canada’s anti-spam legislation

April 11, 2023Maanit ZemelMTZ Law P.C. &

Canada’s Anti-Spam Legislation

Canada’s Anti-Spam Legislation

What Charities and Non-ProfitsNeed to Know BeforeJuly 1, 2014

April 11, 2023Canada’s Anti-Spam Legislation

Maanit ZemelMTZ Law P.C.&Agenda

1.Introduction to CASL (Canada’s Anti-Spam Legislation)

2.CEMs (Commercial Electronic Messages)

3.CASL Compliance

4.Exemptions to CEM Requirements

5.Preparing for CASL

Maanit ZemelMTZ Law P.C. &

Introduction to CASL


The Problem…

Maanit ZemelMTZ Law P.C.&The Solution…

Regulate Everyone!»CASL regulates all Commercial Electronic Messages sent or accessed by a computer in Canada

»CASL also regulates a broad range of electronic and online activities, including:»The installation of computer program»Misleading advertising and marketing practices»Privacy invasion via computers»Collecting email addresses without consent

(i.e., email harvesting)Maanit ZemelMTZ Law P.C. &

Maanit ZemelMTZ Law P.C.&Underlying Principles

»All regulated activities may only be carried out with:1. Informed consent by the recipient; and2. Clear identification of the sender

»All activities are based on an Opt-In regime, not an Opt-Out


Maanit ZemelMTZ Law P.C.&Non-Compliance

»CASL provides a complaint mechanism

»Anyone can complain to the regulators at

www.fightspam.gc.ca

»There will be significant consequences for non-compliance


Maanit ZemelMTZ Law P.C.&Consequences Include

»Administrative penalties»Fines up to $1 million for individuals per violation»Fines up to $10 million for organizations per

violation

»Private rights of action

»Class action suits

»Vicarious liability of organizations for employee actions

»Liability of officers and directors for organization actions


Maanit ZemelMTZ Law P.C.&Regulating Bodies

»Regulators have sweeping investigative powers (search an seizure orders)

»Division of responsibility among 3 government bodies

»CRTC – Commercial Electronic Messages and installation of computer programs

»Privacy Commissioner – Collection of personal information and address ‘harvesting’

»Competition Bureau – misleading advertising and marketing


Maanit ZemelMTZ Law P.C.&Dates to Know

»July 1, 2014: Requirements respecting Commercial Electronic Messages

»January 15, 2015: Requirements respecting computer programs

»July 1, 2017»End of transition period for implied consent»Private rights of action become available to

complainants



CEMsCommercial Electronic Messages

Maanit ZemelMTZ Law P.C.&CEMs

A Commercial Electronic Message (CEM) is

a message sent by any electronic means (i.e.,

email, SMS text, instant message, social media)

that has,

as its purpose, or one of its purposes, to encourage

participation in a “commercial activity”


Maanit ZemelMTZ Law P.C.&Commercial Activities

Commercial activity is “any particular

transaction, act or conduct that is of a

commercial character whether or not

the person who carries it out does

so in the expectation of profit.”


Maanit ZemelMTZ Law P.C.&Examples of CEMs for Charities and Non-Profits

»Email appeals for donations»Emailed invitations to events»Promotional emails (i.e., event or lottery promotions)

»Emails promoting a charitable event or activity, if those activities are of a “commercial character”

»Electronic newsletters»Emails promoting the organization, if the organization’s activities are of a “commercial character”



CASL Compliance

Maanit ZemelMTZ Law P.C.&Requirements

»You are prohibited from sending a CEM to an electronic address unless:

»The recipient has already consented to receive the CEM; and

»The CEM contains specific prescribed information

»Consent can be “express” or “implied”

»The onus is on the sender to provide documentation proving consent


Maanit ZemelMTZ Law P.C.&Establishing Implied Consent

»Implied consent exists when the recipient has

»Conspicuously published his or her electronic address (e.g., on a website); and

»Has not indicated a desire not to receive unsolicited CEMs; and

»The message is relevant to the recipient’s business role, duties, or functions

Or»Disclosed his or her electronic address to the

sender without indicating a wish not to receive unsolicited CEMs; and

»The message is relevant to the recipient’s business role, duties, or functions


Maanit ZemelMTZ Law P.C.&Establishing Implied Consent (non business relationships)

»Consent is implied when the sender is a registered charity (as defined in ITA) and:

»The recipient has made a donation to the charity within the preceding two years; or

»The recipient has volunteered in the preceding two years;

or

»The sender is a Non-Profit Organization (as defined in ITA) and:

»The recipient was a member of the organization at some point in the preceding two years


Maanit ZemelMTZ Law P.C.&Establishing Implied Consent (existing business relationships)

»Consent is implied when the recipient had:

»Purchased / leased / bartered a product / good / service / or land in the preceding two years;

»Accepted a business / investment / gaming opportunity offered by the sender in the preceding two years; or

»A written contract is created or had existed between the recipient and sender in the preceding two years

Or»The sender had received an inquiry or

application about one of the above items in the preceding six months


Maanit ZemelMTZ Law P.C.. &Proving Implied Consent

Proving implied consent relies on your ability to

track and report on your constituents’

relationships

and activities with your organization.

We strongly recommend using a centralized

Customer Relationship Management (CRM)

system.

Maanit ZemelMTZ Law P.C.&Express Consent

»Express consent may be obtained orally or in writing

»The request for express consent must include:

»The purpose for which consent is being sought, stated “clearly and simply”

»The sender’s identification and contact information and/or on whose behalf consent is being sought

»Statement that the receiver can withdraw their consent

»No pre-checked boxes

»Cannot be in the form of a CEM – post July 1, 2014 cannot send an email requesting consent Maanit Zemel

MTZ Law P.C. &

Maanit ZemelMTZ Law P.C.. &Proving Express Consent

Express consent can be tracked within a CRM

as well,

by marking how and when your constituents

consented

to each message type (like “event invitations”)

you easily

send messages to the people who have asked

for them.

Maanit ZemelMTZ Law P.C.&Transitional Period

»Parties who are in an existing business relationship or non-business relationship and have been sending CEMs to the recipients prior to July 1, 2014, will have their implied consent period extended until July 1, 2017

»Therefore charities and non-profits have implied consent from their existing donors, volunteers, and members until July 1, 2017


Maanit ZemelMTZ Law P.C.&Information Requirements on CEMs

»All CEMs must include the following:1. The sender’s (and/or on whose behalf the CEM

is sent) identifying information and contact details (name and mailing address and email or phone) – this information must be valid for 60 days following the deployment of the message

2. A means by which to contact the sender3. An unsubscribe mechanism

»If it isn’t practical to include all the requirements directly within the CEM, the information must be posted on a website and a link to that website be included, prominently and clearly, in the CEM


Maanit ZemelMTZ Law P.C.&Unsubscribing

»The unsubscribe mechanism must be effective for at least 60 days

»The provided unsubscribe mechanism must be in the same means as the message or other electronic means

»The mechanism must be at no cost to the unsubscriber

»All requests must be given effect within 10 days


Maanit ZemelMTZ Law P.C.. &Unsubscribing

Many email deployment programs track

unsubscribes by removing email addresses

from their deployment list.

We recommend not doing this, rather we

suggest

tracking ‘unsubscribes’ much like explicit

consent

(to what, when, and how did a person

unsubscribe).


Exemptions to CEM Requirements

Maanit ZemelMTZ Law P.C.&Registered Charities Exemption


CEM sent by or on behalf of a registered

charity which has “as its primary purpose

raising funds for the charity”

Maanit ZemelMTZ Law P.C.&Other Exemptions

»“Personal” or “family” relationships»A CEM consisting solely of an inquiry or application relating to the commercial activity of the recipient

»Solicited CEMs – i.e., responses to requests, inquires, or complaints, or otherwise solicited by the person to whom the message is sent

»Internal CEMs to the business, if concerns the activities of the business – emails sent between employees that are unrelated to the business are not exempted (e.g., soliciting volunteers for an external charity event)



»CEMs between organizations/business if they ‘have a relationship’ and concerns the activities of the receiver’s business/organization

»CEMs sent to enforce a legal right»CEMs sent to foreign jurisdictions listed in the CASL schedule – but, must comply with any foreign anti-spam laws in force in that jurisdiction or face prosecution under CASL

»CEMs sent by political parties for the primary purpose of soliciting contributions



»CEMs sent within electronic platforms where ‘unsubscribe’ and identifying information is readily available (e.g., most social networks)

»CEMs sent within a limited-access secure account by the person who provides that account (e.g., banking portals)

»Two way voice communications

»Faxes and voicemail messages


Maanit ZemelMTZ Law P.C.&Exemptions that Require Information and Unsubscribes

»Third party referrals – the first CEM sent to a person based on a referral by a third party, consent is required thereafter

»Quotes or estimates in response to a request

»Warranty, recall, or product safety information

»CEMs that deliver products or services, including updates and upgrades


Maanit ZemelMTZ Law P.C.&More Exemptions that Require Information and Unsubscribes

»CEMs that facilitate or confirm transactions; and

»CEMs that provide factual information about:

»Ongoing subscriptions, memberships, accounts, loans

»Ongoing use or purchases»Employment relations or benefit plans for

employees



Preparing for CASL

Maanit ZemelMTZ Law P.C.&CASL Flowchart


Do you send CEMs?

You may be exempt from compliance only If:The primary purpose of CEM is to raise

funds for the charity*

Are you a Registered Charity?

No further action required

Is the CEM:•A third party referral?•Providing a quote or estimate in

response to an request•Providing warranty, recall or product

safety information• delivering a product or service, including

updates and upgrades• facilitating or confirming transactions • Providing factual information about:1. Ongoing subscription, membership, accounts, loans;2. Ongoing use or ongoing purchases; 3. Employment relations or benefit plans for employees


Yes Yes

Implied consent only good for 2 yearsNeed to: 1. Include prescribed info 2. Keep track of 2 years 3. Obtain express consent before 2 years expires

Yes

• Before July 1, 2014:1. Obtain express consent2. Include prescribed ID info and unsubscribe

mechanism in all CEMs• After July 1, 2014:1. Obtain consent in prescribed form2. Include prescribed ID info and unsubscribe

mechanism in all CEMs

No / unsure

No

Yes

Yes (most likely)

No (unlikely)

NoUnsure – consider next step

No consent required but CEM must include:• Identifying information• Unsubscribe mechanism

Do Other Exemptions Apply? • Organization to organization• Personal / family relationship• Internal CEM• An inquiry / application • A response to an inquiry / request / complaint• To enforce a legal right• Sent within a secured access platform• Within a platform containing unsubscribe and ID info• To a foreign jurisdiction (must comply with foreign laws)

Is Consent Implied?1. You are a registered charity / Not-for-profit org.; and 2. Recipient has been a donor, volunteer or member in the preceding 2 years

Maanit ZemelMTZ Law P.C.&CASL Systems

»Contains constituent information

»Stores relationship (transaction, volunteer, membership) details

»Express consent

»Processes self-serve unsubscribe requests

»Filters email deployments against opt-out lists

»Sends email contact information to the CRM


Database(CRM) Email System

Maanit ZemelMTZ Law P.C.&The CRM and Email System Supports Your Planning


Do you send CEMs?

You may be exempt from compliance only If:The primary purpose of CEM is to raise

funds for the charity*

Are you a Registered Charity?



Yes Yes

Implied consent only good for 2 yearsNeed to: 1. Include prescribed info 2. Keep track of 2 years 3. Obtain express consent before 2 years expires

Yes

Obtain / Send with Express Consent

Filter Track Unsubscriptions

No / unsure

No

Yes

Yes (most likely)

No (unlikely)

NoUnsure – consider next step

No consent required but CEM must include:

• Identifying information

• Unsubscribe mechanism

Do Other Exemptions Apply? • Track applicable relationships through the CRM, for example family relationships can be coded in most systems.

Is Consent Implied?

Is the CEM itself exempted?

Planning

CRM Email System

Maanit ZemelMTZ Law P.C.. &Developing and Email Process

There are a lot of steps to remember. Building

a solid and systematic process will help make

it easier, encourages compliance, and allows

for effective

process monitoring.

Maanit ZemelMTZ Law P.C.&Recommended Process

Plan deployment

Create email list

Filter list

Send email

Process opt-outs

Report on success


Maanit ZemelMTZ Law P.C.&

Database(CRM)

Email System

Some Functions Fit Best With Specific Systems

Plan deployment

Create email list

Filter list

Send email

Process opt-outs

Report on success


Maanit ZemelMTZ Law P.C.. &Integrated Systems?

There are a number of integrated systems that

handle both Constituent management and

Email deployments. If you have such a system

we still strongly encourage maintaining

distinct processes for each activity – or even

separate staff members be responsible for

different phases.

Maanit ZemelMTZ Law P.C.&Plan Your Message

»Planning out your emails is the first step in sending compliant and effective messages:• Identify a clear goal for the message – are you

trying to acquire new donors, engage current constituents, inform them about your organizations activities? Based on your goals who should receive your message?

• When is the message being sent, are there critical groups that you need to establish consent for and do you have time to do that before you send?

• Can you take what you’ve learned from previous messages and improve this message?


Plan deployment

Create email list

Filter list

Send email

Process opt-outs

Report on success

Maanit ZemelMTZ Law P.C.&Building a List

»Build your email list through your database (CRM) based on groups of constituents that are meaningful to your organization, but ensure:• You track, on each constituent or individual

person, what they have opted in to and when• You develop a standard set of queries or criteria

that comply with CASL’s implied consent criteria


Plan deployment

Create email list

Filter list

Send email

Process opt-outs

Report on success

Maanit ZemelMTZ Law P.C.&Filtering the List

»Building your email list creates a baseline of people who have opted in, and by extension filter most of the people who have opted out. Now just before sending we filter again, directly within the email system, to ensure self-service opt-outs are captured.• To be effective the master opt-out list should be

maintained in the system that sends the emails• All unsubscribes should be added to this list

Plan deployment

Create email list

Filter list

Send email

Process opt-outs

Report on success


Maanit ZemelMTZ Law P.C.&Send Your Message

»All of your planning is done, now write the email message and send it. Ensure that you have all the crucial information:• You’ve identified your organization and whom the

message is sent on behalf of Current mailing address

• Phone, email address, or web address (that’s valid for at least 60 days after sending)

• An unsubscribe mechanism – preferably automatic, but must process opt-outs in at least 10 days.

Plan deployment

Create email list

Filter list

Send email

Process opt-outs

Report on success


Maanit ZemelMTZ Law P.C.&Process Any Unsubscribes

»After the message is sent you can generally expect to see a few unsubscribes, remember that they must be processed within 10 days of sending. Generally we suggest• Updating your opt-out information on the email

system first• Make sure you are flagging peoples’ accounts

that they have opted out, do not delete them! This is a valuable and important record

Plan deployment

Create email list

Filter list

Send email

Process opt-outs

Report on success


Maanit ZemelMTZ Law P.C.&Synchronize Your Information and Report

»Your plan identified some goals, it’s important to review them as well as the general performance of your message. As well this is a good opportunity to update your constituents in your CRM• Build an import/synchronization schedule for regular

updates• Track usable metrics in your database, and evaluate

your message and identify any lessons learned for future deployments

• Use your opt out list to update your CRM• Note, the opt-out data in the CRM should be used for

analysis and review, not for filtering your lists as it will always be slightly out-of-date.

Plan deployment

Create email list

Filter list

Send email

Process opt-outs

Report on success



CASL Tips

Maanit ZemelMTZ Law P.C.&Get Your Board on Board!

Decisions respecting CASL should form part of the organization’s overall risk management strategies

»Decisions must be made at board and executive levels

»If you are not getting the board or senior leadership to pay attention – remind them of the directors’ and officers’ liability


Maanit ZemelMTZ Law P.C.&Conduct an Audit

Create an inventory of all messages that your organization sends, and identify the audiences that you reach out to

»Try to think through an entire business cycle – you may be surprised how much is actually sent

»Audit each message and audience for CASL compliance

»Have they opted in?»Implied consent?»Have they opted out?»Do the messages contain requisite

information?Maanit ZemelMTZ Law P.C. &

Maanit ZemelMTZ Law P.C.&Obtain Consent

While express consent isn’t required for all emails, it is the safest way to send messages and a great way to qualify contacts

»Consent is required in most cases for businesses and non-profits, charities have additional exemptions

»An opt in – or express consent – is not just a requirement it is a person telling you that they want to hear from you


Maanit ZemelMTZ Law P.C.&Develop a CASL Compliance Policy

A Due Diligence defence only works if you have a reasonable compliance policy

»The procedures must include:»Requesting, maintaining, and utilizing

consents»Tracking implied consents»Acting on ‘unsubscribe’ requests

»Include CASL compliance and indemnification clauses in third-party contracts


Maanit ZemelMTZ Law P.C.&Train Staff, Volunteers, and if Necessary Contractors

It is critical that anyone sending messages on behalf of your organization is educated and trained on your process

»Develop and deploy a training program

»Ensure Management, Employees, and Volunteers have gone through the program

»Include CASL training in new hire onboarding

»Ensure third-parties who send messages on your behalf are familiar with and adhere to your process – this may require some training for them Maanit Zemel

MTZ Law P.C. &

Maanit ZemelMTZ Law P.C.&Get Help!

CASL compliance can be challenging to achieve and maintain. Don’t be afraid to seek help achieving compliance, avoiding complacency, and mitigating risk

»Consider CASL insurance

»IT professionals or departments may have systems based support

»Ensure you have any compliance language and policies reviewed by legal counsel



Final Notes

Maanit ZemelMTZ Law P.C.&Not Just SPAM – Other CASL Activities

CEMs are only one part of CASL, the following other areas are controlled by CASL regulators

»Installation of computer programs without consent

»Unauthorized collection of personal information online

»Email address harvesting

»Misleading marketing and advertising in any electronic format


Maanit ZemelMTZ Law P.C.&How Can We Help?

»Comprehensive compliance and systems audits – current and planned

»Advice on developing and implementing CASL compliance

»Drafting and review of compliance policies, processes, and documentation

»Computer systems and process design

»Drafting and review of third party contracts

»Compliance training

»Representation before regulators and courts



Questions?Disclaimer: This presentation is provided as an information

service and is a summary of current legal issues. The

information is not meant as legal opinion or advice and viewers

are cautioned not to act on information provided in this

publication without seeking specific legal advice with respect

to their unique circumstances.

All rights reserved. This presentation may not be reproduced

and redistributed without the prior written consent of the

author.Maanit [email protected] / @maanitzemel

Jim [email protected]

canada’s anti-spam legislation

Marketing