Yesterday, Andre Leduc of Industry Canada, Lynn Perrault of the CRTC, along with Toronto IT lawyers Mike Fekete and Mark Hayes, spoke at IT.Can’s The 2003 Information Technology Law Spring Forum. Their topic was the Implications of Canada’s Anti-SPAM Legislation (CASL) for IT Business.
Andre Leduc, who was involved in the drafting of CASL and the Industry Canada regulations, provided some information about next steps with respect to bringing CASL into force. He stated that:
- Industry Canada has completed its analysis of feedback received on the second draft of the Industry Canada regulations. It is now considering options for the Minister. The Minister must approve the options. Then the options must be approved by Treasury Board.
- The regulations will be published in Part 2. Accordingly, they will be final once published this time around.
- The final regulations are likely to be finalized late this summer or in the fall. Much depends on the political process including when the Minister approves the regulations and when they are approved by Treasury Board.
- The earliest time that CASL could come into force is when the regulations become final. However, Industry Canada will recommend to the Minister that the public be given a reasonable amount of time after the regulations are finalized before CASL becomes law, likely a period of between 8 months and 1 year.
- Andre’s best guess of when CASL will come into force, subject to the decisions of the political masters, is next fall (fall 2014).
- The coming into force date will be in the final regulations.
- Andre spent a good portion of his time summarizing the draft regulations, but except in a few cases did not indicate what changes to the regulations are being proposed. He indicated changes were likely to expand the definition of family relationship and to clarify the exceptions related to computer programs.
Lynn Perrault explained the role of the CRTC in enforcing CASL. She also said that:
- CASL has the highest level of administrative monetary penalties (AMPs) in any piece of Canadian legislation. Initially, there were concerns about whether it would be constitutional. There is now more comfort that the level of AMPs can be defended. (Earlier, Andre Leduc had indicated that for constitutional reasons, CASL’s AMPs cannot be penal. But, to be a real deterrent the penalties had to be significant enough to address the business models of spammers without being penal.)
- Lynn confirmed again that where the CRTC Guidelines use the word “should”, the requirements are not mandatory, i.e., “should” is not the same as “must”.
- The CRTC is working on FAQs to be posted in the near future. The CRTC is coordinating these with Industry Canada. A FAQ will address the meaning of the term CEM.
Mike Fekete and Mark Hayes then gave a presentation on 10 challenges businesses will have complying with CASL and why CASL is problematic. In summary, they (one or both of them) said the following:
- CASL’s breadth and structure are a major problem; it applies to almost every entity; the bill is not about SPAM – it is about commercial electronic messages; it is not about malware or spyware – it is about computer programs. CASL’s structure is guaranteed to result in overregulation. The need for exemptions in the Act, more exemptions in regulations, Guidelines and FAQs shows just how problematic its ban-all structure is.
- Lack of an exception for inferred consent (which exists in Australia, on whose legislation CASL was modeled).
- The prescriptive and detailed nature of what is required to request consents. These are in CASL, in the CRTC regulations and in the Guidelines. These requirements are not consistent with practices being used today even by multinational companies. It will be very difficult for companies to migrate their practices to CASL.
- The confusing nature of the exemptions. There are different types including complete exemptions, exemptions only from the consent requirements, and implied exemptions for consents. Mark Hayes expressed the opinion that he has not seen anyone able to adequately explain how CASL works to small and medium-sized businesses.
- The difficulties in obtaining consents and meeting the disclosure requirements on mobile devices. When you actually try to apply CASL to various scenarios, it can become very challenging.
- The CRTC Guidelines on bundled consents and use of toggle boxes are problematic. There are circumstances when they will not benefit consumers. For example, vendors of security software often use pre-checked boxes to obtain consents from consumers to the installation of upgrades. Few consumers add check marks to un-pre-checked boxes. Thus, ironically, CASL will hurt consumers by resulting in a lower standard of protection against viruses and other malware on consumers’ computers.
- Obtaining consent on behalf of affiliates and other third parties will be difficult.
- Proving that consents have been obtained using the Guidelines recommended by the CRTC will be problematic.
- It will be difficult to determine how to measure whether a person installing a computer program has a reasonable belief that they have individuals’ consent to the installation of computer programs.
I have made similar comments about CASL in numerous blog posts and in my submissions to Industry Canada. See Canada’s anti-spam law, too much of a good thing and Evaluating the Industry Canada CASL regulations: my submission to the consultation.
For more information about CASL, see CASL: the unofficial FAQ, regulatory impact statement, and compliance guideline.