How to Better Canada’s Digital Economy – Improving Canada’s Anti-Spam Legislation (An Open Letter)
Editor’s Note: This letter is a carbon copy of the official submission Lighten CASL Inc. o/a #LightenCASL made to the House of Commons INDU Committee on December 5, 2017 re: the statutory review of Canada’s Anti-Spam Legislation (CASL).
My name is Andrew Schiestel. I’m a Canadian technology and marketing entrepreneur. I’m the president at tbk Creative, a co-founder of AODA Online, the founder of Lighten CASL Inc. o/a #LightenCASL, and serve as president (chair) on the Board of Directors of the London Chamber of Commerce.
To begin, I’d like to thank the House of Commons INDU Committee for allowing me to appear before the committee as a witness to provide testimony at the October 19, 2017 hearing.
This letter is to share with you my observations of Canada’s Anti-Spam Legislation (CASL). I believe I’m qualified to speak authoritatively and to reach the granularity required on this file for a few reasons: First, I’m a professional digital marketer; I’ve been involved professionally and extensively in the practical applications of the Act in industry and understand the specific nuances businesses must consider when building competitive marketing fronts to compete effectively, both domestically and against foreign counterparts. Second, I have extensive experience in public policy on this subject matter. In 2014, through the London Chamber’s Government Affairs Committee, I was one of the authors of the original Canadian Chamber policy on CASL that became delegate-approved at the 2015 Canadian Chamber AGM. In 2017, I wrote a second Canadian Chamber policy resolution on CASL, and this year, I served on policy taskforces with the Canadian Chamber on this file, along with the Coalition of Business and Technology Associations (a submission made to INDU on this file on November 22, 2017), wrote three articles in the last 18 months related to CASL in The Financial Post (August 16, 2016, May 17, 2017 and November 21, 2017) and I’m the founder of Lighten CASL Inc. operating as #LightenCASL, a not-for-profit organization that studies CASL’s inadvertent implications to industry and educates and informs government and the public on how to improve the legislation. Last, like you, I’m a consumer. I own a home, pay taxes, buy products and services from local, regional, national and online suppliers, and care deeply about how my personal information is collected, stored and shared.
Several people have asked me how I got into the conversation about CASL, and why I care. I thought I’d share, in a sincere and detailed manner, how I got to this point of writing a letter to your committee. I also want to outline what I feel could be done to modify CASL in a way that will improve the competitiveness for our Canadian businesses, while still protecting consumers.
A large portion of tbk Creative’s revenue comes by way of web design. In the spring of 2014, several of our clients began reaching out to my company asking for assistance with CASL. Almost every one of them was more or less dumbfounded when it came to complying with the legislation. CASL is a legal conversation, but also a digital one – when developing websites, every user form a web design provider creates must ensure it adheres to the provisions of CASL – generally, properly provide company information and offer an opportunity for the user to provide consent if they wish to (along with some other nuances).
My team at tbk Creative has a track record of taking compliance measures beyond the standard call of duty. For instance, in 2013, we felt there was inadequate software and professional collective industry knowledge in the marketplace to help enough companies build websites that would comply with the Integrated Accessibility Standard Regulation (IASR) of the Accessibility for Ontarians with Disabilities Act (AODA), legislation in Ontario that requires certain organizations to become accessible for people with physical disabilities. In that same year, tbk Creative invested substantial resources and developed a commercial software called AODA Online, that helps web development teams build websites that are accessible for people with physical disabilities. Since then, AODA Online has been used by hundreds of groups, including some of Canada’s largest and most recognized brands, and has helped countless organizations better comply with the AODA legislation.
“I started to dig into the legislation and quickly realized CASL was a viperous legal juggernaut.”
We take compliance with our clients very seriously. As we were receiving inquiries from clients re: CASL compliance, I started to dig into the legislation and quickly realized CASL was a viperous legal juggernaut. Although likely not its intention, it’s overtly confusing for most to understand, it can be extremely difficult for companies to comply with, those that comply lessen their competitiveness in the marketplace, there can be debilitating liability measures such as up to $10 million per corporate offence, allowance for civil legal proceedings (with gratitude, the private right of action provisions were delayed by your government), and an allowance for personal liability for directors and officers of corporations. This legislative chemistry is a ticking time bomb. I remember thinking at the time, why would our government create such legislation that would impede Canada’s competitiveness and stifle the potential of our digital economy? I would worry about that later, but at that time back in 2014, I needed to figure out how to immediately help our clients comply with the hand they were dealt.
I probably felt what a lot of companies felt at the time – it would take thousands of dollars in legal fees to work with a lawyer to adequately understand the breadth of the legislation – and that was only for our own company. I had a creative idea instead. I decided I would reach out to a technology lawyer with a business proposition – I would produce a series of short videos for marketers in Canada, and each video would answer one common CASL question that marketers were grappling with. I would get the accuracy of the information confirmed with a business lawyer, who specialized in technology and privacy-based law, and in exchange for her/his counsel, she/he would be a sponsor of the video (displaying their name and firm in the videos and on the blog articles in which the videos were published). I reached out to a partner at Harrison Pensa LLP (London, ON.), David Canton, with the proposition noted above and he said, “Yes”. With Canton’s help, the video series eventually launched, and 13 videos were produced in total. I can’t underscore how fortunate tbk Creative and our clients were in this situation, having received thousands of dollars in legal advice at no cost from a credible senior technology lawyer. However, I knew most of the other 1 million+ businesses in Canada wouldn’t have the same privilege or fortune that we had.
Through the video series and spending dozens of hours with Canton, I gained a strong foundational knowledge of the legislation very early on. Initially to help businesses, I took a pro stance only. I sought to help companies comply with it through the video series, working with our clients, and through writing some educational column articles for The Globe and Mail (Nov. 25, 2014) and The London Free Press (June 30, 2014). I knew a lot about the legislation and my goal was to help other companies sift through its provisions.
Months went by and as tbk Creative worked on web design and digital marketing projects that looked at the finer details of implementing this legislation into business environments, I began to realize something was deeply wrong. No one could argue the noble goals of the legislation – basically to improve the “efficiency” of our digital economy and as such protect consumers from spam. Inadvertently, however, the legislation overextended its aim and put Canadian businesses in a situation that is both anti-competitive and excessively expensive to comply with.
I’ll explain the foregoing statement with three examples.
EXAMPLE 1 (Rigorous Bar for Consent):
Rigorous bar for consent which creates an anti-competitive environment for our Canadian businesses.
In terms of establishing consent, CASL sets the bar higher than any other legislation in effect in the world. There are many instances that are perfectly reasonable to permit commercial electronic messages (CEMs) to be sent from businesses to consumers. For instance, a retailer may spend money in setting up an online sweepstakes page, money on contest compliance (legals), money on a prize, and money on advertising the contest. The retailer may go through the process of setting up an express consent message on the entry web form with a check box to indicate express consent. In these instances, a large portion (often over 50%) on average won’t take the deliberate action of checking the box to provide express consent when given the opportunity. For this segment, the business doesn’t have express consent (the box wasn’t checked) and it could probably be argued that pursuant to the Act the business doesn’t have implied consent either. One of the closest provisions a business could lean on, but likely come up short, are sections 10(10)(a) and 10(10)(e) which allow for implied consent when an “existing business relationship” is present, with the condition of expiration dates associated to the consent (i.e., 2 year and 6 month purge date rules). But in the instance of a sweepstakes (or similar contest), the consumer hasn’t purchased a product/service, nor inquired about a product/service (so the EBR as outlined in 10(10)(a) and 10(10)(e) wouldn’t apply). Another provision – 10(9)(c) – allows for implied consent to be present when the recipient discloses their contact information to a sender but the provision appears to only apply in a business-to-business capacity. 
Therefore, the retailer has spent money on all the elements listed above – setting up the contest, legally complying with federal legislation (e.g., Competition Act, Criminal Code, potentially registering the contest with a regulator in the Province of Quebec, etc.), advertising, a prize, etc., at the benefit of the consumers (a consumer’s gain is the prize or a chance to win the prize (after answering a skill-testing question)), and no consent will be present often after consumers have voluntarily provided the business their contact information. This is a unilateral situation and distinct to Canada.
The above situations put our Canadian companies at a competitive disadvantage, because foreign counterparts are able to collect and market to users in which they collected the information in the first place, at a more voluminous pace.
And, this information isn’t only isolated to sweepstakes. The same could be said for the common practice of content marketing where a business – let’s use an accountant as an example – writes a specialized e-report on a given topic and makes it available through a web form on their website for consumers. If users don’t provide express consent, it would probably be argued that there’s no implied consent either (as defined in the Act), since the user hasn’t purchased a service from that accountant, nor have they technically inquired about a service. This is inequitable and unilateral as the accountant used their professional expertise (that can demand hundreds or over a thousand dollars per hour) to produce the e-report, spent money producing the web-based landing page, possibly spent money on advertising, and the legislation creates a situation where the accountant will have consent with less users who provide them information in the first place, than when compared to other regimes around the globe in similar situations.
“It’s unlikely that Canadian legislation will ever materially get this extraterritorial spam under wraps”
One could attempt to counter the preceding “anti-competitive” statements by saying that CASL applies to all parties emailing Canadian consumers (so everyone globally is on the same playing ground), but pragmatically, this just isn’t the case. We have all probably experienced receiving a number of unauthorized CEMs from entities outside of Canada, even reputable ones. Although our regulators have publicized certain memorandums of understanding (MOUs) with other jurisdictions regarding spam enforcement, it’s unlikely that Canadian legislation will ever materially get this extraterritorial spam under wraps for at least two reasons: it’s costly to go after companies in various parts of the world through litigation, and CASL is so much more rigorous than its counterpart legislation in other developed countries. It may be difficult to persuade foreign regulators to impart our invented sanctions on their home grown companies since they would be allowing fines to be rendered to their companies for acts that could be perfectly legal in their own country. With our direct neighbours to the south for instance, even without the current political environment as it is, could you see Canada’s regulators succeed at fining a US company $10 million dollars for a violation of CASL that would be perfectly legal under CAN-SPAM Act? It’s highly unlikely, and as such demonstrates the kernel of CASL being anti-competitive policy for our Canadian companies.
At a May 15, 2017 Ontario Bar Association event I attended in Toronto, CRTC panelists confirmed that at that given time, no fines of any form had been levied against foreign companies pursuant to CASL; all fines at that time had been handed out to Canadian entities only.
This appears to be corroborated further with evidence provided by CRTC to the INDU Committee hearing on September 26 and November 9 (again only Canadian entities noted; no foreign ones).
EXAMPLE 2 (Unnecessary Purge Dates):
Arbitrary purge dates which are excessively expensive to comply with.
“[The 2-year and 6-month purge dates have] created a financial maelstrom for businesses to actually implement”
CASL has created a label called “existing business relationship” (EBR). An EBR gets formed in a number of instances as defined in section 10(10) but the two most common instances are when a person purchases a product or service (10(10)(a)) or inquires about a product or service (10(10)(e)). The legislation further associated expiration dates to these existing business relationship rules. After 6 months from an inquiry and 2 years from the date of last purchase, a user must no longer receive CEMs from the sender. Optically, creating purge dates probably seemed innocuous enough in drafting the legislation, but in doing so, it has created a financial maelstrom for businesses to actually implement. Let me explain with a common example:
Let’s say you own a software company. You regularly have people inquire about your subscription service but not provide express consent (e.g., they don’t check a consent box when filling out the initial user form). In this instance, you can lean on the 6-month EBR rule 10(10)(e), essentially needing to purge the lead 6 months after the inquiry unless the user provides express consent, re-inquires, purchases a product (starting the 2-year EBR rule), or some other exception enacted in the Act. Still sound relatively simple, right? Perhaps for some, but let’s dig even deeper on this example.
Say you have tens of thousands of leads in your database. Because of scale and economic considerations, it’s not practical to manually track the status of each person, so you turn to software to automate. To successfully build this software, here are some of the steps to take and logic you’ll have to ensure is encompassed:
- You’ll require customer relationship management (CRM) or enterprise resource planning (ERP) software to store the leads. You probably already have one of these so the first step is likely already complete.
- As leads come in, you’ll need to store the date the lead inquired; most CRM/ERPs track this out of the box, so at this point, all is still likely copacetic.
- Now comes the customization – as each new lead comes in (or changes semantically based on their behaviour once in the database), you will need to associate (or change) a status label to it: Prospect (6-month EBR), Customer (2-year EBR), Express Consent, Business-to-Business Exception, Personal Relationship Exception, Family Exception, or Unsubscribed. There are a few more pursuant to the Act (e.g., “Conspicuous Publication” and “Disclosure” could be another two – s. 10(9)(b) and 10(9)(c) of the Act, respectively), but the foregoing list is substantive enough to complete this example.
- A multi-faceted software script will need to be built to change each entry’s label based on a combination of: i) their last behaviour, ii) time the behaviour occurred, and iii) a graduated priority strength of the label.
- After 6 months, if no other action takes place by a lead, the lead will need to be prohibited from receiving any further CEMs.
- If a “Prospect” purchases a product or service in the 6-month EBR period but doesn’t provide express consent when doing so, their label needs to change from “Prospect” to “Customer” and the expiration date needs to re-set to 2 years from the date of that last purchase.
- If a “Customer” re-purchases a product or service, the purge date needs to reset to 2 years from the date of last purchase.
- If a Prospect or Customer provides express consent in their EBR period (i.e., 2-year or 6-month windows), the label needs to change from “Prospect” or “Customer” to “Express Consent” and no purge date is associated with this contact any longer.
- If an entry is labelled as “Express Consent”, and this entry buys another product or service, the script must have the wherewithal to know not to change the label from “Express Consent” to “Customer” as a Customer label would reset a 2-year purge date, whereas the Customer already provided express consent and therefore no purge date should be associated with this contact.
- If an entry is labelled as “Unsubscribed”, and this entry buys a product at some point after it received this label, but doesn’t provide express consent while doing so, the script must change their label from “Unsubscribed” to “Customer”.
- The software solution must allow for manual entries – for instance, the business may make the judgement that an entry falls under a Business to Business exception pursuant to Industry Canada’s regulation (3(a)(ii) of the Electronic Commerce Protection Regulation).
- New purchases and inquiries must be automatically updated in a reasonable time period so as to avoid sending a CEM to someone who has unsubscribed or whose existing business relationship has expired.
- All the data formulated above must be sent ongoing to the company’s email marketing system to ensure emails go out to the correct recipients.
- Inversely, the email marketing system must communicate the results back to the CRM/ERP (namely, anyone who unsubscribes).
- Significant staff training must occur initially and continuously for management of this system to ensure continued compliance. In the cases of phone calls and in-person visits, manual entries or editions to CRM data must occur by staff for proper recordkeeping.
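The label and purge-date rules listed above, written as a state machine in Python (an added example, not code from the letter or from any CRM product). The event names, the `replay` helper, the inclusive purge date, and the handling of inquiries from existing Customers and from Unsubscribed contacts are assumptions the letter does not specify.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Label names are taken from the list above; everything else is an assumption.
PROSPECT, CUSTOMER = "Prospect", "Customer"
EXPRESS, UNSUBSCRIBED = "Express Consent", "Unsubscribed"
# Labels a staff member assigns by hand; treated here as having no purge date.
MANUAL = {"Business-to-Business Exception",
          "Personal Relationship Exception", "Family Exception"}


def add_months(d: date, months: int) -> date:
    """Calendar-month addition that clamps to month end (Aug 31 + 6 -> Feb 28)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class Contact:
    label: Optional[str] = None
    expires: Optional[date] = None   # None means no purge date is attached

    def apply(self, event: str, on: date, manual_label: Optional[str] = None) -> None:
        if event == "unsubscribe":            # always wins, whatever the label was
            self.label, self.expires = UNSUBSCRIBED, None
        elif event == "express_consent":      # strongest basis, no purge date
            self.label, self.expires = EXPRESS, None
        elif event == "manual":               # staff judgement, e.g. B2B exception
            if manual_label not in MANUAL:
                raise ValueError(f"unknown manual label: {manual_label!r}")
            self.label, self.expires = manual_label, None
        elif event == "purchase":
            # Express consent (and, by assumption, manual exceptions) must not be
            # downgraded to Customer, which would attach a 2-year purge date.
            if self.label == EXPRESS or self.label in MANUAL:
                return
            # Prospect, Customer, Unsubscribed or new: 2 years from this purchase.
            self.label, self.expires = CUSTOMER, add_months(on, 24)
        elif event == "inquiry":
            # Assumption: an inquiry never overrides Unsubscribed or a stronger label.
            if self.label in (EXPRESS, UNSUBSCRIBED) or self.label in MANUAL:
                return
            window = add_months(on, 6)
            # Assumption: keep a Customer window that outlasts the new 6 months.
            if self.label == CUSTOMER and self.expires and self.expires >= window:
                return
            self.label, self.expires = PROSPECT, window
        else:
            raise ValueError(f"unknown event: {event!r}")

    def may_send(self, on: date) -> bool:
        """True if a CEM may go out on `on` (purge date treated as inclusive)."""
        if self.label in (None, UNSUBSCRIBED):
            return False
        if self.expires is None:              # Express Consent or manual exception
            return True
        return on <= self.expires


def replay(events) -> Contact:
    """Rebuild a contact from (date, event[, manual_label]) tuples.

    Events are sorted by date first, so records that arrive out of order from
    the CRM or the email system still produce the same final label.
    """
    contact = Contact()
    for on, event, *extra in sorted(events, key=lambda e: e[0]):
        contact.apply(event, on, *extra)
    return contact


if __name__ == "__main__":
    # Constructed timeline: the purchase record arrives before the older inquiry.
    timeline = [(date(2017, 3, 1), "purchase"), (date(2017, 1, 10), "inquiry")]
    c = replay(timeline)
    print(c.label, c.expires, c.may_send(date(2019, 3, 2)))
```
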
“It’s upwards of over $5 million that they’ve had to invest in technology to update their systems.”
It probably goes without saying, but a software solution like this is sophisticated and will cost businesses in Canada five to six figures to implement, with ongoing costs each year (also likely in the five to six figures) to maintain. Larger companies with thousands of employees, dozens of systems and multiple service lines can reach millions of dollars in compliance costs without trouble. At the November 7 INDU Committee hearing, Kim Arsenault, the Sr. Director of Client Services at Inbox Marketer, stated, “Companies that we have advised and spoke to have told us specifically it’s upwards of over $5 million that they’ve had to invest in technology to update their systems so that they can actually track the level of permission that CASL has asked for.”
Those that build a system and comply with the legislation have spent significant sums of money to comply but still can’t overcome the anti-competitive nature of the legislation (touched on in EXAMPLE 1). They’ll still be spending more money than foreign counterparts on compliance and collecting and marketing to leads at a lower rate than their foreign counterparts. Those companies that struggle at compliance (e.g., in a 2017 Canadian Chamber of Commerce survey, 56% of respondents agreed strongly that “the legislation is too complicated and confusing”) will be liable to large monetary penalties (up to $10 million per offence) and potential civil legal proceedings (at actual damages in addition to statutory penalties of up to $1 million per day).
Furthermore, it’ll be difficult to create a universal system to handle the EBR dilemma noted above for a few reasons. First, Canada is a small marketplace for SAAS investment compared to US or global marketplaces. Because CASL is distinct in its rigour, there are no other regions this system would apply to and therefore won’t demand as much interest from technology investors. Second, CRMs/ERPs and email marketing software come in hundreds of shapes and sizes. Many companies are already deeply entrenched with certain CRMs or ERPs (e.g., SAP, Salesforce, Microsoft Dynamics etc.), so it makes it difficult to create one solution that the over 1 million companies in Canada can adopt. Third, many lawyers question CASL’s constitutional validity. In 2013, lawyers Stephanie Provato and Dr. Emir Crowne wrote a published paper titled: Canada’s Anti-Spam Legislation: A Constitutional Analysis, 31 J. Marshall J. Info. Tech. & Privacy L. 1 (2014), and other lawyers, such as Barry Sookman, continue to contest that CASL is unconstitutional and won’t survive a Supreme Court decision on the matter.
EXAMPLE 3 (Overhanded Liability):
The scope of CASL’s sanctions on violators are extensive, punitive, and sizeable.
With the legislation comes many forms of action it can take on those that breach one of its many complicated or difficult to implement provisions:
- Regulatory penalties can occur up to $1 million per personal offence and up to $10 million per corporate offence.
- If the private right of action provisions are re-commissioned, recipients of CEMs can sue senders for alleged violations of CASL, not only damages but statutory – allowing for $200 per electronic message up to $1 million per day (again, above actual damages).
- Directors and officers can be held personally liable for their corporation’s offences.
In principle, creating liability that’s measured and to encourage compliance with legislation is fine and should be one of a number of intentions sought when drafting legislation. However, creating legislation that mainly only Canadian companies attempt to comply with, is difficult and costly to comply with, disadvantages our economy to comply with, and then overly punishes those that may have good intentions but don’t succeed at the onerous threshold set for compliance, can’t be in the best interest of keeping “Canada at the leading edge of the digital economy.”
The Software Company
In April 2017, I sat down with the director of marketing at a software company based in London, ON. that employs approximately 100 people and does global sales through their website. The director told me this story:
The company recently underwent enhancements to its corporate website. When it got to the stage in the project where they needed to build out user contact forms for sales inquiries, they had a decision to make.
As the director described to me, her team had two options:
Option 1: The company would create website user forms to ask a web user what country they are from, and if Canada was selected, different information would dynamically appear on the form (under CASL, additional information is required to technically form express consent; more so than other legislation in effect) and a whole series of software database customization and process establishment would occur to market to these leads after the fact;
Option 2: Alternatively, they would create only one universal user form that doesn’t change based on the user, and for anyone that is Canadian, they would choose not to market to via email while the contact is a lead.
Neither situation is ideal for this Canadian business. In the first instance, they would collect less leads (therefore operate anti-competitively to foreign competitors) and incur additional software customization costs in setting up the dynamic form. In the second instance, they would eliminate marketing via email to leads (a vital medium for this company as they are web-based only) to the entire Canadian marketplace. Not to mention, in the latter example, Canadian consumers aren’t being serviced to the degree that they may wish or expect to be.
With only these two options present, sadly, the company chose the second option (one universal form and not marketing via email to leads based in Canada).
The Insurance Company
In May 2017, I sat down with a senior vice president of an insurance brokerage company that employs over 10,000 people globally and over 1,000 in Canada, with a head office in Europe and over a dozen offices throughout Canada.
In disbelief with the circumstances, he explained to me that because this is Canadian legislation that has very little compliance symmetry to any of their other operating markets, the Canadian division has had to advocate to their foreign counterparts the need for a Canadian-only solution to CASL. The problem as he explained it to me is that many of the decisions in terms of CRMs, email marketing software, processes, etc., are driven at a corporate level (out of Europe), not a Canadian level.
They are in a large technical dilemma where they use a blend of Salesforce (a CRM provider) and Microsoft Outlook (an email provider). The insurance advisors use Salesforce for email marketing and all other staff use Outlook. The reason for the two systems is that Salesforce costs a certain amount per user (or batches of users), so to put the 1000+ Canadian staff members on Salesforce would cost the company a large additional compliance expense. However, for their company to implement a full CASL solution, they may be forced to go this route with additional Salesforce customization to fit their needs, which will accrue further costs.
“He feels personally vulnerable and believes that the situation his company is in is unjust.”
This executive also expressed sincere concern to me over the director and officer liability provisions. As an officer of the corporation, he could be held personally liable for violations his company may make regarding CASL. There’s no other way to describe this situation but to say he feels personally vulnerable and believes that the situation his company is in is unjust.
He continues to act in good faith to strike a solution with their head office and other domestic operations while balancing the need for the company to stay economically competitive, but knows there’s something deeply wrong with the legislation.
To my knowledge, their company still hasn’t successfully implemented a company-wide solution to CASL.
The Financial Company
In April 2017, I sat down with a vice president and a marketing manager of a Canadian-based financial company that employs around 600 people.
Their dilemma was building out the software and processes to ensure that they are properly acquiring consent and tracking the moving purge dates (2-year and 6-month EBR rules) of those that they may have implied consent with.
When asked about how they handle incoming leads, their response was that, as a result of CASL, their marketing department will execute email campaigns to customers but not prospects. They feel more comfortable sending CEMs to customers because customers pay a nominal fee each month for their services, whereas they have made the decision that the potential gain isn’t worth the financial liability risk of not being in compliance to send prospects email campaigns pursuant to the 6-month EBR purge date rule.
By not sending commercial based email campaigns to any prospects, this Canadian company is put in an anti-competitive situation against other Canadian companies who choose not to comply with the law, large national companies who may have spent millions to comply, or companies in other countries (many are fintech companies that are growing in popularity) who may also regularly send CEMs to Canadian consumers for similar services disregarding the Act.
With sincerity, one of the biggest concerns this company expressed was for their corporate client base. They can see what CASL has done to their own business but wondered from a larger, more macro perspective, the impacts CASL may be having on the competitiveness of their corporate clients as a whole in the region. As they put it to me, “When their customers thrive, so do we.”
What Can Be Done
CASL can be fixed through government reform. What follows are five recommendations, that if the government implements to the electronic messaging provisions of the legislation, CASL will become easier to comply with, much of the competitiveness will be restored to Canadian businesses, the excessive software, policy and legal costs will be substantially decreased, and consumers will remain protected.
As an aside, there are legitimate concerns many business groups including the Canadian Chamber of Commerce and the Coalition of Business and Technology Associations have also raised about some of the provisions around software installations. I believe the software provisions in the Act should be given the same degree of care and due diligence, however, the recommendations below focus more on making the electronic messaging provisions more effective given the goals of the Act.
Editorial note: Some of these recommendations (or the spirit of such) are also contained in a recent submission by the Coalition of Business and Technology Associations and further, some of these I wrote about in a November 21, 2017 Financial Post op/ed article.
Broaden implied consent to apply to more practical situations.
The current provisions of consent under CASL are too narrowly prescribed, putting our Canadian businesses at a competitive disadvantage against foreign counterparts who fall under less prescriptive rules. One thing to bear in mind when aiming for balanced policy on this topic (that is, the balance between economic activity and consumer safety) is a recipient can unsubscribe at any time from a CEM. So, it will serve our economy better – and still keep consumers safe – by allowing implied consent to occur in more situations where it is reasonable for consent to be implied.
As a side bar, but related note: Unsubscribing from electronic mail is the simplest method out of the three most common “direct-type” communication channels in use (i.e., telephone, print direct mail, and electronic mail). It takes more time for a consumer to join a Do Not Call List (and no such option exists for businesses), and apparently, there’s no legislative option to remove yourself permanently from a company’s print direct mail list. So said another way, telephone (for consumers, not businesses) operates on an opt-out model and print direct mail has no (permanent) unsubscribe mechanism at all.
In expanding the situations where implied consent is present, one of two methods can correct the over-extended narrowness of implied consent as it stands. The first option is to build a suitable derivative from the concept of “inferred consent” under Australia’s Spam Act (2003), hence, changing implied consent to a principles-based versus prescriptive-based concept in the Act (by way of background, other privacy acts, such as PIPEDA, have used principles-based methods to much success for years). Alternatively, a second option is to amend s. 10(9)(c). As 10(9)(c) currently stands, implied consent occurs when one party discloses their contact information to another but the provision appears to apply only to business to business settings (i.e., “the message is relevant to the person’s business, role, functions or duties in a business or official capacity”). It’s recommended to amend this section so that implied consent will occur when any person or party discloses their contact information to another and this disclosure is not accompanied by a statement that the disclosing party does not wish to receive commercial electronic messages at the electronic address disclosed.
A litmus test to measure these improvements to implied consent is considering if implied consent would apply in these situations:
- A retailer runs an online sweepstakes. A consumer provides their contact information to enter on the retailer’s landing page. Consider the retailer to have implied consent from all consumers that inserted their information and didn’t check the express consent check box (those that checked the box, express consent would be present).
- An accounting firm holds an educational webinar on an important tax topic. Someone provides their contact information to register. Consider the accounting firm to have implied consent from all consumers that inserted their information and didn’t check the express consent check box (those that checked the box, express consent would be present).
- A prospective client reaches out to a consultant for services. A meeting is scheduled between the consultant, the prospective client representative who initially reached out, and two additional prospective client staff members at the client’s place of Consider the consultant to have established implied consent with all three prospective client staff members.
- Consider any two people who are voluntarily connected on a social networking website (e.g., Facebook, Twitter, LinkedIn, etc.) or instant messaging system (e.g., Skype, Facebook Messenger, Snapchat, etc.) to have formed implied consent.
Eliminate the arbitrary 2-year and 6-month rules around existing business relationships.
In many industries and sectors, consumers often take longer than 6 months to make a buying decision (e.g., vehicles, large electronics, home appliances, etc.) and take over 2 years to repurchase products (e.g., re-buying a home from a realtor, home renovations, etc.). Because 2 years may have lapsed from the date of last purchase doesn’t mean a consumer has lost affinity with a particular sender (i.e., the realtor). You may have purchased a home from a realtor in the past, not providing express consent (it’s usually unnatural to provide express consent in these settings), and occasionally receive an email campaign from this realtor. A past customer may still have a good relationship with this sender and doesn’t mind receiving an occasional email campaign, but they are just not ready to buy another home yet as it’s been less than 2 years; under the current version of CASL, the realtor would be forced to not send this past customer any CEMs after 2 years.
By removing the 2-year and 6-month purge dates on EBRs, it will:
- Restore liberty to consumers – let consumers unsubscribe from those commercial electronic communications they wish to.
- Dramatically reduce the costs of software implementation on businesses – businesses will still need software solutions but they won’t be as extensive in scope since they will no longer need to track ever porous 6-month and 2-year purge dates on leads. They would really just need to track if they have express consent, implied consent, a separate exception (e.g., familial or personal) and those who have previously unsubscribed.
Furthermore, pursuant to IMPROVEMENT #1, by making implied consent principles-based to match a version like Australia’s Spam Act or, alternatively, by broadening s. 10(9)(c) to apply to all parties that disclose their contact information to a sender, you wouldn’t require any prescriptive timelines on implied consent as whether consent is implied would be based on the given circumstances in the former improvement, and would have no timeline in the latter. And in all circumstances, the recipient is protected as an unsubscribe mechanism would still be required with CEMs sent pursuant to the Act.
Narrow the responsibility of the Act to the party that is ultimately responsible for the inception of a CEM, so that intermediaries aren’t inadvertently caught.
Throughout the legislation (and as an example in section 6(1)), language is used to the effect that the person responsible for violations is the person that “send[s] or cause[s] or permit[s] to be sent to an electronic address a commercial electronic message”. This language is erroneously broad, and therefore, could unreasonably catch parties that are required for sending a CEM, but are often arms-length from knowing if a CEM is compliant with the law. Some intermediaries, for example, are internet service providers, email service providers, and marketing vendors.
Here is an excerpt taken from a recent submission #LightenCASL made to the INDU Committee on November 24, 2017, that explains one of the core issues with the sender-related language in the Act:
“It’s a regular occurrence for marketing vendors to be paid as independent contractors (often a nominal hourly professional fee) to send out CEMs on behalf of corporate clients. These Intermediaries are put in vulnerable situations where there is a limit to the amount of due diligence they’ll be capable of performing to ensure the corporate client’s email list that’s been provided complies with CASL. At the end of the day, the marketing vendor, even acting responsibly, will still need to rely on assurances by the client to some degree. In CASL’s current version, these Intermediaries [i.e., marketing vendors, email service providers, ISPs] could all get caught under the Act. The due diligence of ensuring CASL compliance should rest with the company, not hired Intermediaries.”
Narrowing the responsibility to the party that is ultimately responsible for the facilitation of the CEM will ensure innocent intermediaries aren’t inadvertently caught. Moreover, to have these intermediaries get caught, which is at risk now in CASL’s current version, would directly counter one of the Act’s four stated objects, and as such, hinder Canada’s goal of building a thriving digital economy – s. 3(d) of the Act, which is to “[increase] the confidence of Canadians in the use of electronic means of communication to carry out their commercial activities in Canada and abroad.”
Exempt transactional messages entirely from the Act.
In CASL’s current version, there’s a practical glitch that’s affecting certain messages and all parties (recipients and senders involved in such). Under section 6(6) of the Act, a transactional message doesn’t require consent (it’s exempt from 6(1)(a)), but counter-intuitively still requires an unsubscribe mechanism. This creates confusion for businesses and potential frustration for consumers which can hurt the relationship between the business and their customers. Here’s why – a business may be required to send the transactional message to a customer pursuant to law or a service agreement between the parties, and it’s permissible to send the message pursuant to 6(6), but then if the recipient unsubscribes, the recipient may not expect to get any further transactional messages from the business. However, pursuant to 6(6), the business can still send this recipient transactional messages. It’s safe to exempt messages that are created to confirm or facilitate a transaction entirely from the Act as there is already a relationship present between the sender and recipient. In theory, if the sender abuses this, the recipient would no longer do business with the sender, so by its nature, has a self-regulating effect.
Narrow private right of action (PRA) to avoid frivolous lawsuits.
If PRA, in its current form, is re-instated, it will allow lawsuits by private citizens, including the potential for class action legal proceedings, not only for actual damages but, in addition, for up to $1 million per day in statutory penalties.
Philosophically, PRA should get to a point where it allows given groups to recover actual damages, and no more to mitigate frivolous lawsuits, except in the cases where the courts believe it’s in the best interest of our society to apply further punitive damages (i.e., in the cases of aggravating circumstances or cyber security threats).
One way to amend PRA is to limit PRA to the hands of email service providers and ISPs only, and to include the ability for consumers to pursue PRA in the cases of cyber security breaches (i.e., maliciousness).
Few doubt that CASL wasn’t created with good intentions. Fewer doubt that at its enactment it didn’t become the toughest anti-spam legislation in the world. The problem is in taking the stance it did, it overreached its intended aim (as defined in s. 3 of the Act). We have several legitimate Canadian companies fined (Rogers Media Inc., Porter Airlines, and Kellogg Canada Inc., to name a few) over the last few years for alleged technical violations. Much of the enforcement to date has been against legitimate Canadian entities and no enforcement to date pursuant to CASL appears to have been against foreign entities – the bulk of where spam and cyber security comes from.
By making the implied consent broader (or principles-based) to apply to more situations where it’s reasonable that consent is implied between sender and recipient, by removing any purge dates associated with existing business relationships (i.e., the 2-year and 6-month EBR dates), better focusing the Act on the person(s) primarily responsible for the inception of CEMs that violate CASL, exempting transactional-based messages from the Act to remove unnecessary confusion amongst associated parties, and narrowing PRA to better mitigate the risk of frivolous lawsuits, the government will remove a lot of the chill effect that’s occurring within industry. It will also provide Canadian companies a more competitive digital environment to compete on a global scale, reduce a lot of the software, HR training and policies, and legal costs that are required now to manage their CASL compliance programs. Above all, consumers will remain protected; that is, CASL will still be considered an opt-in regime and consumers can still unsubscribe at any time.
There’s a real opportunity to improve CASL to be more measured and balanced – that is to improve the legislation to be easier for companies to comply with while still protecting consumers.
Thank you, INDU Committee, and other government officials for reading this submission and playing your part in making Canada a leader in the digital economy.
Note: In the preceding submission, Andrew Schiestel is writing strictly in his capacity as a representative of LightenCASL Inc. o/a #LightenCASL.