This post recaps a webinar delivered by Maanit Zemel, Esq. on June 22, 2017. Maanit is a partner at Zemel van Kampen, LLP, a law firm that specializes in technology law, specifically around the Canada Anti-Spam Law (CASL).
More than 750 people participated in this webinar. Given that the next CASL deadline comes into effect on July 1, 2017, many participants were anxious to be sure they understood what it means to be compliant. We had a lively Q&A session afterwards, which you can hear in the webinar recording starting around the 1 hour 13 minute mark.
If the talk of multi-million dollar fines makes you nervous, don't panic. The steps toward ensuring compliance are fairly straightforward. There are many publicly available resources such as this webinar and the CRTC's CASL page that are helpful in developing a working knowledge of the law, and consultations with legal experts such as Maanit can help ensure that you have the right policies and procedures in place.
Overview of CASL
Although it has "anti-spam" in the title, Canada's Anti-Spam Legislation (CASL) isn’t aimed at what we would traditionally consider to be spam. Instead, CASL regulates all “commercial electronic messages” (CEMs) sent or accessed from a computer in Canada. CASL also regulates a broad range of online activities including the installation of computer programs, misleading advertising and marketing practices, privacy invasion via your computer, and email harvesting.
Because nonprofits can unwittingly violate CASL by sending out the same CEMs they have always sent out, this webinar focused primarily on CEM regulations.
CASL Violation and Enforcement
CASL came into effect July 1st, 2014 and is enforced by three government agencies: the Canadian Radio-television and Telecommunications Commission (CRTC), the Privacy Commissioner, and the Competition Bureau.
Anyone can file a complaint against organizations or individuals they believe to be in violation of CASL. Individuals can be fined up to $1 million for violations, whereas the upper limit for fines for corporations (a category that includes nonprofits and registered charities) is $10 million.
It’s important to recognize that a violation of CASL doesn’t automatically trigger these fines; rather, a complaint has to be filed and the regulatory bodies will then decide the most appropriate course of action on a case-by-case basis.
In addition to the fines, there are other significant potential consequences for non-compliance. If one of your employees or volunteers violates CASL, the organization can be held vicariously responsible. At the same time, if you’re an executive director, officer, or board member and your organization commits a violation, you can be held personally responsible.
CASL also gives regulatory bodies sweeping investigative powers to search and seize evidence in organizations that are not compliant.
If this all seems frightening, you can take heart that Maanit knows of no nonprofits or charities that have been prosecuted under CASL since its enactment three years ago. The biggest (public) CASL cases so far have gone after big for-profit companies and the fines have been mere fractions of the maximum possible fines.
July 1st, 2017 and the Suspension of Private Rights of Action
Three years ago, the government announced that starting July 1st, 2017, individuals would gain “private rights of action” that would enable anyone to file a lawsuit against any individual or corporation believed to be in violation of CASL. In early June 2017, the private rights of action provision was suspended indefinitely.
Some people have misinterpreted this decision and believe that CASL has been suspended in its entirety. This is not true. CASL is still in place, and the July 1st, 2017 deadline is still significant.
Starting July 1st, 2017, implied consent will only be valid for two years rather than three. More on this below.
The Due Diligence Defense
If you can demonstrate that you have developed and implemented a comprehensive and effective CASL policy (similar to privacy policies, social media use policies, etc.), then you have a complete and absolute defense to CASL.
Maanit recommends working with a lawyer to draft up an ironclad CASL compliance policy.
Commercial Electronic Messages (CEM)
What Is a CEM?
A CEM is a message sent by electronic means (i.e. email, text, instant message, tweet) intended to encourage participation in a “commercial activity.” The number of recipients is irrelevant -- a CEM can target one person or a million. (Note that this webinar focused primarily on email communications rather than social media.)
So what does “commercial activity” entail? The legislation defines it as “any particular transaction, act or conduct that is of a commercial character whether or not the person who carries it out does so in the expectation of profit.” This last clause makes it clear that CASL applies to nonprofits and charities.
In nonprofit communications, emails that do the following are considered CEMs:
- Ask for donations
- Sell tickets to or promote an event
- Promote services (if there is some commercial character to those services)
- E-newsletters that promote the organization, an event, and/or ask for donations
For an email to not be considered a CEM, it has to be purely educational in both purpose and content.
To send a CEM that is CASL-compliant, you must fulfill three requirements:
- The receiver has already consented (opted-in) to the receipt of the CEM
- The CEM contains certain prescribed information (your organization’s contact info and a means of contacting the sender)
- The CEM contains a clear unsubscribe mechanism
More on each of these below.
Consent: Express vs. Implied
Understanding CASL’s concept of consent is fundamental to achieving compliance.
As stated above, CEMs can only be sent with the express or implied consent of the recipient. The onus of proving consent is upon the sender, and because an email requesting initial confirmation of consent would be considered a CEM, such emails are prohibited.
Express consent: When someone expresses explicit consent to receive communications from you, they have given you express consent. They might subscribe to your newsletter from your website, sign up for communications at one of your events, etc. While consent can be expressed either in writing or verbally, it is always better to get it in writing (either digitally or on paper).
Your sign-up process must be clear and straightforward (in other words, people shouldn’t be surprised that in handing over their email address to you, they are signing up to receive email communications). And you need to make it clear that they can opt out any time.
Express consent is indefinite, meaning that it doesn’t expire. However, the instant someone opts out of communications from you, express consent is revoked.
Implied consent: There are two types of implied consent: indefinite and definite.
Indefinite implied consent: If a person has:
- “conspicuously published” his/her email address (e.g. on a website),
- has not expressed a desire not to receive CEMs (yep, that’s a double-negative),
- AND the content of the CEM is relevant to the recipient’s business role in a particular organization,
then you have the implied consent of the person and you can send him/her CEMs.
There’s another way to achieve indefinite implied consent. If someone has:
- disclosed their email address to you (for example, they gave you a business card at an event)
- AND the content of your message is relevant to that person’s role in an organization,
then you can send that person CEMs.
Indefinite implied consent does not expire after a certain period of time.
Definite implied consent: If:
- You are a registered charity and someone has either made a donation or volunteered with you in the preceding two years
- OR you’re a nonprofit (not registered as a charity with the CRA) and the recipient has been a valid member of your organization in the preceding two years
- OR the recipient has executed a financial transaction with your organization (a purchase, lease, investment, etc.),
then you have implied consent and can send CEMs to this recipient.
As of July 1st, 2017, definite implied consent expires two years after the recipient’s most recent “interaction” -- whether that’s making a donation, volunteering, being a member, or doing a financial transaction with your organization. The two-year clock restarts after every such interaction.
Implied consent can always be revoked via an unsubscribe.
Other CEM requirements in depth
Your CEMs must include full contact information for your organization and a means by which to contact the sender. If there isn’t space within the CEM to include this, you must include a link to a webpage where this information is prominently displayed (such as your website).
You’re also required to provide an unsubscribe mechanism within each CEM. This mechanism must be electronic (i.e. you can’t require anyone to call, write, or fax in to unsubscribe). It also must be valid for at least 60 days following the CEM -- the link can’t expire until two months have passed. And finally, you legally must remove the recipient from your lists within 10 days of the request.
The Charities Exemption
There are several exemptions to CASL’s CEM requirements. Maanit focused on one -- the registered charities exemption.
According to this exemption, you don’t have to comply with the above CEM requirements if:
- You are a registered charity with the CRA (if you’re unsure, call your accountant!),
- AND the primary purpose of the specific CEM in question is raising funds (and those funds will go to the charity rather than another recipient).
Note that this exemption occurs on a CEM-by-CEM basis; qualifying for it for one CEM does not mean that you are always exempt.
Also, even though the “primary purpose” must be to ask for money, a CEM can still serve other purposes (such as education). This means that your ask must be made in a prominent way.
So what if you’re a registered charity and one of your corporate sponsors has agreed to donate a portion of its sales to your organization -- are you allowed to promote that sponsor’s products or services? Maanit says this is still a grey area and that you shouldn’t rely on an exemption here.
Maanit also reminds us that there have been no test cases yet, so we can’t know how the courts will interpret the charities exemption. She speculates that the courts will tend to side with the recipient over the organization, which means that you should not exclusively rely on the charity exemption to protect yourself from liability. Instead, develop a consent-based policy and designate someone to vet the content of the CEM to ensure that you’re covered from all angles.
These are CASL best practices Maanit recommends instituting immediately:
- Get your board on board. Don’t just dump all of this on your comms team’s shoulders -- CASL compliance policy needs to be shaped at the highest level of the organization.
- Conduct an audit. Ask yourselves: what types of electronic communications do we send out and to whom? Do we communicate on behalf of other organizations and to whom? Do third parties communicate on our behalf? What is the purpose in sending out these communications? What kind of shape is our email list in?
- Develop and implement a CASL compliance policy and procedure. Having this in place will equip you with the due diligence defense.
- Train your people -- that includes people within your organization and people outside of it sending communications on your organization’s behalf -- on CASL and your compliance policies.
- Review your contracts with third parties. Require CASL compliance and include indemnification provisions for non-compliance.
- Consider buying insurance for CASL.
- Consult with IT specialists.
Zemel van Kampen LLP is a boutique law firm that specializes in CASL compliance.