Privacy has become a global issue in recent years. In this vein, the law informally named Canada's Anti-Spam Legislation ("CASL") has applied to all electronic communications sent with a commercial purpose (including emails, texts and instant messaging collectively referred to in this article as "CEMs") from Canada or accessed in Canada since mid 2014. The purpose of CASL is to regulate commercial conduct that discourages e-commerce, such as sending CEMs non-consensually (also known as "spamming", though CASL never uses that term).
Failure to comply with CASL can result in penalties of up to $1 million per day up to total of $10 million for businesses, and directors and officers can also be found personally liable for CASL violations. CASL is currently enforced by the Canadian Radio - Television and Telecommunications Commission ("CRTC") which has levied penalties between $15,000 and $1,100,000 for CASL violations to date.
The pending private right of action, originally scheduled to become effective on July 1, 2017 as part of CASL (3 years after the effective date of the legislation), had struck fear among many businesses doing business in Canada. This private right of action would have enabled individuals or groups of individuals to commence civil or class action proceedings against persons alleged to be in contravention of certain provisions of CASL, Canada's Personal Information Protection and Electronic Documents Act or the Competition Act. A collective sigh of relief was heard last week when the Canadian government announced a delay to the private right of action coming into force. This decision followed a period of intense consultation with Canadians, businesses, and organizations and provides some time for the government to attempt to balance the needs of businesses and consumers. We expect that during this period of suspension, the provisions of CASL will be further reviewed and the private right of action may be revisited.
Though the private right of action is no longer an immediate threat, we continue to recommend that businesses take steps to ensure that their CASL compliance regimes are robust. This is especially relevant because the deeming provision of CASL that provided implied consent for any person with whom an organization had regular electronic communications prior to July 1, 2014 expires on July 1, 2017. This is the perfect time for businesses to roll up their sleeves to ensure their operations are fully compliant with CASL.
Investment Fund Managers (IFMs) and CASL Requirements
IFMs, similar to other businesses, market to existing and potential clients but are subject to the requirements of securities legislation with respect to dealer registration requirements or exemptions. It is important to note that CEMs sent by a foreign IFM to Canadian clients or contacts is caught under CASL.
An electronic message will usually be considered to be a CEM under CASL if any portion of the communication encourages the recipient to participate in a commercial activity. For example, any message that contains:
- an offer to purchase or sell a product or service;
- an offer to provide a business or investment opportunity;
- advertising or content that is promotional in nature; and
- content that promotes an entity or individual who does anything referred to above
would be considered to be a CEM under CASL.
Under CASL, a sender must ensure that: (i) prior to sending a CEM, the recipient has consented (either expressly or via implied consent) to its receipt; (ii) the sender's identification and contact information has been clearly and conspicuously provided in the CEM; and (iii) the CEM contains a functioning, easy-to-use unsubscribe mechanism.
CASL requires that express consent be sought separately using an "opt-in" mechanism that requires the recipient to take a positive step to confirm, such as checking a box or inserting one's initials on a consent line. There is a delicate dance conducted around consent. Consent (either express or implied) must exist before the CEM is sent. As a result, it is generally not a practical solution for IFMs to seek to obtain express consent from investors who would be considered as "cold" contacts in a subscription agreement sent to the potential investor electronically, especially if the desire to first approach the potential client is by sending a CEM. It is also a non-starter to send an email requesting express consent as, under CASL, this email would constitutes a CEM that, paradoxically, required consent before it was sent! Therefore, unless the IFM has express or an implied form of consent (which does not expire as of July 1, 2017) for a particular contact, such contact cannot be approached using a CEM after July 1, 2017.
Obtaining or Confirming Consent
As noted above, under CASL consent can be either express or implied and, in some circumstances, consent is not required. CASL has very specific rules governing the circumstances in which CEMs are exempt from the consent requirement and also where consent will be implied (and navigating the limitations of implied consent can be a minefield!). As a result, IFMs should be cautious in all circumstances where they do not have express consent from a recipient.
Express Consent – The Gold Standard
When requesting express consent (which can be done either verbally or in writing) the following must be set out clearly and the recipient's consent must be recorded and capable of being proven at a later date:
- the purpose(s) for which the consent is being sought;
- information as to the identity of the person seeking consent and, if the person is seeking consent on behalf of another, prescribed information that identifies that other person (generally, the name, physical address, an instant contact method like phone, website or email, and, if relevant, the relationship between the sender and the person on whose behalf the consent is sought); and
- any other prescribed information (currently, only a statement indicating that consent may be withdrawn at any time).
Consent may be implied if:
- there is a prior business relationship (usually requiring an
actual transaction between the parties) within the past 2 years, or
there is an ongoing contract between the parties (other than a
purchase or sale) that remains in effect and has not expired during
the previous 2 years;
- there is an existing non-business relationship (generally not applicable to commercial enterprises, primarily used for organizations such as group memberships, political parties and charities);
- the recipient has publicly displayed their contact information (eg, on a website that is accessible to the public) without indicating it is to remain private and the specific CEM is relevant to the recipient's role, duties or functions; or
- the recipient voluntarily discloses their email address (eg by providing a business card) without indicating that they do not wish to receive CEMs, and the specific CEM is relevant to the recipient's role, duties or functions.
As one can see, the circumstances where consent can be implied are limited and, even in circumstances where consent may be implied, the CEM must be relevant to the recipient's business. These factors make the transmission of CEMs based on implied consent inherently riskier than CEMs sent on the basis of express consent.
CEMs Exempt from Consent Requirement
The following types of CEMs are exempt from the consent requirements of CASL:
- correspondence to family and friends (note however, these terms are very narrowly defined under CASL);
- responding to inquiries sent by electronic means;
- facilitating, completing or confirming a commercial transaction that the recipient previously agreed to enter into (as opposed to encouraging participation in a new commercial activity);
- providing warranty information, product recall information or safety or security information about a product, goods or a service that the recipient uses, has used or has purchased;
- the first electronic correspondence based on a referral where the referrer and the recipient have an existing business relationship (in which case the correspondence must reference the referring party).
Consent in a Nutshell
The onus on proving compliance with CASL is on the sender of the CEM. Wherever possible, an IFM should strive to obtain express consent to the receipt of CEMs from its contacts (including clients). An IFM may still be able to make "cold calls" (via telephone or letter) but can no longer send CEMs to "cold prospects". If a person provides their business card to a representative of the IFM and they have not indicated that that they do not wish to receive promotional or marketing messages, a CEM may be sent based on implied consent if the message relates to the recipient's role, functions or duties in an official or business capacity; however, this may be difficult to verify in some circumstances. In terms of updates on social media, IFMs can post generally but to the extent CEMs are sent from instant messaging platforms, CASL applies, express or implied consent must exist and the required identification and unsubscribe mechanisms must be published on the user interface.
The "Unsubscribe" Mechanism
Pursuant to CASL, each CEM must have an unsubscribe mechanism that:
- allows the recipient to withdraw their consent;
- is clear and prominent; and
- is provided in the same electronic means as the original message was sent in, or another more practical method.
The ability to unsubscribe must be given to each contact (both new and existing) in every CEM sent by the IFM.
Refresh of Compliance Manuals, Policies and Procedures
CASL's only statutory defence to violations is to demonstrate due diligence in ensuring compliance with the requirements of the legislation. As the penalties under CASL are potentially severe, we recommend IFMs conduct a thorough review of their existing compliance manuals and policies and procedures to ensure CASL requirements are adequately addressed. Some questions that CCO's of IFMs may wish to consider include:
- Does our compliance manual have a section dedicated to communications with clients and contacts which includes sub-sections on electronic communications and personal communications?
- Is there a database of email addresses maintained (with either express or implied consent confirmed) which is used for the purposes of CMEs? Is it clear how contacts are added to or deleted from the database and how information is generally updated?
- What is the review process for determining if consent from the contact been expressly obtained or can be implied? Is the type of consent flagged for each contact? Has proof of the consent been retained?
- If consent is implied, is it clear when such consent will expire? If there is no CASL-defined existing business relationship, has the recipient's role, functions or duties in their official or business capacity been documented for the purposes of determining the types of CEMs they may receive?
- If express consent has not been obtained from a contact (and there is no basis for inferring implied consent), are there policies and procedures (such as maintaining a separate database) to ensure that a CEM is not sent until such time as consent is obtained?
- Do recipients of all CEMs have the ability unsubscribe from future CEMs? Will all "unsubscribe" requests be acted on promptly, or in any event within 10 days (as required under CASL), by the IFM and its representatives? This may require a review of client communication systems.
- What is the process to ensure all internal records, including databases, are updated on a regular basis?
- Has the IFM's records retention policy been reviewed in light of CASL requirements?
- Is there a clear policy regarding disciplinary action for CASL violations?
- Is there mandatory training on CASL requirements and potential penalties for all new employees and refresher training for existing employees? If so, does this training provide a source where questions can be directed?
We live in a digital world and the sending and receipt of CEMs is a fact of daily life. In order to operate effectively, IFMs operating in Canada or dealing with prospects or investors in Canada must fine-tune their communications and compliance systems to help protect themselves from potential liability under CASL. You can call on us to help protect your business from the legal implications of CASL and will get you through the storm.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2017