CASL confusion: what July 1 really signifies for marketers

David Elder - 

July 1, 2017 is not only Canada’s 150th birthday -- it also marks three years since Canada’s Anti-Spam Legislation (CASL) came into force.  While Canadian businesses are unlikely to celebrate the latter anniversary with barbecues and fireworks, July 1 will signify an important change in the way that CASL applies.

Unfortunately, there seems to be some confusion about what the approaching deadline really means for marketers.  From a CASL perspective, July 1 is important for 3 reasons:

Private right of action

Let’s start with what it doesn’t mean: July 1 will no longer mark the coming into force of the private right of action contained in the law.  This provision would have allowed civil suits to be filed against individuals and organizations for alleged violations of the law.  In addition to suing for actual damages, the provision also would have allowed plaintiffs to claim statutory damages (which need not be proved) of up to $200 – including for receipt of a non-compliant email message.

The order that proclaimed CASL in force as of July 2014 had originally set July 1, 2017 as the day on which the private right of action provisions in the law would come into force.  However, the government recently amended this order so as to suspend indefinitely the coming into force of the private right of action.

In a news release announcing the suspension of the implementation of this statutory cause of action, the government noted that it was acting “in response to broad-based concerns raised by businesses, charities and the not-for-profit sector.”  The precis to the order indicated that the original coming into force date was being suspended “in order to promote legal certainty for numerous stakeholders claiming to experience difficulties in interpreting several provisions of the Act while being exposed to litigation risk.”

Parliamentary review

The second important consequence of the arrival of July 1, 2017 is that CASL includes a section requiring a general review, after that date, of the provisions and operation of the Act by a parliamentary committee.

The government has indeed announced, when it suspended the private right of action, that it will ask a parliamentary committee to review the legislation, in keeping with this requirement of the law.

While it is difficult to know at this time precisely how that review might unfold, the legislative provision itself is very broad.  Accordingly, we may see in the near future a review that will take into account the law as a whole, followed by recommendations to the government for possible reform.

The law has many detractors in the business community, who have raised concerns relating to issues such as the vagueness and impracticality of the law, disproportionate enforcement and penalties, and real damage to economic interests.  That said, the law also has many fans, who see the regime as an important new protection for consumers.  As a result, the pending committee hearings are expected to be lively.

Expiry of transition period for prior business relationships

Finally, July 1, 2017 will mark the end of the initial transition period during which organizations are deemed to have implied consent to send commercial electronic messages to recipients based on certain types of business relationships that arose prior to the law coming into force.

The law deems implied consent to exist where the sender of a message has an “existing business relationship” or an “existing non-business relationship” with the recipient.  While there are several narrow scenarios that give rise to these defined relationships, for most commercial businesses, an existing business relationship most commonly arises through the purchase of goods or services.  In such a case, the law normally deems an organization to have implied consent to send electronic marketing messages to a customer for a period of two years after such a purchase, unless they otherwise unsubscribe.

However, for the initial 3-year transition period, CASL deemed implied consent to exist for business relationships that arose at any time before July 1, 2014 (when the law came into force), without regard to the two-year limitation.  In other words, during the transition period, the law effectively deemed an organization to have implied consent to send commercial electronic messages to a customer that had made a purchase at any time before July 1, 2014. 

The stated purpose of this transition period was to provide organizations with the opportunity to obtain express consent.  As a result, in the months leading up to the end of the transition period, many organizations have been reaching out by email to their distribution lists in order to confirm consent.

While such outreach campaigns make good sense for some businesses, seeking express consent at this time is not required in all cases.  The real impact of the expiry of the transition period will vary from business to business, based on a number of factors, including the following:

  1. If an organization is sending commercial electronic messages based on an existing business relationship that arose from a purchase made after the law came into force, then the transition period does not apply.  These types of business relationships are subject to the normal two-year limitation imposed by the law.  Indeed, for transactions that occurred in 2014 and early 2015, this period will have already expired.
  2. If express consent was collected prior to July 1, 2014, in compliance with applicable privacy law, that consent continues to be valid, even if the request did not meet the form requirements now imposed by CASL.  Businesses with reliable records of that type of consent need not reach out now to secure an additional consent.
  3. If an organization is likely to have at least one sale transaction every two years with addressees on its email marketing list, it may elect not to secure express consent, relying solely on implied consent arising from its existing business relationships.  Much depends on the typical business cycles for a particular industry/service category, but many businesses have found that they can reasonably attain marketing objectives solely through reliance on implied consent.  Of course, where a given addressee does not make a purchase within the allowed 2-year period, they must be dropped from the list, but some organizations find this churn to be manageable, and also find that, in any event, marketing offers are less likely to be effective with respect to such “stale” customers.  Recognizing that consent outreach campaigns tend to have a low rate of success, continued reliance on existing business relationships may be an attractive option for some companies.
  4. Organizations that engage in B2B marketing may not be affected by the expiry of the transition period.  The transition period affects only existing business relationships and existing non-business relationships; it does not affect implied consent that may arise under the law as a result of conspicuous publication or direct disclosure of a business electronic address, nor does it affect the general B2B exemption found in the Electronic Commerce Protection Regulations.
  5. Similarly, other types of businesses that rely on exemptions set out in the Regulations need not reach out now to obtain express consent -- for example, registered charities sending fund-raising messages, or messages sent and received on an electronic messaging service where the information and unsubscribe mechanism required by the law is available on the user interface through which the message is accessed.

Businesses are advised to carefully review their own circumstances and to seek advice as to the best approach to deal with the issues arising from the end of the transition period. 

Snoops and gossips beware: Ontario Government to introduce stiffer measures to protect patient privacy

Recently, the Government of Ontario announced its intent to strengthen the rules protecting patient privacy. If passed, these amendments to the Personal Health Information Protection Act (PHIPA) would include:

  • Mandatory reporting of privacy breaches to the Privacy Commissioner and potentially the regulatory colleges;
  • Allowing individuals to more easily prosecute offences under PHIPA by removing the 6 month limitation period following an alleged privacy breach;
  • Increasing institutional fines for offences from $250,000 to $500,000;
  • Increasing individual fines for offences from $50,000 to $100,000; and
  • Clarifying how and when healthcare providers may collect, use and disclose personal health information contained in electronic health records.

Changes to PHIPA were originally introduced in May 2013, as part of Bill 78, although the Bill did not pass before the Legislature dissolved that same month.  The new round of legislation also intends to re-introduce protections for the Ontario electronic health record—a system of health records that spans the province and is shared between healthcare providers—and other personal health information.  Among other things, these protections include privacy and security rules, as well as rules for how patients may control or mask their personal information contained in the electronic health record.

Protection of individuals’ privacy in Canada is a patchwork of federal and provincial legislation affecting the federal and provincial public sectors, as well as the private and health sectors.  Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) controls how businesses and healthcare providers may collect, use and disclose individuals’ personal information.  The provinces, including Ontario, also have legislation specifically addressing privacy in the collection, use and disclosure of health-related information.

CRTC clarifies that anti-spam law won't apply to self-installation of computer programs - most of the time

David Elder -

CRTC staff has issued important guidance on its interpretation of section 8 of Canada’s Anti-Spam Legislation (CASL), noting that the law would not apply to most installations initiated by users, including the downloading of mobile apps from popular digital distribution platforms like The App Store, Google Play and BlackBerry World.

While much attention has been paid to the core anti-spam provisions of CASL, which came into force on July 1, less attention has been paid to date to section 8, which governs the installation of computer programs in the course of commercial activity.  However, as the January 1, 2015 coming into force date nears for that provision, many businesses have been struggling to understand their legal obligations and take the necessary steps to comply.

Section 8 of CASL generally provides that a person must not install or cause to be installed a computer program on another person’s computer system without prior express consent.  Both the terms “computer program” and “computer system” are very broadly defined, and would include a wide range of programs and devices.

Given that it has become commonplace for businesses to develop and distribute mobile apps as promotional tools, often free of charge, the computer installation provisions of CASL have been attracting attention from companies well beyond the software industry. 

Accordingly, it will be welcome news to many that the CRTC has indicated that in most cases, self-installed software is not subject to the requirements of CASL, including software installed from a disc or downloaded from a website or mobile app store.  However, businesses should be aware that even in self-install scenarios, they may still have obligations under the anti-spam law.

In this regard, application developers and distributors may still be subject to CASL as having “caused to be installed” programs on another person’s system.  The Commission’s guidance indicates that it will view businesses as having caused programs to be installed where the installation includes unexpected programs or functionality.  Where a person causes a program to be installed on another’s system, prior express consent must be obtained, in the required form, and certain disclosures must be made, depending on the nature of the programs/features.  In some cases, businesses causing a program to be installed must also ensure that the installing party is provided with an electronic address at which they can request to remove or disable the program, and must also provide no-cost assistance to the installing party to remove or disable the program.

While these provisions appear to be targeted at spyware and malware, they will have broader application to more legitimate programs and functions.  Unexpected programs could include “tag-along” installations of programs such as browsers, toolbars and anti-virus software that are tied to the installation of a primary program.  Unexpected functionality could include the collection of personal information from a device (even if only to identify the user), the modification of user settings or causing the program to communicate with another computer system, such as where programs report system errors and crashes to the software developer.

The CRTC has indicated that the reasonable expectations of users will be the key to a determination of what programs and features might be “unexpected”, based on a review of all relevant circumstances, including the nature of the program being installed and the nature and extent of the disclosures made by the relevant developer or distributor.

Businesses could also continue to face CASL obligations respecting automatic updates or upgrades to self-installed programs.  The law would not apply to scenarios where a user is notified that an update is available, then takes an active step to install the update (which would be considered to be a self-install), but rather to updates/upgrades that are installed automatically, without user prompting or action.  Auto-updates are generally prohibited without consent, but the law explicitly provides that consent may be collected in advance to future updates.  Accordingly, businesses may want to consider building such terms (and express consents) into the download/installation process for programs, in order to pave the way for future upgrades/updates.

One more province (partially) exempt from PIPEDA

The Federal government has expanded the list of organizations that are exempt from the Personal Information Protection and Electronic Documents Act (PIPEDA) on the basis that similar provincial legislation sufficiently protects the relevant personal information. As of October 10, 2012, health care organizations subject to Newfoundland and Labrador’s Personal Health Information Act (PHIA) are exempt from PIPEDA because provincial legislation is “substantially similar”.

Newfoundland and Labrador is now the sixth province to be granted an exemption from some or all of Part I of PIPEDA, and the third to enact exempted personal health information legislation.

Under s. 26(2)(b) of PIPEDA, organizations or activities subject to provincial privacy legislation that is substantially similar to Part I of PIPEDA can be exempted from PIPEDA for the collection, use or disclosure of personal information within that province. This ensures that organizations will not have to comply with two sets of rules that provide the same or greater protection for personal information.

It is important to note that exemptions from PIPEDA are granted only to relevant organizations for their activities within the relevant province. PIPEDA continues to apply to personal information collected, used or disclosed by federal works, undertakings and businesses, as well as to personal information collected, used or disclosed across provincial or Canadian borders in the course of business. The Newfoundland and Labrador exemption is therefore limited in scope as PIPEDA continues to apply to health care organizations’ collection, use and disclosure of personal health information from/into other provinces.

Newfoundland and Labrador’s PHIA has been in force since April 1, 2011. The legislation provides rules for organizations that collect, use and disclose health information that (i) could identify an individual, and (ii) relates to delivering or administering health care. Such organizations include health care providers and operators, provincial agencies involved in health care and health information, ambulance services, pharmacies and others. PHIA provides that consent from the individual must be obtained to collect, use and disclose health information except in specific circumstances. PHIA also provides that applicable organizations must take reasonable steps to secure health information and prevent its disclosure, failing which a fine of not more than $10,000 or imprisonment for a term not exceeding 6 months is possible. However, an organization will not be liable if it demonstrates that reasonable steps were taken to prevent the contravention.

Comprehensive personal information legislation in three provinces has already been declared to be substantially similar to PIPEDA: the Personal Information Protection Act, in British Columbia, the Personal Information Protection Act in Alberta, and An Act respecting the protection of personal information in the private sector in Quebec. Personal health information legislation of two other provinces, in addition to Newfoundland and Labrador, has been declared substantially similar: the Personal Health Information Privacy and Access Act in New Brunswick and the Personal Health Information Protection Act in Ontario. In light of this most recent exemption, it will be interesting to see if similar exemptions are granted in other provinces, leading to fewer organizations which are subject to PIPEDA.


CRTC clarifies anti-spam regulations: consent can include electronic forms

David Elder -

Following the registration, three weeks ago, of its new anti-spam regulations, the CRTC has issued a regulatory policy explaining the changes made to the draft regulations that it had originally proposed, as well as providing some guidance as to how some of the requirements will be interpreted.

In Telecom Regulatory Policy CRTC 2012-183, issued to coincide with the publication of the Electronic Commerce Protection Regulations (CRTC) in the Canada Gazette, the Commission notes that many of the changes to the originally proposed version of the Regulations were made in response to public comments, and in most cases were amendments intended to be less prescriptive and more technology neutral.

In an earlier post, we had summarized the main changes in the final regulations. Helpfully, the new Regulatory Policy appears to clarify several uncertainties that had been raised by these changes.

Perhaps most significantly, the Commission explicitly indicates in the Regulatory Policy that consent obtained “in writing” includes electronic forms of consent, putting to rest one of the more significant concerns of companies operating over the internet. In other contexts, the Commission has accepted electronic forms of consent where a user signifies agreement through some positive action, such as clicking on an “I agree” box.

Although in their final form, the Regulations are not yet in force. They will come into force on the day on which the core sections of Canada’s Anti-Spam Law come into force, which is expected to occur later this year.

CRTC tweaks anti-spam regulations

David Elder -

Final regulations made by the CRTC under Canada’s Anti-Spam Law (CASL) include a number of revisions that respond to concerns raised by Canadian businesses; but while some additional flexibility has been provided, the Commission appears to have left a number of other concerns unanswered.

On 7 March 2012, the CRTC registered its Electronic Commerce Protection Regulations (CRTC), a final version of draft regulations that were originally proposed in June 2011.  Those regulations, and the related Electronic Commerce Protection Regulations that were proposed by Industry Canada, attracted significant criticism from the business community, which expressed concern that the regulations omitted some important clarifications of the requirements of the law, failed to provide exemptions for certain businesses and behaviours that should not be caught by the legislation, and imposed unworkable and unnecessary requirements that may have had a disproportionate impact on technologies such as text messaging.

Those hoping for significant additions to the CRTC Regulations will be disappointed, as the revised Regulations remain in the same form, and appear intended to accomplish the same end, as the earlier version: namely clarifying the sender identity and contact information that must be included in commercial electronic messages and requests for consent to send such messages.  However, to be fair to the CRTC, this narrow focus is consistent with the scope of the regulation-making power provided to the Commission under CASL.

The final Regulations include the following changes from those originally proposed:

  • Clarification that persons sending a message, or persons on whose behalf a message is sent, must identify themselves by the name by which they carry on business.
  • Greater choice with respect to the contact information to be provided.  Senders, and those seeking consent to send messages, may now provide either a telephone number providing access to an agent or a voice messaging system, an email address or a web address.  The original proposal seemed to require the provision of all of these, as well as a physical address.
  • Revised requirements that web-based information be “readily accessible” and that the required unsubscribe mechanism must “be able to be readily performed.” The original proposed Regulations specified these requirements with reference to a maximum number of “clicks.”
  • The revised Regulations now indicate that consent for the receipt of a commercial electronic message may be obtained orally, as well as in writing, as the original proposed regulations provided; however, the Regulations do not provide certainty as to whether electronic forms of consent will be considered to be “in writing,” which was the chief concern of many stakeholders with this requirement. See our earlier post for a discussion of this issue.
  • The Regulations still require that when seeking consent, requestors must include a statement indicating that consent can be withdrawn, but no longer require the requestor to specify through which avenues such a withdrawal of consent could be made.

The publishing of the CRTC Regulations puts the country one step closer to CASL being proclaimed in force.  The other shoes to drop include finalization of the Industry Canada Regulations (a revised version of which is expected to be published in the near future) and the selection of a vendor to run the Spam Reporting Centre contemplated by the Act.

Facebook reaches agreement with German officials over privacy concerns

Yesterday, Facebook reached an agreement with German data protection officials in order to end a dispute over the social networking site’s “Friend Finder” application. Hamburg’s Data Protection Authority received complaints about the feature, which allows Facebook to send unsolicited email invitations to non-members through current members’ address books. The agreement comes as a response to legal proceedings launched by German officials last year against Facebook for accessing and saving the private data of non-members without their permission. For more information, see this article from the Globe and Mail.

How much money is privacy worth?

According to two recent Federal Court decisions, privacy, though protected by the law, is not worth that much money when it comes to actual damage awards.

While most privacy complaints are resolved through the Office of the Privacy Commissioner of Canada, some cases are litigated in court with plaintiffs hoping to receive monetary compensation for privacy violations. Two such cases are Randall v. Nubodys Fitness Centres, 2010 FC 681 (CanLII) and Stevens v. SNF Maritime Metal Inc. 2010 FC 1137 (CanLII).

Randall involved a situation where an employee’s attendance at a fitness club was regularly reported back to his company which paid half of his monthly fees as part of his benefits package. While the Federal Court agreed that this constituted a violation of his privacy rights, the Court did not award any damages stating that only egregious breaches such as video-taping and phone-line tapping warranted compensation. In Stevens, the Federal Court reached the same conclusion and found that while the applicant’s rights were violated when his company accessed his personal account information, the wrong was not malicious and therefore did not warrant an award of damages. The Court noted that the company then voluntarily put into place a confidentiality policy which would help prevent these situations in the future. 

From these decisions, the Federal Court has shown that while privacy violations are readily recognized and condemned, they will rarely result in any monetary compensation. While Michael Geist states that this may have the unintended consequence of diminishing respect for privacy compliance due to a focus on the bottom line, it is important that companies recognize the other costs involved in breaching privacy, such as a damaged reputation and the cost of litigation. It is always advisable for companies to have and follow privacy policies, which will protect both themselves and their employees.

Facebook publishes natural language privacy policy

In November 2009, Facebook responded to privacy concerns by publishing a new, natural language privacy policy. The new policy will first be available for public review and comment, before eventually replacing the current “legalese” version. Last August, Facebook was forced to change its privacy policy, in response to a complaint filed by a Canadian law student with Canada’s Privacy Commissioner. The natural language privacy policy reflects Facebook’s goal to improve “transparency and readability”, according to communications and public policy executive Elliot Schrage.

U.S. federal agencies publish final model GLBA privacy form

On November 16, 2009, the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit Union Administration; the Federal Trade Commission; the Commodity Futures Trading Commission; and the Securities and Exchange Commission (collectively, the Agencies) published a final rule amending the rules that implement the privacy notice obligations under the Gramm-Leach-Bliley Act (GLBA). Pursuant to the final rule, the Agencies are adopting an optional model privacy form that financial institutions may rely on as a safe harbour and that will satisfy their privacy notice obligations under the GLBA. The final rule will come into effect on December 31, 2009.

The model form replaces the “sample clauses” previously contained in the Agencies’ privacy rules and used by many financial institutions in their GLBA notices as a safe harbour. The Securities and Exchange Commission is eliminating the guidance associated with, and the other Agencies are eliminating the safe harbour permitted for, notices based on the sample clauses if the notice is provided after December 31, 2010.

The final rule includes three versions of the model form: (1) a model form with no opt-out; (2) a model form with opt-out by telephone and/or online; and (3) a model form with opt-out by telephone, online and/or mail-in.