Preparations continue to lay the groundwork for the coming into force of Canada’s anti‑spam law.1 On October 10, 2012, the CRTC published two information guidelines regarding the legislation: Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC) (CRTC Guideline 2012‑548) and Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation (CRTC Guideline 2012‑549).
The background to the CRTC Guidelines is that on December 15, 2010, Royal Assent was given to Canada’s anti‑spam law. A date for the law’s coming into force will be set in the coming months, with the date now expected to be in mid‑2013. The anti‑spam law will affect any individual, business and organization that:
- Uses commercial electronic messages;
- Is involved in the alteration of transmission data; and
- Produces or installs computer programs.
If you are involved in the operation of a non‑profit or charity why should you care about the anti‑spam law? Increasingly, non‑profit organizations and charities are using electronic means of communicating with people, and the anti‑spam legislation will apply to many, if not all, of those electronic messages. How so?
Prohibition Against Commercial Electronic Messages
The legislation prohibits sending commercial electronic messages to an electronic address unless prior consent has been obtained from the person to whom the message is sent and the message is in the prescribed form. Electronic messages include messages sent by any means of telecommunication, including a text, e‑mail, sound, voice or image message. An electronic address is defined as an address used in connection with the transmission of an electronic message to an e‑mail, instant messaging, telephone or similar account (one can anticipate that a “similar account” will be interpreted to include social media applications such as Twitter and Facebook).
The anti‑spam prohibition applies only to electronic messages delivered in connection with a commercial activity, which the legislation defines to include any transaction, act or conduct, or any regular course of conduct, that is of a commercial character, whether or not the person who carries it out does so with the expectation of profit.
As you can see, the definition of “commercial activity” is broad, and would include, for example, contest offers, advertising or promotional activities. Simply because an organization is a non‑profit organization or a charity does not mean that it will be exempt from the application of the legislation to the electronic messages that it sends. In the context of protecting personal information under PIPEDA, for example, it was found that a non‑profit daycare centre was carrying on a commercial activity, and a similar finding was made with respect to a non‑profit organization that administers university entrance exams.
Exceptions from the Restrictions Imposed on Sending Commercial Electronic Messages
There are a number of situations in which you do not require the prior consent from the recipient of an electronic message that you send as part of a commercial activity. The exceptions include sending an electronic message whose content consists solely of:
- a quote or estimate for the supply of a product, goods, service or land, if the quote or estimate was requested by the recipient;
- facilitating, completing or confirming an existing commercial transaction between the sender and the recipient;
- sending an electronic message that consists solely of warranty, product recall or safety information about a product or services that the recipient uses, has used or has purchased;
- providing notification of factual information about an ongoing subscription, membership, account or loan;
- providing information directly related to an employment relationship or benefit plan; or
- delivering a product, good or service, including upgrades further to an existing relationship.
In addition to being exempt from consent requirements, some messages are also exempt from the form and content requirements, including, for example:
- messages sent to a person engaged in a commercial activity and that consist solely of an inquiry or application related to that activity; or
- messages that are a means of communicating with the recipient for a purpose specified in the regulations.
The “consent” requirement – what is it?
Canada’s anti‑spam law creates an “opt-in” system, meaning that prior consent must be obtained from the recipient in order to deliver a commercial electronic message (in contrast with an “opt‑out” system in which the sender is permitted to send a message without prior consent and the recipient can “opt out” of receiving further messages).
Anyone sending a commercial electronic message has the onus of proving that the recipient’s consent was obtained before sending the message. Consent may be obtained either orally or in writing. The content and methods for obtaining express consent are subject to rules that are set out in regulations made by the CRTC.
Except for circumstances specified in the anti‑spam legislation and its regulations, express consent must be obtained. In CRTC Guideline 2012‑549, the CRTC states that “a positive or explicit indication of consent is required” to comply with the express consent requirements of the anti‑spam law, which precludes the oft used practice of a “pre-checked” box on a computer or smart‑phone screen that assumes the recipient’s consent unless the recipient takes the active step to “un-check” the box. CRTC Guideline 2012‑549 states that such practice is not an acceptable form of express consent. Rather, if a check box is used, the recipient must actively check it to indicate his or her consent. CRTC Guideline 2012‑549 provides other examples of acceptable mechanisms for obtaining consent.
CRTC Guideline 2012‑548 states that that requests for consent may not be “subsumed in, or bundled with requests for consent to the general terms and conditions of use or sale”; the request for consent must be separately and clearly identified.
Consent may be implied in a number of specified circumstances, including where the message is sent in the context of an existing business or non-business relationship between the sender and the recipient. Of particular interest to, among others, non‑profits and charities is the concept of an “existing non‑business relationship.” An existing non‑business relationship will apply if, within the two years immediately preceding the day on which a commercial electronic message is sent,
- the recipient made a donation or gift to the sender of the message and the sender is either a registered charity as defined in subsection 248(1) of the Income Tax Act, a political party or organization or an individual who is a candidate ‑- as defined in an Act of Parliament or of the legislature of a province ‑‑ for publicly elected office;
- the recipient performed volunteer work for, or attended a meeting organized by, the sender of the message and the sender is either a registered charity, a political party or organization or an individual who is a candidate ‑‑ as defined in an Act of Parliament or of the legislature of a province ‑‑ for publicly elected office; or
- the recipient is a member, as defined in the regulations, of the sender and the sender is a club, association or voluntary organization, also as defined in the regulations.
In CRTC Guideline 2012‑549, the CRTC states that an electronic message that contains a request for consent to send a commercial electronic message is, itself, a commercial electronic message, so consent to sending commercial electronic messages cannot be obtained by sending a request for consent by an electronic message, for example by e‑mail.
Form and Content Requirements for Commercial Electronic Messages
The regulations published by the CRTC require that every commercial electronic message set out information that identifies the sender of the message and, if applicable, the person on whose behalf the message is sent. Prescribed contact information for such persons must also be set out in the message. Moreover, CRTC Guideline 2012‑548 makes it clear that when a commercial electronic message is sent on behalf of a number of persons, including on behalf of affiliates, all such persons must be identified.
In addition to the prescribed information about the sender(s), a commercial electronic message must include an “unsubscribe” mechanism. The CRTC Regulations require the unsubscribe mechanism to be set out clearly and prominently in each such message and must be able to be “readily performed.” In CRTC Guideline 2012‑58, the CRTC expresses the view that to be “readily performed,” an unsubscribe mechanism “… must be accessed without difficulty or delay, and should be simple, quick, and easy for the [recipient] to use.” By way of illustration, the CRTC offers the example of a link in an e‑mail that takes the recipient to a web page where he or she can unsubscribe from receiving all or some types of commercials electronic messages from the sender.
Regulation and Enforcement
The CRTC is responsible for administering a number of aspects of the legislation, including the portion of the legislation dealing with commercial electronic messages. Among its powers, the CRTC can make regulations about matters that the legislation states are to be prescribed.
Penalties for non-compliance with the anti‑spam law are sizable, with fines up to $10 million for corporations. Officers, directors and agents may be personally liable if they acquiesced in a violation of the requirements under the legislation, with maximum monetary penalties of $1 million.
In addition to the penalties set out in the legislation, the anti‑spam law also includes a private right of action, allowing a person to commence a lawsuit in court against anyone who violates the legislation.
What should your organization do to get ready? Here are some suggestions:
- Review your electronic communication practices with persons, including distribution of marketing materials, and make necessary changes to ensure that they comply with the new consent (express or implied), disclosure and “unsubscribe” requirements
- Before the law comes into force, obtain express consent from your contacts to receiving commercial electronic messages from your organization; after the law comes into force, as mentioned above, electronic messages seeking consent will, themselves, be considered to be commercial electronic messages and will no longer be permitted
- Identify and tag in your database persons with whom your organization has an existing non‑business relationship (or, for that matter, an existing business relationship), since for these persons you have implied consent based on the previous relationship and you will have three years from the date that the law comes into force to obtain express consent from these persons
- Update your database to add fields for the various types of consent and other information that you will have to maintain for your contacts (clients, suppliers), so that you can determine, depending on the nature of the contact, whether consent is required, and if so, capture express, implied, no consent and unsubscribe instructions
- Ensure that electronic messages that your organization sends have templates to satisfy the identification and unsubscribe requirements
- If you employ third party e-marketing companies, speak with them to ensure that they will comply with the law when sending out electronic messages out on your behalf
- Start training your staff, so that they understand the requirements of the law
- An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23. ↩