Do you have any information to share regarding Canada's Anti-Spam Legislation?
Email Deliverability (EDG), Outbound Emails
This answer is part of the Email Deliverability Best Practices doc community. Each answer's intention is to contribute to the betterment of the email community. These answers are only related to outbound messages, and do not have any impact to the improvement of inbound deliverability. For more information regarding deliverability's role at RightNow, please review the following answer page: Answer ID 2195: Email Deliverability Group (EDG) and Spam Considerations and Policy.
Furthermore, this is not intended as legal advice and you should consult with your own legal counsel for questions regarding compliance. This answer provides a high level summary but may not reflect the latest requirements. You should always discuss in greater detail with your legal counsel to ensure you are in compliance.
Canada's Anti-Spam Legislation (CASL)
Enter into force on July 1, 2014 and it generally prohibits the:
- Sending of commercial electronic messages without the recipient's consent (permission), including messages to email addresses and social networking accounts, and text messages sent to a cell phone;
- Alteration of transmission data in an electronic message which results in the message being delivered to a different destination without express consent;
- Installation of computer programs without the express consent of the owner of the computer system or its agent, such as an authorized employee;
- Use of false or misleading representations online in the promotion of products or services;
- Collection of personal information through accessing a computer system in violation of federal law (e.g. the Criminal Code of Canada); and
- Collection of electronic addresses by the use of computer programs or the use of such addresses, without permission (address harvesting).
There are three general requirements for sending the CEM to an electronic address. You need:
- Identification information (Location details)
- An unsubscribe mechanism
Consent can be Express (explicit) consent or implied consent - via prior business relationship. HOWEVER you cannot use pre-checked boxes in signup processes:
"The manner in which you request express consent cannot presume consent on the part of the end-user. Silence or inaction on the part of the end-user also cannot be construed as providing express consent. For example, a pre-checked box cannot be used, as it assumes consent."
Also Implied consent is only valid for 2 years after the purchase, or until the recipient opts out of messages.
The Unsubscribe process should be simple, quick and easy for the end-user and honored in a timely fashion.
There are three government agencies responsible for enforcement of the law. When the new law is in force, it will allow:
- The Canadian Radio-television and Telecommunications Commission (CRTC) to issue administrative monetary penalties for violations of the new anti-spam law.
- The Competition Bureau to seek administrative monetary penalties or criminal sanctions under the Competition Act.
- The Office of the Privacy Commissioner to exercise new powers under an amended Personal Information Protection and Electronic Documents Act.
It will also allow all three agencies to share information with the government of a foreign state if the information is relevant to an investigation or proceeding in respect of a contravention of the laws of a foreign state that is substantially similar to the conduct prohibited by this Canadian law.
The law will also allow individuals and organizations who are affected by an act or omission that is in contravention of the law to bring a private right of action in court against individuals and organizations whom they allege have violated the law. Once into force, the private right of action will allow an applicant to seek actual and statutory damages. Statutory damages may not be pursued if the person or organization against whom the contravention is alleged has entered into an undertaking or has been served with a Notice of Violation.
Before filing a lawsuit against an individual or organization, get legal advice. An individual or organization could be responsible for paying considerable legal fees incurred by the alleged violator if they file an improper claim or one that is not considered to have merit.
There are three general requirements for sending the CEM to an electronic address. You need (1) consent, (2) identification information and (3) an unsubscribe mechanism. The questions under this heading relate to the first requirement, namely consent. There are two types of consent under CASL - express and implied.
Consent can be obtained either in writing or orally. In either case, the onus is on the person who is sending the message to prove they have obtained consent to send the message.
The CRTC has issued information bulletins to provide guidance and examples of recommended or best practices. Compliance and Enforcement Information Bulletin CRTC 2012-548, among other things, helps explain what information is to be included in a request for consent. The Bulletin also suggests some key considerations that may make tracking or recording consent easier, and therefore, may make it easier to prove consent. They are:
- Whether consent was obtained in writing or orally
- When it was obtained
- Why it was obtained
- The manner in which it was obtained
The examples provided in the information bulletin are not exhaustive. They are simply examples of recommended or best practices. They may not necessarily be appropriate in every situation. Compliance will be examined on a case-by-case basis in light of the specific circumstances of a given situation.
The manner in which you request express consent cannot presume consent on the part of the end-user. Silence or inaction on the part of the end-user also cannot be construed as providing express consent. For example, a pre-checked box cannot be used, as it assumes consent.
Rather, express consent must be obtained through an opt-in mechanism, as opposed to opt-out. The end-user must take a positive action to indicate their consent. For example, this can be done by providing a blank box which a user can check off to indicate consent.
How do I prove Consent?
The onus is on the person who claims that they have consent to prove that they have such consent. Compliance and Enforcement Information Bulletin CRTC 2012-548 provides a few examples on how one can prove they have obtained express consent. Note that the examples provided are not exhaustive; they are simply practices that the Commission considers to be compliant with the legislation. Other practices may satisfy legal requirements imposed by CASL. However, their adequacy will be evaluated on a case-by-case basis in light of the specific circumstances of a given situation.
There are three general requirements for sending a commercial electronic message (CEM) to an electronic address. You need (1) consent, (2) identification information and (3) an unsubscribe mechanism. The questions under this heading relate to the second requirement - identification information.
There are three general requirements for sending a commercial electronic message (CEM) to an electronic address. You need (1) consent, (2) identification information and (3) an unsubscribe mechanism. The question under this heading relates to the third requirement - unsubscribe mechanism.