Earlier this month the CRTC published its final regulations under the new Canadian Anti-SPAM legislation (CASL). The regulations have now been published in the Canada Gazette. The Commission has now also provided an explanation of its reasons for why it made, or refused to make, changes to its previously issued draft regulations.
Industry Canada has followed a separate route. Rather than finalizing its regulations, it will publish a new set of regulations to obtain further feedback from the public. In view of the significant problems identified by approximately 60 associations, companies, and organizations as well as individuals that filed submissions with Industry Canada and the Commission this approach makes sense.
Overall, the revised regulations help solve some key issues with the Commission’s draft regulations. However, many significant problems within the Commission’s jurisdiction remain unaddressed or have not been fully addressed. However, given the overlapping regulatory powers of Industry Canada and the Commission on certain issues, it is impossible to fully assess the impact of the new regulations without also seeing what Industry Canada proposes. It is unfortunate that the CRTC has moved unilaterally to finalize its regulations. CASL is one piece of legislation. Had the Commission published its regulations in draft form again, the public could have provided comments on both sets of regulations and Industry Canada and the Commission might have been able to act in a coordinated manner to solve outstanding problems.
The following summarizes the Commission’s description of the problems raised with the previous CRTC regulation, its analysis of the problems raised, the new wording of the regulation, and my comments on the new regulation.
For a background of the problems with CASL and the Industry Canada and CRTC draft regulations, see, Will it be illegal to recommend a dentist under Canada’s new anti-spam law (CASL)?, Electronic Commerce Protection Regulations – Much Work Remains, Fixing CASL: comments on the draft CRTC and Industry Canada regulations, Impacts of Bill C-28 (the new anti-SPAM and anti-spyware legislation), Rethinking FISA (Canada’s Anti-SPAM law).
Information to be included in a CEM
CRTC Summary of problem
Many parties submitted that subsection 2(1) of the draft regulations, which addressed the information to be included in CEMs, was unduly onerous. More specifically, parties argued that the draft provision prescribed too much contact information, which would be confusing to consumers and burdensome, both financially and otherwise, on businesses. Further, parties submitted that the requirements would be particularly onerous for small and Internet businesses, which may not have all the forms of requisite contact information and channels of communication required by the draft regulations. Parties also argued that the extent of the contact information contemplated by the draft regulations for CEMs was unnecessary…
Several parties submitted that subsection 2(2) of the draft regulations pertaining to the manner in which the information contemplated by subsection 2(1) of the draft regulations may be accessed on certain devices was impracticable and not sufficiently technology neutral, noting, among other things, that many devices do not operate with ‘clicks.’ In addition, many devices do not have the web browsing capability contemplated by the draft regulations, which would result in users not having the means of accessing the information on those particular devices.
The Commission notes the submissions of those parties who submitted that section 2 of the draft regulations contemplates the prescription of too much contact information. The Commission is of the view that the purpose of the regulation, which is to ensure that sufficient information is made available to allow recipients to contact senders, can be achieved with less prescribed contact information. Specifically, the Commission is persuaded that the requirement to include only the mailing address, instead of both physical and mailing addresses, together with only one of the types of contact information contemplated by the regulation, is sufficient. Accordingly, the Commission has revised subsection 2(1) of the proposed Regulations by reducing the amount of prescribed contact information.
The Commission also notes the submissions of those parties who submitted that the mechanism to access the contact information of the sender of the CEM is not sufficiently technology neutral. The Commission is of the view that more technology neutral wording is appropriate to accommodate the different technology platforms available currently and in the future. Accordingly, the Commission has revised subsection 2(2) of the proposed Regulations by including more technology neutral language.
Revised regulation wording
2.(1) For the purposes of subsection 6(2) of the Act, the following information must be set out in any commercial electronic message:
(a) the name by which the person sending the message carries on business, if different from their name, if not, the name of the person;
(b) if the message is sent on behalf of another person, the name by which the person on whose behalf the message is sent carries on business, if different from their name, if not, the name of the person on whose behalf the message is sent;
(c) if the message is sent on behalf of another person, a statement indicating which person is sending the message and which person on whose behalf the message is sent; and
(d) the mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person sending the message or, if different, the person on whose behalf the message is sent.
(2) If it is not practicable to include the information referred to in subsection (1) and the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act in a commercial electronic message, that information may be posted on a page on the World Wide Web that is readily accessible by the person to whom the message is sent at no cost to them by means of a link that is clearly and prominently set out in the message.
Comments on regulation
- The Commission has reduced the amount of information that must be included in every CEM. However, each message must still include both a mailing address and one other piece of identifying information that must consists of either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person sending the message. These requirements still pose two problems.
- It will require small businesses including businesses carried on by individuals to maintain a mailing address, which presumably they must use to receive messages from CEM recipients. They will thus not be able to establish and operate businesses that are purely electronic. Therefore, a law that is designed to promote e-commerce will still require small businesses to operate partly in a bricks and mortar world.
- The Commission’s regulations will still make it virtually impossible, or at the very least impractical, for individuals and Canadian businesses to send messages using modern communications messaging systems like instant messaging, short form messaging systems like SMS, and other messaging systems used on social networks.
- It will often be impossible or very difficult to include all of the information required to be in CEMs in CEMs sent using instant messaging systems or other short form messaging systems e.g. SMS has a 140 character limit.
- In short messaging systems it will be difficult to include message information as well a link that is clearly and prominently set out in the message.
- The regulation (s3(2)) appears to require that the web site must be readily accessible from the link in the message. This will not be operable on older phones or phones on which an individual may have a service bundle that does not include web data.
- As a practical matter, the regulation will require anyone who uses these modern messaging systems to also maintain a web site. For small businesses and sole proprietorships (the kid with the snow shoveling business or who wants to solicit a babysitting job, or a mother seeking to hire a babysitter), this will be onerous.
- It will also require individuals who use the web site option, in violation of their privacy interests, to publically post personal information
Form of electronic message (unsubscribe mechanism)
CRTC Summary of problem
Many parties submitted that the two-click requirement in the unsubscribe mechanism contemplated in subsection 3(2) of the draft regulations is not sufficiently technology neutral. These parties submitted that many devices and platforms do not operate with clicks, not all communication devices or mediums are web-enabled, and mobile devices frequently do not have a mouse or trackpad that allow for clicking on a link.
Several parties submitted that the two-click requirement in the unsubscribe mechanism is unduly prescriptive and that it could preclude reasonable and widely used industry practices (such as user authentication or signing oneself in), as well as review and selection by the consumer of additional options or preferences related to the unsubscribe request. Parties also submitted that it was not clear when the ‘clicks’ began…
Consistent with its view with respect to subsection 2(2), and for the same reasons, the Commission accepts the submissions of those parties that the two-click requirement contemplated in subsection 3(2) of the draft regulations is not sufficiently technology neutral and is unduly prescriptive. Accordingly, the Commission has revised subsection 3(2) of the proposed Regulations by including more technology neutral and less prescriptive language.
In creating an unsubscribe mechanism that is less prescriptive and more technology neutral, the Commission was also mindful of the requirement that the mechanism should be consumer-friendly. In adopting the language ‘readily performed,’ the Commission expects that any unsubscribe mechanism should be accessed without difficulty or delay, and should be simple, quick, and easy for the consumer to use.
The Commission also notes the submissions of parties that the unsubscribe mechanism in section 3 of the draft regulations should be accessible to the recipient of the CEM at no cost and/or that a fee should not be charged as a condition for unsubscribing. The Commission notes that this issue is addressed in subsection 11(1) of the Act which provides that the unsubscribe mechanism must enable the person to whom the CEM is sent to indicate, at no cost to them, that they wish to no longer receive CEMs.
Revised regulation wording
3.(1) The information referred to in section 2 and the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be set out clearly and prominently.
(2) The unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be able to be readily performed.
Comments on regulation
- The revised wording alleviates many of the problems identified during the consultations including the unusually prescriptive approach taken previously.
- The regulation is still problematic for short form messaging systems like SMS and instant messaging systems. The requirement that the unsubscribe mechanism be “readily performed” suggests that if the unsubscribe mechanism is accessible through a link, the link must be able to directly access a web site from the message. However, as noted above, some devices will not have this capability. Other devices may have limited plans that permit the receipt of text and instant messages but not the web. The sender of the CEM may not know the kind of device or service plan recipients will have. Therefore, the regulations may well make the use of modern popular messaging systems illegal in Canada.
Information to be included in a request for consent
CRTC Summary of problem
Parties submitted that the requirement to obtain consent in writing, as contemplated in section 4 of the draft regulations, was unduly onerous, and that oral consent should be permitted. Parties submitted that the inclusion of oral consent would be consistent with the Personal Information Protection and Electronic Documents Act and the Commission’s Unsolicited Telecommunications Rules. Parties also submitted that the exclusion of oral consent would be inconsistent with widely used and accepted business practices (e.g. call centres and point of sale purchases) and would impose additional costs and burdens on businesses and result in consumer inconvenience.
Many parties submitted that section 4 of the draft regulations prescribed an unwarranted amount of contact information, generally relying on the same arguments they used with respect to the subsection 2(2) requirements.
Several parties submitted that the requirement to obtain a separate consent for each act described in sections 6 to 8 of the Act, as contemplated in section 4 of the draft regulations, was unreasonable and an unnecessary burden on the sender and the recipient. Parties submitted that consent should be applicable to more than one of the activities captured by sections 6 to 8 of the Act, and that a single consent should be allowed with respect to these activities.
The Commission accepts the submissions of those parties that oral consent should be permitted as a mechanism to obtain consent. The Commission notes that oral consent is a commonly used and accepted industry practice (e.g. call centres, personal and direct contact, and point of sale purchases) and is persuaded that reliance solely on written consent could result in additional costs for businesses and consumer frustration. Further, the Commission notes that the Personal Information Protection and Electronic Documents Act and its Unsolicited Telecommunications Rules provide for oral consent. The Commission also notes that obtaining consent ‘in writing’ includes electronic forms. Accordingly, the Commission has revised section 4 of the proposed Regulations so that a request for consent, for the purposes of subsections 10(1) and (3) of the Act, may be obtained either orally or in writing.
The Commission notes the submissions of parties that section 4 of the draft regulations prescribes too much contact information. Consistent with its view regarding the changes made to section 2, and essentially for the same reasons, the Commission is of the view that the objective of the regulation can be achieved with less required contact information. Accordingly, the Commission has revised section 4 of the proposed Regulations by reducing the amount of requisite contact information.
With respect to the submissions that obtaining a separate consent for each act described in sections 6 to 8 of the Act is unnecessary and unreasonable, the Commission considers that the activities captured by each of these sections of the Act are distinct. In the Commission’s view, the harm that could potentially result from these activities is significant. The Commission considers that consumers should be given the benefit of having their consent sought on a separate basis so that they are in a position to make an informed decision as to whether to consent. Accordingly, the Commission is of the view that it is reasonable and appropriate to retain the requirement in section 4 of the proposed Regulations, that for the purposes of subsections 10(1) and (3) of the Act, a request for consent must be sought separately for each act described in sections 6 to 8 of the Act.
Revised regulation wording
4. For the purposes of subsections 10(1) and (3) of the Act, a request for consent may be obtained orally or in writing and must be sought separately for each act described in sections 6 to 8 of the Act and must include
(a) the name by which the person seeking consent carries on business, if different from their name, if not, the name of the person seeking consent;
(b) if the consent is sought on behalf of another person, the name by which the person on whose behalf consent is sought carries on business, if different from their name, if not, the name of the person on whose behalf consent is sought;
(c) if consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is sought; and
(d) the mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person seeking consent or, if different, the person on whose behalf consent is sought; and
(e) a statement indicating that the person whose consent is sought can withdraw their consent.
Comments on regulation
- The regulation removes some of the major problems with the previous regulation.
- The requirement that the request must be sought “separately for each act described in sections 6 to 8 of the Act”, leaves unanswered the question as to whether a request must be made for each act in each of sections 6 to 8 or only that there must be a separate consent for acts falling into sections 6 to 8.
- The scope of the information that must be provided set out in subsection (d), suffers from the same problem as described above with respect to Section 2(1)(d).
- As a practical matter, it is unclear whether consumers (who are usually in a rush or challenged for time) will really be prepared to receive all of the information that must be provided before a consent can be obtained from the person.
Specified functions of invasive computer programs
CRTC Summary of problem
Several parties submitted that the requirement contemplated by section 5 of the draft regulations that the material elements of computer programs that perform certain functions identified in the Act be identified separately from the request for consent, and that the person seeking consent obtain a written acknowledgement with respect to these functions, is excessive, unclear, and not practicable.
With respect to parties’ submissions that the requirements contemplated by section 5 of the draft regulations are excessive, unclear, and not practicable, the Commission is of the view that the invasive nature of the computer programs in question warrant the requirement to identify the material elements of the computer programs separately from the request for consent and to seek written acknowledgement of the programs’ functions. Accordingly, the Commission is not persuaded that it would be appropriate to amend the requirement contemplated in section 5 of the proposed Regulations.
Revised regulation wording
A computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the person from whom consent is being sought separately from any other information provided in a request for consent and the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.
Comments on regulation
- Several commentators had pointed out the impracticalities of the notice requirements when applied to network platform upgrades and upgrades to security. This has not been addressed by the Commission.
- The Commission regulation will still require a written acknowledgement from the person whose consent is being sought. As the Entertainment Association of Canada (ESA-C) pointed out in its submissions to the consultations, it may be impossible to obtain an acknowledgment prior to the installation of the program. It is also unclear whether the Commission has the jurisdiction to add the new acknowledgment formality.
As noted above, the changes made by the Commission do alleviate some of the problems with its original regulation. Still problems remain. Moreover, there are still very significant problems with CASL that can only be fixed by the regulations that are in the hands of industry Canada. These include the following:
- The proposed regulations fail to address messaging systems where SPAM is not a problem, such as Common Short Code Messaging, Opt-in Instant Messaging and similar systems, and where the additional regulation would impose costs, be impractical or impossible to comply with.
- The proposed regulations fail to address CASL’s territorial overreach, and the consequent very real and substantial risk to investment and innovation in cloud computing and outsourcing in Canada. It seems inconceivable that laws intended to foster e-ecommerce would be enacted that will severely handicap emerging opportunities in this fast growing and critically important space. Yet it appears that CASL, if not fixed, will do just that.
- The proposed regulations fail to properly clarify what is included under the definition of a CEM, thereby subjecting non-CEMs to CASL’s unsubscribe and formality requirements.
- The proposed regulations fail to recognize the value of other, reasonable, approaches to obtaining consent to send CEMs, such as under existing PIPEDA rules. They do not even grandfather exiting PIPEDA consents during the transition period.
- The onerous rules associated with obtaining consents on behalf of unidentified third parties. These restrictions will significantly affect modern, innovative business models on social networks.
- The problems with referrals including “referring a friend” programs.
- The narrow definition of personal and family relationship.
For more information about CASL, see, CASL: the unofficial FAQ, regulatory impact statement, and compliance guideline.