By: Michael Raine
For just about anyone with an email address, deleting spam has become part of the daily routine. A long lost great uncle has $10 million in an unclaimed bank account! Delete. Half price Viagra! Delete. Win a free trip to Aruba! Delete. And while spam rates have been trending slightly downward in recent years, it is still estimated that over 70 per cent of emails sent globally are spam. So when the Canadian government announced in 2004 that it was setting up a “Canada Anti-Spam Action Plan,” there was a fair bit of positive reaction.
Fast-forward 10 years and we now have Canada’s anti-spam legislation (CASL), which took effect on July 1, 2014. While those stereotypical malicious spammers are targeted – dubious vacation offers, credit card scams, and the like – CASL is a far broader piece of legislation that impacts anybody who sends messages for commercial purposes. So what does this mean for retailers?
There are five key elements that businesses and individuals must understand to comply with CASL:defining spam, obtaining consent, keeping records, conforming to form requirements, and allowing unsubscriptions.
What is Spam?
First, nowhere in CASL is the word “spam” used. It instead applies to “commercial electronic messages (CEMs).” So while email is receiving the bulk of people’s attention, CASL also applies to other forms of electronic communication such as text messages and direct messages via social media sites. According to the Canadian Radio-television and Telecommunications Commission (CRTC), the government body tasked with enforcing CASL, “a CEM is a message that encourages participation in a commercial activity, including, but not limited to: offering, advertising or promoting a product, a service or a person.” A pretty broad definition, indeed.
“Where it gets particularly vague is that it also applies to messages that generally advertise or promote goods or services or firms that provide those goods or services,” says David Elder of Stikeman Elliot LLP, who is a former legal counsel for the CRTC and was involved in the development of CASL. “That is where it gets into a grey area, I think. What sorts of promotional activities would and wouldn’t be seen as a commercial electronic message?”
To debunk a common assumption, CASL applies to both mass CEMs, which could be blasted to thousands of people, and to single CEMs between two individuals. So whether a CEM goes to one person or 10,000, it must comply with CASL.
“By colloquially naming the law an anti-spam law, it’s created an impression in people’s minds about what the law says. Spam is a very subjective thing,” says Ryan Black, a lawyer for McMillan LLP and the co-author of the guidebook Internet Law Essentials: Canada’s Anti-Spam Law. “I think of spam, for example, as the political forwards that my crazy uncle sends me; this law does not address that. You would think that an anti-spam law might, but it doesn’t. Whereas, I don’t think of spam as someone giving me their business card at a trade show and then me emailing them to follow-up; however, this law regulates that if I am following-up for a commercial purpose.”
Elder says a good litmus test for determining if a message is a CEM is to ask, “Is it being sent out of your marketing department?” If yes, it is likely subject to CASL regulations.
The overall purpose of CASL is to stop CEMs from being sent to people with no interest in receiving them; therefore, probably the largest aspect of complying with CASL is gaining consent. Consent under CASL regulations comes in two forms: express and implied.
Express consent can be written/electronic or verbal and is when the recipient provides “a positive or explicit indication of consent” that they wish to receive the specific information you wish to send them. This is why people’s inboxes were bombarded prior to July 1st with emails asking for their consent to be sent more emails. Once express consent has been given, there is no expiration date; it only ends when the recipient withdraws their consent (i.e. clicks the “unsubscribe” function on a CEM, which we’ll get to shortly).
Seeing as how July 1 has passed, what happens with all those email addresses for which there is no express consent? Are they worthless? Not quite, but as Black says, “I probably still have an exception for most of them but now I need to do some homework to figure out who I can email and who I can’t.” This is where implied consent comes in.
According to the CRTC, implied consent is when a “recipient has made, or enquired about, a purchase or lease of goods, services, land or interest in land, a written contract or the acceptance of a business, investment, or gaming opportunity from you.” For the purposes of retail, this means that any customer has provided implied consent by engaging in business with your company. This is because “existing business relationship” is one the listed exceptions that provide implied consent. This is good news for retailers, particularly if you collect email addresses at the cash register in order to send newsletters, coupons, event notifications, etc. As well, someone who has sent an email to the company to, say, ask about a product has also provided implied consent.
Unlike express consent, which has no time limit, implied consent is limited. “If you had an existing business relationship with someone prior to July 1st, without regard to how long ago it was and you had been sending them commercial electronic messages, you can continue to do so after July 1st for a period of three years; so until July 1, 2017. But, if someone bought something from you after July 1st, you can only send it for two years,” Elder explains. “If they make a purchase within that time period, it would start a two year window again. It is a rolling two year period. So if you have regular customers that are buying things at least every two years, you never have to get their express consent.”
Here is the tricky part of verbal express consent and most forms of implied consent: if the CRTC is investigating a complaint, the onus is on the CEM sender to prove they had consent from the recipient. So while you may have had express verbal or implied consent in a manner that conforms with CASL, proving it to the CRTC could be difficult. For this reason, it is imperative to keep records of consent, preferably in a way that makes clear when consent was given and in what manner. So, for example, even if a customer provides an email address at the cash register at the time of purchase and verbal consent to be sent newsletters and promotions, the safest bet is to still have them sign a paper or electronic form confirming their consent. There are many ways these records of consent can be collected, but the basic principle to keep in mind is that you must be able to prove you have either express or implied consent from the recipient.
Form Requirements & Unsubscribe Mechanisms
There is some basic sender information that is required in every CEM. Luckily, these are not too onerous. Under CASL, as the CEM sender, you must always “identify your name and business, the name of anyone else on whose behalf you are sending the message, and a current mailing address. Also include a phone number, email address, or web address. Ensure they are accurate and valid for a minimum of 60 days after sending the message.”
The other item that must be included in every CEM is a functioning unsubscribe mechanism that the sender must act on within 10 business days. This is quite easy to include and was already a best practice for things like newsletters and promotional emails. Where this becomes confusing, Black explains, is for one-to-one messages. “If someone gave me their business card and I send them a message [to follow-up], I have to include that information in the message even though it is just me writing the message. So how do I do an unsubscribe in my personal email? It is a weird concept to me,” he concedes.
Don’t Turn A Non-CEM Into A CEM
A final bit of advice from Elder is to be careful about what you add into a personal or business email that could mistakenly turn it into a CEM. “One of the areas in particular that I think small businesses need to be wary of is what they throw into the signature line of their emails,” he warns. “So it is fine to have your logo and location information about your store and contact details, and even a link to your webpage are all acceptable, but if you start putting in special buttons saying ‘Crazy guitar sale on this month – 50 per cent off,’ that would likely turn the whole message into a commercial electronic message, meaning that you would now either require the consent of the parties or would need an existing business relationship.”
Further information and clarification can be found at the the Government of Canada’s (surprisingly helpful) CASL website at fightspam.gc.ca. The CRTC also has a CASL website at