Bureau or Industry Canada.
It is unsettling that the very entity administering the legislation that has caused ubiquitous concern is unwilling to stand behind its interpretations. But, given the state of the statute, the CRTC’s position is understandable. The legislation is riddled with uncertainties and is convoluted, despite its relatively short length, which will make compliance a difficult task. For instance, there are an inordinate number of exemptions, not all of which are complete exemptions. While some fully exclude certain types of CEMs from liability, some others exclude CEMs from the consent requirement only, and not from the form and content requirements. Further, there are various grounds on which consent is deemed to be implied. Some types of implied consents are time-bound (2 years or 6 months, depending on the scenario), and therefore require the tracking of key information necessary to establish these time periods (e.g., in one scenario, the time limit depends on when a contract, between the sender and the intended recipient of the CEM, came to an end).
Information tracking is the key to CASL compliance. All information relevant to exemptions and consents needs to be tracked, stored in a tickler system, and available for cross-checking before sending any electronic message. This is the biggest problem with CASL. It either: 1) requires everyone to be a CASL expert with a series of intricate and complicated exemptions, scenarios, time-limits, and rules at the forefront of their thoughts each time they send an electronic message, the application of such information potentially depending on a complete knowledge of past events and dates; or 2) requires companies to invest in expensive customer-relationship management (CRM) software to track all required information, and to possibly integrate with existing messaging platforms to intercept outgoing messages in order to apply CASL policies. Both require detailed record-keeping by all staff, including, e.g., records of when business cards were received. Compliance with CASL is therefore onerous and burdensome, which is unfortunate when weighed against the CEM “problem” CASL attempts to address: spam. The CRTC’s Compliance and Enforcement Bulletin is too high-level to provide any helpful information pertaining to how such information should be effectively tracked, stored and cross-checked.
Further, the bulletin and information session did not address what appears to be a fundamental mistake in the legislation. The CEM prohibition hinges on the definition of “commercial electronic message”, and the determination of whether a message is a CEM depends, in part, on “the content of the message [and] the hyperlinks in the message to content on a website.” The focus is on the hyperlinks, when it seems that the focus of the analysis should be on the hyperlinked content. After all, how much can one analyze a hyperlink? This appears to be a significant misstep by the drafters of the legislation, especially as the CEM definition is the touchstone of the entire anti-spam regime.
There are also other aspects of the legislation requiring clarification that have not been addressed by the CRTC’s guidelines or information sessions. For instance, section 1(5) states that “a reference to the person to whom an electronic message is sent means the holder of the account associated with the electronic address to which the message is sent, as well as any person who it is reasonable to believe is or might be authorized by the account holder to use the electronic address.” In other words, the sending of a CEM to Employee X could be deemed the sending of a CEM to Company Y, for which X works (it is reasonable to believe that Y is authorized by X to use X’s email account). Does this mean that if consent has not been received from Company Y, then the receipt of express consent from Employee X is not sufficient grounds to send X CEMs? Or does consent from an individual employee amount to consent by the company for which he or she works? This remains unclear.
Despite the above, the information session did provide many helpful (albeit non-binding) clarifications. That said, some of the information provided caused further confusion. Clarification of the transitional provision of CASL was provided (section 66). The transitional provision provides that consent is implied for three years (unless it is withdrawn earlier), starting July 1, 2014 if, as of July 1, 2014, there is an existing business or non-business relationship (as those phrases are defined in the legislation), which relationship includes the exchange of CEMs. Section 66 also specifies that the definitions of “existing business relationship” and “existing non-business relationship” are to be read without regard to the limitation periods mentioned therein. Counsel for the CRTC interpreted this to mean that one could go back 25 years in theory, in order to evidence that relationship. A plain reading of the legislation, however, reveals the opposite.
Looking, for instance, at the “existing non-business relationship” scenario, when the relevant section of CASL (section 10(13)(c)) is read without regard to the limitation period mentioned therein, the transitional provision applies if, as of July 1, 2014, those persons have an existing non-business relationship that includes the exchange of CEMs. The plain meaning is that the relationship needs to be in existence (i.e., “existing”) as of July 1, 2014, and therefore, reliance cannot be had to a past relationship that had ended prior to July 1, 2014. When section 10(13)(c) is read in its original form, the meaning of “existing” is expanded to mean a relationship that existed within the past two years. When read in light of the transitional provision, using principles of statutory interpretation, “existing” takes on its plain and ordinary meaning (i.e., “current”), as the expanding aspect of the provision is ignored. Reading the definition of “existing non-business relationship” in section 10(13)(c) of CASL “without regard to the period mentioned in that subsection” does not broaden its scope to encompass relationships that existed 25 years ago, it limits it to the plain meaning of “existing”.
Perhaps the one shining light coming from the information session was that the CRTC plans to enforce the legislation in a flexible manner, assessing each complaint case-by-case. Not all violations will result in AMPs. Rather, depending on the circumstances, appropriate corrective action may entail education, outreach activities, warnings, etc. But remember, they’re not bound to this either.
Ultimately, the information session, while informative, doesn’t provide all the answers, and, in fact, raises further questions. The Compliance and Enforcement Bulletin, while indicative of the expectations put on Canadian businesses to comply with CASL, does very little to alleviate the anxiety that CASL has caused in Canadian SMEs who depend greatly on their valuable and hard-earned contact lists to make business work. Ultimately, the CRTC “guidance” is of little assistance since it is not binding. We’re just going to have to tough it out and wait for the courts to weigh in on the matter before we have any authoritative interpretation on which we can rely.
Ridout & Maybee LLP gratefully acknowledges the contribution of former professional Steve Hundal to this article.
This article is for information purposes only and does not constitute legal or professional advice.