What Constitutes Consent under CASL?
Canada’s new Anti-Spam Legislation (CASL) is scheduled to be proclaimed in force sometime this year. Originally it looked like the proclamation might be this Spring (2013), although with all manner of people, groups and organizations lobbying for changes, we will see! Regardless, it is wise to be aware of the requirements in advance.
In my January 29th blog post I mentioned that CASL contains new regulatory requirements for sending certain types of emails and other electronic communications, and for installing software, including updates and upgrades.
In the February 14th post I provided commentary on what electronic messages are governed by the statute. As mentioned in that post, a commercial electronic message (known as a CEM) may only be sent where: (a) the recipient has consented to receiving it, whether by express or implied consent, and (b) the message complies with the identification and unsubscribe mechanism requirements in CASL, unless exempted. For a definition of “commercial electronic message” or CEM, please refer back to the February 14th post.
In this post I will provide information on what constitutes consent under CASL, for the purpose of sending CEMs and for installing software.
Message recipients need only provide express consent on one occasion; separate consents for each instance (of sending a CEM or downloading a computer program update) are not required. Once consent has been given, it will be deemed to be given until withdrawn.
A request for consent to permit a person, business or organization to send a CEM and/or install a computer program or updates to a computer program that are regulated by CASL, is required to include the following identification information: (a) the name of the business or organization sending the message, or on whose behalf the message is sent, or if there is no business name then the name of the person sending the message, and (b) the mailing address and a telephone number or email or web address of the sender. The street or post box address is required to be valid for at least sixty (60) days after the CEM is sent. A general email mailbox or address would not be adequate or acceptable for compliance purposes.
If it is not practical to include all of that information in the CEM, such as in an SMS, the information may be posted on a website and accessed by a link in the SMS CEM (as an example).
Intermediaries or those who distribute or facilitate the distribution of CEMs on behalf of others are not required to be identified. However, if a CEM is sent on behalf of a number of different entities, such as a company and its affiliates, then the identification and contact information for the company and each affiliate are required.
Written Express Consent
Consent may be “in writing”, which includes paper and electronic forms.
Often online requests for consent include a box that has the consent to an action or agreement pre-checked, and the user is required to click another button if consent is declined. This is referred to as “toggling”. The CRTC Toggle Bulletin states that toggling is insufficient to comply with CASL even if a user consents by clicking one or more icons to agree to any or all of the information on the webpage. According to the CRTC, express consent in the form of a positive action is required. Positive actions include any form of opt-in mechanism, such as actively requiring the user to check a box or icon, typing in an email address to indicate consent or a combination of these.
This may be one area of contention and possible litigation since there are many “click-wrap agreement” cases accepting a click or similar action in an on-line agreement or form to be an expression of express consent.
Oral Express Consent
Consent may be oral; however, proof of consent may be an issue. The CRTC has indicated that oral consent will be accepted where an independent third party can verify the consent, or where the person seeking consent retains a complete, unedited audio recording of the consent. Other methods may also be acceptable.
Confirmation of Consent
There is no need to provide message recipients with receipts to confirm that consent has been given. Confirmation of receipt of express consent is recommended, however, since a receipt is evidence of consent. Senders may wish to record the date, time, purpose, and manner of consent, and store it in a backed up database.
Consent may also be implied, which will be the subject of my next blog post.
Until then, stay tuned!