UPDATE: Canada’s anti-spam law is now in force.
Don't be fooled by its name. You don't need to be a spammer, or even be located in Canada, for legislation known as "Canada’s anti-spam law" or "CASL" to regulate important elements of your business.
Many everyday activities – such as sending an email message to a customer, operating a company website and making a mobile application available for download – are now subject to detailed rules that will likely require you to make significant changes to your operational practices or face significant fines.
The rules are enforced by three regulators with active enforcement offices and by the courts. Anyone who believes they have been affected by your non-compliance will have standing to commence a private action. Class actions are widely expected.
The time to comply with CASL rules is now. The Minister of Industry issued final Regulations on December 4 2013, most of CASL came into force on July 1, 2014 and the provisions related to computer programs came into force on January 15, 2015. The Private Right of Action will be enacted on July 1, 2017.
Michael Fekete discusses anti-spam legislation coming into effect and provides advice for mitigating risks.
What does CASL Mean for Business?
CASL is perhaps the most onerous legislation in the world to regulate the use of commercial electronic messaging. It goes much further than regulating the bulk, unsolicited email communications often referred to as “spam”.
Rather, it creates an express consent-based regime that will apply to almost all electronic messages sent for a commercial purpose. Whereas the US CAN-SPAM Act relies on opt-out consent (i.e., a functioning unsubscribe
mechanism), CASL requires express “opt-in” consent. Additionally, all requests for consent and almost all commercial electronic messages must meet prescriptive sender and contact person identity and withdrawal of consent requirements. The same opt-in consent standard also applies to the installation of a computer program on a computer, smart phone or other computing device. Almost all computer programs are covered, regardless of whether or not the program is installed for a malicious purpose. And there are prescriptive requirements for the form and content of certain user notices and acknowledgments.
Additional activities regulated by CASL include the use of address harvesting tools, the inclusion of misleading sender and subject matter information in an electronic message, and the alteration of transmission data in an electronic message. The scope of CASL is not limited to activities in Canada. CASL applies to electronic
messages where the computer system used to send or access the message is located in Canada. In the case of computer programs, CASL applies if the computer program is installed on a computing device in Canada or if the person who installs or causes the installation of the program is in Canada. This means that organizations located outside of Canada that send messages to computers located in Canada or install computer programs on devices in Canada will also face CASL requirements.
For more detailed information on CASL’s impact and requirements please see our articles:
Anti-Spam Legislation Casts a Wide Net – Requires all Organizations to Take Action
CASL’s Computer Program Rules Cover Much More than Spyware
What Do I Need to Do?
CASL will likely create significant compliance challenges for all businesses, whether large, medium or small. The requirements for sending electronic messages and installing computer programs have the potential to impact
operations across all businesses. In addition, the prescriptive nature of the rules in CASL regarding requests for consent, withdrawals of consent and the content of messages will require an organization to revisit its “pre-CASL”
policies and day-to-day practices regarding electronic marketing, customer communications and software and network management practices. To address these challenges, it is critical to develop a comprehensive compliance plan.
For most organizations, this will require that you work through the seven steps set out below:
- Identify a compliance team
- Identify the CASL requirements that apply to the organization
- Audit and document current practices
- Resolve preliminary “interpretation” issues
- Develop and document a CASL compliance plan
- Implement the CASL compliance plan
- Monitor, track and update the CASL compliance plan
In addition, a number of specific compliance activities will need to be undertaken. Please see our Top 10 List to help guide you:
Top Ten CASL Compliance Planning Activities