CRTC Issues CASL (Canada’s Anti-Spam Law) Guidelines, background and commentary

October 16th, 2012 by Barry Sookman

Last week the CRTC released its first two “information bulletins” intended to help businesses in interpreting CASL and the CRTC’s regulations under CASL. While certain of the Commission’s interpretations are helpful, some are troublesome as they would impose new requirements not contemplated either by the statute or the CRTC’s own regulations. They would necessitate costly compliance, which would particularly affect small and medium-sized businesses and mobile digital commerce.

Under the Commission’s interpretation of its regulations and the related provisions of CASL, among other things:

  • Users should be given the opportunity to unsubscribe from all messages from the sender, not merely CEMs.
  • Requests for consent to install a computer program cannot be contained in a license agreement or other online terms, even though this was expressly contemplated by CASL (other than for the malware/spyware category).
  • Users must be informed at the time of a request for consent about all of the functions of the computer program listed in S.10(5), not merely those that may have the malware/spyware attributes to which the section applies.
  • Requests for consents to install a computer program have to be obtained before the product or service is used or sold.
  • Businesses seeking oral consent to send CEMs are advised to make and keep a complete and unedited audio recording of the consent.
  • Businesses seeking written consent to send CEMs are advised to record the date, time, purpose, and manner of that consent and store it in a database.
  • Confirmation of a receipt of a consent must be sent to the person whose consent was being sought. In addition to requiring new website functionality, this may necessitate, in the case of consent to install a computer program, the collection of personal information that otherwise would not need to be collected.
  • Consent under CASL cannot be obtained by using pre-checked boxes, even if the user must expressly consent to the information in the checked boxes.

The CRTC’s guidance, coming from the body that will primarily enforce CASL, increases the already widely shared concern that CASL does not properly balance the legitimate need to curb unwanted SPAM and malware with the legitimate need to foster the use of electronic commerce in Canada. David Elder summed up his views about the guidelines saying “while some of the new guidance is helpful, other provisions will likely create significant operational concerns for businesses”. Mike Fekete and Mattew Wanford stated “While the bulletins bring clarity to what the CRTC expects businesses to do, the CRTC’s interpretation of CASL will leave most organizations with no choice but to adopt expensive and disruptive changes to the processes they use now in respect of their use of electronic communications and their installation of computer programs on a consumer’s device.”

Background

On 15 December 2010, Canada’s new anti-SPAM law, commonly referred to as CASL, entered the statute books.1 Legislation to combat SPAM, malware and spyware was long overdue in Canada and the enactment of legislation to address these problems was heralded as a major step forward. However, CASL is not yet in force. It won’t be proclaimed into force until all of the regulations needed to clarify its scope and operation are finalized, likely sometime in 2013.

The CRTC and Industry Canada separately published draft regulations in June/July, 2011. The public consultation process which ensued made it clear that while anti-spam and anti-malware/spyware laws are welcome by Canadians, CASL in its current form without appropriate regulations is not. Almost every sector of Canadian business pointed out that CASL’s unique-in-the-world approach to regulating SPAM and malware would create unprecedented red tape and uncertainty, impose significant compliance burdens and costs, impede innovation in the use of electronic forms of communication in Canada, and place Canada at a competitive disadvantage relative to our trading partners.2

In a blog post published this week on the Guidelines, Bernice Karn described how CASL in its present form is viewed by the business community:

CASL has not yet been proclaimed in force, and through the public consultations held by both Industry Canada and the CRTC on the draft CASL, it has become apparent that the business community is concerned about the far-reaching and severe consequences of this legislation. With administrative monetary penalties under CASL of up to CDN$10 million and the creation of a private right of action for breach of CASL, this statute will have a profound and possibly chilling effect on how responsible organizations communicate electronically with their customers and others.

When CASL was enacted it was contemplated that regulations would be used to clarify its scope and properly balance all of the objectives behind the new law.3 Industry Canada (the Governor in Council) was given very broad powers to make regulations, including a residual power where necessary for carrying out the purposes and provisions of CASL. By contrast, the CRTC was given the power to make regulations in narrow and specific matters.4

As a direct result of the significant problems identified with CASL during the consultation process, Industry Canada delayed finalizing its proposed regulations to rethink its approach before publishing a new set. The new Industry Canada CASL regulations are expected to be released for comment later this year. These regulations could make a great difference in providing the much-needed balance required to ensure that CASL promotes rather than impedes the use of the Internet, mobile and other digital networks for electronic commerce.

Despite Industry Canada’s pause to reflect on its draft regulations, the CRTC moved ahead to finalize its regulations on March 28, 2012 in Telecom Regulatory Policy CRTC 2012-183 (the “Regulations”). On October 10, 2012, the CRTC published two Compliance and Enforcement Information Bulletins related to CASL:

The CRTC Regulations prescribe the form and certain information to be included in CEMs and requests for consent with respect to the sending of CEMs, the alteration of transmission data in electronic messages, and the installation of computer programs. The Guidelines focus on the CRTC’s interpretation of the Regulations and the related provisions of CASL and provide examples of what the CRTC considers to be compliant behavior.

Commentary on the General Guideline

Who Must be Identified in CEMs

General Guideline Paragraphs 5, 6 and 7: The General Guideline explains what information must be included in CEMs (section 2 of the CRTC Regulations). Part 1(a) of the General Guideline addresses who must be identified in a CEM. It says the following:

a. Whom to identify

5. Section 2 of the Regulations requires that each CEM set out information that identifies the sender of the message and, if applicable, the person on whose behalf the message is sent, and include contact information for such persons.

6. The Commission considers that section 2 of the Regulations does not require that persons situated between the person sending the message and the person on whose behalf the message is sent need necessarily be identified. For example, persons so situated may facilitate the distribution of a CEM but have no role in its content or choice of the recipients. In that event, the Commission considers that they do not need to be identified.

7. However, the Commission emphasizes that when a CEM is sent on behalf of multiple persons, such as affiliates, all of these persons must be identified in a CEM.

Comment: Paragraph 6 aptly describes the status of a pure conduit under Canadian law. One would not have expected that a person whose only role in sending out CEMs is to provide the facilities to enable them to be sent, would be held responsible for their dissemination, and the Guideline supports that position.5

Addresses to be Included in CEMs

General Guideline Paragraphs 8 and 9: Part 1(b) of the General Guideline addresses what mailing addresses must be set out in a CEM. It says the following:

b. Mailing addresses

8. The Regulations require that a CEM set out, among other things, the mailing address of the person sending the message or, if different, the mailing address of the person on whose behalf the message is sent [paragraph 2(1)(d)]. This contact information is also to be included in a request for consent [paragraph 4(d)].

9. The Commission considers that, for the purposes of the above-noted paragraphs of the Regulations, “mailing address” consists of the sender’s valid, current street (or civic) address, postal box address, rural route address, or general delivery address. Pursuant to subsection 6(3) of the Act, this address must be valid for a minimum of 60 days after the message has been sent.

Comment: S.6(2)(a) of CASL provides that a CEM must contain prescribed information that identifies the person who sent the message. S.2(1) of the Regulations arguably went beyond this requirement to also require very detailed address information of the person who sent the message.6 The chief difficulty this requirement imposes is with respect to short message types like SMS messages. S.2(2) of the Regulations attempts to address the problem created by the same Regulations by permitting the information to be posted on the web and reachable by a link that is “clearly and prominently” set out in the CEM and is “readily accessible” by the message recipient. This requires all small businesses who want to use SMS or other short message types to have web sites even though, as the Canadian Federation of Independent Business pointed out to the Government during the consultations, a large percentage still do not. It also requires individuals carrying on business through sole proprietorships (for example, a home-based business) to publish their private personal information on the web merely to send commercial messages – a right that is likely protected as freedom of expression under the Canadian Charter of Rights and Freedoms. The Regulations may also effectively make it illegal to send short message types to people who do not have smartphones or phones with data plans that enable them to readily click on the link to access a website. The General Guideline does not address any of these problems.

Form of Unsubscribe Mechanism

General Guideline Paragraphs 10, 11 and 12: Part 2 of the General Guideline addresses the form of unsubscribe mechanism that must be contained in CEMs (section 3 of the Regulations). It says the following:

 10. Section 3 of the Regulations requires that the information to be included in a CEM and the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be set out clearly and prominently. Section 3 also requires that the unsubscribe mechanism must be able to be “readily performed.”

11. In Telecom Regulatory Policy 2012-183, the Commission stated, among other things, that in prescribing an unsubscribe mechanism that is less prescriptive and more technology neutral than what was originally proposed, the mechanism must be consumer-friendly. Accordingly, the Commission considers that in order for an unsubscribe mechanism to be “readily performed,” it must be accessed without difficulty or delay, and should be simple, quick, and easy for the consumer to use.

12. The Commission considers that an example of an unsubscribe mechanism that can be readily performed is a link in an email that takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender. In the case of a short message service (SMS), the user should have the choice between replying to the SMS message with the word “STOP” or “Unsubscribe” and clicking on a link that will take the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.

 

Comment: S.6(2)(c) of CASL requires CEMs to set out an unsubscribe mechanism in accordance with S.11(1) of the Act. S.11(1) sets out what the unsubscribe method must do, but does not give the CRTC the power to prescribe any restriction on how the unsubscribe method has to operate. Notwithstanding this, the Regulations created the “clearly and prominently” and “readily performed” requirements summarized above.

The CRTC interprets “readily performed” to mean the unsubscribe mechanism “must be accessed without difficulty or delay, and should be simple, quick, and easy for the consumer to use.” As noted above, for short messaging systems this may be impossible in the case of some message recipients and would force small businesses to establish websites to be able to legally send certain types of CEMs.

The examples in the images provided by the CRTC also raise some questions about whether the Guideline seeks to regulate messages that are not CEMs. In the first image, the user is given an option to unsubscribe from receiving “all messages”. In the second image that applies to an SMS message the sender is being told to give the user the option of replying with the word “STOP” or “Unsubscribe”. The right to cease receiving “all messages” or the “STOP” option appears to require giving users the right to unsubscribe from all message types, not just CEMs. It is unclear how there could be any legal basis to require senders of SMS messages to stop sending messages that are not CEMs. Perhaps this is merely an oversight in the preparation of the examples.

Information to be Included in Requests for Consents – The “Sought Separately” Requirement

General Guideline Paragraphs 13, 14 and 15: Part 3 of the General Guideline addresses the information to be included in a request for consent (section 4 of the Regulations). Part 3(a) addresses the meaning of “sought separately”. It says the following:

Meaning of “sought separately”

13. Section 4 of the Regulations requires that express consent be sought separately for each of the following acts:

  • the sending of CEMs (section 6 of the Act);
  • the alteration of transmission data in electronic messages in the course of a commercial activity (section 7 of the Act); and
  • the installation of a computer program on another person’s computer in the course of a commercial activity (section 8 of the Act).

a. What does “sought separately” mean?

14. The Commission considers that in order to meet the requirement of seeking consent separately, the person seeking consent must identify and obtain specific and separate consent for each act contemplated by the sections of the Act described in paragraph 13 above. Accordingly, consent for each act above must be sought separately from any other act captured by sections 6 to 8 of the Act. The Commission also considers that the activities captured by each of the above acts are distinct, as are the consequences.

15. For example, the Commission considers that persons must be able to grant their consent for the installation of a computer program while refusing to grant their consent for receiving CEMs. However, the Commission does not consider it necessary for consent to be sought separately for each instance of the acts listed in paragraph 13 above, as long as the consent request is in accordance with subsections 10(1), 10(2), 10(3), and 10(4) of the Act, where applicable.

Comment: S.10(1) of CASL sets out what a person must do to obtain express consent under SS.6 to 8. The only form requirement in S.10 is that the person requesting consent has to “set out clearly and simply” certain information when requesting a consent. The CRTC had the power under CASL to prescribe the form of a request for consent for the purposes of SS.10(1) and (3). In the Regulations the CRTC decided to add the new “sought separately” requirement.

The CRTC’s interpretation of its Regulation may well be reasonable. However, given that it will apply to all Canadian and worldwide businesses that request consent to install a computer program in, or to send a CEM to, Canada, it will impose new, unique Canada-specific formalities, processes and implementation costs not required to do business elsewhere. These considerations should be borne in mind especially when reviewing what the CRTC believes is required to meet the “sought separately” formality.

General Guideline Paragraph 16: Part 3(b) of the General Guideline goes into more detail as to how requests for consent have to be obtained to comply with the “sought separately” requirement. It says the following:

b. Requests for consent

16. The Commission considers that requests for consent contemplated above must not be subsumed in, or bundled with, requests for consent to the general terms and conditions of use or sale. The underlying objective is that the specific requests for consent in question must be clearly identified to the persons from whom the consent is being sought. For example, persons must be able to grant their consent to the terms and conditions of use or sale while, for instance, refusing to grant their consent for receiving CEMs.

Comment: The Commission’s example above suggests that persons must be able to grant their consent to the terms and conditions of use or sale while refusing to grant their consent for receiving CEMs. Where a contract is entered into for the purchase of a product or service, a separate consent is not required, as there would be an implied consent to send CEMs under the existing business relationship exception. In this situation CASL does not give a person any right to refuse to grant consent to receive any CEMs.

Assuming, however, that a request for consent is made, it is not clear why if only one consent under CASL is being requested, a consent included in online or other contract terms should not satisfy CASL or the Regulations. CASL requires that the information be set out “clearly and simply”. This could be done as part of online terms, without a separate process being required.

In the statute, “separately and apart from the licence agreement” only applies to malware/spyware functions. “Sought separately” in the Regulations appears only to refer to multiple consents for multiple acts. That doesn’t necessarily mean separately from a governing contract. Construing the Regulations to apply only to acts and not the governing agreement would be consistent with CASL’s structure which, as noted above, only requires a consent be separate from the transaction agreement for the list of malware/spyware functions in Section 10(5) for which consent must be obtained “separately and apart from the license agreement”.

CASL’s rules have been sometimes justified by the government as conforming to existing best practice principles. Yet, the current practice when obtaining consent to install a computer program online, for example, is for a person to be presented with a single online agreement (a EULA) that incorporates all material terms and conditions. The online agreement typically contains any needed consents including those required to comply with PIPEDA. Often the terms are included in specific policies that are presented to users through conspicuous links in the main online terms. The CRTC’s Regulation and Guideline would require websites in Canada and around the world to change their online contracting processes to add a new discrete request or requests for consent. Vendors work very hard to balance the need to obtain valid online agreements that comply with applicable laws with maintaining an efficient user friendly experience. Many users including those seeking to download online apps using mobile devices may not appreciate the extra hurdle that would be required to stand between them and the desired app.

The above guideline creates another prohibition not in CASL or the Regulations. It suggests that vendors who seek to offer terms of service for a business model that is premised on users giving consents to receive CEMs, can be forced to offer to contract for the service while being legally required to let users decline to receive electronic messages that are core to the service offering. This could pose problems, especially with mobile social media applications that depend on the service or other users communicating CEMs.

Information to be Provided When Obtaining Consents

General Guideline Paragraph 17: The CRTC also prescribed information to be provided when obtaining consent for the purposes of Section 8 as follows:

17. The Commission considers that if the acts listed in section 8 of the Act (installation of a computer program) are necessary for the use or proper functioning of a product or service, and consent is not otherwise exempted or deemed by the Act or its associated regulations, the necessary nature of the act (e.g. collecting personal information stored on the computer system) must be indicated in the consent request. Consent for the necessary acts must be obtained before the product or service is used or sold.

Comments: CASL does not require the disclosure of any specific information about the nature of a computer program a person requests consent to install, other than in general terms its function or purpose, unless the program has some of the malware or spyware functions described in S.10(5). S.10(1) and (3) give the CRTC the power to prescribe information that must be disclosed when requesting consent to install a computer program. The CRTC prescribed information required for programs that fall into those listed in S.10(5), but did not expressly prescribe information for those not falling into these categories. The CRTC’s guideline suggests that any of the listed functions in S.10(5) requires heightened disclosure even if the intent and knowledge conditions of S.10(5) are not met. For the reasons set out below, this reading of S.10(5) is likely contrary to Parliament’s intent.

The CRTC added a new wrinkle with the guideline that “Consent for the necessary acts must be obtained before the product or service is used or sold.” CASL requires that the necessary consent be obtained before the computer program is installed. CASL did not give the CRTC any authority to regulate the timing for obtaining users’ consent and the CRTC did not prescribe any new requirements in its Regulations. The guidance suggests that a program can now be installed before a consent is obtained provided that the consent is obtained before it is used. It is possible that this guideline is meant to apply to pre-installed or pre-packaged software where the user is not given an opportunity to consent before the software or product containing the software is purchased. If so, it is unclear how a person could consent to the use of the program without actually using it to get a request for consent.

The CRTC provided examples of requests for consent it regards as compliant as follows:

18. The Commission regards the following means as compliant:

  • a separate tick-box for each of sections 6 to 8 of the Act, which must be proactively checked by the person whose consent is being sought in order to indicate consent (see Compliance and Enforcement Information Bulletin 2012-549);
  • a separate icon for each of sections 6 to 8 of the Act, which must be proactively clicked by the person from whom consent is being sought; or
  • any combination of the above.

Comment: The CRTC’s reference to proactively checking a tick box is commented on further below.

In the second group of screen shots, the CRTC suggests that businesses should disclose how a user can request removal or disabling of computer programs. Yet, neither CASL nor the Regulations require this disclosure with respect to any type of program. Further, as discussed below, CASL’s provisions in S.11(5) that address withdrawal of consent most likely only apply to the malware/spyware category of program to which S.10(5) applies and not to all programs as one might infer from the Guideline.

Disclosure Obligation for Computer Programs When Requesting Consent

General Guideline Paragraph 19: The CRTC also provides guidance on its interpretation of S.11(5) of CASL as follows:

19. The Commission notes that paragraph 11(5)(a) of the Act must also be complied with. This paragraph provides that a person who has the express consent of an owner or authorized user to do any act described in section 8 of the Act (installation of a computer program) must

(i) for a period of one year after any computer program that performs one or more of the functions described in subsection 10(5) of the Act (e.g. collect personal information stored on the computer system) is installed under consent,

(ii) ensure that the person who gave their consent is provided with an electronic address to which that person may send the request to remove or disable that computer program, if they believe that the function, purpose, or impact of that computer program was not accurately described when consent was requested.

The foregoing does not apply if the function of the computer program is one that is referred to in subsection 10(6) of the Act.

Comment: The CRTC’s guideline interprets S.11(5) to apply to all of the listed functions in S.10(5) without reference to the requirement in S.10(5) that the malware/spyware function be performed intentionally and in a manner that operates contrary to the reasonable expectations of the owner of the computer system. As noted below, one might have interpreted the right to withdraw a consent to the installation of a computer program under S.11(5) to apply only to those functions to which S.10(5) applies. The CRTC’s construction of S.11(5) creates a higher burden on providers of software.

General Guideline Paragraph 20: The CRTC also reminded the public about paragraph 4(e) of the Regulation:

20. The Commission also notes paragraph 4(e) of the Regulations, which requires that a request for consent must contain a statement indicating that the person whose consent is sought can withdraw their consent.

Comment: Section 4(e) of the Regulations requires that a request for consent contain a statement indicating that a person can withdraw his or her consent. This requirement makes sense in the context of CEMs and fits within the CASL regulatory regime because there is a right to unsubscribe from receiving CEMs. But CASL does not expressly enable a person to withdraw consent for software that has already been installed with consent. (The heading in S.11(5) refers to a withdrawal of consent, but the section only provides a remedy for consents obtained through a suspected misrepresentation.) Accordingly, it is unclear why this is a requirement in the Regulations.

Requirements for Obtaining Consent Orally and in Writing

General Guideline Paragraphs 21, 22 and 23: The CRTC also provides its interpretation of the requirement to obtain consents orally or in writing. The guideline states the following:

Consent obtained orally or in writing

21. Section 4 of the Regulations requires that, for the purposes of subsections 10(1) and 10(3) of the Act, a request for consent may be obtained orally or in writing, or a combination thereof.

a) Consent obtained orally

22. The Commission notes that oral requests for consent are consistent with the Personal Information Protection and Electronic Documents Act (PIPEDA) (see section 4.3.7 of Schedule 1 of PIPEDA) and the Commission’s Unsolicited Telecommunications Rules (see Part V: Express Consent).

23. The Commission considers the following forms as sufficient to discharge the onus of demonstrating oral consent:

  • where oral consent can be verified by an independent third party; or
  • where a complete and unedited audio recording of the consent is retained by the person seeking consent or a client of the person seeking consent.

For example, a person may request and obtain oral consent in situations where information is collected over the phone (e.g. call centres) or consent may be given at the time that individuals use a product or service (e.g. point of sale purchases).

27. The Commission notes that, pursuant to section 13 of the Act, persons who allege that they have consent to do an act captured by sections 6 to 8 of the Act have the onus of proving it.

Comment: As the CRTC noted, the person requesting consent has the burden of proving that consent was obtained. While some businesses may keep the kind of records the CRTC is suggesting would satisfy the requirement for proof, for many businesses, especially small ones, meeting the burden of proof in the manner suggested would impose significant new costs. The processes for demonstrating consent suggested appear to be derived from the Commission’s Do Not Call regime. However, that regime covers a much more limited subset of entities and marketing processes than CASL and its processes are not easily transferred to requesting consents to send CEMs or to install computer programs.

The requirement to retain a complete unedited audio recording potentially also raises privacy concerns as it would require businesses to record conversations that could contain personal information. A business would be required to ask orally for consent to do this during the conversation. If the same standard of proof of consent applies under PIPEDA, as suggested by the CRTC, the person requesting the consent would also have to record that conversation, which presumably could not be done before a separate consent is obtained.

Disclosure of Malware/Spyware Functionality

General Guideline Paragraphs 24, 25 and 26: The CRTC next provides its interpretation of the writing requirement as follows:

b) Consent obtained “in writing”

24. The Commission notes that for the purposes of section 4 of the Regulations, the term “in writing” includes both paper and electronic forms of writing.

25. The Commission considers that the requirement for consent in writing is satisfied by information in electronic form if the information can subsequently be verified.

26. Examples of acceptable means of obtaining consent in writing include checking a box on a web page to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in a database; and filling out a consent form at a point of purchase.

Comment: The CRTC interpretation of the writing requirement also adds a new formality not in CASL or the Regulations. It could be read to suggest the writing must be recorded in a medium from which the information can be accessed to be verified. However, many online providers that use click wrap agreements do not keep the type of records of agreements suggested by the CRTC. To prove agreements, they often maintain records of the click wrap process and applicable terms in place at the relevant time of contracting. The CRTC’s level of proof would likely require businesses, especially small businesses, to make upgrades to their systems to comply with the CRTC’s interpretation of the Regulations.7

General Guideline Paragraphs 28 to 32: The CRTC also provides its interpretation of Section 5 of the Regulations that addresses disclosure of malware/spyware features of computer programs. It states the following:

 Specified functions of computer programs (section 5 of the Regulations)

28. Section 5 of the Regulations requires that a computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the persons from whom consent is being sought separately from any other information provided in a request for consent. This section also requires that the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that he or she understands and agrees that the program performs the specified functions.

29. Examples of the functions listed in subsection 10(5) of the Act are as follows:

  • collecting personal information stored on the computer system;
  • interfering with the owner’s or an authorized user’s control of the computer system; and
  • changing or interfering with settings, preferences, or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system.

Means of obtaining consent

30. The Commission considers that for the purposes of section 5 of the Regulations, consistent with its statement with respect to subsection 10(4) of the Act, the use of “in writing” includes both paper and electronic forms of writing.

31. The Commission considers that an example of an acceptable means of obtaining consent pursuant to section 5 of the Regulations would be an icon or an empty toggle box, separate from the licence agreement and other requests for consent, that would need to be actively clicked or checked, as applicable, in order to indicate consent to one, several, or all of the functions listed in subsection 10(5) of the Act, as applicable, provided that the date, time, purpose, and manner of that consent is stored in a database.

Comment: The CRTC’s interpretation of its Regulations would impose much more stringent requirements for disclosure than contemplated by CASL. The amendments made to CASL during Third Reading in the House of Commons after the Parliamentary Committee review of the Bill qualified the disclosure obligations for the categories of features in S.10(5) to make them only applicable if the intent and knowledge conditions in the Section are met. The CRTC’s interpretation of S.10(5) would appear to disregard the important amendments made to this Section by Parliament. Practically speaking, many features that are caught by the definitions in S.10(5) are in fact benign and could not all be adequately disclosed when requesting consent. This was a problem that Industry Canada was aware of and was one of the reasons the Section was amended by Parliament before the Bill was passed.

The Toggling Guideline

Toggling Guideline Paragraphs 4 to 8: The CRTC’s Toggling Guideline provides its interpretation on the use of toggling as a means of obtaining express consent under CASL. The CRTC describes toggling and its applicability to obtaining express consent as follows:

What is toggling?

4. The Commission notes that toggling is a means of switching from one state to another. The Commission also notes that toggling has been used as an opt-out consent mechanism[1] when the default toggle state assumes consent on the part of a person. A common example of such toggling is a pre-checked box on a website. The pre-checked box puts the onus on the person whose consent is being sought to take action in order to indicate that he or she does not consent, generally by unchecking the box. Consequently, inaction on the part of the person whose consent is being sought is considered to be equivalent to that person’s consent.

Figure 1: An example of toggling that assumes consent

 

Can toggling be used as a means to obtain express consent under the Act?

5. The Commission considers that in order to comply with the express consent provisions under the Act, a positive or explicit indication of consent is required. Accordingly, express consent cannot be obtained through opt-out consent mechanisms.

6. The Commission therefore considers that a default toggling state that assumes consent cannot be used as a means of obtaining express consent under the Act for the purposes of sending CEMs [paragraph 6(1)(a)], altering transmission data in electronic messages in the course of a commercial activity (e.g. network re-routing) [paragraph 7(1)(a)], or installing a computer program on another person’s computer in the course of a commercial activity [paragraph 8(1)(a)].

What are acceptable forms of obtaining express consent under the Act?

7. The Commission considers that since express consent requires a positive or explicit indication of consent, express consent can be obtained through opt-in consent mechanisms.[2] The Commission also considers that a CEM in the form of a subscription email, text message, or other equivalent form cannot be used to elicit express consent pursuant to subsection 1(3) of the Act.

8. The Commission notes that following receipt of express consent, confirmation of this receipt should be sent to the person whose consent was being sought.

Figure 2: Acceptable express consent mechanisms – Checking a box to indicate consent

Figure 3: Acceptable express consent mechanisms – Typing an email address into a field to indicate consent

Comment: The CRTC is right in making a distinction between opt in and opt out consents and in asserting that an opt in consent requires some affirmative action by the user. However, for a consent to be affirmative it need not be repeated on more than one occasion. At common law, a court would find that a person agreed to terms highlighted by pre-checked boxes by separately clicking “I Agree”, as long as the boxes and check marks are clearly brought to the attention of the user. Accordingly, the CRTC’s interpretation of express consent adds another formality that could impact the user experience, especially on mobile devices where every extra user interaction is more of an effort and inconvenience. Marketers will also have concerns about how this new formality will impact take-up of marketing opportunities.

The CRTC added yet a further formality with its guideline that requires, following receipt of express consent, the sending of a confirmation of receipt to the person whose consent was being sought. This is not a requirement under CASL or the Regulations. This would require service providers in Canada and around the world to add new functionality to their systems to deal with Canadians. Users may also be annoyed at receiving these new kinds of mandated messages, and some will no doubt consider them SPAM.

Further, this new formality would apply to consents under Section 8 of CASL even though the software provider may not otherwise have to collect personal information from individuals. The new requirement will now mean that every provider seeking to install software will have to collect and retain personal information to send out the confirmation. Subject to specific exceptions, Section 8 applies to just about all computer programs that may be available over electronic networks. It is not likely the whole ecosystem of software providers, big and small, would anticipate such a requirement or implement it.

This is one of many examples of how CASL will create unnecessary inconveniences for consumers and surprising burdens on otherwise compliant businesses. While these are all, ultimately, consequences of the “ban-all” approach taken in the legislation, Industry Canada and the CRTC each have the opportunity to find ways to implement the law in a way that balances the legitimate interests of both consumers and organizations that use electronic messaging platforms for commercial purposes. One would expect that one element of a digital economy strategy would be to ensure that new regulations do not in fact end up impeding the use of the digital platforms that consumers increasingly prefer to use.

For more information about CASL, see, CASL: the unofficial FAQ, regulatory impact statement, and compliance guideline

________________________________

[1] Its formal title is “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act”.

[2] See, the following blog posts that document the very significant problems with CASL: Electronic Commerce Protection Regulations – Much Work Remains; Will it be illegal to recommend a dentist under Canada’s new anti-spam law (CASL)?; Fixing CASL: comments on the draft CRTC and Industry Canada regulations; Rethinking FISA

[3] CASL’s objectives are set out in Section 3 which states:

The purpose of this Act is to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities, because that conduct

(a) impairs the availability, reliability, efficiency and optimal use of electronic means to carry out commercial activities;

(b) imposes additional costs on businesses and consumers;

(c) compromises privacy and the security of confidential information; and

(d) undermines the confidence of Canadians in the use of electronic means of communication to carry out their commercial activities in Canada and abroad.

[4] S.64

[5] See Reference re Broadcasting Act, 2012 SCC 4, Society of Composers, Authors and Music Publishers of Canada v. Canadian Assn. of Internet Providers, [2004] 2 S.C.R. 427, Electric Despatch Co. of Toronto v. Bell Telephone Co. of Canada (1891) 20 SCR 83. One of the criticisms of CASL was that it would impede the use of cloud computing in Canada because it applies to CEMs that are sent anywhere in the world from a computer located in Canada. The General Guideline provides useful confirmation that a pure IAAS or SAAS cloud provider need not be identified in CEMs sent by its customers from Canadian-based servers to persons located abroad. That said, it would not necessarily relieve the cloud providers of potential liability under Section 9 of CASL for “aiding” their customers or the direct liability of customers of cloud providers. Unless this is fixed in the Industry Canada regulations, Canada will become an unattractive place from which to provide cloud or outsourcing services.

[6] With respect to contact information for CEMs, S.6(2)(b) of CASL only required a CEM to contain information to enable a recipient to contact the sender. CASL did not expressly provide for any regulations to further specify any detailed address information.

[7] There are many statutes that require that a document be in writing to be valid or enforceable. The common law has recognized that electronic documents can meet these requirements. To give more assurance to electronic transactions the Uniform Electronic Commerce Act, which had been adopted in the Provinces throughout Canada, states that “A requirement under [enacting jurisdiction] law that information be in writing is satisfied by information in electronic form if the information is accessible so as to be usable for subsequent reference.” For Federal statutes PIPEDA states “A requirement under a provision of a federal law for a document to be in writing is satisfied by an electronic document if (a) the federal law or the provision is listed in Schedule 2 or 3; and (b) the regulations respecting the application of this section to the provision have been complied with.” PIPEDA does not require, for listed statutes, that a document be accessible for subsequent reference.

 

 

 

 

 
