If you were keeping close tabs three years ago on the advent of Canada’s Anti-Spam Legislation (CASL), you may be forgiven if you lost sight of it in the past three years. After all, you worked hard to ensure that your organization would be able to send commercial electronic messages (CEMs) once July 1, 2014 rolled around.
Well, it’s time to pay attention again, because July 1, 2017 marks the coming into force of a couple of important features to CASL.
End of the Three-Year Grace Period
This July 1st the grace period that accompanied CASL’s coming into force will end. The grace period – three years beginning on July 1, 2014 – allowed your organization to send CEMs based on a prior history of communicating electronically with its contacts. There was “implied consent” to continue sending CEMs to a contact of your organization, if your organization had, as of July 1, 2014, an existing “business” or “non-business” relationship with the contact and the relationship included communication of at least a CEM.
Once the grace period expires, to send CEMs to contacts that fall within the categories of existing business and existing non-business relationships, as the case may be, your organization will have to rely either on express consent or on implied consent.
Unlike the implied consent based on an existing business relationship or an existing non-business relationship afforded by the grace period provision of CASL, however, your organization will have to make sure that the recipient of its CEMs satisfies CASL’s functional and time-based criteria in order to qualify, depending on the circumstances, as an existing business relationship or an existing non-business relationship.
If you’re going to rely on implied consent based on an “existing business relationship,” you’ll have to show one of the following:
- there was a purchase or lease of a product, good, service, land or an interest or right in land, within the two-year period immediately before the day on which the CEM is sent; or
- the recipient previously accepted a CEM from your organization about a business, investment or gaming opportunity within the two-year period immediately before the day on which the CEM is sent; or
- there’s an existing written contract between the recipient and your organization, or there was a written contract between the recipient and your organization that expired within the two-year period immediately before the day on which the CEM is sent; or
- the recipient made an inquiry or application to your organization about one of the items described in the immediately preceding bullets, within the 6-month period immediately before the day on which the CEM is sent.
In like manner, if your organization intends to rely on implied consent on the basis of an “existing non-business relationship,” then one of the following will have to be satisfied:
- the recipient will have made a donation or gift to your organization within the two-year period immediately before the day on which you send the CEM (and to rely on this, your organization must be a registered charity, a political party or organization or a person who is a candidate for elected office); or
- the recipient is a person who will have performed volunteer work for your organization or attended a meeting organized by your organization, within the two‑year period immediately before the day on which you send the CEM (again, to rely on this, your organization must be a registered charity, a political party or organization or a person who is a candidate for elected office); or
- the recipient is a member in your organization within the two-year period immediately before the day on which you send the CEM (to rely on this, your organization must be a club, association or voluntary organization, as defined in the regulations of CASL).
Here’s an example of how this will play out. If your organization intends to send someone a CEM on July 2, 2017, then to do so it must have that person’s “express consent” (obtained before July 2nd), or it must have that person’s “implied consent.”
To rely on implied consent on the basis of either an existing business relationship or an existing non-business relationship, your organization must have had contact with the person of a nature described in the bullets above and that occurred on or after July 1, 2015 (in other words, you won’t be able to rely on a contact earlier than July 1, 2015). Moreover, if you intend to rely on the person having made an application or inquiry about business services from your organization, then that application or inquiry can’t be older than six months from July 1, 2017.
In short, you should be examining your contact list, to ensure that you will be able to satisfy the criteria, both in terms of the nature of the relationship and the kind of contact that has occurred, as well as when the contact occurred.
Private Right of Action
The other big change coming this July 1st is that persons who that have received CEMs without having given their consent, or who have had their personal information or email addresses or both collected or used (or both) by methods of harvesting such information, will be able to seek monetary compensation from the persons that have breached the consent rules in CASL and the collection and use of personal information rules in PIPEDA.
The compensation will be two-fold:
- actual losses or damages suffered or expenses incurred, provided that these damages, losses and expenses can be proven; and
- without proof of loss, compensation of up to $1,000,000.00 for each day a contravention has occurred.
As a general matter there is a due diligence defence available under CASL, which would apply also in the face of a lawsuit from someone alleging contravention of CASL. The defence is that a person will not be found to have contravened CASL if the person can establish that they exercised due diligence to avoid the contravention or the conduct giving rise to the contravention. Due diligence involves not only putting in place policies and procedures to achieve compliance with CASL, but also reviewing them periodically and, if necessary, amending them to ensure that they meet the requirements of the legislation.
What to Do?
Picking up on the last point, due diligence, your organization should review its contacts list to determine which of the contacts you’ll need to seek express consent from, at least in the case of those contacts whose implied consent afforded by the grace period provisions of CASL you’ve been relying on.
Also, take a look at your database, to ensure that it contains the information that will enable you to determine which of your contacts satisfy the criteria necessary to establish implied consent once the grace period is over.
 Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)