Wow, that hour went fast! The estimable Shaun Brown, partner, nNovation LLP, a law firm based in Ottawa, Ontario, Canada, spoke about the new Canadian privacy legislation – referred to as Canada’s Anti-Spam Legislation (CASL – an acronym that many speak like the word “castle”) – that has many email marketers confused on compliance requirements and timing. Listen to the November 10th webinar (and we highly recommend it) for free here.
Brown compared CASL to something many of us already know – the U.S. CAN-SPAM law of 2003. Bottom line: In many areas – permission, notice, coverage and risk – CASL is much broader.
- Scope: CASL covers not just anti-spam, but also anti-malware, anti-hacking, and through related amendments to other legislation, control of content and misleading information, as well as privacy of personally identifiable information (PII) (harvesting, dictionary attacks).
- Application/Jurisdiction: CASL covers any message sent from or accessed by a computer in Canada (regardless of where the sender is located). We are talking about all electronic messaging – email, instant messaging, SMS, social – plus anything new that comes along. (Fax and voice are covered by Canadian do not call regulations.)
- Note that there is no minimum number of messages. So sending one message is enough to put you under jurisdiction of the law.
- Coverage: CASL applies to commercial activity, defined pretty broadly. For example, Brown said in the webinar, if you are promoting a person who normally promotes a product or service or business opportunity – even if you are not specifically promoting that product, service or business opportunity in the message – then your message is covered.
- Note also that any message sent to seek consent is considered commercial – so you can’t send a request for consent. There are no exceptions for research studies, for example. “This will have to play out in the courts in deciding what is ‘commercial,’” Brown said. “I would not be surprised if this was challenged.” As the law is enforced, Brown says, we will have more guidance on what is considered “commercial” under the Act.
Compliance with the anti-spam aspects of CASL encompasses three broad categories:
- Prior consent – defined as either express or implied. Both are acceptable for all situations and of equal value. (Implied does expire, though.)
  a. Express: Must include clear notice and the provision of a set of prescribed info from subscribers when providing consent. The owner or any authorized user of the email address must give the consent.
  b. Implied: The Act deems implied consent when there is an existing business relationship (e.g.: a customer who has purchased in the past two years, or if there is a contract or a subscription which has been active in the past two years.)
  c. Once consent is implied (e.g.: a purchase), you generally have two years to send messages in compliance (or obtain an express opt in). An express consent never expires, and is valid until the individual withdraws consent.
- a. Must include contact information for the sender and the subscriber. It is not clear in the law what this must include.
b. Regulations are expected to define this further.
- a. An unsubscribe opportunity must be provided in all messaging and be available for 60 days post delivery.
b. Unsubscribe requests must have no cost, and use the same means by which the message was sent (unless impractical), either via replyto: or a link.
c. Must be processed “without delay” (and within 10 days) with no messages sent after the request. This aspect may also be defined further with regulation. “Senders must be able to demonstrate that you put forth a best effort to act on unsubscribe requests quickly, with the intent to stop messages,” Brown advises.
CASL was created with both public and private enforcement opportunity. The Canadian Radio & Telecommunications Commission (CRTC) is charged with enforcement. This is a civil enforcement agency; there are no criminal provisions. There is a private right of action available to any individual impacted.
Right now, the law is not in force. It was passed in December 2010 and regulations were published for comments this past summer. The Government is still working through those comments (there were many!). No timetable is published for a second set of regulations; however, Brown expects something by early 2012. The government is also setting up a Spam Reporting Center, which will be a website to gather evidence and monitor trends as well as provide consumer education.
In preparation for enforcement, Brown recommends three primary areas for marketers and senders:
- Check your lists. Do you have consent – and evidence of consent? The burden is on the sender to prove consent.
- Check location of subscribers where possible. The law doesn’t care what the domain of the address is, or if the sender has a clue where the recipient is. If the message is received on a computer in Canada then it applies. If a sender does make an attempt to gather this data, this may be a factor in exercising the due diligence defense, where no one can be charged if they have shown due diligence to comply. “Be sure you have a business objective in NOT complying with the Canadian legislation,” Brown says. Note that reconfirmation of some permission grants may be necessary.
- Watch for regulations re: content of messages. The regulations will clarify the information required when obtaining consent as well as when sending a message.
As with any legislation, the devil is in the details. The Email Experience Council recommends that you have legal counsel review the law and determine the next best steps for your organization. In the webinar, Brown gave his thoughts on some key business issues and applications:
- Liability of service providers. Telecom/ISPs are generally going to be exempt from liability under the anti-spam provisions where they merely provide the telecommunications service allowing the message to be delivered. However, it’s not clear if this applies to email delivery service providers. “If you are merely providing a ‘do it yourself’ service and the customer manages the list and the unsubscribe, then it may be that the delivery provider is covered under the Telco exemption,” Brown says. “This may be different if you offer a full service offering.”
- Ownership of the message, for example, placing ads in an editorial newsletter or providing the name of the email delivery vendor in the message itself is not directly addressed in the law. “In my view it doesn’t make sense from any perspective to say that the ESP is sending on your behalf, for example identifying the ESP in the message,” Brown says. There were a number of comments on this as the regulations were reviewed this past summer, and Brown hopes that some clarity will be offered in future revisions.
- This brings out the question of where an agency or service provider is vulnerable by trusting their client. If the agency or ESP sends unsubscribe data to the sender, is the agency responsible if the client doesn’t take action? “The law is broad, so if you are aiding or causing a company to avoid compliance, then you are potentially responsible. The way to manage risks like this is to inform your customers of their obligations, make sure you have the appropriate language in your agreements, and ensure the relationship agreements are clear who is taking responsibility for managing unsubscribe requests,” Brown advises.
- Transactional messages. The legislation does not refer to “transactional” messages. The law does cover some types of messages that could be considered transactional (e.g.: service notices or warranty information). The law states that these types of messages require an opt out. “This somewhat confuses the issue, by listing out messages that, in many cases, are likely not commercial electronic messages and therefore not covered by the Act to begin with,” Brown explained.
- Point of Sale. What if you ask verbally for consent at the POS? Brown says that the original draft regulations from the summer declare that consent must be sought in writing only. However, this may be removed based on the amount of comments against it. “I would like to think that if you are entering this into a system form, and there is a date stamp, that this would meet the evidentiary burden under CASL,” he says.
- There is no legal requirement to send a follow up message, but “It’s always a good idea to remind people of their subscription and why they have provided consent. It’s more of a relationship issue than a compliance issue,” Brown says.
- Is list rental dead? A properly compiled permission based list is quite valuable, and the law does not forbid the rental of them. “It’s not dead, but CASL places a higher onus on list owners and senders to make sure it’s done properly,” Brown says.
- The act of appending is not covered under CASL. It is likely covered under privacy laws, particularly if you are making changes to PII footprint without consent. There may be some situations where appending data is allowed under CASL. If you have a business relationship – e.g. purchases in the past year – then this append may be in compliance with the CASL legislation.
- Mobile Access. No one anticipates that certain one-off situations will be covered under CASL (e.g.: a US citizen goes to a coffee shop in Toronto and checks his Gmail account). Brown expects that the government also did not intend the law to apply to BlackBerry users worldwide when accessing email (e.g., through RIM servers located in Canada). “I think the intention is not to apply the legislation so broadly,” he said. It’s not clear how data centers for companies that are not Canadian based will be treated – although Brown expects that they will need to comply just as if the entire company was based in Canada. Messages sent from those centers will be “Canadian” under this law.
Many thanks to Shaun Brown and nNovation LLP for an excellent presentation and generous review of so many audience questions. nNovation LLP is a pre-eminent Canadian law firm that advises companies, industry associations and other private and public sector parties in their business relationships and practices, and in connection with a broad range of Canadian regulatory regimes. With several years of experience both in the public and private sectors, Shaun’s practice focuses on emarketing, ecommerce, privacy, and access to information.
Thanks also to the eec’s Deliverability & Compliance Roundtable, led by Matt Rausenberger of Return Path and Dennis Dayman of Eloqua, for sponsoring and organizing this event.
If you are not an Email Experience Council member, please join us for free access to these kinds of events and resources. If you are a member and would like to join one of our member Roundtables (committees), please email Ali.
– Stephanie Miller