Spam now so you can Spam later

CASL - the new Canadian anti-spam act - comes into force July 1.  It contains extensive, complex provisions that apply to the sending of any email that has a hint of a commercial purpose (a “CEM”).  In the short term it may increase the amount of email we get.  We have all received emails from mail lists we are on asking us to confirm our consent.  But there is another reason we may get more.  The reason goes like this:

CASL requires express or implied consent from the recipient before a CEM can be sent.

The act contains a transitional provision that gives up to 3 years to get express consent. (The section is below.) To take advantage of that, there must be a current or prior business or non-business relationship with the recipient AND that relationship must include communication of CEM.

Couple that with the fact that after July 1 you can’t send an email to request consent (unless there is implied consent).

So to pull as many email addresses as possible into the transition provision, maximize express consents, and give the longest possible time to obtain them, the tactic is …?

Before July 1, pull together every email address you can get from every person that you can fit into the business or non-business relationship category, and send CEM to them.

The transition section:

66. A person’s consent to receiving commercial electronic messages from another person is implied until the person gives notification that they no longer consent to receiving such messages from that other person or until three years after the day on which section 6 comes into force, whichever is earlier, if, when that section comes into force,

(a) those persons have an existing business relationship or an existing non-business relationship, as defined in subsection 10(10) or (13), respectively, without regard to the period mentioned in that subsection; and

(b) the relationship includes the communication between them of commercial electronic messages.

Cross posted to Slaw.

Anti-spam bill impact will be immense

For the London Free Press – February 10, 2014

Read this at

The Canadian anti-spam act comes into force July 1, 2014. If you think it won’t affect your business or not for profit because you don’t send mass e-mails trying to sell random products, you would be wrong.

It defines spam — the act calls it commercial electronic messages — so broadly that it will affect how most organizations communicate. The definition goes far beyond what the average person would consider spam. It then layers on a series of complex exceptions and implied consents that allows commercial electronic messages to be sent in certain circumstances.

Volume is irrelevant. One e-mail sent to one person can be spam, and subject the sender to a fine of up to $10 million. Starting in 2017, remedies will include a private right of action (the right of recipients to sue the sender) that allows for the payment of statutory damages. In other words, there will be no need to prove actual damages were suffered from receiving the message.

Depending on the nature of the message and the relationship between the sender and recipient, some commercial electronic messages can be sent without any conditions, some require an unsubscribe mechanism, and some can’t be sent at all.

Unfortunately the act’s biggest impact will be the compliance headache it will cause the average business or not for profit.

In the short term, we can expect to receive a deluge of e-mails requesting that we consent to receive e-mails from various entities for various things. In many instances recipients may be confused or perhaps ignore those requests, based on the thought that they are already getting the messages or have already consented.

Recipients may not understand that subtle differences in how consent is requested, granted or tracked.

Some things worth noting include:

  • Directors and officers can be personally liable if they participate in or acquiesce to violations under the act.
  • Charities benefit from some additional exemptions, but the act still applies to many things most charities do.
  • Commercial electronic messages are defined broadly to include more than e-mail — such as certain social media messaging tools.
  • The onus of proof is on the sender, meaning that the sender must track and document compliance on an individual recipient basis in order to defend itself from alleged violations of the act.
  • Consents to receive commercial electronic messages must be obtained in specific ways and by disclosing specific information.
  • Consents one already has that are sufficient for privacy legislation may or may not be grandfathered, as valid consents depending on the circumstances.
  • the act includes a three-year grace period for consents — but only in certain defined situations.
  • Sending an e-mail to request consent is itself considered spam.

Given the complexity of the Canadian anti-spam act and the consequences for non-compliance, businesses and not for profits can’t afford to ignore this. Legal help is available to assist. More information on the act can be found on the author’s blog by searching for “anti-spam” at


Some CASL Clarification

Todays Slaw post.

CRTC and Industry Canada representatives provided some insight into their thoughts on CASL (the new anti-spam law that kicks in July 1) in an IT-Can forum on Monday.

To come under the complex CASL rules, the email must be a “commercial electronic message” or CEM.  It does not take much to cross that threshold.  An example of a law firm emailing details about a new court decision was discussed.  If a pure case summary was part of or attached to an email (eg The Supreme Court of Canada today released a decision that decided…), and the email had a standard footer that includes a logo and link to the law firm’s web site, then the wording of the act is broad enough that the mere link makes it a CEM.

The regulator’s view was that while technically you could interpret that as a CEM under CASL because of the link, they would not consider that of a commercial nature. But all it takes to turn that into a CEM is any hint of a promotion of the law firm’s services, such as a sentence that says “We can help…”

In practice, mass emailings may be the easiest type to deal with, as CRM and mailing tools are available to manage the process and track permissions.

The daily emails that employees of organizations send will be more difficult to deal with.  Knowing the difference between sending an email that is OK to send because it is not a CEM or is a routine customer interaction, one that requires some sort of consent and an unsubscribe mechanism, and one that you simply can’t send at all, will not be easy for the average person doing their jobs.

CASL (Anti-Spam Act) and Charities

CASL (the anti-spam act) will apply to charities when it comes into force on July 1, 2014. The good news for charities is that the recently published Industry Canada regulations say that electronic messages are not spam if they are:

sent by or on behalf of a registered charity as defined in subsection 248(1) of the Income Tax Act and the message has as its primary purpose raising funds for the charity

That means that if a charity sends an email asking for a donation, it is not spam. But the Act does apply to emails a charity might send where that is not the “primary purpose”. The Act applies to any electronic message a charity sends that “is of a commercial character”, which means that one of its purposes is to “encourage participation in a commercial activity”.  That includes the promotion of or offer to sell a product or service. For example, a charity that is in the arts that sends an email promoting an upcoming exhibit, play or concert would have to comply with the Act. It is unclear at this time the extent to which “primary purpose raising funds for the charity” saves emails from being of a commercial character.  A request for a pure donation would.  Soliciting attendance at a paid fundraising event may or may not.  Hopefully we will get some guidance on this from the CRTC. The grandfathering and transitional provisions will apply to charities similar to anyone else.  Charities do however benefit from some additional definitions of implied consent by virtue of the definition of “existing non-business relationship” which includes

  • anyone who has donated within the past 2 years; or
  • volunteers who performed work or attended a meeting within the last 2 years.

The bottom line is that any charity that sends emails or other electronic messages that are of a commercial character for any reason other than a primary purpose of raising funds must comply with the Act just like any other business. For more detail about CASL see my previous blog posts, particularly the 5 part article series.

Anti-spam act (CASL) timing

The final regulations for CASL were published in December.  Here are some key dates to keep in mind.

  • The Act’s provisions affecting the sending of spam become effective on July 1, 2014.
  • The Act’s provisions requiring specific permission to install certain types of software become effective on January 15, 2015.
  • The Act’s provisions providing a private right of action remedy (the ability for anyone to sue anyone violating the Act) become effective July 1, 2017.

One key issue is whether existing consents to send electronic messages that are valid under privacy laws will be grandfathered.  The answer to that seems to be “it depends”.

FAQ’s published by the CRTC say:

If you obtained valid express consent prior to CASL coming into force, you will be able to continue to rely on that express consent after CASL comes into force, even if your request did not contain the requisite identification and contact information.

The uncertainty in that is the reference to “valid express consent”, especially since the CRTC insists that consent can only be given by a positive step (ie opt in), but under PIPEDA it is possible in some circumstances to get opt-out consent.  So the test is not the strict CASL requirement, but not all consents acceptable under privacy law might be sufficient.

CASL also has a transitional provision (section 66).  The CRTC’s FAQ on that says:

Section 66 deems implied consent for a period of 36 months (unless the recipient withdraws consent earlier) where there is an existing business or non-business relationship and the relationship includes the communication of CEMs. During the transitional period, the definition of existing business or non-business relationship is not subject to the limitation periods (6 months and 2 years) that would otherwise be applicable under CASL, for implied consent to exist.

That is not as simple as it sounds, as one must look to the definitions of ”business relationship” and “non-business relationship” to see if the recipient fits. And the sender must have sent the recipient electronic messages prior to July 1.

The grandfathering and transitional provisions are helpful, but the safest practice would be to try to get explicit permission that complies with CASL requirements before July 1.  One reason to do that is that after July 1 it will be considered spam to email someone to ask for their permission unless you already have implied or express consent.

Keep in mind that the onus to prove a sender has consent is on the sender.  That means that if the sender is accused of violating the act and sending spam, the sender must prove that it had explicit consent, or that it had implied consent by virtue of one of the exceptions in the Act.

For more detail about CASL see my previous blog posts, particularly the 5 part article series.


CASL – Bah Humbug to holiday greetings

Today’s Slaw post:

We all receive – and many of us send – electronic holiday greetings this time of year.  They can range from a simple email to animated cards to elaborate videos.

Next December the new anti-spam law (aka CASL) will be in force.  Depending on how we send holiday greetings, what is in them, and who we send them to, CASL will act like the Grinch to classify some of them as spam, and make the sender subject to a massive fine or other remedies.

Figuring out whether a Christmas card is spam, like any other electronic message, will not be easy.  That is going to be one of the most frustrating and burdensome parts of the legislation.

If one of the purposes of the greeting is “to encourage participation in a commercial activity”, then it is spam.  The boundaries of that are not clear, but it is clear that it doesn’t take much to cross it.  I suspect many holiday greetings from law firms or business would be considered somewhat promotional and thus be considered spam.

So the first challenge will be to design messages that are not commercial.  While most corporate cards are primarily meant to offer genuine good thoughts, there is a promotional aspect to them as well.  Would, for example, our Harrison Pensa card below that links to a web page be considered commercial?

If it might be of a commercial character, then you have to look at every single person you send it to determine if they fit within one of the many exceptions.  My spam isn’t necessarily your spam.  The family and personal relationship exceptions may surprise many in the narrowness and complexity of application.  The implied consent exceptions are numerous but technical.

CASL will push many corporate holiday greetings into centrally managed databases and out of the hands of individual lawyers or employees.  So basically, one has to engage a lawyer to determine what your Christmas greeting can say, and who you can send it to.  Bah Humbug.

Anti-spam law regulations

Todays Slaw post:

I just listened to an IT.Can teleconference with Barry Sookman commenting on the final anti-spam regulations.  This post summarizes a few key issues that arose.

As you probably know, the CASL regulations are now final.  The anti-spam portions of the act come into force on July 1 2014.  This is a shorter grace period than many had expected.

Many business were waiting for these regs before figuring out how it affected them.  Unfortunately the regs did not remove most of the compliance burden.  Businesses need to start working towards compliance very soon.

The provisions that deal with permissions required for software do not apply to January 2015.

Private rights of action, including class actions, are not available until Jan 1 2017.  That is welcome, as the thought of class actions with severe potential penalties is a scary one in light of all the uncertainty over CASL’s interpretation.

A RIAS (Regulatory Impact Analysis Statement) was published to try to help with understanding CASL.  Other FAQ type stuff has been and will be published.  These will be helpful, but don’t have the force of law, and in some cases seem to be more restrictive than what CASL and the regs actually say.  Abiding by the RIAS won’t save you if a court or regulator decides to interpret the act differently, but may be helpful to show diligence.

The RIAS tries to help with the definition of CEM, for example.  There had been comments by the CRTC that said even a link in an email was enough to make it a CEM.  The RIAS tries to soften that, but doesn’t help much as while a mere link doesn’t make it a CEM, anything in it encouraging commercial activity will.

Grandfathering of existing consents under PIPEDA are only partially accepted, depending on the nature of the consent.

The exception in the regs re family and personal relationships will be important particularly for small enterprises.  The final regs actually narrowed the definition of family relationships, even though government said they were going to expand it.  Those provisions must be read carefully as the definitions are narrower than most people would think would be caught by the family and personal concepts.

Given the broad definition of CEM and the ban all approach, exceptions are crucial.

The regs include some helpful exceptions, such as those that apply to:

  • B to B communications for existing business relationships.
  • Exclusion of certain messaging systems
  • Messages over certain ecommerce portals
  • Some situations where recipients are in foreign states

The software permission parts don’t come into effect for a year, but the concern is that the CASL effect on software is wide ranging and applies not only to typical computer software, but also to any software that is on any device – ranging from thermostats to appliances to cars.  There will be huge problems complying with those for many reasons. And they are far beyond anything required in any other country.

Anti-spam act (aka CASL) in force July 1, 2014

Todays Slaw post: The latest word is that Canada’s anti-spam legislation will be in force on July 1, 2014, with the software provisions coming into force in January 2015.  The final regulations will be published in the Canada Gazette on December 18. More information about the law can be found in previous articles here. Proponents of the law feel that it is going to have a substantial effect on the fight against spam.  But as I have said before, my personal view is that the legislation as drafted is ill-conceived and will be a compliance nightmare for businesses and charities. Stay tuned as we digest the regulations after they are published.

Anti-spam law – update on timing

Today’s Slaw post

On Monday I chaired a joint LSUC /IT-Can afternoon on IT privacy law.  One of the panels was on the anti-spam act, including representatives from the CRTC and Industry Canada.  While there is no clear implementation date yet, Industry Canada expects the final Industry Canada regulations will be out in late summer or early fall.  When those come out, an implementation date will be announced.  Industry Canada is recommending that there be an implementation delay of several months to allow business to comply, but that decision is ultimately in the government’s hands.

The legislation is very complex, with exceptions layered on exceptions.  The CRTC, which is the prime enforcer of the law, has published some guidelines, will publish more, and will also publish FAQ’s.  So essentially, to understand the legislation, one has to look at the act, the regs, CRTC and perhaps Industry Canada guidelines and explanatory material.

That’s fine when dealing with the CRTC’s enforcement, but makes me nervous as one might rely on that, then be faced with an individual lawsuit or class action where a judge disagrees with the CRTC’s interpretation.