Tyndale CASL FAQ
1.1 What is the Canadian Anti-Spam Legislation?
The primary purpose of the Canadian Anti-Spam Legislation (CASL) is to control spam (unwanted or unsolicited Commercial Electronic Messages, referred to as CEMs).
1.2 When will the CASL come into force?
The CASL will come into force on July 1, 2014.
1.3 Who does the CASL apply to?
The CASL applies to most organizations in Canada, including Tyndale
1.4 What are the penalties for non-compliance with the CASL?
The penalty for noncompliance with the CASL is a fine of up to $10 million for an organization, and $1 million for an individual. Also, anybody who receives a CEM without providing their consent has a private right of action against the organization sending the CEM, and may be entitled to receive up to $200 per violation. Officers, directors and agents can be held personally liable for their organization’s failure to comply with the CASL.
2.1 What kinds of electronic messages are regulated by the CASL?
The CASL applies to “Commercial Electronic Messages” (CEMs), which are defined as any “electronic messages” that encourage participation in a “commercial activity”. These terms are defined below.
An “electronic message” is any message sent to an electronic account, e.g. an email, a text message, or an instant message. Interactive two-way voice communications, fax messages or voice recordings sent to a telephone account are not considered to be electronic messages. If you’re calling somebody to offer a product or service, that’s not an electronic message. Please keep in mind, however, that promotional phone calls may be regulated by the Do-Not-Call List. See https://www.lnnte-dncl.gc.ca/index-eng for more information about the Do-Not-Call List.
A “commercial activity” is broadly defined as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit”. Examples of commercial activities include purchasing, selling, bartering or leasing products, goods or services, or land; providing a business, investment or gaming opportunity; or advertising or promoting any of these activities.
2.2 Where can I find examples of activities that fall under the CASL?
Here are examples of messages sent by Tyndale that do fall under the scope of the CASL:
• A message about a sale of sweatshirts at the Tyndale Bookstore
• A message promoting a Tyndale-branded credit card
• A message promoting a summer ESL program offered by a private school in a Tyndale facility
2.3 What are the exemptions to the CASL?
Messages that do not relate to the core activities of UBC may nevertheless be exempted from the CASL. The exemptions are as follows:
(a) Messages sent by or on behalf of an individual to another individual with whom they have a personal or family relationship;
(b) Messages sent to a person who is engaged in a commercial activity and consists solely of an inquiry or application related to that activity;
(c) Messages sent within an organization that concern the activities of that organization;
(d) Messages sent between organizations with a relationship that concern the activities of the receiving organization;
(e) Messages sent in response to requests, inquiries or complaints, or otherwise solicited by the recipient;
(f) Messages sent to satisfy, provide notice of, or enforce a right, legal or juridical obligation;
(g) Messages sent on an electronic messaging service if the required information and unsubscribe mechanism are readily available on the user interface, and the recipient has consented to receive the message;
(h) Messages sent to a limited-access secure and confidential account to which messages can only be sent by the person who provides the account;
(i) Messages that a sender reasonably believes will be accessed in a listed foreign state, and conform to the anti-spam laws of such foreign state;
(j) Messages sent by or on behalf of a registered charity as defined in s.248(1) of the Income Tax Act, and have as their primary purpose raising funds; and
(k) Messages sent by or on behalf of a political party or organization or a candidate for publicly elected office that has as its primary purpose soliciting a contribution.
3.1 What information do CEMs have to contain?
All CEMs that are subject to the CASL must contain the following information:
(a) the name of the organization sending the message;
(b) the mailing address, and a telephone number, email address or web address, for the organization seeking consent (or a link to a website containing this information); and
(c) information about how to unsubscribe from future Commercial Electronic Messages.
If it is not practicable to include all of the above information in the CEM, then it must contain a clear and prominent link to a webpage that contains the information.
4.1 Do you need to secure recipients’ consent to send them CEMs?
As a rule, before sending a CEM, you must have the recipient’s implied or express consent. However, consent is not required for a CEM that meets any of the following requirements:
(a) provides a quote or estimate that was previously requested by the recipient;
(b) facilitates, completes or confirms a commercial transaction that the recipient previously agreed to enter into;
(c) provides warranty information, product recall information or safety or security information about a product, goods or a service that the recipient has used or has purchased;
(d) provides factual information related to the recipient’s subscription, membership, account, loan or similar relationship with the sender;
(e) provides information directly related to an employment relationship or related benefit plan in which the person to whom the message is sent is currently involved, is currently participating or is currently enrolled; or
(f) delivers a product, good or a service, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction they previously entered into.
4.2 What is “implied consent”?
Implied consent may arise in three situations:
Where there is an existing business relationship: Such relationships arise from:
(a) the purchase or lease of a product, goods, a service, land or an interest or right in land, within the last two years;
(b) the acceptance by the message recipient, within the last two years, of a business, investment or gaming opportunity offered;
(c) the bartering of anything mentioned in paragraph (a) between the message recipient and Tyndale within the last two years;
(d) a written contract entered into between the message recipient and Tyndale in respect of a matter not referred to in any of paragraphs (a) to (c), if the contract is currently in existence or expired within the last two years; or
(e) an inquiry or application, within the last six months, made by the person to whom the message is sent to any of those other persons, in respect of anything mentioned in any of paragraphs (a) to (c).
Where there is an existing non-business relationship: Tyndale has non-business relationships with two groups of individuals:
(a) donors; and
Where the recipient has given you or has conspicuously published his or her business contact information: This only applies where:
(a) the recipient has not indicated a wish not to receive unsolicited CEMs; and
(b) your message is relevant to the recipient’s business, role, functions or duties in a business or official capacity.
Implied consent normally lasts for two years. For example, Tyndale has a non-business relationship with its donors, which gives us their implied consent to send them CEMs for two years after their last donation. If you already have somebody’s implied consent, you should send them a message asking for express consent before the two-year period expires.
4.3 What is “express consent”?
Express consent is consent that has been provided orally or in writing. Once you have secured recipients’ express consent, then you may continue to send them CEMs indefinitely unless they “unsubscribe” from further messages.
4.4 How do you obtain express consent?
Oral consent should be avoided unless you have a way to verify the consent, such as an unedited audio recording. It is preferable to obtain express consent in writing, as this makes it easier to verify that the consent was provided. You may request individuals to provide their written consent in various ways, e.g. by signing a document, sending you an email, entering information into a webform, or clicking on an a checkbox or an “I Accept” button on a web page.
Electronic messages requesting consent are deemed to be CEMs. Therefore, you can only use an electronic message to request somebody’s express consent if you already have their implied consent. Essentially, you are “converting” implied consent into express consent. For example, when somebody volunteers for Tyndale, we have their implied consent to send them CEMs for the next two years. You can “convert” this from implied to express consent by emailing them a consent request.
4.5 What information do requests for express consent have to contain?
Requests for express consent must contain the following information:
(a) the specific purpose for which you’re seeking their consent;
(b) the name of the Tyndale department seeking consent;
(c) the mailing address, and a telephone number, email address or web address (or a link to a website containing this information); and
(d) a statement indicating that the person whose consent is sought can withdraw their consent.
In addition to requesting the individual’s express consent, it is also necessary to provide a privacy statement explaining your legal authority to collect personal information from the individual. See Tyndale’s Model Language for sample consent requests and privacy statements.
Consent must always be “opt-in”, not “opt-out”. This means that if you are using a check-box for consent, the box cannot be “pre-checked”.
4.6 Can Tyndale get a “blanket consent” that covers multiple departments/purposes?
It is preferable for each department to secure its own consent, which is restricted to the particular needs of that department, rather than seeking a “blanket consent” that covers multiple departments and purposes. There are at least two practical difficulties with “blanket consents”. The first is that a valid consent must identify the purpose for which you will contact the individual. With ”blanket consents”, it may be difficult to identify and define all of the purposes of the consent in an intelligible and concise fashion. The second difficulty is that CEMs must contain information about how to unsubscribe from future CEMs. When an unsubscribe request is received in relation to a “blanket consent”, it will have to be communicated to all of the departments that were relying on the consent. Keeping track of all of these departments could be quite challenging.
4.7 Do you have to keep a record of the consents you have secured?
Yes. This is absolutely essential. If you send a CEM without being able to prove that the recipient has consented to receive it, you are placing Tyndale at risk of a substantial fine under the CASL. In some cases, sloppy record-keeping may invalidate an entire mailing list.
5.1 What are the requirements for unsubscribe mechanisms?
All CEMs have to give subscribers the opportunity to unsubscribe from future CEMs, without cost to them. Your unsubscribe mechanism must be easy to access and use. An unsubscribe mechanism must be valid for at least 60 days after you send the CEM. If you receive a request to unsubscribe, you must comply within 10 business days.
When you send CEMs by email, you may offer one or both of the following unsubscribe methods:
(a) sending an email; and/or
(b) clicking on a link that will take the user to a web page where he or she can unsubscribe
When you send CEMs by text message, then you must offer both of the following unsubscribe methods:
(a) replying to the text message with the word “STOP”; and
(b) clicking on a link that will take the individual to a web page where he or she can unsubscribe
5.2 Do I have to keep track of unsubscribe requests?
Yes. It is essential to track which electronic addresses have submitted unsubscribe requests to ensure that CEMs are not sent to them against the recipient’s wishes.
6.1 What are the other CASL requirements?
In addition to the requirements related to CEMs, the CASL also contains the following prohibitions:
Installing unwanted computer programs: In order to prevent the installation of viruses, spyware, and other unwanted programs, CASL prohibits the installation of any program without the consent of the computer owner.
Altering transmission data: CASL prohibits the alteration of transmission data in an electronic message so that the message is delivered to a destination other than that specified by the sender.
Providing false or misleading information: CASL prohibits false or misleading information in CEMs, including:
(a) any representation in the body of the message that is false or misleading in a material respect;
(b) any false or misleading representation made in a “locator”, i.e. a name, URL, or other information used to identify the source of data in a computer system; and
(c) any false or misleading representation in the “From” or “Subject” line of a message.
Harvesting addresses: CASL prohibits the use of programs that “harvest” email addresses to create mailing lists.
Collecting personal information: CASL prohibits the use of computer systems to collect personal information without authority.