Canada's Anti-Spam Law: How Does It Apply in Survey Research?
Thursday, February 27, 2014
Canada Anti-Spam Law: Summary of Application in Survey Research Context
A Memo from CASRO General Counsel, February 25, 2014
Canada's new anti-spam law (“CASL”) was passed in December 2010. As passed, CASL provided for a delayed effective date, including for the issuance of regulations to clarify certain provisions of the law. The main sections of CASL come into force on July 1, 2014. Sections related to the unsolicited installation of computer programs or software come into force on January 15, 2015 and sections related to a private enforcement right come into force on July 1, 2017.
CASL is widely recognized by commentators as being one of the toughest national anti-spam laws, although, as discussed below, the Industry Canada department of the Government of Canada (“GOC”) has recognized an exception for survey research.
CASL applies to any “commercial electronic message” (“CEM”), which is broadly defined as a message (including text, sound, voice or image) sent by “any means of telecommunication” to an “electronic address” (including email, instant messaging account, telephone account, or “other similar account”) that has “as its purpose, or one of its purposes” to encourage participation in commercial activity.
Generally, CASL applies to messages that are sent to recipients in Canada and to messages that are sent from Canada to recipients outside of Canada, unless (i) the recipient’s foreign jurisdiction is one of many listed in the statute (including the U.S.), (ii) the jurisdiction has anti-spam legislation, and (iii) the message complies with those foreign laws that address conduct substantially similar to the conduct prohibited by CASL with regard to CEMs.
CASL generally requires (i) the recipient’s affirmative consent (opt-in) to receive the CEM and (ii) certain information to be included in the CEM, such as identity of the person who sent the message or on whose behalf the message was sent, information permitting the recipient to “readily” contact that person, and an opt-out mechanism.
The statutory fines are significant, with maximum statutory fines for a violation of up to $1,000,000 for an individual and $10,000,000 for an entity. Finally, violations will be subject to a private right of action beginning on July 1, 2017.
Although CASL and its regulations do not expressly exclude market research from CASL’s application, in response to the question “Why is the government not exempting surveys and market research?” the GOC has stated, “Those doing surveys and market research are not affected by [CASL] as long as they are not trying to sell something, so the electronic message is not considered to be a commercial message. The government is concerned that an explicit exemption for surveys and marketing research would easily be abused.”
Accordingly, CASL should not apply to electronic messages used in legitimate survey research. However, strict observation of a full separation of survey research and marketing of any kind seems important to ensure compliance with CASL and to avoid inadvertent violations. As noted above, to qualify as CEMS under CASL, electronic messages need only have as “one of its purposes” the encouragement of participation in commercial activity. The commercial purpose need not be its only purpose or even its main purpose.
So, for example, one Canadian legal commentator, in citing the GOC’s guidance on the exception of CASL’s application to survey and market research, notes that “individuals should exercise caution when relying on this exception given that an activity can be defined as commercial even if the person carrying out the activity has no expectation of profit. For example, an email relating to a contest could be considered commercial in nature.” That same concern could conceivably extend to incentives offered for survey participation, though, given the language of the FAQ cited above, such an interpretation seems unlikely.
Other express exceptions to the consent requirement (but not the content requirement) include a CEM that (i) responds to a request or inquiry by the recipient; (ii) facilitates, completes or confirms a commercial transaction to which the recipient had previously agreed; (iii) provides information about the recipient’s ongoing membership or account with the Sender, including ongoing use of a service offered under a membership; and (iv) delivers goods or services that the recipient is entitled to receive under a prior transaction with the sender.
Furthermore, the GOC has stated that the CASL CEM requirements (including consent and content) do not apply to a message that is “sent on platforms where the required identification and unsubscribe information is conspicuously published and readily available to the recipient on the user interface, and duplication in each message would be needlessly repetitious.”
If not relying on CASL consent exceptions, CASL permits consent through direct, implied, and third-party methods. For direct consent, the CEM must “clearly and simply” provide (i) the purpose for which the consent is being sought and (ii) the identity of the person seeking consent or on whose behalf consent is being sought (which is information that would need to be required in a CEM anyway).
Among the circumstances that qualify for implied consent is when the sender and recipient have an “existing business relationship”, which can be established under a few different criteria, including when the recipient has made an inquiry or application to the sender within a six-month period.
CASL allows businesses to seek consent to allow other businesses to send CEMs, even where those other businesses are not yet identified when the consent is sought. The "unknown third party" consent requires the person who obtained the original consent to ensure that CEM sent from the third party (i) identifies the person who obtained the original consent and (ii) provides an opt-out mechanism that enables the recipient to unsubscribe from third party messages attributable to the person who originally obtained the “unknown third party” consent. In addition, the person who originally obtained the “unknown third party” consent must then notify all such third parties of the withdrawal. Important to note is that the person obtaining the original consent—and not just the third-party sender relying on the original consent—must ensure that CEMs sent by the third-party sender comply with the identification and opt-out requirements (and, if applicable, ensure that the withdrawal notification is provided to third parties).