What the New Canadian Anti-Spam Legislation (CASL) Actually Means

By , September 30, 2013

Last week I became aware of a flurry of attention around forthcoming Canadian Anti-Spam Legislation. ITBusiness.ca ran a twitter round-up under the hashtag #BeCASLReady and suddenly it seemed this was the next big internet legislative thing to be aware of up here in Canada.

So after our cursory examination of the text of the legislation, here is our take on it and what it means (usual disclaimers apply, we aren’t lawyers).

 

The new law will cover two main things: sending commercial email, and installing software on people’s computers.

The basic upshot is that once the legislation comes into effect, you may not send commercial email to anybody without having an explicit consent (or “opt-in”) from the recipient. You may not install or cause to be installed on somebody’s computer a computer program without explicit consent.

Further:

  • The purpose of the email communications be clearly stated.
  • It must be clear who the messages are from.
  • There has to be an unsubscribe mechanism.

Covers nearly all commercial email.

Under Section (2), a commercial electronic message is defined as:

(2)For the purposes of this Act, a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that

(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
(b) offers to provide a business, investment or gaming opportunity;
(c) advertises or promotes anything referred to in paragraph (a) or (b); or
(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of para- graphs (a) to (c), or who intends to do so.

Further, any message that contains a request for consent to receive any commercial message, i.e. In my mind this means adding “please join our mailing list” to your email .signatures or non-commercial mailings to customers, makes it one:

(3) An electronic message that contains a request for consent to send a message described in subsection (2) is also considered to be a commercial electronic message

Exclusions and Implied Consent

There are a few exclusions or circumstances where express consent is implied and it is these sections which I think are most relevant to existing organizations and their database of customers.

Service providers are excluded:

6(7) This section does not apply to a telecommunications service provider merely because the service provider provides a telecommunications service that enables the transmission of the message.

Pre-existing Business Relationships Imply Consent

This means that if you already have a relationship with your customer, user, client, etc. then explicit consent is implied. Pre-existing relationships are defined under Section 10(9) and 10(10) such as:

10) In subsection (9), “existing business relationship” means a business relationship between the person to whom the message is sent and any of the other persons referred to in that subsection — that is, any person who sent or caused or permitted to be sent the message — arising from

(a) the purchase or lease of a product, goods, a service, land or an interest or right in land, within the two-year period immediately before the day on which the message was sent, by the person to whom the message is sent from any of those other persons;

 

What Is Considered “Software”

The sections that apply to software specifically exclude:

  • a cookie
  • HTML code
  • Javascript
  • an operating system

(8) A person is considered to expressly con- sent to the installation of a computer program if

(a) the program is

(i) a cookie,
(ii) HTML code,

(iii) Java Scripts,
(iv) an operating system,
(v) any other program that is executable only through the use of another computer program whose installation or use the per- son has previously expressly consented to, or
(b) the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.

It is specifically prohibited to install software that causes a person’s computer to send email messages. My read on this is that this is designed to address malware that turns computers into zombies participating in a spam-sending botnet.

 

Fallout for ISPs

The Act provides various provisions where telecommunications providers are required to preserve and make data available for various reasons, including to prove compliance with the Act itself or to assist foreign law enforcement agencies with an investigation.

It becomes specifically prohibited to “alter transmission data” without a court order, which includes diverting a copy of a message to a destination not specifically intended by the sender (or caused to be resent by the recipient) – in other words, no digital wiretaps on email unless:

7. (1) It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a

(a) the alteration is made with the express consent of the sender or the person to whom the message is sent, and the person altering or causing to be altered the data complies with subsection 11(4); or
(b) the alteration is made in accordance with a court order.

Fallout for Marketers and Businesses

The onus is on the sender to prove they have a valid consent to receive – that means timestamps and IPs of opt-ins or proof of a pre-existing business relationship.

Transition Period

Once the legislation takes full effect there is a 3-year transition period during which anybody with a pre-existing relationship with, or anybody who has exchanged emails with an organization is deemed to have given implied consent:

66. A person’s consent to receiving commercial electronic messages from another person is implied until the person gives notification that they no longer consent to receiving such messages from that other person or until three years after the day on which section 6 comes into force, whichever is earlier, if, when that section comes into force,

  • (a) those persons have an existing business relationship or an existing non-business relationship, as defined in subsection 10(10) or (13), respectively, without regard to the period mentioned in that subsection; and
  • (b) the relationship includes the communication between them of commercial electronic messages.

 

Conclusions

To be honest, I don’t find anything earth shaking in here. Certainly not the shock to the system I was expecting after seeing some of the “will your business be ready? #BeCASLReady!” hoopla I’ve seen online.

I don’t think there is much in here that legitimate businesses do not already do, in some shape or form. Pretty well every commercial mailing I get from “real” businesses already:

  • clearly identify who they are (or who it was sent on behalf of)
  • are not misleading in their subject lines
  • give me a clear path to unsubscribe

While it’s true that some businesses are clueless (some hopelessly so) a lot of them either get LART-ed into shaping up by their own customers or select themselves out of the gene pool by failing because they’re so inept anyway.

In other words, what Section 3 aims to do:

3. The purpose of this Act is to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities, because that conduct


(b) imposes additional costs on businesses and consumers;

(emphasis added)

Is precisely the effect that this legislation will have on businesses and consumers.

All this really does is add yet another layer of regulatory burden to businesses, the vast majority of which already have best practices in-place which accomplish all the other goals of this legislation. In fact current best practices go one better than the legislation and usually provide for “double-opt-in” or “opt-in and confirm”

Meanwhile, the real culprits behind the underlying problems: spammers and malware rings, don’t follow the law anyway.

It’s common outcome of government regulation: put the burden of compliance on those who are already legitimate and law abiding, while doing nothing to tackle the real problem.

In other words, while there may be a mini-boom in consultants prepping businesses and organizations in becoming CASL compliant, this isn’t going to stop one single piece of spam from hitting our mailboxes or one single trojan from being installed on your grandmother’s windoze box.

– See more at: http://blog.easydns.org/2013/09/30/what-the-new-canadian-anti-spam-legislation-casl-actually-means/#sthash.AJ7JqTi3.dpuf

Comments are closed