Categories
CASL Consent Law Marketing & Communications Privacy

CASL at 10 – Parameters

This is part two of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.

Part 1: Terminology

Part 2: Parameters

Part 3: Big Numbers

Part 4: Case File – Compu-Finder

Part 5: Case File Anthology, 2015-2016

Part 6: Case File – Blackstone Education

Part 7: Case File Anthology, 2017-2018

Part 8: Case File – Brian Conley/nCrowd

Part 9: Case File Anthology, 2019-2022

Part 10: NOV – Sam Medouini

Part 11: Wrap-Up

Core resources:

The Act

Enforcement Actions Table (CASL selected)

Before we dig into what Canada’s Anti-Spam Legislation (CASL) does, let’s look at what it’s for. This whole series kicked off as a work-related question around student subscriptions to Faculty newsletters,1In a nutshell: we use Mailchimp for newsletters, which comes with a baked-in unsubscribe function; we’ve also developed a process to scrape the school database to auto-update student lists so that it periodically “automagically” recalibrates for students who have left, new students who have joined, etc. That in turn would refresh the lists in a way that pushes students who unsubscribe – which they really shouldn’t do in the first place – back into the mailing list, and administrators, appropriately concerned, asked if that was even CASL compliant. Hence (gestures around). so that’s a jumping off point for what I’ll be exploring here.

Oh! Yes! I am not a lawyer and this is not legal advice. Just a reminder (and a catchy tune, if I do say so myself).

The first organizing question, then, is “are school newsletters subject to CASL?”

The most safe answer is “yes.” But that’s not an entirely accurate answer. If you are very diligent about content and ensuring you’re always on the right side of not including CEMs2Commercial Electronic Messages; Part One of this series has all the definitions. (see below), it’s feasible to have a newsletter program that – by diligently avoiding CEMs entirely – is outside of CASL’s scope.

Law firm Borden Ladner Gervais prepared an overview for Colleges Ontario, vexingly not available on either the BLG or Colleges Ontario sites but available on some college sites, including that of Algonquin College.

It is very much a document that errs on the side of caution, and is very prescriptive; to understand it, it’s necessary to understand some of the basic premises of CASL.

All commercial messages are forbidden, and CASL creates exceptions to a general prohibition.

All commercial electronic messages (CEMs) are forbidden by default.

This isn’t a situation where they are allowed, with some prohibited: they are all forbidden, except under circumstances that the law lays out.

This might seem obvious but was kind of hard for me to wrap my head around. Going into this, I had the general sense that the law hews toward a “if it’s not forbidden in the law, it’s okay”, or as WR Lederman put it:

What is not forbidden is permitted, but certain things must be and are forbidden.3W R Lederman, The Nature and Problems of a Bill of Rights, 1959 37-1 Canadian Bar Review 4, 1959 CanLIIDocs 21, <https://canlii.ca/t/t5qk>, retrieved on 2023-05-24

I kind of assumed it was like a sign at a park about dogs. “Dogs Welcome!” Generally speaking, you can bring your dog there. And then it specifies that some types of dogs, or certain breeds, are not allowed (“No Pit Bulls”, or “No Aggressive Dogs,” or “No Dogs Over 10 lbs.”). Dogs are permitted, generally speaking, and there are rules governing outliers.

CASL is actually like a sign that says no dogs allowed and then goes on to say “except these specific breeds” or “except dogs of a certain size”. CEMs fall under the “…but certain things must be and are forbidden.” end of Lederman’s sentence above.

The legislation carves out exceptions to a prohibition, rather than prohibiting elements of a broadly allowed behaviour.

CEMs are prohibited. Period. The only exceptions under which CEMs are allowed are those detailed in CASL.

All dogs are welcome (except certain dogs), vs. no dogs are allowed (except certain dogs). CASL keeps all the dogs out, but makes provisions for certain dogs being okay. I have tried to make a “who let the dogs out” joke here, but it’s just not coming together.

What is a CEM?

I’d recommend you open the Act in a new tab before continuing: http://laws-lois.justice.gc.ca/eng/acts/E-1.6/index.html

Before we get to how the Act defines a CEM, let’s hop through a couple of other definitions from Part 1 of the Act:

1(1)
commercial activity: means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada.

(…)

electronic address: means an address used in connection with the transmission of an electronic message to

(a) an electronic mail account;

(b) an instant messaging account;

(c) a telephone account; or

(d) any similar account.

(…)

electronic message: electronic message: means a message sent by any means of telecommunication, including a text, sound, voice or image message.

Putting it all together for a definition of a CEM:

1(2)

For the purposes of this Act, a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that

(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;

(b) offers to provide a business, investment or gaming opportunity;

(c) advertises or promotes anything referred to in paragraph (a) or (b); or

(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.

The law also extends the request for consent itself to be a commercial electronic message.

This is vexing for people who are permission-seeking, but makes perfect sense from a consumer standpoint: it closes a loophole of the permission-seeking being the ad. If they didn’t do this, “May we send you messages about CreamerSquirtz (a squeezable creamer container that will revolutionize how you put cream in your coffee, now on sale at your local grocer for $2.99, buy it today!)?” would be viable. Hence:

1(3)

(3) An electronic message that contains a request for consent to send a message described in subsection (2) is also considered to be a commercial electronic message.

CASL regulates all electronic messages, not just email

While “Spam” is right there in the name, it’s not really just about email spam (or text spam). As defined above in 1(1), an electronic message is a message sent by any means of telecommunication.

There’s an implied element of directness in there: a billboard cannot be a CASL violation, for instance. It governs messages sent to an “electronic address” (see above):

6 (1) It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless

(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and

(b) the message complies with subsection (2).

Any commercial message contaminates a non-commercial message

The content of school newsletters, at least where I work, is almost entirely non-commercial. Upcoming key exam dates, or an announcement that a club is looking for members, or summaries of recent news articles, don’t fall under the definition of a CEM.

But some things on the periphery do qualify, and that’s why understanding contamination is important.

Just like you can’t have a shop that stocks mostly soda pop and just a smidge of toxic waste, and think that’s okay because it’s mostly soda pop, you can’t have a “mostly” non-commercial message with a bit of commercial messaging.

The law is clear: all commercial messages are de facto forbidden. A school e-newsletter that’s 90% announcements but also 10% promoting a clothing sale that kicks back some profits to the school is considered a CEM – the latter contaminates the former, as it’s a commercial message.

There are no exceptions for non-profits or charities

Right back up to 1(1): “…whether or not the person who carries it out does so in the expectation of profit…”. Just because you’re a school – or a church, or a Scout troop, or whatnot – a CEM is a CEM is a CEM.

People can’t sue you for CASL violations

At one point, the federal government was going to introduce a “private right of action” – i.e. empowering lawsuits – over CASL violations. It was removed before the law finally came into full force, but it’s not impossible to see it being reintroduced. It’s possible that people could sue you for other reasons related to unsolicited messages, but there’s no mechanism for people to point at CASL as the foundation of a lawsuit.

Consent is implied if a recipient is in an existing business or non-business relationship

This is something I’m still actively poking at, because it feels like the mechanism under which school newsletters might work, but it also feels… tricky.

One of the challenges with CASL implementation – which we’ll see when we get into examining actual cases, especially those resulting in AMPs – is that there just isn’t that much jurisprudence in the “interesting” zones around the fringes of the flagrant examples of unsolicited, no-question-it’s-spam spam. Like many things in law, a Real Lawyer (and I am not one) can confidently say “the law says this” but it’s still ultimately up to the courts to decide how the law is applied when a use case is operating on the fringes.

I feel there’s a strong argument, when you look at s10 (9) and (10), that students at a university are in a business relationship with their school.

Implied consent — section 6
(9) Consent is implied for the purpose of section 6 only if (a) the person who sends the message, the person who causes it to be sent or the person who permits it to be sent has an existing business relationship or an existing non-business relationship with the person to whom it is sent (…)

Definition of existing business relationship
(10) In subsection (9),
existing business relationship means a business relationship between the person to whom the message is sent and any of the other persons referred to in that subsection — that is, any person who sent or caused or permitted to be sent the message — arising from
(a) the purchase or lease of a product, goods, a service4emphasis mine, land or an interest or right in land, within the two-year period immediately before the day on which the message was sent, by the person to whom the message is sent from any of those other persons (…)

On its face, it seems clearly arguable that a student is purchasing a service, or really a broad set of services, from a university. Money is exchanged, the student receives instruction and grades and so on.

To date, there hasn’t ever been anything that addresses this or is comfortably adjacent to it. So I personally feel confident that consent is implied when a student is paying a college or university for the services of education (or residence, or gym use, etc.) but it’s… fuzzy. I’ve got a lot of notes for a dive into this topic as its own thing, and hope to get to it.

This interestingly dovetails entirely with another area of active interest for me – the interweaving of FIPPA and PIPEDA5Freedom of Information and Protection of Privacy Act / Personal Information Protection and Electronic Documents Act; essentially provincially-regulated public-sector legislation and national private-sector legislation governing privacy. on campuses, with for-profit PIPEDA eligible activity nested inside larger FIPPA-regulated structures, but that’s a whole ‘nother thing.

Coming up: actual numbers, 2018-present

Up soon… let’s look at the actual numbers of what CASL has done since it started taking recorded actions. There will be charts.

  • 1
    In a nutshell: we use Mailchimp for newsletters, which comes with a baked-in unsubscribe function; we’ve also developed a process to scrape the school database to auto-update student lists so that it periodically “automagically” recalibrates for students who have left, new students who have joined, etc. That in turn would refresh the lists in a way that pushes students who unsubscribe – which they really shouldn’t do in the first place – back into the mailing list, and administrators, appropriately concerned, asked if that was even CASL compliant. Hence (gestures around).
  • 2
    Commercial Electronic Messages; Part One of this series has all the definitions.
  • 3
    W R Lederman, The Nature and Problems of a Bill of Rights, 1959 37-1 Canadian Bar Review 4, 1959 CanLIIDocs 21, <https://canlii.ca/t/t5qk>, retrieved on 2023-05-24
  • 4
    emphasis mine
  • 5
    Freedom of Information and Protection of Privacy Act / Personal Information Protection and Electronic Documents Act; essentially provincially-regulated public-sector legislation and national private-sector legislation governing privacy.
Categories
CASL Consent Higher Ed Law Marketing & Communications Privacy

CASL at 10 – Terminology

This is part one of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of full enforcement in 2017. Crosslinks will be added as new parts go up.

Part 1: Terminology

Part 2: Parameters

Part 3: Big Numbers

Part 4: Case File – Compu-Finder

Part 5: Case File Anthology, 2015-2016

Part 6: Case File – Blackstone Education

Part 7: Case File Anthology, 2017-2018

Part 8: Case File – Brian Conley/nCrowd

Part 9: Case File Anthology, 2019-2022

Part 10: NOV – Sam Medouini

Part 11: Wrap-Up

Core resources:

The Act

Enforcement Actions Table (CASL selected)

CASL has been a subject of professional and personal interest to me for some time. I began working in higher ed marketing at around the same time as the legislation was introduced, and well in the groove when it came into full force. It made pretty much everyone in marketing — whether they were in for-profit, not-for-profit or charitable work — pretty anxious.

Almost 10 years later, it feels like a good time to see how it’s all playing out. I’ve been working on this at a fairly relaxed pace, so it’s conceivable that I might wrap this up for its 10th anniversary at this point.

Even as somebody who was passingly familiar with CASL for professional reasons going into this, I rapidly ran into a pretty fair-sized lexicon of terms and acronyms. Before we get into the meat of it, let’s get some acronyms and terms out of the way.

CRTC: The Canadian Radio-television and Telecommunications Commission. Responsible for broadcasting, Internet, and telephony in Canada. Very eager to point out that they “operate at arm’s length from the federal government” – it’s practically the tag line for the whole organization on their home page.1I can’t find any other federal commissions that do this. The Canadian Nuclear Safety Commission doesn’t do it, the Human Rights Commission doesn’t do it, the National Capital Commission doesn’t do it, the Truth and Reconciliation Commission didn’t do it… I could go on. I don’t want to sound conspiratorial out of the gate, but given how many criticisms the CRTC has seen for being connected to big telco companies, it’s interesting that the first words out of their virtual mouths are “we aren’t the government, guys!”

CASL: Canada’s Anti-Spam Legislation. The subject of these short essays. It was introduced in 2014, with a “transitional period” to July 1, 2017, when it came into full force.

CEM: Commercial electronic messages. Pretty much any electronic message (text, email) that promotes a product or service, with some clearly defined exceptions. We’ll unpack this more in the next post.

Investigative powers: Commission staff, who are persons designated by the Commission to conduct investigations, may use the following powers to investigate possible violations under CASL. These presumably lead to actions (see below).

  • Notice to Produce (NTP) – a notice served on a person requiring them to produce data, information or documents in their possession or control (additional information is available in section 17 of CASL);
  • Preservation Demand – a demand served on a telecommunications service provider requiring it to preserve transmission data in that is in or comes into its possession or control (additional information is available in section 15 of CASL); and
  • Search Warrant – a judicially pre-authorized warrant that authorizes designated persons to enter a place (business or dwelling-house) to examine, copy or remove documents or things (additional information is available in section 19 of CASL). 2Verbatim from the CASL FAQ at https://crtc.gc.ca/eng/com500/faq500.htm/

Action types: measures that CASL / the CRTC uses to reinforce compliance with CASL (as well as Unsolicited Telecommunications Rules (UTR) and the Voter Contract Registry (VTR)). Particularly pertinent for CASL:

  • Citation: a letter outlining alleged violations and an “opportunity to clarify”. Other than publishing the citation 30 days after issuance (absent a valid defence), there don’t seem to be any follow-on penalties to a citation. There’s only been one citation in CASL history to date (Orange Link Inc., details not available online).
  • Notice of Violation: sets out alleged violations, and may include an AMP (see below).
  • Compliance and Enforcement Decision (“Decision”): official decisions following the review of a Notice of Violation, Notice to Produce or Preservation Demand.
  • Undertaking: an agreement between a violating entity and Commission staff defining compliance obligations; can also include a payment amount.
  • AMP: Administrative Monetary Penalty. These are part of a Notice of Violation; a civil penalty imposed by a regulator. They can be appealed to the commission – this gets important later.

In the next post, we’ll start looking more at the early days of CASL, its remit governing Commercial Electronic Messages (CEMs), and what exactly CASL is, and is not, meant to enforce. It wasn’t quite what I always assumed it was; this might be true for you as well.