- Compliance with CAN-SPAM Does Not Equal Compliance with CASL
- June 18, 2014 | Author: Roland Hung
- Law Firm: McCarthy Tétrault LLP - Calgary Office
We are approximately a month away from the effective date of Canada’s Anti-Spam Legislation (CASL), July 1, 2014. CASL is widely considered to be among the toughest anti-spam legislation in the world and will have significant implications for businesses. All commercial electronic messages sent (i) by any person within Canada, or (ii) by any person outside of Canada to a person within Canada are captured by CASL, meaning it applies to international senders who send commercial electronic messages to Canada. Those who violate CASL could face significant fines and potential civil action.
We have received many questions related to the differences between CASL in Canada and the CAN-SPAM Act (CAN-SPAM) in the U.S. It is important to note that CASL is in many ways more onerous than its U.S. counterpart and it is important for businesses to understand that compliance with CAN-SPAM will not by default mean that they are in compliance with CASL in Canada.
The following are some of the major differences between CASL and CAN-SPAM:
- Broad Scope. Whereas CAN-SPAM simply targets spam, CASL targets not only spam, but also phishing, and malware.
- Not Just Email. CAN-SPAM applies only to email where the primary purpose is commercial advertisement or promotion, whereas CASL applies broadly to “commercial electronic messages” (including text, sound, voice, or images) that are sent to an electronic address (including email, instant message, or social media) where one of the purpose is to encourage participation in commercial activity.
- “Opt-in” Consent Regime. CAN-SPAM permits senders to procure consents by requiring the recipient to “opt-out” of receiving certain communications. In other words, implied consent is given, unless the recipient opts-out. CASL requires senders to obtain “opt-in” consent before sending any “commercial electronic messages” to recipients. In very limited circumstances, CASL will permit messages to be sent because CASL will assume certain acts or relationships give the sender implied consent to send such messages.
- More Severe Penalties. Penalties under CASL can reach $10 million for violations by organizations and $1 million for violations by individuals, whereas the maximum penalty under CAN-SPAM is $16,000 for each violation.
- Civil Action. In addition to the penalties, CASL creates a private right of action that will allow consumers and businesses to take civil action against anyone who violates CASL. The private right of action provisions will come into effect on July 1, 2017 and not July 1, 2014. A private right of action is also available under CAN-SPAM in the U.S. but is far more narrow, only allowing an action to be brought by a provider of internet access services adversely affected by a violation.
- Liability of Directors, Officers and Employers. CASL expressly states that corporate officers and directors can be held personally liable for corporate violations, and employers can be held liable for violations committed by their employees or agents acting within the scope of their employment or authority. CAN-SPAM does not expressly provide that directors, officers or employers can be held liable.
Tips for Businesses
In response to CASL, businesses will need to change their internet marketing practices. For US businesses that previously sent commercial electronic messages to recipients in Canada, without express consent, until the recipient “opted out” by expressly requesting that the messages cease, they will have to change their practices and obtain express “opt in” consent if they are to continue to send messages to recipients in Canada.
Here are a few guidelines:
- Keep track of express consents obtained. Implement systems to keep track of express consents obtained as the onus will be on the sender to prove they have obtained valid express consent.
- Provide recipients with the prescribed information. Commercial electronic messages will be required to disclose prescribed information that identifies the sender, the sender’s contact information and information about the unsubscribe mechanism.
- Tell recipients how to opt out of receiving future email. Senders will be required to ensure that commercial electronic messages are sent only to persons who have previously given express or implied consent to receive the message, and have not opted out of future messages. The message must include a clear and conspicuous explanation of how the recipient can opt out of receiving future emails. Further, any opt-out mechanism offered must remain operative for 60 days.
- Honour opt-out requests promptly. Businesses must honour a recipient’s opt-out request within 10 days.
- Monitor third parties. Businesses will need to ensure that their third-party service providers are knowledgeable about CASL and in compliance with CASL when assisting with and implementing marketing programs and services.
The time to adapt your communication practices to ensure compliance is now. McCarthy Tétrault offers services to assist you with complying with CASL, including customized presentations and toolkits and developing communication strategies customized for your business to reduce the risk of non-compliance.