Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

Outline Canada’s anti-spam law To what does the law apply? How do you ask for consent? What do electronic messages need to contain? How do you maintain your contact list when the law comes into force? Disclaimer This presentation is intended to assist you in flagging legal issues relating to Canada’s Anti-Spam Law. This is ONLY a guide and legal counsel should be consulted for specific situations.

Canada’s Anti-Spam Legislation

Canada’s Anti-Spam Legislation Legislative Background: CASL comes into force on July 1, 2014 and will take a prohibitive approach to “Commercial Electronic Messages”, prohibiting all but those messages that comply with its requirements. In some cases, existing, valid consent may not survive when CASL is in force. Under CASL: Electronic messages require consent from the recipient, either express or implied; The message must contain prescribed disclosure; and The message must contain an unsubscribe mechanism in prescribed form.

Canada’s Anti-Spam Legislation To which messages does CASL apply? Commercial Electronic Messages - a message sent by any means of telecommunication, including a text, sound, voice or image message, to an “electronic address” including: an electronic mail account; an instant messaging account; a telephone account; or any similar account. CASL will only apply to electronic messages that are “commercial”. This will include all messages that, based on their content, including links, and contact information, have as one of their purposes encouraging participation in commercial activity, regardless of whether this is done with the expectation of profit.

Canada’s Anti-Spam Legislation Is the Electronic Message Commercial? CASL will only apply to electronic messages that are “commercial”. This will include all messages that, based on their content, including links, and contact information, have as one of their purposes encouraging participation in commercial activity, regardless of whether this is done with the expectation of profit. Messages that offer to sell a product; Messages that advertise a product; Messages that promote a person or corporation; Messages that seek to gather consumer or market information; Messages that seek consent to send further messages. “commercial activity” « activité commerciale » “commercial activity” means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada. Meaning of commercial electronic message (2) For the purposes of this Act, a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that (a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land; (b) offers to provide a business, investment or gaming opportunity; (c) advertises or promotes anything referred to in paragraph (a) or (b); or (d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.

Canada’s Anti-Spam Legislation What is not a Commercial Electronic Message? CASL will not apply to several classes of message: Interactive two way voice communications; Messages sent via facsimile to telephone accounts; and Voice recordings sent to a telephone account. These messages are currently subject to the CRTC’s oversight via the Telecommunications Act and the Do Not Call List. CASL contains a provision that permits the government to repeal this exception AND the National Do Not Call List at a later date. If exercised, this would make unsolicited commercial telephone calls subject to the CASL requirements.

Canada’s Anti-Spam Legislation Which messages will be exempt? The Regulations provide exceptions for the following message classes: messages sent between employees of an organization relating to the affairs of the organization, and messages sent between two organizations with a relationship, where the message relates to their affairs messages that respond to an inquiry, complaint, or other solicitation from the recipient fundraising messages sent by a registered charity messages where the person sending the message reasonably expects it to be received in a foreign state listed in the Regulations, if the message complies with the law of that state messages sent to a secure account to which only the person providing the account may send messages messages sent on a platform that includes compliant disclosure and an unsubscribe mechanism in its interface are exempt from the message requirements, but not the consent requirements. messages sent to satisfy a legal obligation

Penalties Administrative monetary penalties for violations: A fine of up to $1,000,000 for a violation by an individual. A fine of up to $10,000,000 for a violation by a corporation. CASL also creates a private right of action for persons who allege they have been affected by a violation. If the action is successful in court, the court may order: Compensation equal to the actual loss or damage suffered; and $200 for each contravention, not exceeding $1,000,000 for each day on which a contravention occurred. The private right of action has a delayed coming into force date, and will not be in place until July 1, 2017.

Express Consent Under CASL Requirements for a Request for Express Consent Provide the purpose for which the consent is sought; Provide the name under which the person seeking consent carries on business, and if different, the name under which the person on whose behalf consent is sought carries on business; If applicable, identify which person is seeking consent, and on whose behalf consent is sought; Provide the mailing address, and one (or more) of a telephone number, website, or email address of either the person seeking consent, or if different, the person on whose behalf consent is sought State that consent may be withdrawn. Requests for consent may be oral or in writing. Requests for consent may be made orally (e.g. through personal and direct contact, at the point the relationship began) or in writing (incl. electronic forms). In all cases these disclosures must be made.

Express Consent Under CASL In all cases, the burden of proof to establish consent rests on the party claiming to have consent. For example, a party may demonstrate oral consent in cases where: it can be “verified by an independent third party”; or “where a complete and unedited audio recording of the consent is retained by the person seeking consent” (or a client of the person seeking consent). Note that audio recording and the purpose for it must be disclosed under existing privacy law. Written consent can be satisfied where either paper or electronic form consent is obtained, including by checking a box on a web page to give consent (with a record of the date, time, purpose, and manner of consent stored in a database).

The CRTC’s Position on Express Consent The CRTC takes the position that express consent must be “positive or explicit”. The CRTC indicates means in addition to a check box are also acceptable provided they are “positive and explicit”. For example, these include entering an email address only if you wish to receive emails.

The CRTC’s Position on Express Consent “Assumed” consent through a pre-checked box or an opt-out system would not be accepted. The CRTC indicates means in addition to a check box are also acceptable provided they are “positive and explicit”. For example, these include entering an email address only if you wish to receive emails.

Implied Consent Under CASL Requirements for Implied Consent There is an existing business or non-business relationship between the sender and the recipient, or The recipient has conspicuously published their address, or has disclosed it to the sender and: has not indicated they do not wish to receive commercial messages; and, the message is relevant to the recipient’s business, role, functions or duties

Implied Consent Under CASL Both “existing business relationship” and “existing non-business relationship” are narrowly defined in the legislation: “Existing business relationships” exist only where the recipient: Purchased, leased or bartered products, goods, services or land from the sender within two years before a message is sent; Accepted a business, investment or gaming opportunity from the sender within two years before a message is sent; Has a existing written contract with the sender about a matter other than i or ii or such a contract expired in the two years prior to the message; or Made an inquiry or application for products, goods, services, etc. within six months before the message “Existing non-business relationships” exist only where the recipient: Made a donation, gift or volunteered for a registered charity or political party who sends the message; or Is a member in a club, association or voluntary organization that sends the message and is operated for social welfare. (13) In subsection (9), “existing non-business relationship” means a non-business relationship between the person to whom the message is sent and any of the other persons referred to in that subsection — that is, any person who sent or caused or permitted to be sent the message — arising from (a) a donation or gift made by the person to whom the message is sent to any of those other persons within the two-year period immediately before the day on which the message was sent, where that other person is a registered charity as defined in subsection 248(1) of the Income Tax Act, a political party or organization, or a person who is a candidate — as defined in an Act of Parliament or of the legislature of a province — for publicly elected office; (b) volunteer work performed by the person to whom the message is sent for any of those other persons, or attendance at a meeting organized by that other person, within the two-year period immediately before the day on which the message was sent, where that other person is a registered charity as defined in subsection 248(1) of the Income Tax Act, a political party or organization or a person who is a candidate — as defined in an Act of Parliament or of the legislature of a province — for publicly elected office; or (c) membership, as defined in the regulations, by the person to whom the message is sent, in any of those other persons, within the two-year period immediately before the day on which the message was sent, where that other person is a club, association or voluntary organization, as defined in the regulations.

Exceptions to the Need for Consent CASL creates an exception to the need for consent for certain “transactional” messages. This exception will apply to messages that solely: provide a quote or estimate for the supply of a product or service; facilitate, complete or confirm a previously agreed upon commercial transaction; provide warranty information, product recall information or safety or security information about a product the recipient uses or had purchased; provide notification of factual information about the ongoing use by recipient of a product or a service offered under a subscription, membership, account, loan or similar relationship by the sender. The precise clause reads as follows: Exception (6) Paragraph (1)(a) does not apply to a commercial electronic message that solely (a) provides a quote or estimate for the supply of a product, goods, a service, land or an interest or right in land, if the quote or estimate was requested by the person to whom the message is sent; (b) facilitates, completes or confirms a commercial transaction that the person to whom the message is sent previously agreed to enter into with the person who sent the message or the person — if different — on whose behalf it is sent; (c) provides warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased; (d) provides notification of factual information about (i) the ongoing use or ongoing purchase by the person to whom the message is sent of a product, goods or a service offered under a subscription, membership, account, loan or similar relationship by the person who sent the message or the person — if different — on whose behalf it is sent, or (ii) the ongoing subscription, membership, account, loan or similar relationship of the person to whom the message is sent; (e) provides information directly related to an employment relationship or related benefit plan in which the person to whom the message is sent is currently involved, is currently participating or is currently enrolled; (f) delivers a product, goods or a service, including product updates or upgrades, that the person to whom the message is sent is entitled to receive under the terms of a transaction that they have previously entered into with the person who sent the message or the person — if different — on whose behalf it is sent; or (g) communicates for a purpose specified in the regulations.

Message Content under CASL Commercial Electronic Message Content under CASL: Message Content Identify the person who sent the message and, if applicable, the person on whose behalf it was sent; Provide prescribed contact for one of these persons; and Include an unsubscribe mechanism. The required contact information must remain current for a minimum of 60 days after the message is sent.

Message Content under CASL Prescribed Disclosure Requirements for Electronic Messages The name under which the person seeking consent carries on business, and if different, the name under which the person on whose behalf consent is sought carries on business; If applicable, an indication which person sent the message and on whose behalf it was sent; The mailing address, and one (or more) of a telephone number, website, or email address of either the person sending the message, or if different, the person on whose behalf it is sent; and An unsubscribe mechanism. The Regulations do not make any exceptions for service providers sending electronic messages on behalf of third parties.

Unsubscribe Mechanisms The unsubscribe mechanism included in a CEM must: (i) allow recipients to indicate that they no longer want to receive any CEMs or any class of CEMS from the sender or – if different – the person on whose behalf the message was sent; (ii) using the same electronic means (or if not possible any other electronic means enabling the same result); and (ii) specify an electronic address or web link to unsubscribe. The electronic address or webpage for unsubscribing must be valid for a minimum of 60 days. Recipients who unsubscribe must also be unsubscribed “without delay” and no later than 10 business days after asking to be unsubscribed. The CRTC Regulations require that an unsubscribe mechanism must be “set out clearly and prominently” and “must be able to be readily performed.” According to CRTC guidelines, for an unsubscribe mechanism to be “readily performed” it must be “accessed without difficulty or delay and should be simple, quick and easy for the consumer to use”.

Third Party Mailing Lists CASL expressly provides for consent obtained on behalf of an unknown third party; however, it limits how this consent may be obtained and used: The party that seeks consent is required to comply with the standard CASL requirements for obtaining consent, including stating the purpose for the collection, and providing their name and contact information. A person who relies on such a consent must meet additional disclosure requirements for the message content.

Third Party Mailing Lists Message content when consent is obtained from a third party. When a consumer list is purchased from a third party, it is essential that such a list be used separately from the company’s own opt-in lists, as messages sent pursuant to such consent are subject to additional disclosure requirements: The message must identify the person who obtained the original consent as well as the person who sent the message. The unsubscribe mechanism must allow the recipient to remove consent from both the person who sent the message, the person who obtained the original consent or any other person authorized to use the consent.

Exceptions to the Disclosure Requirements The General Exception “If it is not practicable to include the information (…) in a commercial electronic message, that information may be provided by a link to a web page on the World Wide Web that is clearly and prominently set out and that can be accessed by a single click or another method of equivalent efficiency at no cost to the person to whom the message is sent.” This exception will be essential for electronic messages that are subject to space restraints such as text messages. It is not likely to apply to messages not subject to such restraints, such as email.

The Family and Personal Relationship Exception Neither the requirement to obtain consent, nor the requirement to disclose information regarding the sender, will apply where an electronic message is sent by or “on behalf” of a person who has a “personal” or “family” relationship with the recipient. “Family” “Personal relationship” Marriage; A common-law partnership; A legal parent/child relationship; where: Those persons have had a direct voluntary two way communication. Must have had direct, voluntary two way communications; Must be reasonable to conclude the relationship is personal considering relevant factors. This exception will only apply in unusual cases. Examples we have seen include refer-a-friend type promotions, and customizable holiday greeting cards.

Referral Messages The Regulations include an exception that permits a single referral message to be sent where: The referral is made by an individual who has an existing business relationship, existing non-business relationship, family, or personal relationship with the message recipient; The referrer has one of those relationships with the sender of the message; The message states the full name of the person who made the referral, and states that the message was sent as a result of the referral

Maintaining Contact Lists CASL will narrow the ability to rely on Implied Consent CASL expressly provides for reliance on implied consent primarily in cases of existing “business relationships” or “non-business relationships”. These are defined categories that are much more narrow than the ability to rely on the “reasonableness” test for implied consent under the federal privacy legislation, PIPEDA. Under PIPEDA, where a consumer sends a request for information by email, it would be reasonable to conclude that you have their implied consent to respond using their email address. Under CASL, a consumer question regarding a potential purchase would constitute an “existing business relationship”, provided a response is sent within six months from the date of the question. Further, a response (as opposed to other commercial messages) would also be subject to an exception in draft regulations.

Maintaining Contact Lists The regulatory impact statement for the Regulations confirms Industry Canada’s position that valid express consent obtained before CASL comes into force “will be recognized as being compliant with CASL”. However, Industry Canada also expressly noted that in some cases email addresses that may be used under the current privacy legislation may no longer be used under CASL. This is most likely to occur where an organization is relying on ‘implied’ consent under PIPEDA- implied consent under CASL is much more narrow. Organizations should consider the manner in which their current email list had been established to assess the ability to continue to use it after CASL comes into force. Prior to July 1, 2014, organizations will have an opportunity to seek express consent in cases where implied consent is currently relied on.

Transitional Provisions When CASL comes into force on July 1, 2014, there will be an extended period of three years during which implied consent will survive in cases of “existing business relationships”, as defined in CASL that include the sending of commercial messages. After this period, the existing business relationships will survive for two years following a purchase, or six months following an inquiry. The transitional period provides an extended timeline for perfecting existing implied consent (as defined in CASL) by seeking express consent. Any attempts to perfect consent within this period would need to be carried out in compliance with CASL.

Application Compliance with CASL will become a legal requirement on July 1, 2014. Organizations should be bringing their electronic marketing practices into compliance now, both due to the magnitude of the potential penalties, and to help establish an express consent list that will survive the coming into force of the Act.

Chris Oates Associate Gowling Lafleur Henderson LLP chris.oates@gowlings.com 416-369-7333