Bill C-28, or CASL, as it’s become known, received Royal assent in December 2010, and while Canada arrived late to the anti-spam party — it was the last of the G7 nations to enact legislation dealing with the issue — it’s been making up for lost time since, quickly establishing itself with some of the toughest provisions the world has seen.
The act bars senders from delivering unsolicited commercial electronic messages, which includes text messages and e-mails, without receiving express or implied consent from the recipient. The broadness of the legislation has challenged common conceptions of spam, and forced businesses to rethink the way they market themselves and sell to the public.
“Anti-spam legislation is typically considered as something that goes after the bad apples. People think of those in-the-depths-of the-night type e-mail spammers who are running scams or sending viruses,” Wilson says. “This legislation has quite a broad scope and it will capture many regular business operations by legitimate operators, so in-house counsel are starting to realize that this imposes additional requirements that they’re going to need to take into account.”
To give it some muscle, the government has backed up its new measures with some impressive potential fines. Individuals who breach the law can face penalties of up to $1 million, while corporations are liable for as much as $10 million. Officers and directors may also be held liable if they participated in or acquiesced to the breaches. The act also creates a private right of action for CASL violators, paving the way for potential anti-spam class actions, with remedies capped at $1 million per day.
Those headline-grabbing numbers have been enough to attract the attention of many legal departments, but at the Globe and Mail, legal counsel Logan Willis says they’re not the only things that should concern them. “Penalties can be very high, but there are also reputational risks associated with non-compliance. At the Globe, for example, two-way engagement with our readers and the users of our media is very important to our business, so it’s critical we live up to their expectations as well. Those expectations will be shaped by this legislation in the future,” Willis says. “We’re treating compliance very much as a priority, and getting prepared is a lot of work.”
U.S. companies with Canadian customers face an additional headache, says Wilson, because CASL applies to any commercial electronic message sent from or received by a computer in Canada, and sets a higher bar for consent than its U.S. equivalent, the 2003 CAN-SPAM Act. “It’s difficult for U.S. businesses. Most are very compliance oriented, but they have the additional difficulty of having to locate recipients to confirm they are Canadian, as well as making sure they comply with the law,” Wilson says.
At the Globe, Willis has established an anti-spam team, with representation from across the company, to educate personnel on the requirements of the new law. They are then tasked with cascading the information down through their own departments. “We’ve found with other legislation that making sure people understand it is really the best defence for ensuring there’s no non-compliance in the future,” Willis says. The Globe is also conducting an audit of all existing communications the company has with clients and users to identify which relationships meet the strict consent requirements and which raise compliance concerns.
At Johnson & Johnson Inc., Andrea Freund, the company’s vice president of law, has taken a similar audit-based approach. But Freund says her company and others have been handicapped by uncertainty over when exactly the legislation will come into force, and what regulations will come under it. “The problem is since the regulations haven’t been finalized, we can’t put in place the final processes, training, and implementation plans. The audit itself is a large undertaking, and I think unless the regulations change, there’s going to be a significant amount of work still to do for many businesses.”
After the legislation passed Parliament in 2010, Industry Canada and the Canadian Radio-television and Telecommunications Commission, the bodies tasked with enforcing the law, released draft supplementary regulations the following summer. There was hope in the business community that the regulations would narrow the scope of the legislation and provide for exemptions, but Alexander Adeyinka, senior regulatory counsel at Rogers Communications, says it didn’t live up to expectations. “Unfortunately, when the draft regulations came out, frankly they didn’t do anything about the concerns that industry mentioned about the scope of the legislation itself,” says Adeyinka, who has also been active in the Canadian Wireless Telecommunications Association’s response to the legislation. “In fact, the regulations themselves in our general view went overboard in terms of some of their compliance requirements.”
As they currently stand, the regulations require senders of commercial electronic messages to make requests for express consent in writing. Consent can be implied where the recipient has had a business relationship with the sender in the last two years. There is also a “business card exemption” that allows senders to use e-mail addresses disclosed in the course of doing business, as long as the recipient does not object to receiving unsolicited messages.
Once consent has been obtained, all commercial electronic messages must also comply with form requirements, which means that the name, mailing address, web site, and phone number of the person sending the message, as well as any business on whose behalf they’re sending it, are contained in the message. Messages must also have a mechanism that allows recipients to unsubscribe from future messages.
The draft regulations attracted a barrage of comments, with more than 50 trade and public interest organizations making their concerns known, most from critical businesses and industry associations bristling at the compliance burden they will impose. Wally Hill, the vice president of the Canadian Marketing Association, says his members were particularly disappointed that consents obtained in the past under the Personal Information Protection and Electronic Documents Act would no longer be considered good enough for compliance with CASL. If the requirements are to change, he suggests old lists should be grandfathered to minimize disruption and costs. “Otherwise, companies are put in a position where they have to go out and re-qualify their entire database,” he says.
Susan Copland, director of the Vancouver-based Investment Industry Association of Canada, says the new rules could impede her members from acting on client referrals, and calls the “in-writing” requirement for consent requests “highly impractical” in an increasingly electronic world. “It basically precludes you from using electronic communication to get consent, or even verbal consent over the phone. The reality of business is that communication is instant, and people get impatient when they face a two-second delay when they’re sending e-mails, so it really doesn’t make sense,” Copland says.
Adeyinka is keen to stress that he, and most of the commenters, support the broad goals of CASL, but want to see more done to combat what he calls its “unintended consequences.” He says it’s unnecessary for the draft regulations to capture innocuous communications such as the text messages Rogers Communications sends to welcome new customers or to warn them when their pre-paid balances are low. “It may sound like businesses crying, but the way the regulations are right now, it will create inconveniences for customers as well,” he says. “We are extremely concerned about spam, and it’s in our interest to protect customers from being on the receiving end of it from anyone.”
John Lawford, counsel for consumer organization at the Public Interest Advocacy Centre, says he has little sympathy for those critical of the regulations. “They don’t want to face up to the fact that you can’t e-mail people you don’t know. Some of the marketers have woken up and realized that this thing may actually apply to them, so they’re attacking the regulations,” Lawford says.
Michael Osborne, a partner at Affleck Greene McMurtry LLP, says the tumult around CASL is unlikely to end with its coming into force. He calls the legislation Canada’s “biggest restraint ever on freedom of speech” and says he expects various provisions to be challenged in court. “If I want to send a flyer to your house, I can do it. That’s part of the trade-off for living in a free economy, and I don’t see why e-mail would be any different. I don’t like getting junk at my door or in my inbox, but if I want to live in a free economy, I think I have to accept that,” Osborne says.
And while startup companies struggle to market themselves, and law-abiding companies shell out cash to upgrade their databases and track their communications, Osborne says he expects CASL to have a negligible effect on the inboxes of ordinary Canadians. “True spammers will thumb their noses at this. They’ll carry on sending e-mail for unlicensed pharmaceutical products and the like,” he says.
While the debate rages on over the regulations, larger companies are positioning themselves so that they’ll be ready to comply, whatever the final regulations say. Craig McTaggart, director of broadband policy at Telus Communications Co., says the real compliance problems will be for smaller companies. “Telus and other major companies have the resources to come to grips with this legislation now, but I’m convinced there are a lot of industries and companies that still don’t really know much about this legislation. There’s so much unknown, even among those who are fairly up to speed, so my view is the government is going to have to give a reasonable time for businesses and other organizations to bring themselves into compliance,” McTaggart says.
The backlash against the regulations has set back the “in-force” date for CASL until at least early 2012. Industry Canada and the CRTC are working on a second set of draft regulations, and some believe it may be 2013 before all the loose ends are tied up. Even if the legislation does come into force before then, many commentators say a transition period will be needed to give companies a chance to fully comply. “Anything less than six months would be mind-boggling,” says Hill.