The Hidden Costs of Canada’s Anti-spam Law
February 21, 2013 | Rebecca Harris | Comments
New exemptions to C-28 are helpful, but the anti-spam bill may not fight spam after all
This story originally appeared in Feb. 25 special Privacy Issue of Marketing. Tickets for Marketing’s Understanding Privacy in 2013 half-day conference are still available.
Unless you’re in the market for a Russian bride, unsavory loan or discount sex enhancements, nobody really likes spam. And surely most would agree it should be stopped.
The federal government certainly thinks so, passing Canada’s Anti-Spam Legislation (CASL) into law in December 2010. Bill C-28, as it pertains to marketers, bars the sending of commercial electronic messages (CEMs) including e-mails and text messages, without prior consent from the recipient.
While CASL’s intent is to snuff out true spammers, the first draft regulations published in July 2011 revealed that many legitimate marketing practices would be rendered illegal. Fifty-five businesses and industry associations brought their concerns to Industry Canada during a two month consultation period ending Sept. 7, 2011. Finally, on Jan. 5, 2013, revised regulations were published.
Was it good news for marketers? Cue the collective, “Yes, but…” The new regulations, which contain some important business-to-business exemptions, will certainly soften the impact for marketers. But many believe the exemptions don’t go far enough, and that at its core, CASL is flawed.
“It’s the most Draconian anti-spam legislation anywhere in the world and the bill requires [new] regulations in order to make it effective,” says Barry Sookman, a artner at Toronto law firm McCarthy Tétrault. The problem is the bill “starts from an approach that says commercial speech is illegal in this country, rather than from an approach that says ‘Let’s try and identify harmful speech,’” says Sookman.
The government “then recognized there was an over-sweep and they needed to have exceptions because it was catching things that made no sense.”
Sookman says the fact there are exemptions in the first place illustrates “there’s a problem here… You have some [new] regulations that have identified specific problems and then tried to solve them. But they don’t solve them completely and they don’t solve all of them.”
He likens the process to the arcade game Whac-a-Mole. “It’s like trying to plug holes,” says Sookman. “And you’re going to plug a hole and there’s going to be a bunch more and you’re never going to be able to keep up.”
As it stands, compliance with CASL is not going to be easy. “It’s very expensive, there’s a lot of red tape and it’s going to restrict a lot of the current marketing activities that [marketers] are engaging in,” says Sookman.
The thrust of the act, as it pertains to CEMs, is consent. The general rule is that express, opt-in consent must be obtained before you can send a person or business an email.
The regulations are stricter than existing requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA), which has governed email marketing since 2000. PIPEDA permits opt-out consent for marketing messages, meaning if a person does not clearly decline consent, consent is granted. For example, online shoppers might be asked to uncheck a box if they don’t want their personal information shared with affiliates. That won’t work under CASL; consent can be implied only where there is an existing business or nonbusiness relationship, as defined in the act, if the person voluntarily discloses his/her email address or has “conspicuously published” it.
Most disappointing for marketers is Industry Canada’s continued rejection of grandfathering PIPEDA consents—something marketing groups like the Canadian Marketing Association (CMA) lobbied for after the initial draft was published in 2011. That means many companies will have to re-qualify their email contact lists with new, opt-in consent.
“Many organizations are already following good, respectful practices, but the reality is those practices range quite a bit in terms of the type of consent that organizations obtain,” says Wally Hill, vice-president of public affairs and communications at the CMA. “We’ve said [the government] should clearly grandfather all of the consents that companies have in their databases, up to the time this goes into force.”
The consents “may be of various types, but they were valid under the law.” Janine MacNeil, a partner at McMillan’s competition and marketing law group, says the decision not to grandfather PIPEDA consents existed under the first-draft regulations and nothing “happened in the interim that caused us to expect that state of affairs to change,” she says.
“A lot of marketers were concerned that it was going to be a significant amount of work to have to re-qualify a lot of consents,” says MacNeil. “And if it’s not something that they’ve started on already, it will still be a significant amount of work, but it’s really not that surprising.” (See sidebar at left, “How To Get Ready for CASL.”)
The good news is businesses are being given a three-year transitional period after the act comes into force, during which time consent will be implied for both active and inactive customers with whom there is a qualifying business relationship. But that won’t help new businesses trying to drum up business or companies looking for new clients, as they don’t have existing business relationships. “It would be legal to send [a message] by mail, but illegal to send it by email,” notes McCarthy’s Sookman. “Who implements a system that makes it virtually impossible for young, innovative start-up companies to start businesses? It’s insanity.”
For its part, Industry Canada admitted the act “captures some regular business communications that are not the types of threats that were intended to be captured within the scope of the act.”
The new exemptions released in January were intended to “address many of the most serious concerns raised in the consultations about the unintended application of CASL to ordinary, transactional business communications.” Among the exemptions are:
• Business to Business: CEMs sent within a business; CEMs sent between businesses that are in an ongoing business relationship, and where the messages are sent by an employee, representative, contractor or franchisee and are relevant to the business, role, function or duties of the recipients
• Third-party referrals: A single CEM sent as a result of a referral if the sender discloses the name of the person who made the referral and the person who made the referral has a family relationship, personal relationship or an existing business relationship with both the sender and recipient.
• Personal relationships: The new definition of personal relationship removes requirements that the individuals have met in person and have communicated within the past two years.
The revised regulations were open for a 30-day consultation period, so it’s possible new exemptions will be introduced. (Industry Canada would only say it “looks forward to hearing from interested stakeholders on the revised and new regulations.”) While the exemptions are helpful to businesses, they “don’t change the fundamental structure of the act, which is to presumptively prohibit using email for business purposes,” says Michael Osborne, a partner at Toronto law firm Affleck Greene McMurty. He believes the burden will fall on legitimate businesses and will be disproportionate in the case of small and new businesses. “The act privileges existing business relationships over potential new ones,” says Osborne. “In that way, it will impede competition for new customers and act as a barrier to entry and expansion by new firms.”
Osborne believes CASL will be challenged in court, as it violates Canada’s commercial freedom of speech. “There is an obvious constitutional challenge waiting to happen,” he says. “The act basically bans the use of email for business. And it says you can use it for business if the government lets you. So the mechanism that the act uses itself creates constitutional issues that are going to get raised as soon as [the government] attempts to prosecute someone.”
The fact that CASL is still not in force – more than two years after being introduced – points to its inherent challenges. The act was initially expected to come into force in 2012 and was later pushed back to 2013. Most recently, Industry Canada said the law will be enforced by July 2014 at the latest. Sookman suspects once the law comes into force, there will be a “short burn-in period, followed by very quick enforcement,” which means businesses should start preparing now. “Once the legislation is in effect, they’re not going to get much time” to ensure they are compliant. The fines for violators are steep: up to $1 million for individuals and up to $10 million for businesses that breach the law.
As marketers prepare to dutifully comply with the legislation, the question remains, what will Canada’s anti-spam act actually do to combat real spam? “Nothing,” says Osborne.
“Real spammers are mostly outside of Canada and they can’t be reached by this bill.”
According to the Register of Known Spam Operations, compiled by The Spamhaus Project, an organization that tracks email spammers, only six out of 116 spam operations operate in Canada. The group says 100 spam operations globally are responsible for 80% of all spam.
The vast majority of spam, Osborne says, “gets filtered by our spam filters and it concerns – judging by what I saw in my spam box most recently – beautiful girls in Russia who have apparently taken a fancy to me, offerings for pharmaceuticals and other enhancements mostly concerning the bedroom. That’s not going to stop. I wish it would, but this bill won’t stop that.”
In an emailed response to Marketing, an Industry Canada spokesperson stated, “An important component of Canada’s anti-spam legislation is the enforcement regime whereby the Canadian Radio-television and Telecommunications Commission (CRTC), Competition Bureau Canada and the Office of the Privacy Commissioner have been given the authority to share information and evidence with their counterparts that enforce similar laws internationally in order to pursue violators beyond our borders.”
The CMA’s Hill says it’s “important to have a framework” that allows enforcement agencies to collaborate with other jurisdictions. Spam is “an international problem and you need to be able to work with countries to shut it down. If you don’t have anything firm to stand on in your own country, it’s hard to work with others.”
Overall, he adds, “what we’re trying to do here is good. It’s just that the devil’s in the details.”
Illustration: Warren Gebert
There’s more! To find out how to prepare for CASL, read the full article in the Feb. 25 issue of Marketing. Subscribe today.
For more insight on online privacy and consumer expectation, check out Understanding Privacy in 2013: The New Rules of Engagement on Feb. 28. Tickets are still available