Lynne Perrault, and Ryan Caron of the CRTC gave a talk to members of IT-Can and the Toronto Computer Lawyers Group on the CRTC regulations and guidelines related to CASL. Kelly Anne Smith of the CRTC joined by phone. (I summarized these documents in a blog post, CRTC Issues CASL (Canada’s Anti-Spam Law) Guidelines, background and commentary.) The slides presented at the meeting are set out below.
The following are some highlights from the talk and the Q & A that followed. Note, some of the remarks were also made at an earlier talk to ITAC members that I reported on in a previous blog post, CRTC clarifies questions about CASL.
- The Guidelines are not intended to be mandatory. The use of the word “should” suggests methods of implementation that would be compliant; in some cases best practice. However, the Guidelines are not mandatory and compliance can be achieved in other ways.
- The Guidelines describe various methods of obtaining oral consents. Other methods would also be acceptable.
- There is no need to provide users with the right to unsubscribe from “all messages”. This reference in the General Guideline was intended to refer to CEMs.
- Message recipients only need to provide express consents on one occasion. Unless the consent has been revoked, no further consents are required.
- An express consent received before CASL comes into force is valid, even if the information that will be required to be provided when CASL comes into force under s.10(1) was not provided.
- There is no need to provide message recipients with receipts to confirm that a consent has been given.
- CASL applies only where a CEM is sent to an electronic address. This would include an e-mail, SMS or IM message. CASL would not apply to electronic messages sent to Twitter or RSS feeds or that are received through general web browsing, or that are posted on a Facebook wall, for example, because these messages are not sent to an electronic address. They left open the issue as to whether an IP address such as an IP address associated with a set top box would be an electronic address.
- Cookies are computer programs to which the malware/spyware provisions apply. They are subject to the exception in s10.8, however.
- Section 6(6) has also raised problems of interpretation. There had been some speculation that the word “solely” deemed all messages in the subsection to be CEMs to which the unsubscribe provisions of CASL applied. They clarified that s.6(6) only applies to messages that are CEMs. Accordingly, an electronic message such as a pure service message would not be subject to any of CASL’s formalities including its unsubscribe requirements merely because it might be listed as a category of message under s.6(6). However, if the service or other such electronic message also contains promotional or other information that would make it a CEM, then the unsubscribe provisions would apply.
- The CRTC staff maintained their views expressed in the Toggling Guideline that a pre-checked box could not satisfy the requirement for express consent, even if a user manifests consent by clicking one or more icons to agree to all of the information on the screen. The CRTC staff admitted that they had not reviewed the many click-wrap agreement cases that do regard a click or similar action as a manifestation of express consent.
- It would be acceptable when structuring an application download process to enable a user to download an app and then to provide the necessary disclosures and obtain the necessary consent before the application installation process begins.
- They also expresed the view that an electronic message that merely provides a link to a company’s home page would be a CEM.
The slides from the talk are set out below.
For more information about CASL, see, CASL: the unofficial FAQ, regulatory impact statement, and compliance guideline.