This is part two of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up. Here’s Part 1, Terminology.
Before we dig into what CASL does, let’s look at what it’s for. This whole series kicked off as a work-related question around student subscriptions to Faculty newsletters,1In a nutshell: we use Mailchimp for newsletters, which comes with a baked-in unsubscribe function; we’ve also developed a process to scrape the school database to auto-update student lists so that it periodically “automagically” recalibrates for students who have left, new students who have joined, etc. That in turn would refresh the lists in a way that pushes students who unsubscribe – which they really shouldn’t do in the first place – back into the mailing list, and administrators, appropriately concerned, asked if that was even CASL compliant. Hence (gestures around). so that’s a jumping off point for what I’ll be exploring here.
Oh! Yes! I am not a lawyer and this is not legal advice. Just a reminder (and a catchy tune, if I do say so myself).
The first organizing question, then, is “are school newsletters subject to CASL?”
The most safe answer is “yes.” But that’s not an entirely accurate answer. If you are very diligent about content and ensuring you’re always on the right side of not including CEMs (see below), it’s feasible to have a newsletter program that – by diligently avoiding CEMs entirely – is outside of CASL’s scope.
Law firm Borden Ladner Gervais prepared an overview for Colleges Ontario, vexingly not available on their site but available on some college sites, including that of Algonquin College.
It is very much a document that errs on the side of caution, and is very prescriptive; to understand it, it’s necessary to understand some of the basic premises of CASL.
All commercial messages are forbidden, and CASL creates exceptions to a general prohibition.
All commercial electronic messages (CEMs) are forbidden by default.
This isn’t a situation where they are allowed, with some prohibited: they are all forbidden, except under circumstances that the law lays out.
This might seem obvious but was kind of hard for me to wrap my head around. Going into this, I had the general sense that the law hews toward a “if it’s not forbidden in the law, it’s okay”, or as WR Lederman put it:
What is not forbidden is permitted, but certain things must be and are forbidden.2W R Lederman, The Nature and Problems of a Bill of Rights, 1959 37-1 Canadian Bar Review 4, 1959 CanLIIDocs 21, <https://canlii.ca/t/t5qk>, retrieved on 2023-05-24
I kind of assumed it was like a sign at a park about dogs. “Dogs Welcome!” Generally speaking, you can bring your dog there. And then it specifies that some types of dogs, or certain breeds, are not allowed (“No Pit Bulls”, or “No Aggressive Dogs,” or “No Dogs Over 10 lbs.”). Dogs are permitted, generally speaking, and there are rules governing outliers.
CASL is actually like a sign that says no dogs allowed and then goes on to say “except these specific breeds” or “except dogs of a certain size”. CEMs fall under the “…but certain things must be and are forbidden.” end of Lederman’s sentence above.
The legislation carves out exceptions to a prohibition, rather than prohibiting elements of a broadly allowed behaviour.
CEMs are prohibited. Period. The only exceptions under which CEMs are allowed are those detailed in CASL.
What is a CEM?
I’d recommend you open the Act in a new tab before continuing: http://laws-lois.justice.gc.ca/eng/acts/E-1.6/index.html
Before we get to how the Act defines a CEM, let’s hop through a couple of other definitions from Part 1 of the Act:
1(1)
commercial activity: means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada.
(…)
electronic address: means an address used in connection with the transmission of an electronic message to
(a) an electronic mail account;
(b) an instant messaging account;
(c) a telephone account; or
(d) any similar account.
(…)
electronic message: electronic message: means a message sent by any means of telecommunication, including a text, sound, voice or image message.
Putting it all together for a definition of a CEM:
1(2)
For the purposes of this Act, a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that
(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
(b) offers to provide a business, investment or gaming opportunity;
(c) advertises or promotes anything referred to in paragraph (a) or (b); or
(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.
The law also extends the request for consent itself to be a commercial electronic message.
This is vexing for people who are permission-seeking, but makes perfect sense from a consumer standpoint: it closes a loophole of the permission-seeking being the ad. If they didn’t do this, “May we send you messages about CreamerSquirtz (a squeezable creamer container that will revolutionize how you put cream in your coffee, now on sale at your local grocer for $2.99, buy it today!)?” would be viable. Hence:
1(3)
(3) An electronic message that contains a request for consent to send a message described in subsection (2) is also considered to be a commercial electronic message.
CASL regulates all electronic messages, not just email
While “Spam” is right there in the name, it’s not really just about email spam (or text spam). As defined above in 1(1), an electronic message is a message sent by any means of telecommunication.
There’s an implied element of directness in there: a billboard cannot be a CASL violation, for instance. It governs messages send to an “electronic address” (see above):
6 (1) It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless
(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and
(b) the message complies with subsection (2).
Any commercial message contaminates a non-commercial message
The content of school newsletters, at least where I work, is almost entirely non-commercial. Upcoming key exam dates, or an announcement that a club is looking for members, or summaries of recent news articles, don’t fall under the definition of a CEM.
But some things on the periphery do qualify, and that’s why understanding contamination is important.
Just like you can’t have a shop that stocks mostly soda pop and just a smidge of toxic waste, and think that’s okay because it’s mostly soda pop, you can’t have a “mostly” non-commercial message with a bit of commercial messaging.
The law is clear: all commercial messages are de facto forbidden. A school e-newsletter that’s 90% announcements but also 10% promoting a clothing sale that kicks back some profits to the school is considered a CEM – the latter contaminates the former, as it’s a commercial message.
There are no exceptions for non-profits or charities
Right back up to 1(1): “…whether or not the person who carries it out does so in the expectation of profit…”. Just because you’re a school – or a church, or a Scout troop, or whatnot – a CEM is a CEM is a CEM.
There is no “private right of action” (i.e. tort/lawsuits)
At one point, the federal government was going to introduce a “private right of action” – i.e. empowering lawsuits – over CASL violations. It was removed before the law finally came into full force, but it’s not impossible to see it being reintroduced.
Consent is implied if a recipient is in an existing business or non-business relationship
This is something I’m still actively poking at, because it feels like the mechanism under which school newsletters might work, but it also feels… tricky.
One of the challenges with CASL implementation – which we’ll see when we get into examining actual cases, especially those resulting in AMPs – is that there just isn’t that much jurisprudence in the “interesting” zones around the fringes of the flagrant examples of unsolicited, no-question-it’s-spam spam. Like many things in law, a Real Lawyer (and I am not one) can confidently say “the law says this” but it’s still ultimately up to the courts to decide how the law is applied when a use case is operating on the fringes.
I feel there’s a strong argument, when you look at s10 (9) and (10), that students at a university are in a business relationship with their school.
Implied consent — section 6
(9) Consent is implied for the purpose of section 6 only if (a) the person who sends the message, the person who causes it to be sent or the person who permits it to be sent has an existing business relationship or an existing non-business relationship with the person to whom it is sent (…)
Definition of existing business relationship
(10) In subsection (9), existing business relationship means a business relationship between the person to whom the message is sent and any of the other persons referred to in that subsection — that is, any person who sent or caused or permitted to be sent the message — arising from
(a) the purchase or lease of a product, goods, a service3emphasis mine, land or an interest or right in land, within the two-year period immediately before the day on which the message was sent, by the person to whom the message is sent from any of those other persons (…)
On its face, it seems clearly arguable that a student is purchasing a service, or really a broad set of services, from a university. Money is exchanged, the student receives instruction and grades and so on.
To date, there hasn’t ever been anything that addresses this or is comfortably adjacent to it. So I personally feel confident that consent is implied when a student is paying a college or university for the services of education (or residence, or gym use, etc.) but it’s… fuzzy. I’ve got a lot of notes for a dive into this topic as its own thing, and hope to get to it.
This interestingly dovetails entirely with another area of active interest for me – the interweaving of FIPPA and PIPEDA on campuses, with for-profit PIPEDA eligible activity nested inside larger FIPPA-regulated structures, but that’s a whole ‘nother thing.
Coming up: actual numbers, 2018-present
Up soon… let’s look at the actual numbers of what CASL has done since it started taking recorded actions. There will be charts.
- 1In a nutshell: we use Mailchimp for newsletters, which comes with a baked-in unsubscribe function; we’ve also developed a process to scrape the school database to auto-update student lists so that it periodically “automagically” recalibrates for students who have left, new students who have joined, etc. That in turn would refresh the lists in a way that pushes students who unsubscribe – which they really shouldn’t do in the first place – back into the mailing list, and administrators, appropriately concerned, asked if that was even CASL compliant. Hence (gestures around).
- 2W R Lederman, The Nature and Problems of a Bill of Rights, 1959 37-1 Canadian Bar Review 4, 1959 CanLIIDocs 21, <https://canlii.ca/t/t5qk>, retrieved on 2023-05-24
- 3emphasis mine
