Dear CASL: When can I rely on “implied consent”?

.

By Richard Stobbe

Canada’s Anti-Spam Legislation (CASL) is overly complex and notoriously difficult to interpret – heck, even lawyers start to see double when they read the official title of the law (An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act).

The concept of implied consent (as opposed to express consent) is built into the law, and the trick is to interpret when, exactly, a company can rely on implied consent to send commercial electronic messages (CEMs). There are a number of different types of implied consent, including a pre-existing business or non-business relationship, and the so-called “conspicuous publication exemption”.

One recent administrative decision (Compliance and Enforcement Decision CRTC 2016-428 re: Blackstone Learning Corp.) focused on “conspicuous publication” under Section 10(9) of the Act. A company may rely on implied consent to send CEMs where there is:

  1. conspicuous publication of the email address in question,
  2. the email address is not accompanied by a statement that the person does not wish to receive unsolicited commercial electronic messages at the electronic address; and
  3. the message is relevant to the person’s business, role, functions, or duties in a business or official capacity.

In this case, Blackstone Learning sent about 380,000 emails to government employees during 9 separate ad campaigns over a 3 month period in 2014. The case against Blackstone by the CRTC did not dwell on the evidence – in fact, Blackstone admitted the essential facts. Rather, this case focused on the defense raised by Blackstone. The company pointed to the “conspicuous publication exemption” and argued that it could rely on implied consent for the CEMs since the email addresses of the government employees were all conspicuously published online.

However, the company provided very little support for this assertion, and it did not provide back-up related to the other two elements of the defense; namely, that the email addresses were not accompanied by a “no spam” statement, and that the CEMs were relevant to the role or business of the recipients. The CRTC’s decision provides some guidance on implied consent and “conspicuous publication”:

  • The CRTC observed that “The conspicuous publication exemption and the requirements thereof set out in paragraph 10(9)(b) of the Act set a higher standard than the simple public availability of electronic addresses.” In other words, finding an email address online is not enough.
  • First, the exemption only applies if the email recipient publishes the email address or authorizes someone else to publish it. Let’s take the example of a sales rep who might publish his or her email, and also authorize a reseller or distributor to publish the email address. However, the CRTC notes if a third party were to collect and sell a list of such addresses on its own then “this would not create implied consent on its own, because in that instance neither the account holder nor the message recipient would be publishing the address, or be causing it to be published.”
  • The decision does not provide a lot of context around the relevance factor, or how that should be interpreted. CRTC guidance provides some obvious examples – an email advertising how to be an administrative assistant is not relevant to a CEO.  In this case, Blackstone was advertising courses related to technical writing, grammar and stress management. Arguably, these topics might be relevant to a broad range of people within the government.
  • Note that the onus of proving consent, including all the elements of the “conspicuous publication exception”, rests with the person relying on it. The CRTC is not going to do you any favours here. Make sure you have accurate and complete records to show why this exemption is available.
  • Essentially, the email address must “be published in such a manner that it is reasonable to infer consent to receive the type of message sent, in the circumstances.” Those fact-sepecific circumstances, of course, will ultimately be decided by the CRTC.
  • Lastly, the company’s efforts at compliance may factor into the ultimate penalty. Initially, the CRTC assessed an administrative monetary penalty (AMP) of $640,000 against Blackstone. The decision noted that Blackstone’s correspondence with the Department of Industry showed the “potential for self-correction” even if Blackstone’s compliance efforts were “not particularly robust”. These compliance efforts, among other factors, convinced the commission to reduce the AMP to $50,000.

As always, when it comes to CEMs, an ounce of CASL prevention is worth a pound of AMPs. Get advice from professionals about CASL compliance.

See our CASL archive for more background.

Calgary 07:00 MST

No comments

No comments yet. Be the first.

Leave a reply

You must be logged in to post a comment.