Canada’s anti-spam legislation sees first major judicial interpretation

This summer, Canada’s anti-spam legislation (known as CASL) saw the release of its most important case to date, the Federal Court of Appeal’s (FCA) decision in 3510395 Canada Inc. v Canada (Attorney General). The FCA upheld the constitutionality of the legislation. This decision establishes the constitutionality of the CASL restrictions on commercial electronic communications and provides businesses with a degree of guidance on how to comply with CASL’s requirements.

Background

CASL, which came into force in 2014, regulates, among other things, commercial electronic messages (CEMs), which are often emails. It has a wide impact and, subject to some exemptions, generally requires businesses to obtain consent prior to sending a CEM to a recipient and to include a link in each CEM providing a simple method to unsubscribe from future CEMs.

In this case, the appellant, CompuFinder, a small business based in Québec offering professional training courses, sent several hundred emails to other businesses as part of an advertising campaign shortly after the coming into force of CASL. Following an investigation, CompuFinder was issued a Notice of Violation (NOV) pursuant to section 22 of CASL, on the grounds that CompuFinder had not obtained consent prior to sending the emails (which were CEMs) and that some of the CEMs had a non-functioning unsubscribe link. The NOV imposed a $1,100,000. CompuFinder challenged the NOV on various grounds before the Canada Radio-Television and Telecommunications Commission (CRTC), but was unsuccessful apart from reducing the penalty to $200,000. The constitutional challenge followed.

Constitutional challenges

The FCA held that the CASL CEM restrictions are within the federal government’s legislative authority over trade and commerce. It is worth noting that the FCA only considered whether the CEM provisions were within the federal government’s authority, leaving the other parts of CASL (altered transmission data and unauthorized installation of computer programs) open to later challenges.

CompuFinder alleged numerous violations of the Canadian Charter of Rights and Freedoms, including freedom of expression, unreasonable search and seizure, and other procedural rights. The FCA rejected each of these arguments, finding that the CASL CEM scheme is a justified infringement of the freedom of expression and that fines for violations of CASL up to $1,000,000 for an individual or $10,000,000 for corporations and other entities are not penal consequences.

In light of these findings, it is ultimately the interpretation of the various exemptions and other provisions of CASL that businesses will no doubt find to be the most useful takeaways from this decision.

Business-to-business exemption

One of the exemptions to the restrictions on CEMs is where it is a business-to-business communication. In order to qualify for this exemption, the CEM has to be: i) sent by an employee of a business to an employee of another business, ii) the businesses must have a relationship, and iii) the CEM must concern the activities of the receiving business.

The FCA provided some clarity on the latter two factors:

1. Where there are only a limited number of transactions between the businesses (for example, involving only a limited number of the recipient business’ employees), this may not give rise to a business relationship – that was precisely the case here.
2. The FCA supported a broader application of what constitutes “activities of the organization” for the last requirement described above: A recipient business’ “activities” are broader than its core business operations, and can include matters the business is required by law to undertake. However, this broader definition did not affect the outcome on the facts of this case.

Implied consent by conspicuous publication

The FCA also considered the issued of “conspicuous publication” under the implied consent exception. Where there is implied consent by way of “conspicuous publication”, a business may send unsolicited CEMs. In order to establish implied consent, i) the recipient must have published or caused the publishing of their electronic address, ii) the publication must not be accompanied by a statement that the recipient does not wish to receive CEMs, and iii) the CEM must be relevant to the business, role, functions or duties of the recipient individual or business.

The FC has now clarified that email addresses obtained from third-party directory websites do not meet the first requirement absent evidence that the recipient agreed to the publishing of their email in that directory.

In this respect, the FCA upheld the CRTC’s finding that the first requirement was not met in this case because the email addresses were taken from a third-party website, which did not indicate whether the content was user-submitted. Further, the FCA did not accept that CompuFinder had proven, based on the job titles of the recipients, that the CEMS were relevant to the business, role, functions or duties of the recipients. While the Court did not rule out that a job description could provide sufficient information to establish relevance, it will have to be established on a case-to-case basis.

Unsubscribe mechanisms

Finally, the FCA upheld the CRTC finding that the inclusion of two unsubscribe links, one functioning and the other not, constituted a breach of the requirement to include an unsubscribe link. This conclusion rested on the requirements of the regulations to CASL that the unsubscribe mechanisms be set out clearly and prominently, and be able to be readily performed. Based on evidence from consumers that the two unsubscribe links caused confusion and frustration among recipients, the FCA accepted the CRTC’s conclusion.

Takeaways

In light of the FCA’s reasons and interpretation of CASL, it is important that businesses sending CEMs ensure that:

1. They have a track record of transactions with the other business before relying on the business-to-business exemption. One or two transactions, particularly where dealing with few employees, is insufficient to establish that this exemption applies.
2. Third-party address directories, without more (including evidence that the recipients consented to the publication of their information in such a directory), do not meet the conspicuous publication requirement for implied consent.
3. Care must be taken to ensure that if multiple unsubscribe links are included in a CEM, that they both are functional and are presented in a manner that would not confuse the recipient.