This marks the first video in a new series called “The Brief: The Business of Digital Marketing”, in which I’ll be talking with experts across the business world about trends and hot topics in technology and digital marketing. Today’s subject: Canada’s Anti-Spam Legislation (CASL), which comes into effect on July 1, 2014.
In one of our recent videos, we brought forward some ideas and resources for how to survive CASL as a Canadian business. What we found, though, the more we dug into the subject, is that there are a lot of grey areas around the legislation. So we decided to talk to a legal expert to get their perspective. I hope you find this interview with lawyer Porter Heffernan of Emond Harnden Law as useful as I have in figuring out how this applies to everyone both inside and outside the corporation.
Porter Heffernan practices in all areas of labour and employment law, with a particular focus on rights arbitration, civil litigation, and privacy law. He holds an LL.M in Labour Law from Dalhousie University, and is the recipient of many awards. He has been with Emond Harnden LLP since 2008.
Andrew Milne: If you were to round it out and give a short description of what the CASL legislation is, how would you describe it?
Porter Heffernan: It’s based on two main requirements for commercial electronic messages. The first is that if you’re sending a commercial electronic message, a CEM, you have to have the consent of the recipient, “express” or “implied”. The second is that you have to incorporate certain elements into the form of that message: contact information (in a variety of forms) and an unsubscribe mechanism.
AM: We talk a lot about consent here. Can you break down the different types of consent for us?
PH: The Act contemplates two different types of consent. The first is express consent, which we call the gold standard under the Act. That’s when someone specifically opts-in to receiving CEMs. Express consent is indefinite in duration; it lasts until someone unsubscribes from receiving messages in the future. So, it really is the most valuable form of consent. If you don’t obtain express consent, the Act does provide for implied consent in certain specific circumstances. So those include, for example, where you have an existing business relationship with an individual, so they’ve purchased something from you within the last two years or engaged in another transaction, or even requested a quote or requested information about your organization within the last six months.
AM: A lot of the people we work with have monthly emails, bulletins, other regular communications that go out. And inside that, there’s often some sort of solicitation for engagement. When people sign up for those, does that fall under this law, or do we need to go and get further proof of engagement?
PH: It depends on the format in which consent was collected initially. The Act provides both for implied consent in certain specified circumstances and express consent, so someone can explicitly give consent to receive CEMs. And one of the ways in which the Act is stronger than virtually any other legislation in the world, is that it’s not enough to have someone purchase something from your website, for example, and click “I agree to the terms of this transaction” where there’s a pre-checked box that says “I agree to receive commercial electronic messages”. To get express consent that’s valid under the Act, someone has to actively check that box and then agree to the terms of the transaction. They call it opt-in consent, as distinguished from the pre-checked box, opt-out consent.
AM: How far back does that go? Say, for instance, that I signed up for an electronic engagement three years ago, and I’ve been receiving those bulletins every week.
PH: The fact that you’d signed up initially and the fact that you’ve been receiving those bulletins is not enough to count as implied consent, unfortunately. So you have to go back and scrub your database, meaning you have to try to obtain express consent from as many of those people in the database. Where you can’t obtain express consent, you have to look and see whether the other individuals might fall into one of the exemptions under the Act for implied consent. And if they don’t, then you have to either remove them from your database or carry the risk that you may breach the Act by emailing them.
AM: Third party lists… While they aren’t a great way to start an engagement, they do exist, and a lot of people do use them for garnering new members or relationships. How’s that going to work out?
PH: If you’re buying third-party lists now with this legislation in force, then you need to seek legal advice, is the bottom line answer. Third party lists now carry substantial risks for organizations that have been purchasing or leasing them. As an organization, if you send a message to a contact in your database and that message is in breach of the Act because that contact hasn’t given consent, you’re liable for that message and you’re exposed to the risk of those fines up to $1 million or $10 million for the organization. The CRTC doesn’t care where the list came from in applying those fines, so it’s no excuse to say, “but I bought it from an organization so I didn’t collect it, I didn’t seek consent”. The CRTC is going to look at your actions in sending an email without consent.
Part of what that means in practice for organizations is that they have to do more due diligence if they’re going to be buying or leasing lists. They have to look at incorporating provisions in their contracts with list providers, where the list provider provides some assurances and perhaps even an indemnification in order to reassure the organization that the list was collected in compliance with CASL, and the organization isn’t going to acquire any liability by using the list.
AM: This is going to change how businesses work. People now either have to have a relationship or have been working with them in the last two years. Besides that you have to find a new way to communicate with them.
PH: There’s no question it’s going to have a serious impact on the way many organizations do business. There’s a great deal of concern in the business community about the impact this is going to have not just on mass email marketing, but on day-to-day business communications. The law is not restricted to bulk emailing. The law applies to individual unsolicited emails as well, so there was concern that this might impact a business’s ability to communicate with its suppliers or its business partners.
One of the most significant exclusions day-to-day is what I’d refer to as the intra-company and the inter-company exclusion. There’s an exclusion for messages sent by an employee of an organization to another employee of the organization that concern the organization’s activities. So, your internal communications among your employees are generally not going to be captured by the scope of the legislation. There’s also a similar exclusion for communications between employees of different organizations that have an existing relationship. So, if you’re communicating with your supplier, your contractor, your business partner, you’re not going to have to worry about the application of CASL to your day-to-day communications with that individual or individuals employed by that organization as long as your communications are about the business activities of that organization or your shared enterprise. So those exemptions are perhaps the most significant in my view.
AM: How does that play out for membership? If we’re looking at members and membership groups, and they’re soliciting more activity — definitely pushing a commerce relationship — how does CASL affect that?
PH: You will normally have an exemption for your communications, or rather have consent for communications, with your members and your existing clients as long as there is a contract in force between the two of you. When you’re talking about transactional clients, or single purchase, single lease, single rental, you have implied consent to email that individual for a period of up to two years after the transaction. Where we’re talking about potential clients, so if you’re engaged in marketing or business development, your leads, you have a period of six months from the date of any inquiry they make, or a request for a quote or any communication they have with you in that respect, you have a period of six months to send commercial electronic messages.
AM: Social media networks… how do you see those being affected by CASL? We’ve got these independent networks that are outside of our digital communications to our inbox. They notify us, but there’s integration happening there. Do those play out the same way?
PH: The answer to that is a little grey. They are focused almost exclusively, in that the thrust of the legislation is on its application to email. The legislation is clearly applicable to text messages as well, and it’s broadly applicable to electronic messages generally. When we talk about social media, that’s one area that still remains a little grey. It’s not clear how the CRTC is going to interpret messaging through social media. Some of the commentary is suggesting that simply posting something on your wall on Facebook or tweeting something, is not going to be captured because you are broadcasting the message in that case to people who have subscribed to follow you to receive your messages. But when you send a targeted message, a direct message through Facebook, through Twitter, through LinkedIn, through any social media platform, the suggestion is that’s likely going to be captured, because you’re still sending a message and the message itself would be unsolicited so it would fall within the scope of the legislation.
AM: Internationally, we’ve seen laws like this come into play, so Canada’s late to the game. But, this is the harshest law that we’ve seen across the other countries. So is CASL the result of what we’ve learned from other countries and now we’re applying a tougher legislation? Do you have any insight on that?
PH: There’s no question they’re late to the game. It’s hard to say what drove the harshness of the legislation. I think there’s no question that it is the toughest legislation in the world. If you compare it to the US CAN-SPAM Act, which has been in force for a number of years, this has harsher requirements and the potential penalties under this law are far more significant than in the US. As for what’s driving that, I would speculate that it’s an effort by the Canadian government to be a leader in this field. I’m not sure that the outcome has struck the right balance, I’m not sure that it’s, in the end, a positive development for Canadian businesses given the burden that it imposes and the risks that it carries. But I think it’s well intentioned. It is Canada trying to be a leader in this field, particularly after coming late to the party, as you say.
AM: Are there any positives in this? I’m not saying that it’s a negative situation — spam’s going to decrease, and I’m going to have to start really thinking about what I receive in my mailbox, which is great. But are there any other positives that you see coming out of it?
PH: I think there are certainly some positives. One personally for me, is that I now have a stock template response to spam that I receive. I say: “That’s very interesting. I have no interest in receiving your product, but are you aware that CASL comes into force on July 1. Perhaps we could assist you in complying and avoiding sending messages like this in the future.” So I think that from the user’s perspective, from the recipient’s perspective, there are some positives. Commentators are divided on whether this legislation is a good thing, looking at it from the user’s perspective; or a bad thing, looking at it from a business perspective where it imposes more regulation, more risk, more red tape.
AM: We talked a lot about different approaches today, different things that people need to pay attention to. What do you think the key points are before we leave today?
PH: First, don’t underestimate the risk involved in the legislation. Second, get moving on compliance right away, and make it a top-down exercise, from the Board of Directors all the way down. And third, make sure you’re doing everything reasonably possible to comply, so that you can take advantage of the defense of due-diligence if a complaint is filed.
AM: So, this is all great information… Porter, how do you guys help? How does EH Law get involved with a corporation to help them get ready for this?
PH: There’s a few things we can do to help, and we have been doing with our clients. The first step, the most significant in my mind, is helping organizations understand what they have to do here. This legislation is not a masterpiece of draftsmanship. It’s clumsy and it’s difficult to navigate, so for a layperson it can be hard to look at the face of the law and understand what they have to do to make sure they are compliant. So, we’ve been assisting clients with training and presentations for senior management, the Board of Directors, or for marketing and sales people to help them understand. So that’s the opening thing we can do to assist our clients.
The next step is to assist them with their due diligence. Due diligence provides a defense to complaints under the Act, and due diligence requires managing your employees, ensuring your employees are trained and have the tools they need to maintain compliance. So we’ve assisted a number of our clients with the development of policies that can be applied throughout the organization, policies that require standard conduct from employees in sending commercial electronic messages, and give clear guidance to these employees that they are required to comply, and if they don’t comply, that there may be consequences for them, including disciplinary consequences. So, if a complaint is ever filed against an organization and they have one of these policies in place, and they’ve trained their employees on the application of these policies, they can stand before the CRTC and say, “we’ve done our due diligence, we’ve done everything we can, and the fact that an employee chose to breach the legislation or didn’t adhere to our policy, that’s not something we can prevent. What we will do is take steps to address that situation and do what we can to reeducate our employees on our policies”, and I think the risk to the organization then from the CRTC will be lower as a result.
AM: Porter, thank you for the conversation today. I think we’re just at the infancy of understanding what this is really going to be. It’s great to see that you’re handling it from the policy side, from the business side, helping groups and individuals to see how this is going to apply for them. This is going to be a big change for all of us. I’m really interested to see what will happen as of July 1.
Do you have questions about CASL? Or maybe you have a suggestion for a topic for The Brief. Don’t hesitate to contact me, email@example.com or call me at 613-231-2802 x351. I look forward to your comments.