Canada’s Anti-Spam Legislation (CASL) will come into effect on July 1, 2014, setting new requirements for commercial electronic messaging. CASL officially switches Canada from an opt-out to an opt-in model for messaging: only recipients who have chosen to receive messages should be contacted. If your organization sends promotional or marketing messaging via electronic media such as email, Twitter, Facebook, or web apps, you need to know how this applies to you.
In our earlier article, “The EU, North America, Big Data, and Privacy: Lessons Learned,” we compared North American and European privacy legislation. Perhaps the most fundamental difference between European Union (EU) and North American laws is that North American legislation mostly focuses on how organizations should manage citizens’ personal information, while European legislation focuses on giving individuals control over their personal information. One of the areas in which this plays out is the regulation of commercial messaging. In North America, many organizations add individuals to their mailing lists without consent; as long as there is an “opt out” or “unsubscribe” option, this is considered to be acceptable. Organizations also commonly share or sell their mailing lists to other organizations. Europe, on the other hand, requires an “opt in” model, where messages are sent only to individuals who sign up for a mailing list.
In Canada, this is about to change. Canada’s Anti-Spam Legislation (CASL) comes into effect on July 1, 2014. For the first time, an opt-in model for commercial messaging will be enforced in North America. What will this mean for Canadian organizations? Below, we outline new requirements of CASL, common practices prohibited by CASL, and upcoming changes in enforcement.
CASL requires acknowledged consent to receiving commercial electronic messages. This means that individuals should make a conscious decision to join a mailing list. Customers or members should not be added to an organization’s mailing list by default.
All commercial electronic messages must now have a label at the bottom of the message indicating the sending organization’s name and up-to-date contact information, and the electronic address of the intended recipient.
Revocation and Access
Messages should provide a simple means to revoke consent to receiving messages (i.e. unsubscribe) that is effective immediately. Also, according to the Personal Information Protection and Electronic Documents Act (PIPEDA), recipients should be instructed whom to contact to manage their profile: for instance, to update their contact information, or to ask what information the sender has about them or why they were added to a mailing list.
Practices Not Permitted by CASL
CASL amends PIPEDA to prohibit “address harvesting”: various methods of obtaining lists of email addresses for use in bulk email or other purposes usually labeled as spam. The simplest method of address harvesting involves spammers purchasing or trading lists of email addresses from other spammers. Another common method is the use of spider software known as “harvesting bots” or “harvesters,” which scan web pages, mailing list archives, internet forums and other publicly available online sources to obtain email addresses.
CASL amends Canada’s Competition Act to prohibit false or misleading representations and deceptive marketing practices in electronic commercial messaging. This includes the use of false or misleading sender information, subject lines, messages, or contact information. This is obviously relevant with regard to phishing (sending messages purporting to be from a reputable organization, such as a bank or a web service provider, requesting personal information), which is already illegal. However, it may have new implications with regard to pop-up advertising: delivering content other than what was advertised to recipients can be considered misleading advertising.
CASL prohibits the alteration of “transmission data” in an electronic message without the consent of the sender or the recipient. This provision is intended to address pharming: the practice of redirecting a website’s traffic to another, bogus site. The simplest method of pharming is to use website addresses that imitate popular sites (e.g., by setting up a website using the name of a well-known company, followed by .ca instead of .com). Another method is to exploit vulnerabilities in individual computers or in DNS server software to redirect website traffic from a legitimate web address to a different site. Besides prohibiting these clearly deceptive practices, CASL’s prohibition of pharming may have implications for businesses that redirect users of their free wireless networks to the company website before allowing them to visit other sites.