Data Protection, Privacy and Security Alert: Canada’s Anti-Spam Regulator Continues to Issue Advisories, Hunt for Infringers: Key Messages for Business
This fall, more than a year after Canada’s anti-spam legislation (CASL) came into force, it is abundantly clear that the regulator, the Canadian Radio-television and Telecommunications Commission, is taking its new responsibilities very seriously.
In the latest developments, the CRTC recently issued an Enforcement Advisory and further Guidance on Implied Consent.
The CRTC’s message is loud and clear − it will impose penalties, regardless of good intentions.
The latest guidance
In addition to its active enforcement investigations, the CRTC continues to publish advisories and guidance on CASL compliance. On September 4, 2015, the CRTC issued two key documents, an Enforcement Advisory for the Professional Training Service Industry and Guidance on Implied Consent.
The Enforcement Advisory for the Professional Training Service Industry notes that the CRTC has observed businesses are sending commercial electronic messages (CEMs) to email lists gathered from publicly available websites. The CRTC reinforces that the publication of an email address online does not mean the user has provided the requisite consent (express or implied) to receive any particular CEM under CASL. In light of this Advisory, we can expect enforcement activity against email list users to ramp up.
The CRTC’s Guidance on Implied Consent, issued at the same time as the Advisory, reinforces the three governing principles of CASL. To send emails promoting a product or service, an organization must:
(1) obtain consent (either express or implied, depending on the circumstances)
(2) provide sufficient identification information and
(3) include an easy to use unsubscribe mechanism in each and every email.
The key messages in the Guidance for businesses are the following:
- Express consent must be proactive, and provided orally or in writing.
- Consent may not be obtained by email unless there was implied consent to send the requesting email. Otherwise the email request for consent is a CEM sent in violation of CASL.
- Implied consent can be relied upon where there is an existing business relationship with the recipient. This is defined relatively narrowly. The recipient must have transacted business with the sender within the past two years, or the recipient must have made a business inquiry of the sender within the past six months.
- When a business is purchased, the new owner can rely on implied consents (as well as express consents that are clearly assigned to the new owner) by having expressly acquired the existing business relationships of the seller. However, sending emails to recipients on a purchased email list which is not purchased in connection with an entire business is not compliant with CASL unless express consents were obtained by the seller which encompass the purchaser, because the purchaser of a list alone, unless purchasing the entire business, cannot rely on the existing business relationship rule for implied consent.
- Implied consent can be relied upon where a person makes their email address publicly available by publishing it on a website only if the publication was not accompanied by a statement indicating they do not want to receive CEMs at that address, and the message relates to the recipient’s business role, functions or duties in an official or business capacity. It is significant that the CRTC has indicated it will take a granular approach to assessing whether the message content specifically relates to the functions or duties of the precise recipient. Examples provided by the CRTC indicate that it is not enough for the content of the message to have some relation to the general business of the organization in which the recipient is employed. Rather, the content of the message must relate to the precise role of the recipient within the organization. It remains to be seen whether the CRTC’s approach in this area will be enforced by the courts if challenged.
The CRTC has emphasized that the indicia of express or implied consent must be demonstrably proven by organizations to the CRTC’s satisfaction. To prove compliance, a company should consider maintaining hard copy and/or electronic records of the following:
- CEM policies and procedures
- all contemporaneous unsubscribe requests and resulting actions
- all evidence of express consent (e.g. audio recordings or completed forms) from consumers who agree to receive CEMs
- CEM recipient consent logs
- CEM scripts
- CEM campaign records
- staff training documents
- other business procedures and
- official financial records.
It is absolutely key for businesses to remember that you not only have to obtain the requisite consents; you also must prove that you had those consents if called to task by the regulator. Proper record-keeping is crucial. The CRTC will not accept that express consent was obtained based only on evidence of an owner or employee as to the general processes followed by the business.
Class action lawyers are likely following the regulator’s moves closely. CASL grants a private right of action, which will come into force on July 1, 2017. Those who believe they have been affected by non-compliance, including persons who allege they received a CEM without their consent, will have standing to commence a lawsuit, and class actions are highly probable. Notably, there has been much debate in the Canadian legal community as to whether the right of action commencing on July 1, 2017 will be retroactive, such that CEMs dating back to July 2014 will be actionable.