The “anti-spam” portion of Canada’s anti-spam/spyware law (CASL) came into force on July 1, 2014. The “malware/spyware” computer program provisions come into force on January 15, 2015.
Most organizations are having very difficult times adapting to CASL’s confusing and prescriptive rules. According to a recent mini-survey conducted by the Canadian Chamber of Commerce of over 160 of its members, from responses to questions answered, over 90% of Canadian organizations believe that CASL should be scrapped, amended, or at least be subject to a Parliamentary review before it becomes law. Over 80% believe it will not be effective against the most harmful sources of spam. 63% believe that it will make business more difficult for them. Most believe CASL’s consent, disclosure and unsubscribe requirements are disproportionate and unreasonable. 56% believe CASL will impede the creation of a business environment driven by entrepreneurs that encourages jobs, growth and long term prosperity for Canadians.
In spite of all this, CASL will become law and organizations need to comply with it to avoid the completely excessive AMPs that theoretically can be $10 million for each CASL violation and the personal vicarious liability of officers and directors. Moreover, contrary to what some have suggested, CASL compliance is not straightforward. The law and regulations are confusing and in some cases are technically or commercially impossible or impractical to comply with, at least without making costly investments in new technologies and platforms or renegotiating existing partner and service provider relationships.
The CRTC and Industry Canada have published materials to help guide CASL compliance including to help understand the Act, the CRTC Regulations (the CRTC regs) and the Industry Canada Regulations (the GIC regs). When the Industry Canada regulations were finalized, Industry Canada published a Regulatory Impact Assessment Analysis Statement (RIAS) providing helpful guidance on some points of confusion. The CRTC published a General Compliance Guideline, the Toggling Guidelines and a Guideline on Implied Consents. After publishing them, the CRTC clarified that the guidelines are “best practice” guidelines and do not necessarily have to be followed to be CASL compliant. The CRTC also published and later revised a short FAQ on CASL. It also published some slides and a transcript from public information sessions on CASL as well as a Compliance and Enforcement Bulletin. It also published guidance on the grandfathering of existing CASL consents.
The CRTC also held information sessions to help explain the computer program provisions. It later published an FAQ specifically dealing with the program provisions. It committed to publish its slides and a transcript of one of those information sessions, but I haven’t been able to find them on the CRTC’s website. It also publishes information on its enforcement activities on a webpage with links to its guidance on CASL.
The advice offered to date by Industry Canada and the CRTC does not address many of the thorny CASL compliance issues. Also, because much of the advice, especially from the CRTC, is “best practice”, little guidance is available on what practices short of “best practices” would comply with the law.
To help organizations continue to think through CASL compliance issues and the impacts of the law, I offer below an unofficial FAQ and compliance guideline. I also illustrate below some of the real impacts CASL will have on organizations conducting activities in Canada and some of its impacts on consumers. This post takes into account advice offered by Industry Canada and the CRTC. However, unlike other blogs and compliance documents, this FAQ does not purport to be consistent with those documents where I believe them to be either wrong or not required to meet the only binding obligations: those set out in CASL, the GIC regs and the CRTC Regulations.
How will CASL and the Regulations be construed? Like any legislation, under the Interpretation Act, CASL will be deemed to be remedial legislation and will “be given such fair, large and liberal construction and interpretation as best ensures the attainment of its objects”. CASL’s preamble and statements made about CASL’s objectives by the Government, as well as constitutional limitations on how freedom of commercial speech can be impinged upon under the Canadian Charter of Rights and Freedoms, all play important roles in determining how CASL will be construed. As I argued in a prior blog post that addressed the principles for establishing regulatory exceptions to CASL, the principles to be used in construing CASL should be the following:
CASL should deter and protect consumers and businesses from the most damaging and deceptive forms of spam and malware from occurring in Canada and help drive spammers out of Canada.
CASL should promote the efficiency and adaptability of the Canadian economy and encourage reliance on electronic means of carrying out commercial activities.
CASL should not impair the availability, reliability, efficiency and optimal use of electronic means to carry out commercial activities.
CASL should not impose unreasonable additional costs on businesses and consumers.
CASL should not compromise or impair, but should promote, the protection of privacy and the security of confidential information.
CASL should not undermine, but should foster, the confidence of Canadians in the use of electronic means of communication to carry out their commercial activities in Canada and abroad.
CASL should be technologically neutral.
CASL should not disadvantage or make Canadian businesses uncompetitive in domestic or foreign markets.
CASL’s prohibitions should comply with the values and constitutionally protected rights of commercial speech under the Charter of Rights and Freedoms. In particular, the limits on commercial speech must be reasonable and justified, minimally impair the free speech right, and be proportionate to the harm that is being targeted by CASL’s prohibitions.
It is likely that a plain reading of CASL and the regulations would violate many of the above principles. I explained why I believe this to be the case in a series of other blog posts that are collected here. It is almost certain that CASL will not survive a Charter challenge. Nevertheless, until CASL is declared to be unconstitutionally overbroad, the principles set out above should be considered in interpreting some of CASL’s ambiguous provisions.
What is a CEM? Unfortunately, almost every electronic message or category of message must be examined to determine if a message is a CEM. From having sat in endless meetings and having reviewed hundreds of “law school exams” trying to decide what are and what are not CEMs, I can only say that this is one of the most challenging parts of CASL. The importance and difficulties in distinguishing message categories have implications for when messages can be sent without consent and when the identification and unsubscribe options have to be provided.
What messaging systems are covered? An electronic message must be sent to an “electronic address” for it to be a CEM. Messages sent to e-mail, SMS or IM or “similar accounts” can be CEMs. Messages that are not sent to these types of accounts cannot be CEMs. Based on this, messages posted to blogs, messages sent to “timelines” like Facebook, LinkedIn or Twitter timelines, and content sent to subscribers through RSS feeds are not CEMs. Some messages sent using social networks such as direct messages or email or IM messages sent to individuals on social networks can be CEMs. However, if users set up their profiles appropriately on social networks to display the identification information required by the CRTC Regs, then these messages can be exempt under the GIC Regs.
Must a message promote buying or selling a product to be a CEM? CASL’s definition of CEM is broader than messages that promote buying or selling products. The definition of CEM has a non-exclusive list of message types that are deemed to be CEMs. Other messages may be CEMs if they encourage participation in a “commercial activity”. This is defined in CASL as being “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit”.
The term “commercial character” is also ambiguous. At its broadest construction it could include messages that promote transactions where there is any exchange of consideration. However, given CASL’s potential impingement of commercial speech and in light of the noscitur a sociis principle, the phrase “commercial activity” should be construed by its association with other terms in the list of deemed commercial activities. The listed items in the definition of “commercial electronic message” include “offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land”, “offers to provide a business, investment or gaming opportunity”, and messages that advertise or promote those activities, or promote a person who does those things. The term “commercial activity” should be confined to acts, transactions, or conduct that have attributes that are common to these examples.
Are transactional messages CEMs? Section 6(6) of CASL exempts various classes of messages from the consent requirements of CASL. Where it applies, the identification and unsubscribe formalities still apply. The wording of the section is tortured. Only CEMs that fall within the list are exempted from the consent requirement. However, many of the listed messages would not otherwise be considered CEMs, including messages that facilitate, complete or confirm a commercial transaction; provide warranty information, product recall information or safety or security information about a product, goods or a service; provide notification of factual information about the ongoing use or ongoing purchase of a product, goods or a service offered under a subscription, membership, account, loan or similar relationship, or the ongoing subscription, membership, account, loan or similar relationship of the person to whom the message is sent; provide information directly related to an employment relationship or related benefit plan; or deliver a product, goods or a service, including product updates or upgrades.
It is hard to understand why many of the message types listed in s6(6) need to be exempt from the consent requirement and why inferentially these messages need to contain identification and unsubscribe information. Further, if these messages are only deemed to be CEMs even if they wouldn’t otherwise be, it is harder to see how these restrictions on communications can be justified under the Charter or under the Federal Trade and Commerce power.
The better view is that the messages listed in s6(6) are not subject to CASL unless they encourage participation in a commercial activity and are thereby CEMs. If the messages listed in s6(6) are CEMs and are CEMs only by being those message types, they get the benefit of the implied consent exemption.
Is a message with a link to a website home page a CEM? The content available at a link is considered in determining if a message is a CEM because of the way “commercial electronic message” is defined. In this respect, CASL departs from the teachings of the Supreme Court in Crookes v. Newton 2011 SCC 47 which held that content that is accessible by clicking on an ordinary hyperlink is not published by the person making the hyperlink available. Some web pages serve a pure marketing or promotional purpose. Links to these pages run a higher risk of making the message a CEM, particularly if the link is prominent and the message encourages readers to access the content at the link. A home page can serve multiple purposes. It often contains important information identifying the message sender as well as information that describes the business lines and products of the business and links to other pages with more details about those products and services. Undoubtedly, one of the purposes of this information is to encourage participation in commercial activities. However, because of the importance of commercial speech on the Internet, even though the language of CASL might be broad enough to make messages containing links to home pages CEMs, that broad reading of CASL would almost certainly be ruled to be in violation of the Canadian Charter of Rights and Freedoms. Hence, a message containing a hyperlink to a home page that does not have as its main purpose the promotion of products or services so as to encourage participation in a commercial activity should not, as a result of that link, be considered a CEM.
Are surveys and market research CEMs? Surveys that have as their sole purpose collection of information or obtaining feedback are not CEMs. Messages intended to help gather information, even about a company’s products or services or even future products should also not be CEMs. Surveys and market research that are mere covers for promoting a product or service or which also promote a company’s products or services in a way that encourages recipients to buy them are CEMs.
Must a message directly encourage participation in a commercial activity? The definition of CEM is open ended and by itself could include electronic messages that are indirectly intended to encourage someone, even someone other than the recipient, to buy a product or service or participate in a commercial activity. In theory, news and press releases sent to traditional media, blogs or to other public relations influencers to encourage them to write about a product or service could be a CEM. This is another example of CASL’s potential overbreadth, especially here as it would indirectly impact the freedom of the press. Messages sent to these types of persons who are not being encouraged to engage in a commercial activity should not be CEMs. CEMs should be limited to electronic messages that encourage the recipient (or the recipient’s organization) to engage in a commercial activity.
Are invitations to corporate events CEMs? It depends on what the purpose of the invitation is. If the purpose is to provide information such as information about market developments or to provide professional development opportunities, the messages should not be regarded as CEMs. It shouldn’t matter if indirectly the host or promoter of the event is a business. However, messages to promote an event to tout the products or services of a business would be CEMs.
Can a single message be a CEM? Yes, unlike more reasonable legislation in other countries, even a single message can be a CEM. There is no requirement that messages be sent in bulk and there is no de minimis exception for single emails in CASL.
Must a message be false or misleading to be a CEM? No, unlike legislation in other countries, completely accurate messages can be CEMs.
Does CASL apply to electronic messages that are accessed in Canada that are stored on or are sent from foreign servers? Yes, CASL applies extra-territorially to every country worldwide from which messages might be sent to or accessed by someone in Canada. It applies even if the message sender has no way of knowing that the message recipients are located in Canada. For example, if a foreign organization has hundreds of thousands of email addresses from individuals around the world in its database including email addresses without any geographic domain identifiers, e.g. gmail.com or hotmail.com, it cannot send any messages out that might be accessed or received by Canadians without risking violating CASL. To avoid liability it would have to use due diligence to purge potential Canadian residents from its email database.
Does CASL apply to CEMs sent from Canada into other countries? Yes. The GIC regs exempt messages, however, if the sender believes the message will be accessed in a foreign state that is listed in the schedule to the GIC regs and the message conforms to the law of the foreign state that addresses conduct that is substantially similar to conduct prohibited under section 6 of the Act. This requires Canadian organizations to know the anti-spam laws in each country in which CEMs are sent in order to avoid the double jeopardy of liability in both Canada and the foreign countries in which the messages are sent.
Does CASL apply to charities? Yes. There is an exemption for a registered charity as defined in subsection 248(1) of the Income Tax Act if the message has as its primary purpose raising funds for the charity. Therefore, charities, like all other organizations, will have to expend resources to comply with CASL for any other activities that have a commercial character. Ad supported newsletters will be affected. Since opt out and other PIPEDA compliant consents are not grandfathered under CASL and because it will be illegal to send out electronic messages to get express consents, one may expect that many individuals will cease receiving newsletters they rely on from charitable organizations including those that provide information related to new products or services that can help people deal with disability or health problems or to stay healthy.
Does CASL apply to politicians seeking campaign contributions? Yes. CASL will impact the ability of some politicians and parties to raise money. It thus will negatively impact our democratic institutions by making it harder for parties and candidates to raise money in order to participate in the free exchange of ideas. The GIC regs contain an exemption for federal and provincial parties and organizations and candidates for publicly elected office if the message has as its primary purpose soliciting a contribution as defined in subsection 2(1) of the Canada Elections Act. It thus discriminates against municipal and regional parties and candidates who do not get the benefit of the exemption. It is telling that the Federal politicians recognized the burdens imposed by CASL and gave themselves an exemption, leaving virtually the rest of the public subject to its burdens.
What is express consent? An express consent is a consent that is clearly and unmistakably stated. The term has the same meaning as “express consent” under PIPEDA which is interpreted as giving “an opportunity for the individual to express positive agreement to a stated purpose”. An opt in consent can be an express consent. An opt-out consent is not.
Can an express consent be obtained by pre-checking a toggle box? The CRTC contends that an express consent requires some affirmative action by the person consenting. It has consistently taken the position that a pre-checked box can never result in an express consent. A pre-checked box by itself that is never affirmatively accepted by a person is not an express consent. However, where the express consent obtained clearly incorporates a choice in a pre-checked box, there would be consent for that choice. An example is a clickwrap agreement where the user by clicking agree also clearly manifests consent to the pre-checked toggle box.
Are prior express consents recognized under CASL even if the request for consent was not obtained by following s10 of CASL and the CRTC Regulations? Yes. The CRTC recently confirmed this in the information sessions.
Implied Consents for CEMs
Are prior PIPEDA compliant implied consents valid under CASL? No. Despite the extensive submissions made to Industry Canada for these consents to be grandfathered including by the now retired former chief drafter of the legislation, regulations were not in place that would have made this happen.
Does the term “implied consent” have its usual common law meaning? No. The term “implied consent” is used to refer to a restricted list of exemptions where implied consent is deemed to exist. It does not have the same meaning as “implied consent” under PIPEDA. It also doesn’t include “inferred consent”, an exemption that is available in other countries such as Australia. The only situations in which a person can have an implied consent is where the sender has an “existing business relationship” or an “existing non-business relationship” with another person (as those terms are defined in CASL), or solely in connection with messages that are sent to a person in a business or official capacity, where the “conspicuous publication” or “business card” exemptions apply.
If an individual gives you his or her email address including by giving you a business card, can you send that person a CEM relying on the “business card” implied consent exemption? Incredibly, the answer is no in many circumstances. The exemption only applies if the email or other electronic address relates to a person in a business or official capacity and the message relates to those situations. This is another example of CASL’s overbreadth. For example, if an individual meets a real estate agent at a party and they discuss potential properties the individual might be interested in and then following the discussion the person gives the real estate agent his email address on a napkin without more, the real estate agent could not send the individual information including information that the individual would probably want to receive under this exemption. Of course, the real estate agent could ask the individual at the party for express consent to send information, but also incredibly, the real estate agent would at the time of making the request have to provide all of the identification and unsubscribe information required by the CRTC regulations. You can imagine the individual’s incredulity about any need to receive such information. The real estate agent would, however, be able to send a CEM to the individual if it is sent in response to a request, inquiry or was otherwise solicited by the individual, relying on an exemption in the GIC Regs.
Can you email a business person using an email address you found published on the Internet or in a trade publication? Incredibly, the answer is no in many circumstances. The email address has to have been conspicuously published or caused to be so published by the recipient. One can probably assume that CASL’s drafters intended that a person’s email address published on his/her employer’s website would fit within the exemption, even though the employee may never have taken any steps to publish it or cause it to be published. Publication of an email address by a person on the person’s LinkedIn or Twitter profile would probably also be ok. One would hope that email addresses published by professional bodies such as law societies, medical, engineering, industrial, and other trade associations in directories would be covered, at least where the member consents either expressly or implicitly to such publication. However, the wording of the exemption, which requires the person to publish the email address or to cause it to be published, raises questions about this and CASL’s overbreadth. The public including consumers of products and services and new businesses need to be able to easily locate those with whom they want and need to communicate.
Exemptions from CASL for CEMs
Can a person email his/her grandparent, uncle or aunt, or cousin asking for a loan to pay medical expenses or to help them with tuition fees without getting a prior express consent to e-mail them? No. Incredibly, CEMs to family members are exempt from CASL only if the recipient falls within the narrow exemption for family relationships. This is confined to individuals who are related to one another through “a marriage, common-law partnership or any legal parent-child relationship and those individuals have had direct, voluntary, two-way communication”.
Can a child send an email to all of his class schoolmates using email addresses supplied by the school offering to sell a baseball mitt or a used bike? Can a child email his parents’ friends offering to mow their lawn or shovel their snow for school money? Can a child send emails out to his/her sister’s friends offering to sell them girl guide cookies or chocolates to raise money for a school trip? Can a person email his/her high school or university acquaintances to ask them to tell their friends and family about a business just started up? No, these messages can only be sent to close friends without express consent; to do otherwise will be illegal. There is an exemption for “personal relationships”. Yet despite submissions to Industry Canada to broaden it out to not make these kinds of activities illegal, it did not do so. A “personal relationship” is defined narrowly to be, essentially, close friends. The individuals must “have had direct, voluntary, two-way communications and it would be reasonable to conclude that they have a personal relationship, taking into consideration any relevant factors such as the sharing of interests, experiences, opinions and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated or whether the parties have met in person”.
Can a person write to a not for profit organization to make an application to work for it? There is an exception in CASL to send a message to a person who is engaged in a commercial activity if it consists solely of an inquiry or application related to that activity. If a not for profit is not engaged in a commercial activity, then the exemption would not apply. This exemption was in CASL to ensure that individuals could reach out to businesses to apply for jobs. Assuming these messages are CEMs, then it would be legal for a person to apply for a job at a business, but not for a not for profit organization that does not also engage in commercial activities.
Can an employee of an organization send a CEM to other employees of the organization without obtaining express consent? Yes, under an exemption in the GIC regs, the Act does not apply to a commercial electronic message that is sent by an employee, representative, consultant or franchisee of an organization to another employee, representative, consultant or franchisee of the organization and the message concerns the activities of the organization.
Can businesses send any messages they want to other businesses under the B2B exception in the GIC regs? In particular, under the B2B exemption, can a business with no prior relationship with another business send the business an email letting the business know about its goods and services and propose to do business together? No. Under the GIC regs, CASL does not apply to a commercial electronic message that is sent by an employee, representative, consultant or franchisee of one organization to an employee, representative, consultant or franchisee of another organization, only if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent.
There are thus three key limitations to using this exemption. First, the two businesses must have a “relationship”. That term is not defined in the GIC regs. In its ordinary meaning it would include a level of association, involvement, or connectedness, between two people. Accordingly, it could include, but is not limited to, legal relationships such as any legally recognized legal relationship and other relationships that have a level of association, involvement, or connectedness, between two people. CASL defines categories of relationships such as existing business and non-business relationships. Presumably, as the term “relationship” is not restricted to any particular kind of relationship, the indicia that can give rise to other relationships can be relevant in determining if a relationship exists.
Second, CEMs must relate to the activities of the recipient organization. It is unclear how the term activities is to be construed. Organizations generally carry on multiple activities including research, development, manufacturing, distribution, finance, cash management and investments, marketing, advertising, public relations, procurement, audit, and legal. There is no reason not to recognize all of these as being “activities” of the organization.
Third, the only persons who can take advantage of the exception are organizations. Many individuals carry on business as sole proprietorships. It is unclear if these business people qualify for the exception or if other organizations can send them CEMs relying on the B2B exemption. There is no good policy reason for discriminating against small businesses and hopefully the CRTC and the courts will give the term a broad enough construction so this doesn’t happen.
Can an organization send marketing and promotional materials to a person who was asking about a product even if the two persons don’t have an existing business relationship? Probably, but only certain materials can be sent. The GIC regs have an exemption that permits sending a CEM that is sent in response to a request, inquiry or complaint or is otherwise solicited by the person to whom the message is sent. If the person expressly asked for the materials, then there is no doubt that promotional materials reasonably related to the request could be sent. The exemption does not state that a request must be an express consent. Accordingly, in appropriate circumstances if it can be inferred from conduct or implied that a person made a request or otherwise solicited materials, they can be sent to the person asking about them.
If a person has unsubscribed from receiving CEMs from an auto leasing company, can the company send the lessee an unsolicited notice that the person’s car lease is expiring that also gives the lessee information about renewal options? The renewal option is likely a CEM. Although the lessee would likely not have intended to have elected not to receive information about end of term options, surprisingly the lessor cannot send the information unless an exception applies. The GIC regs contain an exception that permits sending a CEM (i) to satisfy a legal or juridical obligation, (ii) to provide notice of an existing or pending right, legal or juridical obligation, court order, judgment or tariff, (iii) to enforce a right, legal or juridical obligation, court order, judgment or tariff, or (iv) to enforce a right arising under a law of Canada, of a province or municipality of Canada or of a foreign state. If the lessee had a right of renewal or a pending right to receive the notice, then the lessor can send the lessee his/her renewal options, something that undoubtedly the consumer would want to receive. Otherwise, the lessor would have to send the notice by mail or some other inefficient means.
Can a sole proprietor send messages to his/her “LinkedIn Connections” over LinkedIn telling them about a new business without obtaining an express consent? Unless the LinkedIn connections are the person’s close friends, the “personal relationship” exemption would not apply. A message sent to a LinkedIn account would be sent to an electronic address and would be a CEM. But, under the GIC regs, if the message sender configures his or her profile in such a way that the social network conspicuously publishes the prescribed sender information (and the social network interface has a readily available means of enabling the recipients to unsubscribe from receiving CEMs), then the messages can be sent. However, the sole proprietor will be forced to publicly disclose his/her address (or spend extra money to rent a P.O. box) on LinkedIn in order to comply with the CRTC regs.
Can a bank send CEMs to customers without complying with any CASL formalities in a bank portal in which only the bank can send the customers CEMs if the customers can send the bank messages back about their banking or other needs? The CRTC says no. It contends that the highly desirable two way functionality takes the banking portal outside of the exemption in the GIC reg which applies to CEMs “sent to a limited-access secure and confidential account to which messages can only be sent by the person who provides the account to the person who receives the message”. The “one way” restriction interpretation of the CRTC belies the policy behind the exemption, which was to remove restrictions on commercial speech where they served no useful purpose and to not regulate secure and confidential banking portals. There is no useful purpose served by preventing the exemption from applying where the portal functionality permits the consumer to communicate with an organization with which it does business.
Can a real estate agent working for a broker send out a CEM based on a referral from a customer to an acquaintance of the customer who is looking for a good real estate agent? No. The GIC regs contain a one time referral exemption. However, it is so narrowly crafted it doesn’t work in many situations in which it would be expected to. To work, the referrer and the intended recipient must be individuals. The GIC regs thus appear to distinguish between persons which include organizations and their employees and individuals. Thus a person acting as an employee may not be an individual who can make a referral or be entitled to get one. The GIC reg requires that the person making the referral have an existing business relationship, an existing non-business relationship, a family relationship or a personal relationship with the person who sends the message as well as any of those relationships with the individual to whom the message is sent. Since those categories are also narrowly drafted they won’t always apply, including in the question above where the recipient is merely a friend, but not a close friend, of the person making the referral.
Getting consents, unsubscribe, and CEM information requirements
If you are speaking to a person over the phone and you ask for his/her express consent to send him/her promotional materials about your products or services have you complied with CASL? No. Under the CRTC regs you have to do much more. CASL recognizes that consents can be given orally or in writing. However, for each, the person requesting consent has to tell the person being asked for the consent, the name by which the person seeking consent carries on business and provide the person’s mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person seeking consent. The customer also has to be told that the consent can be withdrawn at any time. This is not a good customer experience.
If a company asks for consent to send people CEMs, does the consent extend to its affiliates? No, unless the consent is also requested for the affiliates. If this request is made, then the person seeking consent also has to identify all of the affiliates by name, provide all of the same information about each affiliate that the person has to provide about itself, and tell the person whose consent is being sought that the consent is also being obtained on behalf of the affiliates. Can you imagine the consumer experience if this is done over the phone or in person? An organization can also seek consent on behalf of unnamed affiliates or third parties. But if it does, then Section 5 of the CRTC regs applies, and its requirements are very onerous and should be avoided if possible.
Must an individual or business have a website to send SMS messages that are CEMs? Yes. The CRTC regs set out the extensive information that must be included in each message that is sent out. The same rules apply, regardless of the medium used. It includes virtually the same information that must be included in every request for consent to send a CEM including the name of the business sending the message, and the sender’s mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person sending the message or, if different, the person on whose behalf the message is sent. An unsubscribe mechanism must also be provided. If it is not practicable to include the information and unsubscribe information in the CEM, that information may be posted on a web page that is readily accessible by the person to whom the message is sent at no cost to them by means of a link that is clearly and prominently set out in the message. Since it is impossible to include the required information in an SMS message, the message sender must have a web site. Many sole proprietors and small businesses do not have web sites. It is therefore illegal for them to send out CEMs in SMS messages. Since it is also impractical to include message content and information about the message sender and how to unsubscribe in 140 characters, it makes SMS messaging almost unusable, except where the sender has a complete exemption under CASL to send the message.
Does a retailer sending out an online flyer about the products and services of a third party have to identify the sender as the retailer or the third parties as the senders and who must provide the unsubscribe mechanism? Under CASL, if a message is sent on behalf of another person, the message must state who the message sender is and on whose behalf the message is sent. Further, the message recipient has to have a right to unsubscribe from receiving CEMs “from the person who sent the message or the person — if different — on whose behalf the message is sent”. The CRTC stated in the FAQ that “only the persons who play a material role in the content of the CEM and/or the choice of the recipients must be identified”. This suggests that if the retailers provided copy for the online flyer they have to be identified as persons on whose behalf the CEMs are sent and must also provide an unsubscribe mechanism. This can’t be right. Consider online flyers from a retailer that contain advertisements for 50 “products on sale that week” of third parties. It would be unreasonable to conclude that the messages are being sent on behalf of all of those third parties. If they were, then all of these entities would have to be identified as the senders along with all of the CRTC prescribed information and each of them would have to make an unsubscribe mechanism available to consumers receiving the flyers. It is apparent that this would be hugely confusing and impossible to administer.
The computer program provisions
What do the program provisions make illegal? It will be illegal to install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless (a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with the disclosure requirements of subsection 11(5); or (b) the person is acting in accordance with a court order.
Do the computer program provisions in CASL apply to all computer programs or just those that are really malware or spyware? Unlike the laws of any other country in the world, the program provisions apply to all types of programs, even if they function exactly as users expect them to, if installed in the course of a commercial activity.
Do the program provisions apply to software in everyday machines and devices? Yes, they apply to the hundreds of thousands, if not millions, of computer programs made available to Canadians every day. The programs range from applications on personal computers, tablets and mobile devices to programs that are embedded in consumer products such as automobiles, TV sets, PVRs, home audio systems, household appliances and devices used in homes such as thermostats, security systems, lighting controls, and home networking systems, and an endless variety of other devices including watches, toys, learning systems, hearing aids and other medical devices and so forth. They are also ubiquitous in industrial and business applications.
Do the program provisions apply even if the program is installed from a server outside of Canada? Yes. They also apply to programs installed by a person from Canada onto computers in another country.
Do the functions of a program have to be disclosed when seeking consent to install a program? Yes, when seeking consent, the functions must be disclosed in general terms.
Does CASL ever require more information to be disclosed when obtaining consent? Yes, in some cases an enhanced disclosure is required. If the program performs one of the malware or spyware functions listed in s10(5), the person seeking express consent must, when requesting consent, clearly and prominently, and separately and apart from the licence agreement, (a) describe the program’s material elements that perform the function including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system; and (b) bring those elements to the attention of the person from whom consent is being sought in the prescribed manner. However, for the enhanced disclosure obligation to apply the computer system must operate in a manner that is contrary to the reasonable expectation of owners and/or users; this operation must be due to a function listed in s.10(5); and the person who installs the program must know and intend that it will operate in a manner that is contrary to the reasonable expectation of owners and/or users. Note, the CRTC’s FAQ suggests this latter condition may not be a requirement.
Can you get consent to install an update or upgrade at the same time you get consent to install the program? Yes. The basic consent and disclosure requirements do not apply to an update or upgrade if (a) there was an original express consent to the program installation, (b) the person who gave the consent is entitled to receive the update or upgrade under the terms of the express consent, and (c) the update or upgrade is installed in accordance with those terms.
Can you get consent to install an update or upgrade at the same time you get consent to install the program if the upgrade or update has a function requiring an enhanced disclosure? That’s a problem. The update or upgrade cannot be installed without obtaining a new express consent if the update or upgrade has one of the malware or spyware features listed in s10(5) that was not disclosed when the original consent was obtained.
Can a manufacturer get around the consent requirement for updates by “consenting with itself” before selling the device containing software? In the information sessions the CRTC suggested it can. You might not want to follow this strategy until it has been approved by a court.
Are there formalities that a person must comply with when asking for consents for updates and upgrades to programs? An update or upgrade is a computer program, so the usual rules should apply. However, the update or upgrade can be installed if the person who gave the consent is entitled to receive the update or upgrade under the terms of the express consent and the update or upgrade is installed in accordance with those terms. CASL doesn’t expressly address what rules apply to updates or upgrades to prior updates and upgrades.
Does CASL recognize any implied or inferred consents for the installation of a computer program? No. The limited category of implied consents only applies to the CEM consent provisions. Only express consents are considered to be valid.
Can a software publisher update a program for a person who is disabled or otherwise not in a position to expressly consent to the update based on an implied consent (where there is no prior consent to do so)? No.
Is there an exemption for consents for the program provision where there is an existing business relationship? No. That exemption applies only to the CEM provisions.
Are there any deemed express consents under CASL’s program provisions? Yes, but there are limitations which make relying on them challenging. A person is considered to expressly consent to the installation of a computer program if (a) the program falls into one of the listed categories in s10(8) e.g., it is a cookie, HTML code, Java Scripts (not all Java programs), an operating system, or is any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, but only if (b) the user’s conduct is such that it is reasonable to believe that they consent to the program’s installation. Neither the RIAS nor the FAQ explains how an organization is supposed to know if it is reasonable to believe all users consent to the program’s installation. They also do not adequately explain what is meant by a program that is “executable only through the use of another computer program”.
Does a person install or cause to be installed a program that is transmitted to a person without the transmission being initiated by the user, e.g., a push transmission? Yes.
Do CASL’s consent provisions apply to programs that are pre-installed on machines or devices? Not if the installer installs the program on a device the person owns or has authorization to use.
Do CASL’s program provisions apply to programs a person voluntarily downloads from a website? The RIAS says “CASL will not apply to installations carried out by persons on their own computing devices”. The CRTC FAQ says CASL does not apply (unless the program has some undisclosed secondary function). It gives no reasons. One of the chief drafters of the legislation says that CASL would apply.
I am a retailer, auto dealer or other person who does repairs on products that requires the installation of software. Do I have to comply with CASL’s consent and disclosure requirements even though I may not have the information needed to do so? Yes. You might try having all users sign a form authorizing you to install programs and appointing you an authorized user of the product. As an authorized user you might contend you can give yourself consent, at least according to the CRTC at the information sessions.
Are distributors and resellers of software and devices that include software responsible for CASL compliance? Yes. Many products with embedded programs are distributed through one or more distribution and reseller channels. If these entities install software, they have to comply with CASL’s provisions.
Can an organization dispense with consent to install a program if it is necessary to protect its network from cyberattacks? Surprisingly, in spite of the epidemic of cyber-security challenges faced by organizations, not in all cases. The GIC Regs have an exemption that applies to a program that is installed by or on behalf of a telecommunications service provider solely to protect the security of all or part of its network from a current and identifiable threat to the availability, reliability, efficiency or optimal use of its network. Fortunately, there is a good argument that TSP is a broader concept under CASL than in the Telecommunications Act, something that the RIAS and CRTC FAQ agree on. However, neither the RIAS nor the CRTC FAQ has expressly stated that the exemption applies to an organization’s network that is not shared with members of the public.
Can an organization install an update or upgrade to customer premises equipment (CPE) such as set-top boxes or cable modems without the consent of the customers who use this equipment? There is an exemption in the GIC Regs for a program that is installed, for the purpose of updating or upgrading the network, by or on behalf of the telecommunications service provider who owns or operates the network on the computer systems that constitute all or part of the network. Neither CASL nor the GIC Regs define what is meant by the term “network”. The better view is that the exemption should apply to the installation of computer programs on CPE, provided that the purpose requirement is satisfied (i.e. the installation is intended to update or upgrade a network) and the CPE is connected to, and therefore “part of”, the network which is being updated or upgraded.
Can an organization install a program on a computer system without consent to correct a failure in the operation of the computer system or a program installed on it, if the program is installed solely for that purpose? Yes, there is an exemption in the GIC Regs that permits this.
Can an organization install an update or upgrade to a computer program already installed prior to January 15, 2015 when the program provisions come into force? Yes. Under CASL there are two ways in which a new update or upgrade can be installed for an existing program. If the update or upgrade is treated as a new program, then express consent would be required. If reliance was going to be placed on a prior consent associated with the first installation, then there would need to be (a) an original express consent to the program installation, (b) an entitlement to receive the update or upgrade under the terms of the express consent, and (c) installation of the update or upgrade in accordance with those terms. There is a transitional provision which provides an “implied consent” to install an update or upgrade for a period of 3 years. That wording is problematic, unless you read the words implied consent to mean “implied express consent” or read the word “implied” to mean “express”. The section is meaningless unless it is given one of these interpretations, something that is implicitly accepted in the RIAS and by the CRTC.
More information about CASL
In the last few years, I have published numerous blog posts about CASL. Many of them are listed below for your reference.
- CASL: getting consents for upgrades to computer programs on pre-installed and resold devices
- CASL: when is a computer program installed or caused to be installed according to the CRTC
- CASL Spamaflop not constitutional
- CASL computer program guidance from the CRTC
- CASL’s inscrutable computer program provisions to be tackled by CRTC
- Michael Geist’s defense of Canada’s indefensible anti-spam law CASL
- CASL: myths about Canada’s anti-spam law
- CASL enforcement against charities clarified by CRTC
- CASL Spamaflop
- CASL’s effect on small business, June 21, 2014
- CASL clarified by CRTC at information sessions, June 8, 2014
- CRTC releases new CASL FAQs, May 8, 2014
- CASL: insights into Canada’s anti-spam law at the Lexpert conference, May 6, 2014
- CASL and Freedom of Expression – The Writing Is on the Wall, May 2, 2014
- CASL don’t forget about the computer program “malware” and “spyware” provisions, April 7, 2014
- Canada’s anti-spam law CASL applies to you even if you aren’t in Canada, March 2, 2014
- McCarthy Tétrault releases CASL compliance toolkit, February 10, 2014
- CRTC FAQ on CASL, December 18, 2013
- The Industry Canada CASL regulations and RIAS: a lost opportunity, December 16, 2013
- Legislative and Judicial Approaches to Internet Regulation: CASL as a case study, December 14, 2013
- CASL Industry Canada regulations: summary and comments, December 4, 2013
- Industry Canada CASL Regulations published, December 4, 2013
- CASL marches towards starting gate, November 13, 2013
- CASL – An FAQ, November 7, 2013
- CASL flaws not Festivus grievances, September 16, 2013
- NSA spying, cyber security and liability under Canada’s anti-spam spyware law CASL, September 9, 2013
- Implications of Canada’s Anti-SPAM Legislation (CASL) for IT Business, June 18, 2013
- CRTC reports on CASL consultation, April 16, 2013
- Charities, non-profits and CASL, February 21, 2013
- The submissions to Industry Canada on CASL, February 19, 2013
- Has the CRTC compromised its judicial independence on CASL?, February 18, 2013
- Evaluating the Industry Canada CASL regulations: my submission to the consultation, February 5, 2013
- Will CASL Hurt Charities? Let Us Count The Ways, February 4, 2013
- Evaluating the Industry Canada CASL regulations: countering cyber-security threats, February 1, 2013
- Evaluating the Industry Canada CASL regulations: defining commercial electronic message, January 30, 2013
- Evaluating the Industry Canada CASL regulations: jurisdictional overreach, January 25, 2013
- Evaluating the IC CASL regulations: the B2B exception (Part II-Non-business entities), January 22, 2013
- Evaluating the Industry Canada CASL regulations: the B2B exception (Part I-SMEs), January 21, 2013
- Evaluating the Industry Canada CASL regulations: family relationships and personal relationships, January 18, 2013
- Evaluating the Industry Canada CASL regulations: how to assess them, January 16, 2013
- CRTC guidance on interpreting its CASL regulations and guidelines at the IT-Can/TCLG meeting, January 15, 2013
- Evaluating the Industry Canada CASL regulations: why they are needed, January 14, 2013
- Industry Canada CASL draft regulations now available, January 4, 2013
- Industry Canada CASL regulations coming, December 20, 2012
- CRTC clarifies questions about CASL, December 11, 2012
- CRTC Issues CASL (Canada’s Anti-Spam Law) Guidelines, background and commentary, October 16, 2012
- New CASL regulations coming but will they fall short?, May 22, 2012
- CASL in force in 2013, April 27, 2012
- Reflections on the new CRTC CASL regulations, March 29, 2012
- CRTC finalizes CASL regulations, March 14, 2012
- Will it be illegal to recommend a dentist under Canada’s new anti-spam law (CASL)?, January 3, 2012
- Fixing CASL: comments on the draft CRTC and Industry Canada regulations, September 7, 2011
- Rethinking FISA (now CASL), May 25, 2011