The Anti-Spam Act, Part 4 of 5: Things We Can Do Now to Prepare
Today’s’ article talks about what we can start doing now to be ready when the Act comes into effect.
This is the forth of a series of 5 articles that will introduce the Act, describe what spam is and is not, talk about collateral provisions, what we can do now, and some of the challenges going forward.
At this point it is unclear when the Act will come into force. Expectations range from the next few months to as late as June of 2014. We have been waiting for some time for the regulations to be finalized, as they are crucial to practical compliance with the Act. The CRTC regulations are final. While the Industry Canada regulations released on January 5 are only in draft form, they are a second draft, so are likely fairly close to the final version.
We are now therefore in a position to understand the Act’s practical application.
Consent is king under the Act. So businesses and charities should start thinking about how to best obtain and document consent to send electronic messages. It is important to remember that a consent that you may have now that qualifies under PIPEDA or other privacy legislation may not qualify as consent under the Act. You may have to obtain consent again using a method that qualifies under the Act.
For example, under PIPEDA you might have my consent on an opt-out basis to send me emails promoting your products. The Act (at least in the CRTC’s official view – I’m not convinced this is supported by the Act) does not recognize opt-out consent or consent obtained by “toggling”. So a consent to send that email to me that is valid under PIPEDA might not be valid under the Act.
The first step is to conduct an audit of your information practices. Take a look at the types of electronic messages your organization sends, why you send them, to whom you send them, and how you get people’s addresses. Consider not only mass emails, but also what individual employees might send routinely or occasionally.
Keep in mind that the Act applies to any kind of electronic message – not just email – such as text messages, and direct messages using social media.
As a picture of your electronic communications emerges, consider how they fit into the Act. Do the messages qualify as spam? Do you have consent that is sufficient to comply? What information do you need to add to the communications to comply?
It may be prudent to obtain and document explicit consent before the Act is in force. The Act is very particular about how consent is obtained, so if consents are obtained before the Act comes into force, it is crucial to ensure that they comply. The advantage of obtaining consent before the Act comes into force is that electronic messages can be sent to obtain consent before the Act is in force. Once the Act is in force, electronic messages sent to obtain consent are themselves considered spam.
To reduce the odds of director and officer liability, consider implementing appropriate policies to show diligence, put proper processes in place, and reduce the chances of a violation.
If you use third party mail services to send emails to customers, potential customers, donors or others, discuss the legislation with the provider and ask if they are implementing processes to include the required information and unsubscribe capability, and obtain and track consents. Of particular concern are email providers from outside of Canada. The Act is very different than anti-spam legislation in other countries. They may be unaware of the requirements, may want higher fees to implement the changes, or indeed may choose not to take the time and effort required to comply at all.
If you are in the software business, your software should be looked at to determine if it does anything that would require explicit consent under the Act. If so, methods will have to be implemented to obtain and track the consents. Consider whether the software can be changed to avoid the consents, or whether changing to a SAAS model will avoid the issue.
The next and final article will discuss some of the challenges going forward.
[1. Introduction] [2. The Definition and Treatment of Spam] [3. Other Things in the Act]
[4. Things We Can Do Now to Prepare] [5. Challenges Going Forward]
You suggest obtaining consent before the Act comes into effect. However, Industry Canada is not providing a grandfathering provision for consent that was legitimately obtained under PIPEDA. If you seek consent now, will you have to re-validate that consent once CASL is in effect, or will you only have to re-validate it if it’s opt-out consent (i.e. if I obtain Express Consent that, once in effect, would be acceptable under CASL, can I rely on that once CASL is in effect, or can I not rely on ANY consent that i’ve already obtained?)
Grandfathering of existing PIPEDA consents is a bit unclear at the moment. The CRTC and Industry Canada are giving inconsistent answers to that.
I think it is clear, though, that if you get consent now and follow all the CASL rules to get it, then it will be fine once the act is in force. Might be prudent to wait until the Industry Canada regs are finalized though just to make sure.