OHA BACKGROUNDER Canada s Anti-Spam Legislation (CASL) May 2014 In December 2010, the federal government passed Bill C-28, the Fighting Internet and Wireless Spam bill, referred to as Canada s Anti-Spam Legislation (CASL), which is designed to reduce the damaging and deceptive forms of spam as well as other activities discouraging electronic commerce. The federal Minister of Industry issued a final Regulation on December 4, 2013 and announced that CASL will be coming into force in phases. Most of CASL and its regulations will come into force on July 1, 2014 but the sections related to computer programs and the private right of action will come into force on January 15, 2015 and July 1, 2017 respectively. Click here to access CASL and here to access the final regulations. Legislation Commercial electronic messages (CEMs) CASL will only apply to certain electronic messages (emails, text messages, etc.); specifically, it will apply in respect of a commercial electronic message (CEM). The Act defines a CEM as an: electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity The definition of CEM also explicitly includes electronic messages that: Offer to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land; Offer to provide a business, investment or gaming opportunity; Advertise or promote anything noted above; or Promote a person as being a person who does or intends to do anything noted above. While, at first glance, this definition may seem not to apply to hospitals, the definition of commercial activity is very broad and could encompass a hospital s communication activities. In CASL, commercial activity is defined as: any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit
The above definition of commercial activity is contextual. Electronic messages will not be excluded from the application of CASL simply because the organization is a not-for-profit corporation. Exemptions CEMs that are sent between family and personal contacts are exempt from the application of section 6 CASL (provisions related to CEMs) entirely, as are messages that are inquiries to a person regarding the commercial activity of the recipient. CASL allows further exemptions to be set out in regulations. Where a particular message is exempt, the technical requirements under CASL relating to consent, sender information and the unsubscribe mechanism (see the next section for details) do not apply. Further exemptions are provided in the CASL regulation. A number of these exemptions are relevant to hospitals, including: CASL will not apply to work messages sent within an organization or between organizations that have a relationship; CASL will not apply to messages that are soliciting donations for registered charities (N.B., this exemption may apply to hospital foundations); CASL will not apply to messages sent in response to a request, inquiry or complaint, or that are otherwise solicited by the recipient; and Messages sent to a person to satisfy a legal obligation will be exempt. Additionally, the regulation provides an exemption for consent for the first CEM where the recipient s address is a referral from an existing business, non-business, family or personal contact and that person is identified in the message. Prohibitions on unsolicited CEMs, altering data, and installing computer programs CASL will prohibit unsolicited CEMs unless the sender has the prior consent (either explicit or implicit) of the person receiving the message, and the message meets the requirements set out in the Act regulations. These requirements include identifying information about the sender and identifies the person on behalf of whom the message is sent; information which enables the receiver to contact these persons; and an unsubscribe mechanism. Importantly, electronic messages seeking consent for sending CEMs are themselves considered CEMs. CASL includes detailed provisions governing consent for the purposes of the Act. To receive express consent, the person requesting consent must clearly and simply communicate: (1) the purposes for which consent is being requested; (2) the identifying information required by the Act; (3) and any other information required by the regulations. Organizations will be able to rely on implied consent where: (1) there is an existing business or non-business relationship between the sender and receiver and the relationship has been active within the preceding two years (see CASL subsections 10(10) and 10(13) for the specific definitions of existing business relationship and existing non-business relationship );
(2) the receivers electronic address has been conspicuously published and the publication does not include a statement indicating the receiver does not wish to receive unsolicited messaged; (3) the receiver has provided his or her electronic address to the sender without an accompanying wish that the receiver not receive unsolicited messages and the message is relevant to the receiver in an official capacity; or (4) in other circumstances set out in regulations. (Note: no regulations have been made with respect to these sections at present.) CASL also includes a transitional provision such that consent is implied for three years for past business and non-business relationships that included the sending of CEMs when CASL first comes into force. The required unsubscribe mechanisms must: (1) allow receivers of CEMs to indicate, at no cost, they no longer wish to receive any CEMs or classes of CEMs from the sender of the CEM; and (2) must include an electronic address or link to which the indication may be sent. The address or link must be active for 60 days following the receipt of the CEM. Where a person unsubscribes, the person sending the CEMs must give effect to that request within 10 business days. Additionally, CASL prohibits two other activities. It prohibits the alteration of data related to telecommunications/network functions whereby electronic messages are rerouted without the consent of the original sender, and the installation of computer programs (e.g. spyware) without express consent. Penalties, offenses, and a private right of action CASL provides a number of mechanisms to enforce the Act, including detailed provisions related to the levying of administrative monetary penalties by the Canadian Radio-television and Telecommunications Commission (CRTC). Administrative monetary penalties include amounts up to $1 million for individuals and $10 million for corporations. CASL also includes provisions for failure to comply with administrative directions to preserve data and obstruction of investigations offences that may be prosecuted by the federal Commissioner of Competition. These offences are subject to fines of up to $10,000 for a first offence and $25,000 for subsequent offences for individuals, and fines of up to $100,000 for a first offence and $250,000 for subsequent offences for corporations. Additionally, CASL will allow private persons to sue individuals or corporations that have violated the Act in Court (the private right of action). CASL includes detailed provisions specifying the amounts that courts can award for unsolicited CEMs, altering transmission data, and/or installing computer programs. Key Questions for CASL Implementation The degree to which an individual hospital may be affected by CASL will be dependent on the amount and type of online communications in which a hospital engages. It is advisable to ensure that hospital IT departments and providers are aware of the upcoming changes. (See below for a list of key questions to consider when determining if CASL applies to a hospital s
electronic communication). It will be important to ensure any CEMs hospitals send meet the requirements set out in CASL and its regulations. The following questions will aid in determining whether CASL applies and what particular actions must be taken in terms of compliance. The more a message resembles a CEM and where it is unclear that an exemption applies, it is advisable to seek recipients express consent and include the information and unsubscribe mechanism required by CASL. 1. Assess whether CASL applies for each list/type of electronic message: a. What form of electronic messages does the organization send? b. Is the electronic message commercial i.e. relate to buying or selling, promote the organization or something else, etc.? c. Who is sending these messages? d. Do any exemptions apply? e. What kind of consent is needed (if no exemptions apply)? Key exemptions: 1) Business to business communications: Does the sending organization and the recipient s organization have a current relationship and is the message relevant to the recipient s business? 2) Solicited messages: Is the electronic message in response to a request, inquiry or complaint or is it otherwise solicited by the recipient? 3) Fundraising: Is the message being sent by or on behalf of a registered charity and does the message have fundraising as its primary purpose? 2. Does the organization and recipient (or recipient s organization) have a business or non-business relationship currently or in the past? 3. Has the organization sent a CEM to the recipient in the past? 4. When was an email list created? Where did the addresses in the list come from? 5. Is it identifiable whether or not consent was received from the recipients on a given list? Is it possible to differentiate between those recipients for which the organization has received consent and those for which it hasn t? 6. Is it known when any such consent was received? 7. Does the organization record this information, i.e. the type of consent received, and when that consent was received? 8. Do the organization s electronic messages include the necessary information, e.g. contact information, address, etc.?
9. Do the organization s electronic messages include a valid unsubscribe mechanism? 10. Who is accountable for the organization s email lists or a specific list? Is he/she aware of the requirements of CASL? For additional information, please contact Jeffrey Bagg, Legislative Advisor, at jbagg@oha.com or 416-205-1374.