In an increasingly connected society, the channels available to businesses to connect with consumers have reached unprecedented heights. This digital accessibility to consumers and their personal data, through email marketing or social media, has provided a vehicle for businesses and their marketing campaigns to gain traction with broader and more diverse audiences.
However, the scope of these activities and the wider availability of information online prompted concerns over privacy rights and data breaches, from consumer groups and governments alike. In response to these concerns, the federal government introduced Canada’s Anti-Spam Legislation (CASL) in July 2014. Among the strictest anti-spam laws in the world, CASL prohibits unsolicited marketing techniques (often enabled by webscraping applications) in favour of a consumer-oriented consent model.
When CASL was first introduced, the legislation’s most expansive element, a right empowering consumers to take legal action against businesses for breaches of certain provisions, was slated to come into force on July 1, 2017. However, the federal government recently announced that it would be delaying the implementation of the private right of action pending review by a parliamentary committee, to consider clarifying CASL’s requirements and to address the compliance concerns raised by the business community.
While this delay has come as welcome news to some, businesses should be aware that the balance of CASL continues to apply during this review period.
What is the private right of action?
CASL’s private right of action provides consumers with the direct right to take businesses to court, whether on their own or as part of a class action, for breaches of CASL, including for:
- sending unsolicited commercial e-messages, altering transmission data and installing computer programs without consent (which also applies to persons who “aid and abet” any of those breaches);
- collecting or using electronic addresses compiled by a webscraping tool or other application designed to generate or search for and collect email addresses; or
- engaging in deceptive marketing practices in e-messages, such as using false or misleading sender or subject line information, making materially false or misleading representations in an e-message and using false or misleading locators (such as metadata or a URL).
The biggest shift associated with the private right of action was the possibility of businesses paying damages to consumers for CASL breaches, ranging from $200 per contravention of the unsolicited commercial e-messages requirements to $1,000,000 per day for breaches of the computer program installation and anti-webscraping provisions.
What does the delay mean?
As it stands, the federal government has committed to a review of CASL, noting that it supports a “balanced approach that protects the interests of consumers while eliminating any unintended consequences for organizations that have legitimate reasons for communicating electronically with Canadians.”
To date, there is no indication as to when the parliamentary review will take place, how long it might take or whether the committee will recommend changes to CASL beyond the private right of action. What we do know is that CASL remains in force and represents a significant compliance burden for businesses that interact with their customers through electronic communications.
So, is anything still happening on July 1, 2017?
Despite the delay to the private right of action, July 1, 2017 still marks the end of the 3-year transition period for implied consent, which permitted businesses to send commercial e-messages to any person with whom they had an existing business or non-business relationship, as long as the relationship existed before July 1, 2014. Going forward, businesses will need to be aware of and actively manage the time limits that CASL imposes on using implied consent as a basis to send commercial e-messages.
What do you do now?
With the private right of action delayed, businesses should continue to consider whether they are CASL-compliant and use this opportunity to develop a comprehensive marketing strategy going forward. While your strategy should be tailored to your business, the following are a few thoughts on how businesses can navigate the CASL regulatory landscape and build a stronger brand:
- Leverage your opportunities – Many types of e-messages are permitted under CASL without express consent. These include: where you have an existing business relationship with the recipient, sending electronic invoices and receipts to customers, and responding to requests or inquiries that you receive from your customers—although care should be taken, as some of these exceptions are time-limited. These permitted exceptions should be viewed as opportunities to ask for express consent to communicate electronically with those consumers, increasing the chance to convert single interactions into lasting relationships.
- Webscraping was overrated – No one likes an unwelcome guest, whether it’s at their front door or in their inbox. While webscraping and similar technologies once provided a cost-effective medium to generate leads and customers, this marketing method was impersonal, flooded inboxes with unwanted emails, and generally aggravated consumers. A better approach, from both a compliance and brand equity perspective, is to engage with your customer base and obtain their consent to receive your next email blast. Your customers may thank you for it.
- Explore alternative online marketing channels – If your business does not already have a presence on social media, now may be the time to explore this medium. A well-executed social media marketing strategy can provide significant value by building a strong following of existing and new customers, while increasing your business’ conversion rate. From a CASL perspective, the CRTC has indicated in its FAQs that a Facebook wall post would not constitute sending a commercial electronic message to an “electronic address” (falling outside of the CASL regime), while more targeted messages (including via Facebook’s Messenger or LinkedIn’s InMail) would fall foul of the provisions. Similarly, typical advertising on websites and social media sites, such as sponsored links generated by Google AdWords or similar technology, may not be caught under CASL (although the CRTC has not confirmed this).
- Cover your tracks – The CRTC has issued a reminder about the importance of keeping records of consent: it is your business’ responsibility to demonstrate that it has consent to send electronic messages. While this can be as simple as maintaining a spreadsheet to log consents, more comprehensive solutions are available to help businesses manage the recordkeeping aspects of CASL compliance. Not only will these records help you in the event of a CRTC investigation or private action, they should also help you keep tabs on your existing customer base.
- Seek out assistance – If the changes to CASL seem confusing or have put you off online marketing altogether, just remember that you are not alone. From lawyers to consultants, expert advisors are available to assist your business to put procedures in place to help reduce the risks relating to online marketing activities. Alternatively, your business could consider outsourcing its online marketing campaigns, which can shift some of the CASL compliance risk to the service provider, if done carefully.
While ensuring CASL compliance in the lead up to July 1 will be top of mind for businesses that interact with their customers electronically, a savvy approach to advertising and compliance activities should provide the opportunity to establish stronger customer relationships and enhance brand awareness. Although the delay in the private right of action provides a reprieve from the uncertainties of direct claims from consumers, now is the time to implement effective CASL compliance strategies while simultaneously leveraging this opportunity to increase brand awareness and connect with a more engaged customer base.