Canada Issues Final Regulations to Anti-Spam Law

Cooley Alert

In December 2010 Canada passed the Anti-Spam Law ("CASL"), the world's most stringent anti-spam law.1 The Canadian Radio-television and Telecommunications Commission ("CRTC") issued the final version of the Electronic Commerce Protection Regulations ("Regulations") implementing certain portions of the CASL on March 5, 2012, and on March 28 the CRTC issued Telecom Regulatory Policy CRTC 2012-183 (the "Regulatory Policy"), which further explains the Regulation and provides some guidance as to how certain requirements will be implemented.

Although there are many similarities between the CASL and the U.S. CAN SPAM Act of 2003,2 there are important differences that were outlined in an earlier Cooley Alert issued in May 2011. U.S. companies face potential liability under the CASL if they are sending commercial electronic messages to users who reside in Canada. Since it is now expected that the CASL will become effective in early 2013, U.S. companies should review their existing electronic marketing policies and practices to ensure that they comply with the requirements of the CASL and the Regulation.

Information to be included in commercial electronic messages

Unlike CAN-SPAM, which only covers e-mail, the CASL applies to all commercial electronic messages ("CEMs"), which are defined as all electronic messages to an electronic address, including any means of telecommunication, such as text, sound, voice or image, via e-mail, instant messaging, telephone, or any similar account delivered in connection with a commercial activity. The CASL requires that CEMs must be in a form described in regulations to be issued pursuant to the CASL, identify the sender(s), provide contact information, and include an "unsubscribe" mechanism.

The Regulations state that the following information must be included in every CEM:

  1. The name of the person sending the message, or, if it is different, the name by which that person conducts its business;
  2. If the message is sent on behalf of another person, the name of the person on whose behalf the message is sent, or if it is different, the name by which that person conducts its business;
  3. If the message is sent on behalf of another person, a statement identifying the person sending the message and the person on whose behalf the message is sent; and
  4. The mailing address, and either a telephone number providing access to an agent or a voice messaging system, an e-mail address, or a web address of the person sending the message, or, if different, the person on whose behalf the message is sent.

The above information, and the "unsubscribe" mechanism must be set out clearly and prominently, and the unsubscribe mechanism must be able to be readily performed.3

If it is not practicable to include the above information and the "unsubscribe" mechanism in a CEM, the Regulations allow the information to be posted on a page on the World Wide Web that is readily accessible by the person to whom the message is sent, at no cost to that person, by means of a link that is clearly and prominently set out in the CEM.4

Information to be included in a request for consent for the installation of computer programs

The CASL also prohibits the installation of any computer program in the course of a commercial activity unless express consent has been given. Consent is deemed to have been given for the purposes of web functionality (such as in the case of cookies, HTML code, Java Scripts, operating systems, patches and add-ons),5 but otherwise must be express.6 When consent to install is required, it must "describe clearly and simply the function and purpose of every computer program that is to be installed."7

The Regulations provide that a request for consent may be obtained orally, as well as in writing.8 The Regulatory Policy notes that oral consent is a commonly used and accepted industry practice (e.g., call centers, personal and direct contact, and point of sale purchases,) and acknowledges that mandating written consent could result in additional costs for businesses and consumer frustration.9 The Regulatory Policy also clarifies that consent may be obtained "in writing" by electronic forms of consent, such as where a user signifies agreement through a positive action, like clicking on an "I agree" box.10

The Regulations require that a request for consent must be sought separately for the installation of a computer program on any computer system and for each electronic message to be sent from that computer system11 and must include the following:

  1. The name of the person seeking consent, or, if it is different, the name by which that person conducts its business;
  2. If the consent is sought on behalf of another person, the name of the person on whose behalf consent is sought, or, if it is different, the name by which that person conducts its business;
  3. If consent is sought on behalf of another person, a statement indicating the person seeking consent and the person on whose behalf consent is sought;
  4. The mailing address, and either a telephone number providing access to an agent or a voice messaging system, an e-mail address, or a web address of the person seeking consent, or, if different, the person on whose behalf consent is sought; and
  5. A statement indicating that the person whose consent is sought can withdraw consent.12

The Regulations also provide that if the computer program's material elements perform one or more of the functions listed below, the person seeking consent must (a) bring those elements to the attention of the person from whom it is seeking consent separately from any other information provided in a request for consent, and (b) obtain an acknowledgement in writing that the person understands and agrees that the program performs the specified functions:

  1. Collecting personal information stored on the computer system;
  2. Interfering with the user's control of the computer system;
  3. Changing or interfering with settings or preferences on the computer system without the user's knowledge;
  4. Changing or interfering with access to or use of that data on the computer system;
  5. Causing the computer system to communicate with another computer system without the user's authorization; or
  6. Installing a computer program that may be activated by a third party without the user's knowledge.13

These requirements apply to computers and computer servers, as well as any electronic device that allows for the installation of third party programs, such as tablets and smartphones.

Recommendations

The CRTC can impose administrative monetary penalties of up to C$1 million per violation of the CASL for individuals and C$10 million for businesses.14 Officers, directors and agents may be personally liable if they acquiesced in a violation of the law. However, the CASL takes into account "honest mistakes" and it is therefore important for any businesses that may be subject to it to undertake clearly defined actions to comply. As a result, we included a list of actions that we recommended that U.S. based businesses take if they may be sending CEMs to Canadian residents, whether intentionally or not, in our earlier Cooley Alert. This Alert supplements this list by providing further detail about the content that businesses must include in CEMs and in consents required before the installation of any computer programs.

Notes

1 Fighting Internet & Wireless Spam Act, S.C. 2010, c. 23.

2 15 U.S.C. §7701.

3 Regulations, §§2(1), 3.

4 Regulations, §2(2).

5 Neither the CASL nor the Regulations address whether beacons are exempt from these requirements.

6 S.C. 2010, c.23, §10.8.

7 S.C. 2010, c.23, §§10(1), 10(3).

8 Regulations, §4.

9 Regulatory Policy, §§15, 25.

10 Regulatory Policy, §25.

11 S.C 2010, c.23, §8 provides:

"(1) a person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person's computer system or , having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless

(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); or

(b) the person is acting in accordance with a court order.

(2) A person contravenes subsection (1) only if the computer system is located in Canada at the relevant time or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions."

CASL, subsection 11(5) provides:

"(5) A person who has the express consent of an owner or authorized user to do any act described in section 8 must

(a) for a period of one year after any computer program that performs one or more of the functions described in subsection 10(5) but not referred to in subsection 10(6) is installed under the consent, ensure that the person who gave their consent is provided with an electronic address to which they may, if they believe that the function, purpose or impact of the computer program installed under the consent was not accurately described when the consent was requested, send a request to remove or disable that computer program; and

(b) if the consent was based on an inaccurate description of the material elements of the function or functions described in subsection 10(5), on receipt within that one-year period of a request to remove or disable that computer program, without cost to the person who gave consent, assist that person in removing or disabling the computer program as soon as feasible."

12 Regulations, §4.

13 Regulations, §5.

14 The Competition Bureau, through application to the Competition Tribunal, may also seek administrative monetary penalties under the current regime in the Competition Act, which allows for penalties of up to C$750,000 for individuals and C$1 million per subsequent violation, and up to $10 million for businesses and C$15 million per subsequent violation.

Related Contacts
Adam Ruttenberg Partner, Washington, DC
Diane Savage Of Counsel, Palo Alto
Related Practices & Industries

Technology Transactions