U.S.-based businesses that engage in marketing activities directed to Canadian residents – both businesses and individuals – could find themselves on the receiving end of some hefty fines, courtesy of a strict Canadian anti-spam law which went into effect on July 1.
CASL, passed in 2010, is intended to ensure that businesses have the permission of Canadian-based prospects or clients — before sending any kind of a commercial electronic communications, including email, facsimiles, text, sound, voice, or image messages that are sent over a web-based forum, SMS/instant messaging service, telephone account, social media platform (such as Facebook or LinkedIn), or (albeit ambiguous) “any similar account.”
CASL also restricts the manner by which Canadian-based internet users may be “subscribed” to websites and email lists. Because the law applies to any Canadian-based computer system used to receive, route, or access commercial electronic messages, an unsolicited email from a U.S. business to any individual or organization located in Canada may now be unlawful.
Unless a statutory exception applies, commercial electronic messages are only permitted when the intended recipient provides express or implied consent to the transmission and the message includes certain required elements relating to content and “unsubscribe” mechanisms. After July 1, even an electronic message that requests consent to send a commercial electronic message will most likely be deemed “spam” itself.
Unlike Canadian privacy laws such as the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) and provincial privacy laws, which only apply to personal/health information, CASL applies to commercial electronic messages regardless of whether they contain, or are sent, using personal information.
The penalties that can be imposed are significant. The law grants the Canadian Radio-Television Commission broad authority to assess maximum penalties of $1,000,000 for an individual and $10,000,000 for a business. Directors and officers may be personally liable for their company’s violations. CASL also includes a private right of action (effective 2017) allowing for private enforcement, including class action suits and enabling individuals to seek monetary damages of $200 a day for each violation, up to a maximum of $1 million for each day on which a violation occurred.
Notably, the Canadian anti-spam law is not the same as its U.S. counterpart law, CAN-SPAM. Compliance with CAN-SPAM does not equate to compliance with the Canadian law, which applies to a broader set of electronic communications and calls for an “opt-in” approach. The Canadian anti-spam legislation also governs how consents may be obtained and what information must be included in a commercial electronic message, and requires that unsubscribe mechanisms be made available to message recipients. The burden of proving sufficient consent rests with the sender of the message.
The takeaway?
Ensure that compliance goes well beyond just email communications. Businesses should review their communication tools and marketing strategies to ensure that each type of electronic communication complies with the applicable statutory requirement.
Companies with websites that allow visitors to sign up to receive emails (typically announcements, promotional materials, etc.) need to ensure that the website sign-up is “opt-in,” not “opt-out.” For example, a website consent form that has an opt-in default, such that the visitor has to “click” to turn it off, is no longer permitted.
Those in charge of social media, whether they create the content or respond to comments, need to be aware of the law’s new rules and the liabilities involved.
And certainly, beyond the marketing department, anyone involved in sales directed to the Canadian-market needs to understand that even the simplest email – sent from one individual to a Canadian counterpart, could have serious consequences.
Any U.S-based business that markets to Canada and/or sends any type of electronic message to Canadian-based recipients should review their electronic communication practices; privacy notices and terms of use/terms of service; social media, marketing, and other policies; and corporate websites for compliance with this law. Even if a business purchases lists of prospects, Canadian-based targets should be segregated from those lists.
Khizar A. Sheikh is a partner and chairperson of the Privacy, Cybersecurity & Information Management Group at Mandelbaum Salsburg, a law firm based in West Orange, N.J. Lauren X. Topelsohn is Counsel to Mandelbaum Salsburg.