Do Your Company’s Email Marketing Practices Need to Comply with Canada’s Anti-Spam Law?

Published On June 12, 2014 | By Jon Frankel | General, International

The first provisions of Canada’s Anti-Spam Law (“CASL”) take effect on July 1, 2014, imposing potentially stringent consent and recordkeeping requirements—not to mention penalties of up to $10 million (CAD) per violation— on individuals and companies sending marketing messages to Canadian residents. The consent requirements of CASL differ significantly from the U.S. CAN-SPAM law. CAN-SPAM is a marketing-friendly law that generally permits sending commercial email without obtaining the recipient’s consent so long as the recipient can stop receiving future emails through an unsubscribe mechanism. CASL, on the other hand, makes it much harder to use email for marketing purposes as it generally requires the recipient to agree to receive the marketing email before it is sent. In light of these differences, companies should evaluate their email marketing practices to determine whether they need to take action.

CASL and Consent

CASL regulates the transmission of commercial electronic messages (“CEMs”), broadly defined as messages that are sent to an electronic address (including email addresses and text messaging accounts) that encourage participation in a commercial activity. The message sender is responsible for documenting when and how the recipient consented to receiving the message. Sometimes this consent can be implied—for example, if there is an existing business relationship between the parties. If this implied consent was obtained prior to the July 1, 2014 CASL effective date, then generally such consent can be valid for 3 years until July 1, 2017. email symbol on row of colourful envelopes

Other times, consent must be express—for example, if there is no relationship between the parties. This could arise if the sender obtains a list of email addresses from a third party and does not otherwise have any business relationship with the recipients. And express consent means just that – the user must affirmatively agree to receive the email before it is sent. The sender also must include certain information in the request, such as the name of the business, its mailing address, a phone number, email address or web address, a clear statement that the sender intends to send a CEM, and a notice that the recipient can withdraw consent. Effectively, this means that pre-checked boxes or notices buried in terms and conditions or privacy policies are unlikely to work. Rather, users will need to affirmatively check a box, type in their email address, or engage in some other affirmative action to show they want to receive the CEM and be provided with the above information about the sender.

CASL Likely Will Impact At Least Some Facets of Most Company Email Practices

While the CASL requirements are considered onerous and certainly more restrictive that CAN-SPAM, CASL only applies to CEMs sent to a Canadian resident. Many companies, however, do not know where their email recipients are located because they don’t collect this information. CASL addresses this by requiring companies to perform certain due diligence; thus, if a company cannot “reasonably ascertain” that the recipient is located in Canada, CASL does not apply. It is therefore important for companies to audit their marketing practices to determine whether they may be sending CEMs to Canadian recipients. Initial due diligence could include identifying recipients with “.ca” email domains or physical addresses that indicate Canadian residency and documenting these users’ consent to receive CEMs or removing these users from email distribution lists.

How Will CASL Be Enforced?

While the Canadian government has established an interdepartmental regime to enforce CASL violations, it remains to be seen whether other governments will be willing to cooperate for violators not subject to Canadian jurisdiction. As with other foreign privacy laws, there could be questions as to the ability of regulators to enforce the law against U.S. companies without boots-on-the-ground operations in the jurisdiction. Both the U.S. Federal Trade Commission and Federal Communications Commission have indicated that they will cooperate with Canadian regulators, but it is not clear what this cooperation will entail or how it could bolster the extraterritorial enforcement of the Canadian law. Finally, while the law takes effect on July 1, 2014, the private right of action for violations will not take effect until July 1, 2017.

Featured Photo by Krystian Olszanski from Flickr

About The Author

Jon Frankel has been advising clients on privacy, data security, e-commerce, intellectual property and litigation matters for more than 15 years. Jon provides practical advice to mitigate privacy and data security risks and helps clients navigate a myriad of complex data collection, use and sharing cases. Jon advises on health and children’s privacy; email, SMS and telemarketing; mobile applications; user generated content; contests, promotions, and sweepstakes, online gaming; and requests from law enforcement. Prior to joining ZwillGen, Jon was a partner in the Washington, D.C. office of Bingham McCutchen, LLP, where he co-chaired the Privacy and Security Group.

Comments