Lynne Perrault, and Ryan Caron of the CRTC gave a talk to members of IT-Can and the Toronto Computer Lawyers Group on the CRTC regulations and guidelines related to CASL. Kelly Anne Smith of the CRTC joined by phone. (I summarized these documents in a blog post, CRTC Issues CASL (Canada’s Anti-Spam Law) Guidelines, background and commentary.) The slides presented at the meeting are set out below.
The following are some highlights from the talk and the Q & A that followed. Note, some of the remarks were also made at an earlier talk to ITAC members that I reported on in a previous blog post, CRTC clarifies questions about CASL.
- The Guidelines are not intended to be mandatory. The use of the word “should” suggests methods of implementation that would be compliant; in some cases best practice. However, the Guidelines are not mandatory and compliance can be achieved in other ways.
- The Guidelines describe various methods of obtaining oral consents. Other methods would also be acceptable.
- There is no need to provide users with the right to unsubscribe from “all messages”. This reference in the General Guideline was intended to refer to CEMs.
- Message recipients only need to provide express consents on one occasion. Unless the consent has been revoked, no further consents are required.
- An express consent received before CASL comes into force is valid, even if the information that will be required to be provided when CASL comes into force under s.10(1) was not provided.
- There is no need to provide message recipients with receipts to confirm that a consent has been given.
- CASL applies only where a CEM is sent to an electronic address. This would include an e-mail, SMS or IM message. CASL would not apply to electronic messages sent to Twitter or RSS feeds or that are received through general web browsing, or that are posted on a Facebook wall, for example, because these messages are not sent to an electronic address. They left open the issue as to whether an IP address such as an IP address associated with a set top box would be an electronic address.
- Cookies are computer programs to which the malware/spyware provisions apply. They are subject to the exception in s10.8, however.
- Section 6(6) has also raised problems of interpretation. There had been some speculation that the word “solely” deemed all messages in the subsection to be CEMs to which the unsubscribe provisions of CASL applied. They clarified that s.6(6) only applies to messages that are CEMs. Accordingly, an electronic message such as a pure service message would not be subject to any of CASL’s formalities including its unsubscribe requirements merely because it might be listed as a category of message under s.6(6). However, if the service or other such electronic message also contains promotional or other information that would make it a CEM, then the unsubscribe provisions would apply.
- The CRTC staff maintained their views expressed in the Toggling Guideline that a pre-checked box could not satisfy the requirement for express consent, even if a user manifests consent by clicking one or more icons to agree to all of the information on the screen. The CRTC staff admitted that they had not reviewed the many click-wrap agreement cases that do regard a click or similar action as a manifestation of express consent.
- It would be acceptable when structuring an application download process to enable a user to download an app and then to provide the necessary disclosures and obtain the necessary consent before the application installation process begins.
- They also expresed the view that an electronic message that merely provides a link to a company’s home page would be a CEM.
The slides from the talk are set out below.
For more information about CASL, see, CASL: the unofficial FAQ, regulatory impact statement, and compliance guideline.
3 comments
Barry thanks for capturing these notes from the presentation.
I’m still not convinced about the issue of an existing express consent under PIPEDA being grandfathered, despite their assurances. First, they talked as if PIPEDA requires opt-in – but opt-out permission is acceptable under PIPEDA under some circumstances. So if permission was obtained under PIPEDA on an opt-out basis – is the CRTC going to say it was not express consent?
And take a look at the Industry Canada commentary on page 6 of their release of the Industry Canada regs, Industry Canada seems to say that since CASL has a higher threshold for consent, PIPEDA consents will not be sufficient.
The other thing I’m not convinced about is their stance on social media. The CRTC focus seems to be on email, SMS and IM – but to me a DM sent on Twitter or a message to one person on facebook is technically caught.
Thanks for capturing this. Some of the wording is terrible. Everything on the web has an electronic address so would appear to be covered. The key point is – are you sending to someone else’s personal address? Twitter and such are sending to your own account which people can then subscribe to. They’re not going to someone else’s address.
Evidently the news has been suggesting Twitter and facebook are impacted. This came up quickly in a search to correct that notion. Much appreciated.