On July 1, Canada is getting a fun present for its 147th birthday: new anti-spam laws.Canada’s Anti-Spam Legislation, or CASL, is coming into effect and it’s fair to say there’s some confusion about it.
Many small businesses aren’t ready for the new law—nor are they even aware that it’s happening. Critics, meanwhile, have suggested that CASL will do little to curb the worst spammers but plenty to harm legitimate businesses, who will be forced to rebuild their mailing lists and spend money on compliance with the new law.
Some of the fears are overblown, according to University of Ottawa professor Michael Geist. Writing in the Toronto Star, he says the fear and loathing stems from a few factors, especially CASL requiring businesses to acquire express consent from customers to communicate with them, rather than the implied consent they’ve been working with till now.
The other worrying part of the new legislation are the stiff penalties. Individuals can be dinged with a fine of up to $1 million for sending out spam, while companies can get hit for up to $10 million. This has led to a recent spate of mass mailouts over the past week or two from companies looking to get that express consent.
What’s not being as widely reported is that while CASL takes effect on July 1, businesses actually have a three-year grace period to convert people on their lists from implied consent to express consent. And those sky-high fines are unlikely to be handed down in a heavy-handed manner by the Canadian Radio-television and Telecommunications Commission, which is tasked with enforcing complaints. Warnings for innocent violations, especially in the case of small businesses, are more likely.
I chatted about CASL with Jake Enright, spokesman for Industry Canada, the government department overseeing the new legislation. Here’s that conversation:
What’s the goal of the legislation?
Enright: Our government believes Canadians should not receive email they don’t want or did not ask to receive. Often online solicitations lead to harassment, identity theft and fraud, so for example, if somebody is emailing you saying you’ve won a trip to Morocco and you click on that link, malware can be installed on your computer. That leads to identity theft and fraud and potentially your personal information to be compromised.
In January 2015, that is going to be illegal – it’ll take a little longer for that part of the legislation [dealing with phishing] to kick in – but it’ll also be illegal to download programs onto your computer without your consent or knowledge.
What’s also important is that CASL expands information sharing with all G7 countries, or countries that have very similar legislation to our legislation. If someone in in the United Kingdom is spamming someone here in Canada, the CRTC can work with officials over there to identify that threat if it’s brought to their attention.
It’s also very good for businesses too because if you’re compliant with the UK anti-spam legislation, you would also be considered compliant with the Canadian anti-spam legislation. It’s a bit of a red-tap reduction measure.
Why is CASL necessary?
Nearly 70% of all email in the world is spam. It’s estimated this costs the Canadian economy over $3 billion a year.
Spam filters tend to take care of the really overt stuff, like Viagra and Nigerian scams, so is this aimed more at legitimate businesses sending out unwanted email or is it still going after those obvious spammers?
It’s both. There’s a component of this that is being monitored more closely in the media about Canadian businesses sending out unsolicited commercial email, but the way the regulations work, if you have express consent of Canadians already you don’t have to worry about CASL because you’re CASL complaint.
For example, I couldn’t figure out why the Toronto Blue Jays hadn’t sent me my CASL email yet, but I think when I signed up for it two years ago I actually checked the box. They have my express consent.
For those Canadian businesses that have implied consent because they’re in a commercial relationship with someone – say I bought something and they send me email as a result even though I didn’t consent to it – they actually have three years to move from implied consent to express consent, or July 1, 2017.
What will change on July 1, 2014, is for the people in the business of spam. It will be illegal [to send spam]. We’ve taken every step to ensure that the impact on legitimate Canadian businesses is as minimal as possible.
When [Industry] Minister [James Moore] first became Minister, he sat down with stakeholders and did a roundtable. One of the things that came out of it and was implemented in the regulations was the transitional rule in implied consent. We wanted to make sure the impact was as minimal as possible and we understood that small businesses often operate on implied consent when they’re communicating with their customers.
There are concerns that this is going to harm legitimate businesses in terms of forcing them to start their mailing lists over, and in terms of compliance costs. Is this not the case?
While we’ve taken every step to limit the impact on Canadian businesses, our government does have an obligation to put the interests of Canadian consumers first and foremost. This legislation was passed four years ago, the regulations have been in place since December 2013.
Can you explain the difference between implied and express consent a little more?
Express consent is when I have you tick the box and you’ve said, “Yes, I want to receive your emails.” Implied consent is that you have entered into a client relationship because you’ve bought something from me and have given me your email and I’ve just kind of started sending you email as a result of that, but I don’t really have your consent to use your email for that purpose.
What happens if a business tweets you on Twitter?
CASL applies to direct messages in social media and inboxes. It does not apply to, for example, Facebook walls and Twitter feeds.
What can someone do if they feel they’ve received one of these unwanted messages?
They can visit fightspam.gc.ca.
And it’s the CRTC that will determine if a message is offside?
They are the enforcement mechanism and I’ll have to send you to them for a more fulsome explanation.
In that vein, I asked the CRTC about enforcement. Here’s what spokesperson Patricia Valladao said:
What can someone do if they feel they’ve received an unwanted commercial message? What will the enforcement process look like?
Valladao: Consumers, businesses and other organizations will be able to report their unwanted spam to the Spam Reporting Centre via fightspam.gc.ca as of July 1, 2014. The Spam Reporting is the point of contact for receiving complaints, reports of spam and other electronic threats related to CASL.
The information that is submitted with be gathered as evidence and intelligence that will be used by all the three enforcement agencies (the CRTC, Competition Bureau, and Office of the Privacy Commissioner) to support purse and support their investigations against those who violate CASL.
What if the message is coming from outside of Canada? Can you give an example of how enforcement of that might work?
The CRTC will work with our foreign counterparts to help us promote compliance with CASL for those sending unwanted CEMs to Canadians. The Compliance and Enforcement section has had success in developing investigation and enforcement relationships with several countries under the Unsolicited Telecommunications Rules [telemarketing regulations]. We have been solidifying these relationships with an eye to enforcing CASL.
CASL provides us with the tools to share information with our foreign counterparts on a reciprocal basis. There are however non-cooperating countries that we have yet to make inroads with. Other countries may very well be willing, but unfortunately lack the resources to assist. We will continue to work towards developing new relationships as CASL is enforced.