Get Ready For The Next Wave of CASL

Back in 2014 there was a lot of chatter over Canada’s Anti-Spam Legislation, also known as CASL. When it came into force on July 1 of that year, most hoped that something could be done about unsolicited email. But businesses worried about the difficulty in obeying the new rules.

CASL’s impact has not been noteworthy as far as stopping spam goes. My inbox is hardly a scientific sample but I have not noticed a huge decrease in unwanted mail, if any decrease at all. Whether or not the laws have been effective, there are laws. Individuals and businesses are still required to comply or risk big fines. The bad news is that some of the exceptions the new Act granted in 2014 will expire soon, so compliance will become more difficult.

To refresh your memory, the legislation was built on three major legs. First, the law prohibits sending or permitting messages to be sent unless there has been consent. Next, it establishes rules for electronic message content. These include identifying who sent the message, providing contact information, and adding an unsubscribe mechanism. Third, the contact information must remain valid for at least 60 days after the message has been sent.

The first leg, consent, is very important. Unlike countries such as the US, CASL did not allow what I will call a “forgive rather than permit” model. For instance, the United States’ attempt at controlling spam commonly allowed someone to send unsolicited email as long as they removed a person when an objection or complaint was received. This did not work. Even setting aside problems from foreign senders (which any legislation has trouble dealing with), transmitters knew they had at least one free shot at sending spam and could easily circumvent the rules.

Canada took a different approach. Senders needed to obtain consent before they sent electronic messages. What’s more, the consent had to be express, not implied. One could not argue they had always sent messages without objection; they needed to show actual consent by the recipient.

Even more restrictive, that express consent had to be opt-in, not opt-out. Even presenting a potential recipient with a check box that had been pre-filled to indicate consent was offside. The recipient had to do something active, like clicking on that box, to show express consent.

There was a key exception to this express consent requirement. Businesses were allowed to rely on existing relationships for up to three years. For instance, if your business was in the habit of sending an electronic newsletter to customers prior to July 1, 2014, you could continue to send them (assuming they did not specifically object) for another three years.

After July 1, 2017, however, that will change. All businesses will need to have express consent to send electronic messages unless they fall into one of the other exceptions to CASL. Granted, those other exceptions are not trivial. They include things like some relationships developed through volunteer or charitable activities, political parties, or if the recipient’s address has been prominently published without an indication that bulk messaging is unwelcome. Still, many business activities do not fall within those exceptions. The three-year grace period may be the only out available.

Businesses that have not been obtaining express consents are running out of time if they want to avoid electronic messaging restrictions after July 1, 2017. Remember: the consent must be express. You cannot simply send a letter or email to the recipient saying “unless we hear otherwise, we will assume you still want to receive our messages.” Even just slipping a consent into something that they otherwise sign may not be enough.

What should businesses do, then? Again, if there have been policies in place from the start to gather express consents you may be in good shape. Continue that practice and then cull any names from your list after July 1, 2017 if you were not able to get proper waivers.

If you have not yet started, time is not your friend. CASL has dropped from the radar a bit since 2014, although there has been some activity. A Quebec company called Compu-Finder was hit with a $1.1 million fine by the CRTC in 2015. A few others were also sanctioned so the legislation is not completely impotent.

We expect that as we get closer to the expiry of the 3 years, there will be renewed interest in CASL. Because the legislation depends on complaints from the public, that increased exposure will mean more scrutiny and more risk. Like we said 2 years ago, the easy cases will be targeted first. Your job, at the very least, is to make sure you are not one of those cases.