It feels like we’ve been saying this for years now, but, as we reported again last Monday, Canadian businesses can expect new legislation governing commercial electronic communication and spam in the coming months. Formerly Bill C-28, An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities (sometimes called the Fighting Internet and Wireless Spam Act, or the Electronic Commerce Protection Act or Canada’s Anti-Spam Legislation), restricts the ways businesses may interact with customers without first obtaining consent.
Jeffrey Sherman also weighed in last year with a detailed look at the prohibitions and requirements under the law.
Monday’s post mentioned the legislation’s consent provisions and the acts it prohibits, but the law imposes other obligations, too. A commercial electronic message must identify the sender of the message and the party that initiated the sending of the message (if they are different). The message must also include or link to accurate contact information for the sender. Messages must also offer the recipient an explicit method to unsubscribe from future messages. Senders must act promptly on unsubscribe requests.
The Canadian Radio-television and Telecommunications Commission (CRTC) will be looking closely at businesses’ efforts. Consider this example from JDSupra Law News:
…online forms may be useful in obtaining express consent. However, a further CRTC Enforcement Bulletin indicates that pre-checked boxes that a user must uncheck (called “toggling”) will not constitute adequate express consent. Organizations should offer individuals the option of checking a box themselves, or of performing some other act to choose to accept [commercial electronic messages], such as by entering their email address in a form, rather than relying on any sort of pre-checked option.
This time, it really is time to act, according to law firm Osler:
The Minister of Industry has committed to bringing the law into force in 2013 and the regulator with chief enforcement responsibility, the CRTC, has warned that businesses should not expect a grace period before enforcement activities begin.
Osler recommends businesses create a compliance plan by following these steps:
- Identify a compliance team
- Identify the CASL requirements that apply to you
- Audit and document current practices
- Resolve preliminary “interpretation” issues
- Develop and document your compliance plan
- Implement your compliance plan
- Monitor, track and update your compliance plan
Osler also offers a list of 10 essential compliance activities. Consider:
- Creating a comprehensive list of the commercial electronic messages currently sent by your organization
- Determining if electronic addresses your organization collected previously can be used after CASL comes into force and, if not, scrubbing your existing databases or obtaining “fresh” consent
- Ensuring you have adequate systems in place for maintaining a record of each consent you obtain
See the rest of the list here.
Two sets of regulations—one from the CRTC and one from Industry Canada—will govern the relevant activities. You can read the CRTC’s regulations here. It is the others that are keeping the law from coming into force. However, you can read Industry Canada’s proposed regulations here. The government is accepting comments on the latter proposed regulations until February 4, 2013, at the following contact:
Bruce Wallace
Director
Security and Privacy Policy
Digital Policy Branch/Spectrum, Information Technologies and Telecommunications
Industry Canada
Telephone: 613-949-4759
Email: [email protected]
Please feel free to let us know how your compliance efforts are going, and what challenges you’re facing.
Adam Gorley
First Reference Editor