Threat Intelligence Blog

Posted February 20, 2014

By Camille Stewart, Esq.

American companies with Canadian consumers should pay close attention to the new Canadian Anti-Spam Law (CASL) that takes effect July 1, 2014. The law will be rolled out in stages. It is much like the American CAN-SPAM Act, which regulates many routine business activities, such as sending marketing emails, text messages, or other social media messages. However, this law takes the opposite approach to its American counterpart. CASL converts electronic marketing in Canada from an “opt-out” to an “opt-in” standard. The important thing to note is that this law will apply to businesses located in the U.S. if the recipient of the message or download is located in Canada.

In general, CASL prohibits:

  • Sending commercial electronic messages (CEMs) to an electronic address without consent;
  • Altering transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender;
  • Installing a computer program on a person’s computer system without consent; and
  • Causing a program on a person’s computer system to send an electronic message.

Aiding, inducing, procuring or causing to be procured any of these activities is also an offence under CASL.

What is a “Commercial Electronic Message”?

A “commercial electronic message” (CEM) is a message intended “to encourage participation in a commercial activity.”  This includes marketing, promotional, and advertising messages.  An “electronic address” broadly means an email account, an instant messaging account, a telephone number, or “any similar account.”  An electronic message that requests consent for the delivery of such commercial messages is itself a CEM.

Under the CASL, a CEM must also contain the following:

  • Information (prescribed by regulation) that identifies the person sending the message and the person on whose behalf it is sent, if different;
  • Information that will enable the recipient to “readily contact” the sender; and
  • An unsubscribe mechanism that allows the recipient to indicate, at no cost, their desire to no longer receive any CEMs through the same electronic means by which the message was sent, or, if that is not available, an electronic address or link to a webpage to which the indication can be sent. The opt-out request must be honored within 10 business days.

There are a number of exemptions that allow certain commercial messages that are transactional in nature to be sent without the recipient’s prior consent, without the sender identification, and without the unsubscribe mechanism.

How is “Consent” Defined?

The required consent can be either express or implied. The CASL requires that a request for consent to receive CEMs must express or set forth “clearly and simply” the purpose(s) for which consent is sought, the identity of who is seeking consent and, if different, on whose behalf consent is being sought.

Consent also can be implied where an existing business relationship or personal relationship exists. For this purpose, an “existing business relationship” (EBR) requires the purchase or lease of a product or service (or certain other commercial transactions) within the two-year period immediately before the day on which the CEM is sent.  Alternatively, an inquiry or application, within the six-month period prior to the sending of the CEM, also creates an EBR.

What about Computer Programs?

On January 15, 2015, computer programs, including mobile applications, will also be subject to additional requirements. The provider of the software must “clearly and simply describe, in general terms” its function and purpose.   Disclosures are necessary if the program will cause the recipient’s computer to operate in a manner contrary to the user’s reasonable expectations, such as by collecting personal information stored on the computer, changing settings, or similar malware functions.  Updates and upgrades to a computer program are permissible only if the person who gave the consent to the installation in the first place is entitled to receive the update or upgrade under the terms of the initial express consent.

The law contains an exception that presumes consent to the setting of cookies, to the installation of HTML code and Java scripts, and to the downloading of programs executable only through programs that the user has previously installed or consented to, or a person has conspicuously published the electronic address, and the recipient has not indicated a preference not to receive CEMs at that address.

Be Prepared

American companies serving, and especially contacting, Canadian customers should begin making preparations to meet the requirements of the CASL. This will likely be a time- and resource-heavy endeavor, so waiting until June is ill-advised, especially with the substantial penalties established by the law.

Here are some recommendations on first steps:

  1. Identify what types of CEM the business currently uses, or is planning to use in the next few years.  This inventory should include not only emails, but texts and mobile applications.
  2. Review any software programs the business makes available, including mobile applications, to see whether appropriate consent to updates and upgrades has been obtained.
  3. Attempt to identify the Canadian recipients of such messages, and to figure out how to start converting them to an opt-in regime.
  4. Consider implementing a CASL-compliance policy to ensure compliance, particularly if the organization plans to further invest in the Canadian market.

When the CASL takes effect on July 1, 2014, the law initially will be enforced only administratively. The maximum penalty for a violation is $10 million, but the regulations may specify that each day on which a violation occurs constitutes a separate violation. However, the CASL also authorizes private rights of action, including class actions, as of July 1, 2017. Cyveillance encourages businesses with customers in Canada to review this legislation and plan accordingly.
