Information Session on Canada's Anti-Spam Legislation

Presentation

Download the presentation given at the information session.

Disclaimer

This presentation has been prepared by Commission staff to provide general information with respect to Canada’s Anti-spam Legislation (CASL). This material is not to be considered legal advice nor is it binding on the Commission itself. Further, it does not reflect an interpretation of CASL and/or its accompanying regulations by the Office of the Privacy Commissioner, the Competition Bureau or Industry Canada.

Purpose

To offer as much predictability and transparency as we can, within the limit of our confidentiality obligations. This will also enable us to be effective in the discharge of our enforcement mandate.

Highlights

Enforcement of CASL
CASL Regulations
CASL Information Bulletins
Additional Guidance Material
Communications Products

Enforcement of CASL

Overview of CASL - Legislative roles

Administration	Violation	Addressing
CRTC	The legislation includes violations respecting: sending of commercial electronic messages (CEMs) without consent alter transmission data in the course of a commercial activity without consent Installing a computer program in the course of a commercial activity without consent	Spam (s.6) Botnets (s.8) Malware (s.8) Network re-routing (s.7)
Competition Bureau (CB)	Amends the Competition Act to include violations respecting: Misleading and deceptive practices / representations, including false headers, subject lines, etc…	False or misleading representations online (incl. websites and addresses)
Office of the Privacy Commissioner (OPC)	Amends Personal Information Protection and Electronic Documents Act (PIPEDA) to include contraventions involving: The collection and use of personal address information without consent The collection of personal information by illegally accessing, using, or interfering with computer systems	Address harvesting (steal email contacts) Dictionary attacks (Systematically guessing email addresses to spam) Spyware (Personal Info)

CASL Tripartite MOU

Agreement between 3 CASL Enforcement Agencies

CRTC, Competition Bureau and the OPC

The purpose is to set out a framework respecting:

cooperation and coordination among Participants in relation to enforcement activities under CASL; and
the treatment of information that is shared among the Participants for the purpose of facilitating enforcement activities.

Main Elements of the legislation

The legislation addresses the recommendations of the Task Force on Spam with a comprehensive regulatory regime that uses economic disincentives instead of criminal sanctions to protect electronic commerce and is modelled on international best practices. The regime includes:

New Violations
Administrative Monetary Penalties (AMPs)
Domestic and International Cooperation
Extended Liability (follow the money)

Support mechanism:

A Spam Reporting Centre

CRTC Enforcement Process

Consequences of a violation

Administrative Monetary Penalties (AMPs)

maximum penalty for individual = $1,000,000 / violation
maximum penalty for an organization = $10,000,000 / violation

Extended Liability, including:

vicarious liability
director/officer liability

Compliance Continuum

Partnership Approach

The CRTC has developed or is in the process of developing partnerships with: Non-profit organizations, Mail service providers, Telecom service providers, Email service providers & marketers, Reputation and security vendors, Government organizations & alliances.

Non-Profit Organizations
Mail Service Providers
Telecom Service
Email Service Providers & Marketers
Reputation and Security Vendors
Government Organization & Alliances

What is Success?

Direct

Increased compliance with legislation
Change Canada’s reputation as spam haven
Reduction in infected electronic devices

Indirect

Adoption of Best Common Practices (BCP’s)
- Enable / encourage many new Best Practices in the industry
Create a level playing field for companies
Cost savings for Business and Consumers
Reduction in Consumer losses
Increased Consumer protection, empowerment, and confidence in the e-marketplace

CASL Regulations

CASL Contemplates two categories of regulations:

Governor in Council regulations (managed by Industry Canada)
CRTC regulations (for which the Commission is responsible)

Both sets of regulations were published in the Canada Gazette for a 60 day comment period

CRTC Regulations were made in March 2012
GIC Regulations were made in December 2013

CRTC CASL Regulations

The final CRTC regulations were made on March 28, 2012
The Regulations relate solely to the CRTC’s mandate under CASL, namely, Section 6 to 8
They include:
- Reg 2: Information to be included in CEMs
- Reg 3: Form of CEM
- Reg 4: Information to be included in a request for consent
- Reg 5: Specified functions of computer program

Information Bulletins

Purpose of Information Bulletins

The CRTC has published the following two information bulletins to help Canadian businesses better understand CASL and facilitate compliance:

Certain provisions of the Electronic Commerce Protection Regulations (CRTC)
(Compliance and Enforcement Information Bulletin CRTC 2012-548)
The requirement to obtain express consent under CASL when using Toggling
(Compliance and Enforcement Information Bulletin CRTC 2012-549)

The Electronic Commerce Protection Regulations (CRTC) Information Bulletin

Information to be included in a CEM (Reg 2)

Sender(s) must be identified
- Including Affiliates
CEMs must include the sender’s mailing address
- Definition
- Valid for 60 days

This is an example of an unsubscribe mechanism by email. The email says I would like to unsubscribe from receiving: All messages from Company Inc. or, All promotional messages from Company Inc. I will continue to receive notifications consisting of factual information about my account and purchases. At the bottom of the message you may choose to submit your consent.
Form of CEM (Unsubscribe Mechanism) – (Reg 3)

This is an example of an unsubscribe mechanism by text message. The text from Company Inc. says- Special offer! 40% discount on all widgets. Text STOP to unsubscribe. To submit your consent, reply to the text message with the word STOP.
Information to be included in a request for consent – (“sought separately”) – (Reg 4)

Specify functions of computer programs (Reg 5)

Use of Toggling Information Bulletin

What is Toggling?

Additional Guidance Material

Personal and Family Relationships

Section 6 of CASL does not apply to a CEM sent to an individual with whom the sender has a “personal or family relationship”, as defined in paragraph 2(b) of the GiC Regulations.
A “personal relationship” involves direct, voluntary, 2-way communication.
- In each case, the non-exhaustive list of factors set out in paragraph 2(b) (e.g. sharing of interests, frequency of the communication, etc.) will be taken into consideration.
As explained in the RIAS, the definition of “personal relationship” should remain limited to close relationships.
- The purpose is to establish limits and prevent potential spammers from exploiting this concept in order to send CEMs without consent.
A “personal relationship” is one that exists between individuals.
- Legal entities, such as a corporation, cannot have a personal relationship. Someone who sends a CEM on behalf of a corporation may not claim to have a personal relationship with the recipient.

Express consent obtained prior to CASL

If you obtained valid express consent prior to CASL coming into force, you will be able to continue to rely on that express consent even if your request did not contain the requisite identification and contact information
All CEMs sent after CASL comes into force must contain the requisite information, meet all form requirements and contain an unsubscribe mechanism
CASL requires the sender to prove having obtained valid express consent.

Transitional period for implied consent

Section 66 deems implied consent for a period of 36 months (unless the recipient withdraws consent earlier)
There must be an existing business relationship or existing non-business relationship
The relationship must include the communication via CEMs
During the transition period, the definition of existing business relationship and non-business relationship is not subject to the limitation periods (6 months and 2 years) that would otherwise be applicable under CASL, for implied consent to exist.

Business to Business

Commercial electronic messages (CEMs) sent by an employee, representative, consultant or franchisee of an organization to:
- Another employee, representative, consultant or franchisee of the organization
  - Message must concern the activities of the organization
- An employee, representative, consultant or franchisee of another organization
  - The organizations must have a relationship; and
  - Message must concern the activities of the organization to which the message is sent
Consent not required to send the CEM
No requirement to add information requirements, and an unsubscribe mechanism to the CEM

Quotes/estimates vs Requests, inquires and complaints

If you are sending a CEM that is a response to a request, inquiry or complaint, requested by person to whom the message is sent, you do not need to comply with section 6 of CASL. Therefore you do not need consent or to meet the information requirements and add an unsubscribe mechanism to the CEM.
If you are sending a CEM that provides a quote or estimate for the supply of a product, goods, a service, land or an interest or right in land, if the quote or estimate was requested by the person to whom the message is sent, you do not need consent (express or implied). However, you are still required to meet information requirements and to add an unsubscribe mechanism to the CEM.

Messages sent and received on an ‘electronic messaging service’

If a messaging service, by its nature, makes information required under section 6 of the Act readily available to the recipient, then it would be redundant to require such information in each individual message.
Such information must be readily available as part of the messaging service and not as part of the device used to access the message.
In such circumstances, messages sent may be exempt.

‘Limited-access secure and confidential account’

“sent to a limited-access secure and confidential account to which messages can only be sent by the person who provides the account to the person who receives the message”

The only persons who may access such accounts consist of the person who owns or provides the account, and the account-holder.
Further, within those accounts, communication is one-way: messages can only be sent by the person who owns or provides the account. The acct-holder is unable to send messages to the account owner.
Secure portals / financial services / online banking sites hosted by banks are an example of such accounts.

CEMs sent to foreign countries

Paragraph 3(f) of the GiC Regulations excludes some CEMs sent from Canada to a foreign country from the application of section 6 of CASL (e.g. consent & unsubscribe requirements), if certain conditions are met:

The foreign country must be listed in Schedule 1 to the Regulations.
1. These are countries that have their own anti-spam legislation.
The CEM must be sent in compliance with the provisions in the foreign law that address conduct that is substantially similar to the conduct prohibited in section 6 of CASL.
The sender (or person who causes or permits the CEM to be sent) must reasonably believe that the CEM will be accessed in a foreign state listed in Schedule 1.

Registered Charities

Commercial electronic messages (CEMs) sent by or on behalf of a ‘registered charity’ as defined in s. 248(1) of the Income Tax Act, are excluded from section 6 of CASL.
The primary purpose of the CEM must be to raise funds for the charity, you are excluded from section 6 of CASL.
CASL does not apply

Political Parties and Candidates

Commercial electronic messages (CEMs) sent by or on behalf of a political party or a person who is a candidate, for publicly elected office, are excluded from section 6 of CASL.
The primary purpose of the CEM must be soliciting a contribution, as defined in subsection 2(1) of the Canada Elections Act
- ‘contribution’ means monetary or non monetary contribution.
Certain terms in paragraph 3 (h) of the Regulations are defined in the Canada Elections Act, such as “political party” and “candidate.”
CASL does not apply

Third Party Referrals

Consent not required to send the first commercial electronic message (CEM), if sent, following a referral by an individual who has an existing business relationship, existing non-business relationship, family or personal relationship
Any of the above relationships must exist with the person who sends the message AND with the individual to whom the CEM is sent
Full name of individual who made the referral and statement that message is sent as a result of referral must be within the message
Message must still contain requisite contact information and unsubscribe mechanism

Personal Relationships and Social Media

A “personal relationship” requires that the real identity of the individual who alleges a personal relationship is known by the other individual involved in such a relationship (as opposed to instances where a virtual identity or an alias is used).
Using social media or sharing a same network does not necessarily reveal a personal relationship between individuals.
The mere use of buttons available on social media websites – such as clicking “like” on Facebook, voting for or against a link or post on Reddit, accepting someone as a “Friend” on Facebook, of clicking to “Follow” someone on Twitter – will generally be insufficient to constitute a personal relationship.

Specified Computer Programs – Network Security

Solely:

If the computer program is installed for a purpose set out in one of the paragraphs of section 6 of the Regulations, and also for another purpose, then section 6 of the Regulations does not apply.

Network:

This term refers to the telecommunications service (as defined in subsection 1(1) on the Act) that is provided by the TSP to its current clients.
- These services include a feature of a service delivered by means of telecommunications facilities, including network routers and servers, regardless of whether the TSP owns, leases or has any interests in or right to the equipment and software used to provide the telecommunications service.

Failure:

Means that the computer program does not function properly and is not consistent with consumer expectations.

Existing Non-Business Relationship - Membership

You may rely on the existing non-business relationship to imply consent, to members of an association, club or voluntary organization, however, you must still meet the information requirements and add an unsubscribe mechanism to your CEMs.
You should ensure that you are only sending to members.
“Membership” means the status of having been accepted as a member of a club, association or voluntary organization in accordance with its membership requirements.
You should also ensure that your association falls within the following:
- a club, association, or voluntary organization is a non-profit organization
- organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than personal profit
- no part of its income is payable for the personal benefit of any member unless the member is an organization whose primary purpose is the promotion of amateur athletics in Canada.

Communications Products

Future Informative Guidance Material

Cross Country Information Sessions and Speaking Engagements
Webinars
Information Bulletins
Staff Guidance Material
FAQs posted to the CRTC Website
Infographics and Informative Videos

Date modified:: 2018-08-16