From Canada’s Anti-Spam Legislation (CASL) Guidance on Implied Consent
If your business or organization sends commercial electronic messages (CEMs), such as emails promoting a product or service, you must comply with CASL'sFootnote 1 requirements to: obtain consent, provide identification information, and include an unsubscribe mechanism in each message. There are two forms of consent you can rely on to send CEMs: express or implied consent. The following guidelines provide direction and clarification on whether you can rely on implied consent to send CEMs.
Express versus implied consent
What's the difference between express and implied consent?
Express consent means that a person has clearly agreed to receive a CEM, either in writing or orally. The recipient must take a proactive action to indicate their express consent (in other words, express consent must be obtained through an opt-in mechanism, e.g. signing up at your website). Remember that an electronic message that contains a request for express consent is also considered to be a CEM under CASL and therefore is not a method through which express consent can be obtained. Express consent is not time-limited: once express consent is obtained you are able to send CEMs until the recipient notifies you that they no longer want to receive them. For more information on requirements for obtaining express consent, please see Compliance and Enforcement Information Bulletin CRTC 2012-549.
You may rely on implied consent for sending CEMs if it is done under certain conditions, as set out in section 10(9) of CASL. This may include having an existing business relationship (EBR) based on a previous commercial transaction with the recipient; or having an existing non-business relationship based on, for example, membership in your club, or if the recipient participated as a volunteer for your charitable organization; or where a person makes their email address publicly available by publishing it on a website. In the latter case, this conspicuous publication of their email address must not be accompanied by a statement indicating they do not want to receive CEMs at that address. If the statement is not present, in order to send a CEM, the message must relate to the recipient's business role, functions or duties in an official or business capacity. There is a time-limitation attached to the life of the implied consent (more on this below).
If your situation does not meet the categories of implied consent set out in CASL, then you cannot rely on implied consent to send CEMs. The only way to obtain express consent via e-mail is if you have implied consent to send the message.
What if the recipient asks to stop receiving CEMs?
No matter what type of consent you have, if a recipient asks to stop receiving CEMs through your unsubscribe mechanism or by another form of communication, you must respect their request and stop sending them CEMs within 10 business days.
What happens to consent if my business is sold?
When a business is sold, the purchaser can rely upon express consents obtained by the seller if the contract of sale of the business includes a provision transferring the list of email addresses for which consents have been obtained as part of all its assets. Therefore, the new owner will be able to continue sending CEMs to the recipients that gave express consent, as long as the other requirements of CASL are met. CASL also specifically indicates, at section 10(12) that, with the sale of a business, any existing business relationships (EBR) are considered to now be with the new owner of the business.
Selling only the list of email addresses for which consent has been obtained does not constitute the sale of a business, and in such case the new owner of the list could not rely on those express consents. Therefore the selling of a recipient list, except as a business asset described above, may not be compliant with CASL.
It is important to remember that the onus of proving consent, be it express or implied, is on the person who claims they have consent. Therefore, this onus would transfer to the new owner who sends CEMs and relies on those consents. With this in mind, as a best practice, the purchaser should verify with the seller the parameters of the express consents it is acquiring (e.g. by obtaining the consent records).
What is an existing business relationship (EBR)?
If you answer YES to any of the following questions, you may have an existing business relationship in which case you will be able to send CEMs for the period specified (either 2 years or six months following the last transaction date):
- Has the recipient made a purchase or lease of goods, services, land or interest in land within the two-year period immediately before the day on which the message was sent?
- Has the recipient accepted a business, investment or gaming opportunity offered by you within two years immediately before the day on which the message was sent?
- Has the recipient made an inquiry or application on any of the items above within the six month period immediately before the message was sent?
- Has the recipient entered into a written contract which is still in existence or expired within two years immediately before the day on which the message was sent?
For more information, please see sections 10(9), 10(10) and 10(14) of CASL for more details.
Here are examples of how an existing business relationship can or cannot be used as implied consent.
- A business may send CEMs to a customer who has previously registered for a professional training course if the customer provided their email address to the business when registering for the course and if the customer has not made a request to unsubscribe from receiving CEMs sent by the business since then.
- If the employee purchases the training for themselves, and does not purchase it in the name of the business (their employer), then the existing business relationship would likely be seen to be with the employee directly.
- On the other hand, if a representative of the employer, with authority to bind the business, purchases training for one or more employees of the business, then the existing business relationship would most likely be seen to be between the training company (the sender of the CEMs) and the business (the employer). If this is clearly the case, you may also be able to rely on the business to business exemption set out in the GIC Regulations at section 3(a)(ii), if you can demonstrate that the organizations have a relationship. Of course, any CEMs sent to the business (the employer) under the business-to-business exemption must concern the activities of the organization to which the message is sent.
What is an existing non-business relationship?
If you answer YES to any of the following questions, you may have an existing non-business relationship (non-EBR):
- Are you a registered charityFootnote 2, a political party or organization, or a candidateFootnote 3 for publicly elected office, and has the recipient made a donation or gift to you within the two-year period immediately before the day on which the message was sent?
- Are you a registered charity, a political party or organization, or a candidate for publicly elected office, and has the recipient performed volunteer work for you or attended a meeting organized by yourself within the two-year period immediately before the day on which the message was sent?
- Are you a club, association or voluntary organization and is the recipient a member?
For the definition of a membership, club, associate or voluntary organization see the CASL Governor in Council Regulations.
Does an existing business or non-business relationship have to be created before July 1st, 2014 or can it be created at anytime between July 1st, 2014 and July 1st, 2017 for the transitional period to apply?
The relationship, whether business or non-business, must have been created prior to 1 July 2014 in order to rely on the 3 year transitional provision set out at section 66 of CASL. Section 66 deems implied consent for a period of 36 months, starting 1 July 2014, if there is an existing business or non-business relationship with the recipient. In order to rely on the transitional provision, the parties' relationship must also have included communication via the sending of CEMs.
Any business or non-business relationship created after 1 July 2014 is subject to the time periods specified in the implied consent provisions (sections 10(10) and 10(13) of CASL), and the three-year transitional period cannot be relied upon.
Can I send CEMs to an email address I find online?
It depends on the situation. You can only rely on this conspicuous publication—or in other words, when someone posts or publishes their email address—when:
- There is no statement in connection with the address that the person does not want to receive CEMs at that address;
- The content of your CEM is relevant to the recipient's business, role, functions, or duties in a business or official capacity.
Not sure whether your content is related to a recipient's business, role, functions or duties in a business or official capacity? Here's an example for clarification.
A company conspicuously publishes on its website the email addresses of its employees, including the chief operating officer (COO) and the marketing officer. There are no accompanying statements that the employees do not want to receive CEMs at those email addresses.
Example 1: A training company sends a CEM to the COO. This CEM promotes a course on how to be an administrative assistant. This CEM is not relevant to the recipient's business, role, functions or duties in a business or official capacity. Accordingly, the training company cannot rely on conspicuous publication as a form of implied consent for the sending of this CEM.
Example 2: A training company sends a CEM to the marketing officer. This CEM promotes a course on how to develop social media platforms for e-marketing. In this case, the CEM is relevant to the recipient's business, role, functions or duties in a business or official capacity. Therefore, the training company could rely on conspicuous publication as a form of implied consent for the sending of this CEM.
Remember that under CASL, the sender of a CEM has the onus of proving consent. Therefore, if relying on conspicuous publication, the sender has the responsibility of demonstrating, if needed, how its situation meets the criteria for implied consent.
How can I prove I have consent?
You must be able to prove that you have consent of the recipient before sending CEMs. If you're relying on implied consent, you need to prove that your situation meets the criteria for implied consent under CASL. The CRTC issued guidance to help businesses develop corporate compliance programs, which may help facilitate compliance, reduce the likelihood of violating CASL, and help businesses establish a due diligence defense in relation to a violation prescribed by CASL. If you continue to send CEMs over time, based on implied consent, there is an ongoing need to maintain accurate records.
Here are some examples of situations in which you would need to prove that you have obtained implied consent:
Example 1: A company collects email addressesFootnote 4 from websites or other media publications. If the company wants to rely on conspicuous publication as a form of implied consent, then the company must be able to prove that there were no statements against receiving CEMs on the website or in the advertisement where the email addresses were collected, and must demonstrate how the CEMs were relevant to the recipients' business, role, functions or duties in a business or official capacity. For example, to prove there were no statements against receiving CEMs a company could record screenshots or have a contemporaneous record of the publication where the address was listed, including information such as the date, email address and URL.
Example 2: A company uses a third party which provides the company with a list of email addresses. These addresses were collected from websites or other media publications where they were conspicuously published. Even though the company did not create the list, as the sender of the CEMs, it must still be able to prove that consent was implied, in accordance with the requirements of CASL. The company should therefore take all reasonable steps to assure itself that the list it is relying on meets the requirements set under CASL.
Example 3: A company acquires a business where the contract included provisions transferring a list of email addresses for which consent has been obtained as part of all its assets and wants to send a CEM to a person that purchased a product from the original business one year ago. The onus of proving consent rests with the person sending the CEM. In this case, the acquiring company must be able to prove consent by demonstrating that the EBR existed and that the person has not since unsubscribed, or that they exercised due diligence when sending the CEM. To prove consent, a company's records should be made within a reasonable period of time from when consent was obtained, and should include information such as the electronic address, the date and the method that consent was received (e.g. acquired through purchase of another business).
Example 4: A company receives implied consent from a person disclosing their email address verbally or in writing, perhaps by providing their business card at a tradeshow. To create a record of the implied consent, the company could, as an example, send the person an email referencing the conversation and date where the disclosure was made, and then keep this email (and any response) in their records. Keep in mind that the confirmation email sent may be considered a CEM. As a result, the company must ensure that proper identification information and an unsubscribe mechanism are included in the message.
Note that these examples are not exhaustive and you may have alternative records that demonstrate consent.
What records should I be keeping?
Good record-keeping practices may help businesses: (i) identify potential non-compliance issues, (ii) investigate and respond to consumer complaints, (iii) respond to questions about the business' practices and procedures, (iv) monitor their corporate compliance program, (v) identify the need for corrective actions and demonstrate that these actions were implemented, and (vi) establish a due diligence defence in the event of complaints to the Commission against the business.
A company should consider maintaining hard copy and/or electronic records of the following:
- commercial electronic message policies and procedures;
- all contemporaneous unsubscribe requests and resulting actions;
- all evidence of express consent (e.g. audio recordings or completed forms) from consumers who agree to receive commercial electronic messages;
- commercial electronic message recipient consent logs;
- commercial electronic message scripts;
- CEM campaign records;
- staff training documents;
- other business procedures; and
- official financial records.
For more information on record keeping, see the CRTC's guidance on corporate compliance programs.
So I have implied or express consent, what now?
You can send CEMs as long as you include the required identification information and an unsubscribe mechanism in each message. Remember that implied consent can expire, and that you should be able to prove any consent you are relying on to send your CEMs.
You may also have obligations relating to the collection, use and disclosure of electronic addresses under the Personal Information Protection and Electronic Documents Act ("PIPEDA"), including with respect to address harvesting. For more information on PIPEDA, as well as address harvesting, please refer to the website of the Office of the Privacy Commissioner of Canada and the OPC Address Harvesting E-Guide.
- Date modified: