The final regulations for CASL were published in December. Here are some key dates to keep in mind.
- The Act’s provisions affecting the sending of spam become effective on July 1, 2014.
- The Act’s provisions requiring specific permission to install certain types of software become effective on January 15, 2015.
- The Act’s provisions providing a private right of action remedy (the ability for anyone to sue anyone violating the Act) become effective July 1, 2017.
One key issue is whether existing consents to send electronic messages that are valid under privacy laws will be grandfathered. The answer to that seems to be “it depends”.
FAQ’s published by the CRTC say:
If you obtained valid express consent prior to CASL coming into force, you will be able to continue to rely on that express consent after CASL comes into force, even if your request did not contain the requisite identification and contact information.
The uncertainty in that is the reference to “valid express consent”, especially since the CRTC insists that consent can only be given by a positive step (ie opt in), but under PIPEDA it is possible in some circumstances to get opt-out consent. So the test is not the strict CASL requirement, but not all consents acceptable under privacy law might be sufficient.
CASL also has a transitional provision (section 66). The CRTC’s FAQ on that says:
Section 66 deems implied consent for a period of 36 months (unless the recipient withdraws consent earlier) where there is an existing business or non-business relationship and the relationship includes the communication of CEMs. During the transitional period, the definition of existing business or non-business relationship is not subject to the limitation periods (6 months and 2 years) that would otherwise be applicable under CASL, for implied consent to exist.
That is not as simple as it sounds, as one must look to the definitions of ”business relationship” and “non-business relationship” to see if the recipient fits. And the sender must have sent the recipient electronic messages prior to July 1.
The grandfathering and transitional provisions are helpful, but the safest practice would be to try to get explicit permission that complies with CASL requirements before July 1. One reason to do that is that after July 1 it will be considered spam to email someone to ask for their permission unless you already have implied or express consent.
Keep in mind that the onus to prove a sender has consent is on the sender. That means that if the sender is accused of violating the act and sending spam, the sender must prove that it had explicit consent, or that it had implied consent by virtue of one of the exceptions in the Act.
For more detail about CASL see my previous blog posts, particularly the 5 part article series.