Report on the Informal Consultation of 25 February 2013 among Industry and Consumer Groups and CRTC Staff on Canada’s Anti-Spam Legislation

Ottawa, 3 April 2013

Introduction

1. In December 2010, Parliament passed An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act. This Act is also known as Canada’s Anti-Spam Legislation (CASL).1

2. CASL will address issues related to spam and other electronic threats. There are obligations for individuals, businesses and organizations that conduct any of the following activities:

  • sending a commercial electronic message (CEM) to an electronic address,
  • altering transmission data for an electronic message in the course of a commercial activity, and
  • installing a computer program in the course of a commercial activity.2

3. The Canadian Radio-television and Telecommunications Commission (CRTC) will be the primary government agency responsible for administering and enforcing CASL. In March 2012, after a public process, the CRTC published the Electronic Commerce Protection Regulations (CRTC) (the CRTC Regulations).3

4. For the purpose of helping businesses prepare for CASL, the CRTC also published two information bulletins in October 2012:

  • Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC), Compliance and Enforcement Information Bulletin CRTC 2012-548; and
  • Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation, Compliance and Enforcement Information Bulletin CRTC 2012-549 (the Information Bulletins).

5. After the publication of the Information Bulletins, various stakeholders asked questions about their obligations under CASL and the CRTC Regulations. In response, staff from the CRTC’s Compliance and Enforcement sector invited industry and consumer groups to attend an informal consultation on 25 February 2013 regarding issues that fall within the mandate of the CRTC under CASL and the CRTC Regulations, as well as the Information Bulletins.

6. This report is a summary by staff of the discussion that took place at the informal consultation, and highlights significant ideas and conclusions that emerged. Some key conclusions are:

  • There is no one-size-fits all answer that will assist every business in complying with CASL, as context is critical to an appropriate interpretation in the circumstances of each case.
  • Businesses require assistance in the form of greater clarity on certain provisions of CASL, and to this end, participants suggested that the CRTC consider providing a framework of guiding principles to underpin compliance expectations.

7. Staff appreciates the useful information gathered, which will shed light on various CASL compliance issues raised by industry and consumer groups. This information will also serve to inform future compliance and communications materials for the purpose of assisting businesses in complying with the legislation, and empowering consumers to protect themselves.

Discussion Summary

8. The objective of the informal consultation was to facilitate a focused conversation and gather useful information regarding issues that businesses and consumer groups foresee when CASL comes into force. The discussions focused on six topics that were identified by the participants as being of most interest. These topics were covered in three round-table sessions. This was followed by a plenary, which summarized and confirmed the conclusions of the round-table discussions and provided an opportunity for participants to add or refine comments.

9. The six discussion topics were:

  • Means of obtaining "express consent"
  • Proof of consent
  • Section 66 of CASL and the three-year transitional period
  • Obtaining consent to send a commercial electronic message (CEM) – seeking consent for affiliates
  • Prescribed information in a CEM – "on behalf of"
  • Installation of computer programs

10. The staff summarized the discussions in paragraphs below, and participants were afforded the opportunity to comment on a draft report, prior to publication.

Means of obtaining "express consent"

11. The general principle underpinning the CASL provisions for which the CRTC is responsible is that prior consent is required before sending a CEM. This type of regime means that a person must opt-in and provide prior consent. In contrast, there are a few countries whose regimes allow a person to opt-out and withdraw their consent after the fact.

12. Most participants were of the view that express consent is the strongest form of consent and requires an opt-in consent mechanism. However, they believed that there is room for innovation with respect to the exact form this mechanism can take. Some participants felt that multiple check-boxes could be too complex for users. They suggested there should be a balance between prescriptive guidance and flexibility to innovate.

13. Certain participants believe that an opt-in regime could be disadvantageous and would prefer an opt-out regime. However, an opt-out regime would, run counter to CASL. Some participant’s asked whether express consent could be inferred from circumstances, such as leaving a business card, or whether there needs to be a clear statement of express consent. Other participants pointed out that in many instances express consent may not be required, because consent could be implied or the circumstances could fall under one of the exceptions in CASL.

14. Beyond the topic of obtaining express consent, participants expressed concern regarding the private right of action (PRA), which allows private parties, rather than the government, to take legal action. Specifically, they expressed concern about the possibility of private actions being taken against businesses for incidental non-compliance. Consequently, some participants requested additional clarity and certainty with respect to the definition of express consent. Participants said that this point was especially important to small and medium-sized businesses.

15. There was some discussion on whether express consent could validly be obtained by having a consumer sign or electronically submit a user agreement. Participants also asked for additional clarity with respect to providing prescribed information in a request for consent, especially over mobile devices.

Proof of consent

16. Participants requested additional examples, beyond those contained in the Information Bulletins, of acceptable means of proving that they have consent, written or oral. They considered the examples provided in the information bulletins to be too narrow or too few.

17. Some participants suggested that, in the case of oral consent, reading a script containing all the prescribed information and then recording the consent in a database should be sufficient. However, some participants questioned whether such information could be forged, and whether it might be difficult to demonstrate the extent and manner to which a script was followed and thus, the extent to which the CASL requirements have been met.

18. Other participants suggested that there should be a double opt-in approach for oral consent with respect to the sending of CEMs. Under this approach, oral consent would be recorded at the point of sale. Subsequently, a confirmation message would be sent to the persons whose oral consent had been recorded. These persons would be required to confirm their consent. This method would allow for the correction of transcription errors and would convert oral consent into written consent.

19. In the case of written consent, some participants suggested that process-based express consent should be sufficient. For example, where a person installs a program on a computer system without Internet connectivity, it would be impractical for software businesses to record written, electronic consent in a database. In such cases, businesses may have a process that provides a reasonable basis upon which they can demonstrate that consent has been obtained. However, other participants suggested that adopting such a policy may not be sufficient where there is no way of determining if it had been respected in a potential instance of non-compliance. In another example, participants questioned how consent could be demonstrated by a developer whose computer programs were downloaded from an application platform, such as an app store, and not directly from the developer.

20. Participants stressed that context was very important when deciding whether the onus of proving consent had been satisfied.

Section 66 of CASL and the three-year transitional period

21. All participants agreed that future CEMs must be compliant with CASL, notably, its requirements about consent. However, participants requested greater clarity regarding consent obtained prior to the coming-into-force of CASL. This question relates to section 66 of CASL.

22. Participants raised potential difficulties in complying with CASL, and asked if businesses will be able to successfully rely on section 66. Some difficulties relate to the manner in which email addresses and consent were previously obtained. In particular, some participants asked whether express consent obtained prior to CASL will survive coming-into-force, especially in cases where prior requests for express consent did not contain certain information prescribed by CASL and the CRTC Regulations.

23. Participants also asked how they might prove consent, because existing databases may not necessarily show how the information was obtained and whether the consent is implied or express. Such a situation would make it difficult to know if a business can rely on an exception, such as implied consent under an existing business relationship. As a result, some participants suggested that grandfathering consent obtained prior to the coming-into-force of CASL would alleviate these difficulties. They also suggested that grandfathering would make the transition more seamless from the recipient’s perspective, considering that subsequent messaging will feature an unsubscribe mechanism, allowing recipients to reconsider and withdraw consent.

24. Moreover, some participants raised issues regarding the potential attrition of existing lists of email addresses. They asked if obtaining consent from persons who already provided consent would be required where previous consent may not necessarily have been obtained in compliance with CASL. There is the possibility that current recipients may fail to provide consent or unsubscribe from future communications if asked to provide consent once again.

Obtaining consent to send a CEM – seeking consent for affiliates

25. As described above, consent is required under CASL in order to send a CEM to an electronic address. There are also requirements under CASL and the CRTC Regulations for seeking such consent.

26. A number of participants raised issues about their obligations in identifying people on whose behalf they might send a CEM. The majority of participants indicated that context matters, as there is no one-size-fits-all solution. Participants indicated that balance was important and that further guidance would be helpful. They suggested that future CRTC guidance should be broad enough to include various corporate structures and relationships. For example, the term "affiliate" may have different meanings to different organizations.

27. Additionally, participants indicated that future guidance should be informed by the "reasonable expectations" of the consumer. They discussed what such expectations might be, as consumers may associate more with a brand than with a corporate name. Participants also requested clarity on the identification requirements set out in CASL and how they align with the expectations of consumers. Industry members may want to send messages from a wider scope of entities, whereas consumers may want to receive messages from a narrower scope of entities. Moreover, there is a need to control the scope of distribution so that it is reasonable and practical for recipients to unsubscribe. Some participants felt that recipients should not need to individually unsubscribe from messages being sent by multiple senders, while others believed that with less granular unsubscribe mechanisms, recipients might inadvertently unsubscribe from messages they would like to continue receiving.

28. Finally, participants stated that there may be practical difficulties in becoming compliant with the legislation. Some participants expressed hope that the legislation will not require a major change to prevalent industry practices. They indicated that naming individual corporate entities would be difficult in situations where multiple companies engage in marketing using the same business name, such as is the case with large franchises.

29. Participants noted that this discussion topic is closely related to the issue of messages being sent "on behalf of" other persons, which is discussed below.

Prescribed information in a CEM – "on behalf of"

30. CASL and the CRTC Regulations require certain information to be included in a CEM when sent to an electronic address. Such information includes, but is not limited to, identifying people on whose behalf a CEM is sent.

31. Participants asked questions about when a message would be considered to have been sent "on behalf of another person." Some participants suggested that certain persons situated between the person sending the message and the recipient should not need to be identified. Some participants suggested that an important issue to consider was who had control of the recipient list. The discussion centered on the following four sub-topics:

Email Service Providers

32. There was considerable discussion about whether email service providers (ESPs) should be identified in a CEM. ESPs may simply facilitate the sending of CEMs or they may have a significant role in content development and the choice of recipients. Participants pointed out that the current industry practice is not to identify ESPs. Some participants suggested that identifying ESPs, who are not generally known to consumers, would be confusing for consumers. Participants requested clarity on whether ESPs should be identified.

Direct Marketing

33. There was also considerable discussion about whether and when direct marketers send CEMs "on behalf of" other persons. Direct marketers may play varying roles in the value chain. In some cases, an association may directly communicate certain commercial opportunities from other businesses to its members. If the member is interested, it can contact the business directly. In other cases, a direct marketer may be a vendor or reseller, or otherwise act as an intermediary between another person and the recipient. In such scenarios, the relationship is generally only between the direct marketer and the member or purchaser. Some participants suggested that identifying multiple senders may be confusing for consumers. Additional clarity was requested for when direct marketers would be considered to be sending CEMs on behalf of other persons or on their own behalf.

Gift Subscriptions

34. Participants pointed out that gift subscriptions, such as for a magazine, added complexity to the transaction and the relationships created by it, especially where a direct marketer was involved. With respect to CEMs sent regarding a gift subscription, participants requested clarity as to who must obtain consent, asking if it is the direct marketer or the original seller or creator of the product. They asked questions about whose consent must be obtained, such as the purchaser or the beneficiary of the gift.

35. As there may be several parties involved in sending CEMs for gift subscriptions, participants also asked about which of the several possible connections among these parties constituted an existing business relationship that would allow for the presumption of implied consent.

Unsubscribe Mechanism

36. Participants requested additional clarification on the unsubscribe mechanism. They referred to, for example, the case of an association sending a CEM to its members regarding promotional deals offered by another business. If the association is found to be sending CEMs on behalf of that other business, would it be required to allow consumers to unsubscribe not only from its own mailing list but also from the mailing list of the other business? In this instance, the other business has no relationship with the members of the association. Several participants suggested that this would be technically difficult to do and to manage.

Installation of a "computer program"

37. There are various requirements under CASL and the CRTC Regulations regarding the installation of a computer program in the course of a commercial activity. Participants discussed several sub-topics on the matter of installing a computer program.

38. To begin, participants requested additional clarity with respect to when it would be reasonable to believe that a person consented to the installation of a computer program pursuant to paragraph 10(8)(b) of CASL. Participants discussed whether it would reasonable to believe that there is express consent when an individual purchases a computer system with software, including the operating system, already installed. If not, participants asked who would be required to obtain consent and at what point should this be done, such as at the point of sale or upon activating a computer program. Participants agreed that it would be reasonable to believe that the user consented to the installation of an operating system, but some questioned whether there was really consent for the other previously installed computer programs.

39. Additional clarity was also requested on the installation of software updates. Participants raised issues regarding software evolving over time, such as software that may have new functionality that a user may want, but that was not expressly consented to at the time of the installation of the original computer program. Participants requested clarity with respect to whether it is reasonable to believe that a person consents to new software functionality in line with the original computer program.

40. Participants also raised questions in the context of computer repair. Generally, when a computer is taken to a repair store, a computer technician would need to contact the user to load and install diagnostic software. In this scenario, participants discussed whether the computer technician would be considered to be an "authorized user" of the computer system pursuant to CASL. Some participants were of the view that a technician’s authorization would, in any event, be limited to that which is reasonable in the circumstances.

41. Liability was a major concern, particularly in the context of the application marketplace, such as for cell phones, tablets and other devices. Participants requested additional clarity with respect to the liability and responsibility of an application developer and the person providing and managing the application marketplace or platform. They raised questions regarding:

  • the means of obtaining consent, for instance where the application platform does not provide the means for a developer to obtain and record express consent prior to the installation of the application; and
  • who causes the installation of a program, for instance, who is responsible if malware makes its way onto a user’s machine through an application downloaded from an application store.

42. Participants also questioned how the defence of due diligence will apply in the context of a PRA, where a person, as described above, commences legal action under CASL. They discussed the role that industry guidelines or best practices would play in the establishment of a due diligence defence, especially in the context of a PRA. Overall, there was great concern that individuals may try to exploit a technical or incidental non-compliance issue against a large organization, leading to expensive lawsuits.

43. Some participants also raised questions about potential inadvertent effects on cloud computing, asking about a computer program that may install additional computer programs or download content from a server. They asked if such circumstances would trigger CASL’s consent and disclosure requirements.

Conclusion and Next Steps

44. At the end of the event, participants were asked their views on the usefulness of the consultation.

45. Feedback was positive and participants appreciated the opportunity to raise issues and engage views, and the group was unanimously interested in continuing a dialogue. It was suggested that one-on-one discussions with stakeholders, including sector-specific discussions, would be appreciated in the future. If the same format is used again in the future, some participants recommended that discussions should take place in smaller groups and focus more narrowly on specific issues.

46. The information that was gathered at this session will be taken into consideration by CRTC staff when preparing future compliance and communication material to assist businesses in implementing compliance measures in the months prior to the coming-into-force of CASL. Moving forward, it is hoped that this session will encourage future dialogue among industry associations, consumer groups and the CRTC, such that CRTC staff can provide guidance to businesses, outreach to consumers on self-protection, and assist Canadians in recognizing and reporting potential violations.

Related Documents


[1] An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (CASL). A copy of CASL can be found at: Justice Laws Website.

[2] More information on sending CEMs, altering transmission data and installing computer programs can be found at: Canada's Anti-Spam Legislation website.

[3] A copy of the CRTC Regulations can be found in the appendix of Telecom Regulatory Policy 2012-183.