The CRTC has issued two sets of interpretative guidelines addressing important parts of Canada’s new anti-spam law (CASL). While guidance on CASL is welcome, these guidelines reinforce the great lengths to which many businesses will need to go to in order to ensure compliance.
The guidelines focus on the CRTC’s interpretation of the regulations it released in March, 2012 and the related provisions of CASL, and provide examples of what the CRTC considers to be compliant behavior.
By way of background, CASL was designed to regulate commercial electronic messages (CEMs) and the installation of computer programs on other people’s computer systems. The scope of CASL extends beyond what many people might traditionally think of as spam or spyware/malware, and the need for compliance will impact most businesses.
CASL has received royal assent. However, CASL is not yet in force to allow time for the aforementioned CRTC regulations and for a revised set of draft regulations from Industry Canada (which are expected later this year).
Overview of Guidelines and Commentary
I. Identification of Sender
- Guidelines: (a) Each CEM must identify the sender (and its affiliates if sent on behalf of multiple persons), but not necessarily persons situated between the person sending the CEM and the person on whose behalf the CEM is sent. (b) Physical mailing addresses of the sender must be included in both the CEM and the request for consent (discussed below).
- Commentary: The mailing address requirement requires very detailed address information to be provided. As this is not practical in short messages (like an SMS), the regulations allow the use of a link to a webpage containing the address information (provided that the link is “clearly and prominently” set out in the CEM and is “readily accessible” by the message recipient). This would require small businesses who want to use short messages (like an SMS) to have websites, even though a large percentage of small businesses still do not. Further, individuals carrying on business as a sole proprietorship (for example, a home-based business) will need to publish their private personal information on the web merely to send commercial messages – a right likely protected as freedom of expression under the Charter of Rights and Freedoms.
II. Unsubscribe Mechanisms
- Guidelines: An unsubscribe mechanism must be “readily performed” which the CRTC considers to mean that it must be accessed without difficulty or delay, and should be simple, quick, and easy for the consumer to use. Examples of an acceptable unsubscribe mechanism include an unsubscribe link within the CEM, or in the case of an SMS, the option to reply “STOP” or “Unsubscribe” or to click an unsubscribe link within the SMS. In each case the linked website should allow the consumer to unsubscribe from receiving all or some types of CEMs from the sender. The guidelines contain visual examples of both of the above.
- Commentary: In the visual examples of unsubscribe mechanisms it appears as though the user is given the option of unsubscribing from receiving certain types of CEMs or “all messages” (not just CEMs) from the sender. It is unclear how there could be a legal basis to require the unsubscribe mechanism to affect messages that are not CEMs – however this may merely be an oversight in the preparation of the examples.
III. The “Sought Separately” Consent Requirement
- Guidelines: A business must seek express consent for (a) sending CEMs, (b) altering transmission data in electronic messages, and (c) installing a computer program on another person’s computer separately. For example, users must be able to grant their consent for the installation of a computer program while refusing to grant their consent for receiving CEMs. Furthermore, requests for consent must not be bundled or subsumed with requests for consent to the general terms and conditions of use or sale. Persons must be able to grant their consent to the terms and conditions of use or sale while, for instance, refusing to grant their consent for receiving CEMs.
- Commentary: This suggests that vendors who seek to offer terms of service for a business model that is premised on users giving consents to receive CEMs, can be forced to offer to contract for the service while being legally required to let users decline to receive electronic messages that are core to the service offering. This could pose problems, especially with mobile social media applications that depend on the service or other users communicating CEMs. Furthermore, the “sought separately” requirement imposes new unique Canada-specific formalities, processes and implementation costs not required to do business elsewhere. These will impose a burden on participating in the Canadian market.
IV. Obtaining Oral Consent
- Guidelines: Businesses seeking oral consent to send CEMs are advised to make and keep a complete and unedited audio recording of the consent, or to ensure the oral consent can be verified by an independent third party.
- Commentary: While some businesses may keep the kind of records the CRTC is suggesting would satisfy the requirement for proof, for many businesses, especially small ones, meeting the burden of proof in the manner suggested would impose significant new costs. This requirement also raises privacy concern as the recordings could contain personal information.
V. Obtaining Written Consent
- Guidelines: Businesses seeking written consent electronically to send CEMs are advised to ensure consent is obtained in a manner that allows the information to be subsequently verified. An acceptable example would include checking a box on a webpage to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in a database.
- Commentary: The CRTC interpretation of the writing requirement adds a new formality not in CASL or the regulations. It may suggest the writing must be recorded in a medium from which the information can be accessed to be verified. However, many online providers that use click wrap agreements do not keep the type of records of agreements suggested by the CRTC. To prove agreements, they often maintain records of the click wrap process and applicable terms in place at the relevant time of contracting. The CRTC’s level of proof would likely require businesses, especially small businesses, to make upgrades to their systems to comply with the CRTC’s interpretation of the regulations.
VI. Use of Toggles/Check Boxes to Obtain Consent
- Guidelines: Express consent cannot be obtained by using pre-checked boxes. The user must give consent through an opt-in mechanism, such as by affirmatively checking a box to indicate consent. The CRTC further notes that confirmation of consent should be sent to the user.
- Commentary: The confirmation of receipt of consent is not expressly a requirement under CASL or the regulations. This interpretation by the CRTC will require service providers in Canada and around the world who want to do business in Canada to add new functionality to their systems to deal with Canadians. Users may also be annoyed at receiving these new kinds of mandated messages, and some will no doubt consider them SPAM.
In addition to the above, the guidelines also address several aspects of the spyware/malware provisions in the regulations and in CASL.