In a previous post,Evaluating the Industry Canada CASL regulations: why they are needed, I suggested that close scrutiny needs to be given to Industry Canada’s new draft Electronic Commerce Protection Regulations. CASL’s “ban all” structure makes it imperative that generous regulations be adopted to ensure that the goal’s of Canada’s new anti-spam/anti-malware law (CASL) are met. In another post, Evaluating the Industry Canada CASL regulations: how to assess them, I proposed a framework for assessing the regulations.
I then evaluated the proposed family and personal relationships exception in the post, Evaluating the Industry Canada CASL regulations: family relationships and personal relationships, finding them very troubling and concluding that without rectification CASL would adversely and surprisingly impair the ability of ordinary Canadians to communicate with extended family, friends and acquaintances and people who know each other from being members of the same clubs and associations, from going to school or engaging in recreational activities together, or from business, professional or other settings. In my last post, Evaluating the Industry Canada CASL regulations: the B2B exception (Part I-SMEs), I examined the proposed new business to business exception, focusing on its failure to remedy CASL’s impairment on the start-up and growth of small and medium sized enterprises.
In this post I will focus on the regulations`failure to correct the flaws in CASL that make it even more burdensome for educational institutions, libraries, archives, museums, hospitals, the health professions, charities, associations, clubs and other non-business organizations to comply with than the compliance burdens imposed on businesses.
The proposed business to business regulation would create a new complete exception from CASL for a commercial elctronic message like an email (CEM) that is sent by an employee, representative, contractor or franchisee of an organization “to an employee, representative, contractor or franchisee of another organization if the organizations have a business relationship at the time the message was sent and the message concerns the affairs of the organization or that person’s role, functions or duties within or on behalf of the organization”.
Industry Canada provided the following background to this regulation:
Since it applies broadly to commercial electronic messages, the Act captures regular business to business communications that are not the types of threats that were intended to be captured within the scope of the Act. To ensure these business communications are not regulated under the Act, the proposed Regulations include exemptions for commercial electronic messages that are.
Since it applies broadly to commercial electronic messages, the Act captures some regular business communications that are not the types of threats that were intended to be captured within the scope of the Act. To ensure these business communications are not regulated under the Act, the Regulations include business to business exemptions for commercial electronic messages that are sent within a business, or sent between businesses that are already in a business relationship, where the messages are sent by an employee, representative, contractor or franchisee and are relevant to the business, role, function or duties of the recipients. These proposed exemptions address many of the most serious concerns raised in the consultations about the unintended application of CASL to ordinary, transactional business communications.
These new regulations are justified for the reasons given by Industry Canada. They should be retained.
The new regulations, however, only partially solve the “ban all” structural flaws in CASL that results in having to recognize and appropriately define exceptions rather than directly targeting truly harmful behavior. This approach to legislation inevitably results in overreach because of the impossibility of identifying all required exemptions. In this case, it is manifested in CASL’s approach to the “business relationship” and non-business relationship implied consent exceptions. CASL gives some business organizations implied consents to send CEMs, while inexplicably denying the same exception to other organizations such educational institutions, libraries, archives, museums, hospitals, charities, associations, clubs and other non-business organizations which do not have business relationships with other persons in many circumstances.
This discriminatory treatment can be seen by examining s.10(9). Pursuant to this provision consent is implied for the purpose of the spam portion of the Act in the following situations:
(a) the person who sends the message, the person who causes it to be sent or the person who permits it to be sent has an existing business relationship (an EBR) or an existing non-business relationship (a non-EBR) with the person to whom it is sent;
(b) the person to whom the message is sent has conspicuously published, or has caused to be conspicuously published, the electronic address to which the message is sent, the publication is not accompanied by a statement that the person does not wish to receive unsolicited commercial electronic messages at the electronic address and the message is relevant to the person’s business, role, functions or duties in a business or official capacity;
(c) the person to whom the message is sent has disclosed, to the person who sends the message, the person who causes it to be sent or the person who permits it to be sent, the electronic address to which the message is sent without indicating a wish not to receive unsolicited commercial electronic messages at the electronic address, and the message is relevant to the person’s business, role, functions or duties in a business or official capacity; (emphasis added)
Business organisations can rely on an “existing business relationship” to avoid obtaining an express consent. The term “existing business relationship” is defined to require “a business relationship between the person to whom the message is sent” and the sender which arises from several prescribed conditions including the purchase of a product, good, or service within a two-year period before the message is sent.
The EBR exemption does not deem a business relationship to exist merely because an organization engages in a transaction or other activity that meets one of the listed conditions. Accordingly, when educational institutions, hospitals, medical providers, charities, clubs, and other non-business organizations provide goods or services to the public they cannot automatically claim the EBR exemption. For example, when a college or university provides educational services to students, when a hospital or physician provides medical services to patients, when a charity provides services to the community, or when organizations such as hospitals and universities collaborate on research, and in the course of those activities send CEMs, none of them will be able to rely on the implied consent EBR exception, unless serendipitously a business relationship happens to arise from these or other interactions.
One might have surmised that organizations with non-business relationships such as educational institutions, hospitals, medical professionals, charities, associations, and clubs would be able to benefit from the same implied consent exception under the “existing non-business relationship” exemption. However, that exception only applies where there is a non-business relationship between the person to whom the message is sent and the sender of the message that arises from certain gifts and donations, volunteer work, and memberships in clubs, associations, or voluntary organizations. It does not include any other type of relationships, presumably under the false assumption that these organizations only send CEMs to donors and volunteers or to persons with whom they contract to buy goods or services. This completely overlooks the plethora of non-business relationships these organizations have with the community.
The structure of the EBR and non-EBR exceptions also fails to take into account the extremely wide definition of CEMs which makes virtually all electronic messages which encourage participation in a commercial activity with the organization or with another organization to be caught by CASL. Yet, the EBR exception is based on a much narrower notion of the existence of a business relationship. For example, when a charity sends out a newsletter by email to a list of subscribers which contains advertisements or which promotes a product or service with a hyperlink to the seller’s website, that newsletter is likely a CEM. A newsletter from the CNIB with such ads or which otherwise encourage subscribers to purchase large print calendars, talking watches, easy-view playing cards, or other accessible products and technologies from third parties that make life with vision loss easier, is an illustration. Yet, the recipients may have no EBR or non-EBR with the charity. This gap inexplicably leaves charities and many other non-business organizations without either implied consent exemption in many cases.
Persons wanting to send to CEMs to non-business organizations without express consent may also not be able to do so, even though the recipient’s name is conspicuously published on the organization’s website. The conspicuously published exception does not extend to all messages sent to an organization that is not a business organization. It applies only where a message is sent to an “electronic address and the message is relevant to the person’s business, role, functions or duties in a business or official capacity”. This hinders communications between businesses and non-business organizations, impediments that do not exist for CEMs sent to a business.
Persons wanting to send to CEMs to non-business organizations without express consent may also not be able to do so, even though the recipient has disclosed the person’s electronic address without indicating a wish not to receive unsolicited messages. The “business card” exception would also likely not extend to all messages sent to an organization that is not a business organization because it applies only where a message is sent to an “electronic address and the message is relevant to the person’s business, role, functions or duties in a business or official capacity”. This also hinders communications between businesses and non-business organizations, impediments that also do not exist for CEMs sent to a business.
CASL also has a three year transitional provision that recognizes implied consents where there is an existing business relationship or an existing non-business relationship. If non-business organizations do not fit into either category for some CEMs for the reasons set out above, then these organizations will be deprived of the same transitional provisions as businesses. They will thus be required to spend more of their scare resources faster to attempt to comply with a law that businesses are given three years to transition to.
The draft regulations continue and do not rectify this discriminatory treatment. They would provide businesses with a complete exemption for a CEM “that is sent by an employee, representative, contractor or franchisee of an organization” to an employee, representative, contractor or franchisee of another organization if the organizations have a business relationship at the time the message was sent and the message concerns the affairs of the organization or that person’s role, functions or duties within or on behalf of the organization”. Non-business organizations may have a variety of relationships with other organizations that would not be characterized as business relationships such as, for example, relationships that focus on education, medical care, charitable services, research, collaboration, and public affairs, but they could not claim the new exemption. Both business and non-business organizations should have the exemption for the reasons given by Industry Canada.
CASL’s “ban all” approach to regulating CEMs will inevitably result in not-for-profit entities, educational, charities, and other organizations finding themselves barred from communicating with others electronically. They can’t send CEMs without express consent and it will be illegal to send an email or other electronic message to even ask for consent. These inadvertent consequences flow from CASL’s flawed “ban all” structure. When all commercial speech is “banned” subject to certain conditions, it is impossible to enumerate or properly craft or fairly develop all of the needed exceptions to prevent truly undesirable consequences; in this case, treating non-business organizations more harshly than business organizations.
There is no good policy reason for treating educational institutions, hospitals, medical providers, charities, and other non-business organizations more onerously than businesses. In fact, there are good policy reasons for giving one or more of these groups complete exemptions from the statute. There are also good reasons for exempting them entirely from the threat of class actions under the private right of action provisions, in the same way that Parliament exempts or limits the award of statutory damages for copyright infringement against educational institutions, libraries, museums and archives.
Ensuring that non-business organizations have at least the same implied consent exception as business organizations would not undermine CASL’s goal of deterring and protecting individuals from the most damaging and deceptive forms of spam. Not according them the same treatment would adversely impact their ability to utilize the most modern and efficient messaging systems to accomplish the important public duties they provide. This is certainly contrary to the goals of CASL. These problems need to be fixed. These fixes are also not “loopholes”.
For more information about CASL, see, CASL: the unofficial FAQ, regulatory impact statement, and compliance guideline.
