What exactly is ‘SPAM’ and are you guilty of serving it?
MENU with Katherine Stanger and Shane Morganstein of Borden Ladner Gervais LLP (BLG)
There are myriad essential laws, policies and Acts that affect how businesses operate in Canada. Beyond the more familiar pieces of legislation, there exists a lesser-understood and acronym-laden group that may represent a sleeping liability for operators. If you’re marketing your business, Canada’s Anti-Spam Legislation or CASL is one of the residents of this murky legislative neighbourhood you’ll need to get to know. We connected with Katherine Stanger and Shane Morganstein of BLG to learn more about CASL and its specific implications for restaurants and foodservice.
What is spam?
Spam is essentially any unsolicited electronic message. It applies to email, texts and software sent to customers or prospective customers without their consent.
So, what is CASL and what is its purpose?
Created in 2014, CASL was designed with the best intentions. It sought to address growing social and economic stress caused by new forms of electronic or email marketing as well as more malicious activities like spam and cyber threats in a relatively naïve user population. It was the classic case of a few rotten apples ruining the party for legitimate businesses looking to engage with their customers. That said, the threat was real, due to the proliferation of malware, identity theft and phishing and poor business etiquette.
“CASL is Canada’s version of an anti-spam law,” Katherine Stanger, Senior Associate at BLG explains. “The official title of the legislation is “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act” but, since that’s a bit of a mouthful, we call it “Canada’s Anti-Spam Legislation” or “CASL”.”
The title alone suggests you’d have to take a deep dive into multiple Acts to even begin to grasp CASL’s scope, and that’s precisely the reason businesses struggle to understand and apply the legislation. Avoidance is not the answer though. Whether or not you understand CASL, it may well apply to you and your business marketing activities. CASL governs the flow of marketing messages and transactions from businesses to consumers. It’s grounded in the idea that consumers are entitled to their privacy and that businesses must be granted appropriate permissions—or consent—from a customer to try and deepen the relationship through marketing materials. CASL outlines the terms that define when and how businesses can share marketing material or messages with customers or prospective customers.
“CASL is designed to deter unsolicited marketing messages, and also contains some rules around the unauthorized installation of computer programs on another person’s computer and other forms of online fraud (such as identity theft and phishing),” says BLG Associate Shane Morganstein. “Generally speaking, the basic rule under CASL is: (1) you need consent to send a marketing message to a person; and (2) your marketing message has to contain an unsubscribe mechanism and some information disclosures about you as the sender. There are some exceptions and other nuances, so you need to look at CASL’s rules really carefully to make sure your marketing messages comply.”
What types of marketing fall under CASL?
Morganstein points out that CASL exists to ensure consumer privacy and is centred in B2C communication. “CASL applies to what are called “commercial electronic messages” (or “CEMs”),” he notes. “CEMs are messages designed to encourage participation in a commercial activity—think messages promoting sales, advertisements, or encouraging investments into franchises. CASL is relevant to all commercial entities, including restaurants, that engage their consumers electronically, particularly since CASL fines can scale quickly with steep penalties.”
What happens when a business breaks the rules?
Whether or not a business’ electronic marketing intentions are malicious, they are responsible for making sure they’re in compliance with CASL. The sender is liable for any message sent without recipient consent to receive it—even “friendly” emails or texts, like community or social messages with no explicit sales pitch or offer. “CASL violations can result in significant fines—up to $1 million for an individual, and up to $10 million for a corporation,” says Morganstein. “These fines are per violation, meaning that each CEM sent in contravention of CASL can invite its own fine. This can be extremely problematic for larger restaurants sending large numbers of CEMs, since one mass email campaign that is offside CASL can result in significant fines.”
What are some of the more common marketing activities that put hospitality businesses at risk of CASL violation?
“One mistake we sometimes see is a business operating under an “opt-out” consent model rather than “opt-in”—meaning a business will assume it has a person’s consent to send CEMs to that person until that person unsubscribes (which is how the United States CAN-SPAM Act works),” explains Stanger. “Under CASL, subject to some exceptions and other nuances, a business needs to have a person’s consent before sending a CEM to that person.”
“Another mistake we see is businesses not tracking their consents. Under CASL, the sender bears the burden of proof of demonstrating that consent was obtained. This means that, if there’s ever an issue about consent, a business will need to show evidence that it properly obtained the person’s consent before the business sent a CEM to that person.”
“Lastly, we see businesses having issues with their unsubscribe mechanism. CASL requires each CEM to contain a valid unsubscribe mechanism that can be used by a person to unsubscribe from your business’s marketing emails relatively easily. Sometimes we see businesses send out CEMs that have an unsubscribe button, but that unsubscribe button is overly complicated or doesn’t work properly, or for whatever reason the business keeps sending CEMs to a person who has tried to unsubscribe. As a practical matter, you can see how this would be pretty annoying for customers. In our view, it’s a fast way to get a CASL complaint made against you!”
What types of messages does CASL define as “CEMs”?
To help operators manage their risk, they need to understand the types of communications CASL views as a CEM. Morganstein outlines some of the common misconceptions business owners need to be aware of. “First, you need to know that an electronic marketing message sent to only one person is a CEM. If the message is electronic and of a “commercial character”, it will be a CEM and therefore fall under CASL. As a result, the sending organization will need the individual’s express or implied consent to send them the CEM subject to some limited exceptions, including having an existing relationship with that individual which pre-dates the CEM. Note that a CEM requesting an individual’s consent to receive CEMs is still considered a CEM, meaning organizations need to get creative in how they solicit consent to receive marketing communications from their customers.”
“Second, an electronic marketing message sent via text is a CEM. Under CASL, the definition of “CEM” includes messages “sent by any means of telecommunication, including a text, sound, voice or image message.” Even direct social media messages can be captured by CASL.”
“Third, an electronic message that only has a minor marketing purpose is a CEM. An electronic message only needs one of its purposes to be encouraging participation in a commercial activity for the message to be a CEM. Note, however, that this analysis is always a contextual one. For example, including a logo or hyperlink in an email signature should not make an otherwise non-marketing message a CEM. However, including a tagline in your email signature promoting a product or service, or a coupon code at the bottom of your email, could change a regular email into a CEM – it’ll just depend on the specific message.”
Can businesses effectively promote themselves while making sure they’re compliant?
There are ways to send out CASL-compliant marketing messages; however, many businesses find CASL complicated and may be unsure as to whether or not they have successfully received consent. The challenge often lies around the concepts of “express” and “implied” consent as defined within CASL. Express consent means that a recipient has agreed verbally or in writing to receive your messages. This type of consent does not expire unless the recipient withdraws their consent or “unsubscribes”. Implied consent is trickier. This type of consent is conditional on various factors including whether the recipient has an existing business relationship with the sender—when the recipient has made a recent purchase or submitted a query, for example—and it is limited.
Uncertainty around compliance can be a little daunting, Morganstein admits. “If you aren’t sure whether your organization is CASL compliant, speak with your lawyer or give us a call!”
Shane Morganstein
Associate
Borden Ladner Gervais LLP
Katherine Stanger
Senior Associate
Borden Ladner Gervais LLP