The Canadian Radio-television and Telecommunications Commission (CRTC) dashed hopes that it will be sensitive to the needs of businesses when enforcing Canada’s anti-spam legislation (CASL).
On October 10, 2012 it published two bulletins that provide guidance on how it will enforce key elements of CASL, including the rules governing consent. The CRTC indicated that CASL is expected to come into force in 2013.
While the bulletins bring clarity to what the CRTC expects businesses to do, the CRTC’s interpretation of CASL will leave most organizations with no choice but to adopt expensive and disruptive changes to the processes they use now in respect of their use of electronic communications and their installation of computer programs on a consumer’s device.
Highlights from the bulletins, including related impacts on business, are summarized below.
Rejection of opt-out consent
There has been an ongoing debate over what constitutes express consent and whether it is sufficient to require the person whose consent is being sought to uncheck a pre-checked box. The CRTC has effectively closed the door on the use of pre-checked boxes, even if the box is included within an online process that requires the user to “check” a box indicating overall agreement with terms and conditions of the sale or other arrangement.
The CRTC’s position on the use of pre-checked boxes will force many organizations to change well-established practices for obtaining consent to send promotional and other commercial messages. As well, it will significantly limit the circumstances in which an organization will be able to rely upon consents previously acquired from consumers.
Rejection of bundled consent
An open issue under CASL has been whether requests for consent could be subsumed in, or bundled with, requests for consent to the general terms and conditions of sale or use. The CRTC has emphatically rejected this approach to obtaining consent. Rather, it expects that a consumer will be given the opportunity to accept the agreement terms, but separately have the ability to refuse to provide consent for activities governed by CASL.
This requirement will cause most businesses to change the processes they currently use to obtain consents. Additionally, compliance will be particularly problematic in the context of the installation of computer programs. Requiring separate “clicks” for the end user licence agreement and the installation of the software can be expected to create confusion among consumers.
The CRTC has indicated that, following receipt of express consent, confirmation of the consent should be sent to the person who provided it.
It is unclear why the CRTC has adopted this requirement, as it is not reflected in the wording of CASL or the regulations. However, what is certain, is that it will increase the operational costs of businesses. Additionally, at least in some contexts, consumers may be annoyed at receiving what they view as an unwarranted and unwanted electronic communication.
Option of unsubscribing from all electronic messages
Online businesses have been concerned that the unsubscribe mechanism in CASL could be interpreted to require that consumers be given the option of unsubscribing from all electronic messages of a commercial nature, even if the messages are service or transactional in nature and even if the consumer has chosen to transact online. It had been hoped that the CRTC would clarify that messages consisting solely of factual information about the consumer’s account and purchases would not need to be covered by an unsubscribe request. To the contrary, the CRTC has indicated that the opposite is required.
The CRTC’s approach effectively means that businesses who rely exclusively on electronic messages to communicate with consumers will be faced with losing consumers or incurring the costs of communicating with consumers by telephone or mail.
Proving oral consent
Although CASL generally allows an organization to obtain consent orally, there have been questions about what evidence will be necessary to discharge the onus of proving that consent has been obtained. The CRTC has indicated that this onus can be discharged in the following narrow circumstances:
- where oral consent can be verified by an independent third party; or
- where a complete and unedited audio recording is retained by the person seeking consent or a client of the person seeking consent.
It is noteworthy that this approach is consistent with the one adopted by the CRTC in the context of Canadian telemarketing rules. In doing so, it appears that the CRTC has failed to consider that businesses often obtain consent orally from consumers in-person (e.g., at the time of purchase) and that many businesses, particularly small ones, do not have systems in place to record calls with consumers.
Additionally, it will be interesting to observe how the Privacy Commissioner of Canada responds to an interpretation of CASL by the CRTC that will have the effect of encouraging businesses to collect more personal information from consumers (such as voice recordings) and then retain the information in a database indefinitely.
Proving written consent
Although the CRTC has previously clarified that consent obtained in writing is satisfied by information in electronic form, it has now indicated that consents obtained on a web page need to be supported by a record of the date, time, purposes, and manner of the consent stored in a database. Businesses that collect consent online will need to carefully review their database management practices to determine if changes are required to meet this requirement.
Identification of all affiliates
An open issue under CASL has been whether the identity of each affiliate on whose behalf a commercial electronic message (CEM) is sent must be identified in the CEM, or whether it is sufficient to identify the top level brand-name used by an organization (e.g., “Acme” or “the Acme Group of Companies”). The CRTC has indicated that the identity of all affiliates must be identified in a CEM. Presumably, the CRTC will also expect each affiliate to be identified in requests for consent (to the extent that consent is being requested on behalf of the affiliate). Complying with these requirements will create particular challenges for organizations with multiple operating companies who currently share consumer information for marketing and other commercial purposes.