Anti-Spam Legislation Frequently Asked Questions
Note: This FAQ is intended to assist TRU staff and faculty members to understand their obligations under the CASL. It summarizes and simplifies the complex requirements of the CASL and is not intended to be a substitute for legal advice. If you have specific questions about the CASL, contact the Privacy Officer in the Office of the General Counsel.
1. General Questions
1.1 What is the Canadian Anti-Spam Legislation?
The primary purpose of the Canadian Anti-Spam Legislation (usually called the CASL) is to control spam (unwanted Commercial Electronic Messages, or CEMs). The CASL also prohibits the installation of computer programs without consent (eg. viruses, spyware); the unauthorized altering of transmission data; and the provision of false or misleading information in a message. The CASL is one of the world’s most stringent anti-spam laws.
1.2 When did the CASL come into force?
The CASL came into force on July 1, 2014.
1.3 Who does the CASL apply to?
The CASL applies to most organizations in Canada, including TRU.
1.4 What impact will the CASL have upon TRU?
The CASL will have a fairly modest impact on TRU because most electronic messages sent by TRU are not subject to the legislation. For more information about the scope of the CASL, see the following sections of this FAQ.
1.5 What are the penalties for non-compliance with the CASL?
The penalty for noncompliance with the CASL is a fine of up to $10 million for an organization, and $1 million for an individual. Also, anybody who receives a CEM without providing their consent has a private right of action against the organization sending the CEM, and may be entitled to receive up to $200 per violation. Officers, directors and agents can be held personally liable for their organization’s failure to comply with the CASL.
2. Scope of the CASL
2.1 What kinds of electronic messages are regulated by the CASL?
The CASL applies to “Commercial Electronic Messages” (CEMs), which are defined as any “electronic messages” that encourage participation in a “commercial activity”. These terms are defined below.
An “electronic message” is any message sent to an electronic account, e.g. an email, a text message, or an instant message. Interactive two-way voice communications, fax messages or voice recordings sent to a telephone account are not considered to be electronic messages. If you’re calling somebody to offer a product or service, that’s not an electronic message. Please keep in mind, however, that promotional phone calls may be regulated by the Do-Not-Call List. See https://www.lnnte-dncl.gc.ca/index-eng for more information about the Do-Not-Call List.
A “commercial activity” is broadly defined as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit”. Examples of commercial activities include purchasing, selling, bartering or leasing products, goods or services, or land; providing a business, investment or gaming opportunity; or advertising or promoting any of these activities.
2.2 How does the CASL impact TRU?
The CASL does not apply to messages related to the core activities of TRU. TRU, like other public educational institutions, is not a commercial entity; it provides a public service and is primarily dependent on taxpayer funding. Therefore, its core activities -- those activities that are central to its mandate and responsibilities -- are not of a “commercial character” and do not fall under the CASL. TRU’s core activities are defined in section 3 of the Thompson Rivers University Act as follows:
(a) to offer baccalaureate and masters degree programs;
(b) to offer post-secondary and adult basic education and training;
(c) to undertake and maintain research and scholarly activities for the purposes of paragraphs (a) and (b);
(d) to provide an open learning educational credit bank for students;
(e) to promote teaching excellence and the use of open learning methods;
(f) to serve the educational and training needs in the region specified by the Lieutenant Governor in Council; and
(g) to serve the open learning needs of British Columbia.
Also, certain types of messages are specifically exempted from the scope of the CASL. For example, the CASL does not apply to messages sent by registered charities for the primary purpose of raising funds. See question 2.4 for a complete list of all of these exemptions.
Therefore, very few of TRU’s electronic messages are subject to the CASL.
2.3 Where can I find examples of activities that fall under the CASL?
Here are examples of messages sent by TRU that do fall under the scope of the CASL:
- A message about a sale of sweatshirts at the TRU Bookstore
- A message promoting a TRU-branded credit card
- A message promoting a summer ESL program offered by a private school in a TRU facility
For a detailed analysis of how CASL applies to common University activities, see Applying CASL to TRU Activities.
If you can’t decide whether a message falls under the scope of the CASL, you should request advice from the Privacy Officer in the Office of the General Counsel.
2.4 What are the exemptions to the CASL?
Messages that do not relate to the core activities of TRU may nevertheless be exempted from the CASL. The exemptions are as follows:
- Messages sent by or on behalf of an individual to another individual with whom they have a personal or family relationship;
- Messages sent to a person who is engaged in a commercial activity and consists solely of an inquiry or application related to that activity;
- Messages sent within an organization that concern the activities of that organization;
- Messages sent between organizations with a relationship that concern the activities of the receiving organization;
- Messages sent in response to requests, inquiries or complaints, or otherwise solicited by the recipient;
- Messages sent to satisfy, provide notice of, or enforce a right, legal or juridical obligation;
- Messages sent on an electronic messaging service if the required information and unsubscribe mechanism are readily available on the user interface, and the recipient has consented to receive the message;
- Messages sent to a limited-access secure and confidential account to which messages can only be sent by the person who provides the account;
- Messages that a sender reasonably believes will be accessed in a listed foreign state, and conform to the anti-spam laws of such foreign state;
- Messages sent by or on behalf of a registered charity as defined in s.248(1) of the Income Tax Act, and have as their primary purpose raising funds; and
- Messages sent by or on behalf of a political party or organization or a candidate for publicly elected office that has as its primary purpose soliciting a contribution.
3. Requirements for Commercial Electronic Messages
3.1 What information do CEMs have to contain?
As stated previously, very few of the messages sent by TRU are subject to the CASL. However all CEMs that are subject to the CASL must contain the following information:
- the name of the TRU unit sending the message;
- the mailing address, and a telephone number, email address or web address, for the TRU unit seeking consent (or a link to a website containing this information); and
- information about how to unsubscribe from future Commercial Electronic Messages.
If it is not practicable to include all of the above information in the CEM, then it must contain a clear and prominent link to a webpage that contains the information.
See the Model Language for samples of compliant CEMs.
4. Consent Requirements
4.1 Do you need to secure recipients’ consent to send them CEMs?
As a rule, before sending a CEM, you must have the recipient’s implied or express consent. However, consent is not required for a CEM that meets any of the following requirements:
- provides a quote or estimate that was previously requested by the recipient;
- facilitates, completes or confirms a commercial transaction that the recipient previously agreed to enter into;
- provides warranty information, product recall information or safety or security information about a product, goods or a service that the recipient has used or has purchased;
- provides factual information related to the recipient’s subscription, membership, account, loan or similar relationship with the sender;
- provides information directly related to an employment relationship or related benefit plan in which the person to whom the message is sent is currently involved, is currently participating or is currently enrolled; or
- delivers a product, good or a service, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction they previously entered into.
4.2 What is “implied consent”?
Implied consent may arise in three situations:
Where there is an existing business relationship: Such relationships arise from:
- the purchase or lease of a product, goods, a service, land or an interest or right in land, within the last two years, by the message recipient from TRU;
- the acceptance by the message recipient, within the last two years, of a business, investment or gaming opportunity offered by TRU;
- the bartering of anything mentioned in paragraph (a) between the message recipient and TRU within the last two years;
- a written contract entered into between the message recipient and TRU in respect of a matter not referred to in any of paragraphs (a) to (c), if the contract is currently in existence or expired within the last two years; or
- an inquiry or application, within the last six months, made by the person to whom the message is sent to any of those other persons, in respect of anything mentioned in any of paragraphs (a) to (c).
Where there is an existing non-business relationship: TRU has non-business relationships with two groups of individuals:
- donors; and
- volunteers.
Where the recipient has given you or has conspicuously published his or her business contact information: This only applies where:
- the recipient has not indicated a wish not to receive unsolicited CEMs; and
- your message is relevant to the recipient’s business, role, functions or duties in a business or official capacity.
Implied consent normally lasts for two years. For example, TRU has a non-business relationship with its donors, which gives us their implied consent to send them CEMs for two years after their last donation. If you already have somebody’s implied consent, you should send them a message asking for express consent before the two-year period expires.
4.3 What is “express consent”?
Express consent is consent that has been provided orally or in writing. Once you have secured recipients’ express consent, then you may continue to send them CEMs indefinitely unless they “unsubscribe” from further messages.
4.4 How do you obtain express consent?
Oral consent should be avoided unless you have a way to verify the consent, such as an unedited audio recording. It is preferable to obtain express consent in writing, as this makes it easier to verify that the consent was provided. You may request individuals to provide their written consent in various ways, e.g. by signing a document, sending you an email, entering information into a webform, or clicking on a checkbox or an “I Accept” button on a web page.
Electronic messages requesting consent are deemed to be CEMs. Therefore, you can only use an electronic message to request somebody’s express consent if you already have their implied consent. Essentially, you are “converting” implied consent into express consent. For example, when somebody volunteers for TRU, we have their implied consent to send them CEMs for the next two years. You can “convert” this from implied to express consent by emailing them a consent request.
4.5 What information do requests for express consent have to contain?
Requests for express consent must contain the following information:
- the specific purpose for which you’re seeking their consent;
- the name of the TRU unit seeking consent;
- the mailing address, and a telephone number, email address or web address, for the TRU unit seeking consent (or a link to a website containing this information); and
- a statement indicating that the person whose consent is sought can withdraw their consent.
In addition to requesting the individual’s express consent, it is also necessary to provide a privacy statement explaining your legal authority to collect personal information from the individual. See TRU’s Model Language for sample consent requests and privacy statements.
Consent must always be “opt-in”, not “opt-out”. This means that if you are using a check-box for consent, the box cannot be “pre-checked”.
4.6 Can TRU get a “blanket consent” that covers multiple units/purposes?
It is preferable for each unit to secure its own consent, which is restricted to the particular needs of that unit, rather than seeking a “blanket consent” that covers multiple units and purposes. There are at least two practical difficulties with “blanket consents”. The first is that a valid consent must identify the purpose for which you will contact the individual. With ”blanket consents”, it may be difficult to identify and define all of the purposes of the consent in an intelligible and concise fashion. The second difficulty is that CEMs must contain information about how to unsubscribe from future CEMs. When an unsubscribe request is received in relation to a “blanket consent”, it will have to be communicated to all of the units that were relying on the consent. Keeping track of all of these units could be quite challenging.
4.7 Do you have to keep a record of the consents you have secured?
Yes. This is absolutely essential. If you send a CEM without being able to prove that the recipient has consented to receive it, you are placing TRU at risk of a substantial fine under the CASL. In some cases, sloppy record-keeping may invalidate an entire mailing list.
5. Unsubscribe Mechanisms
5.1 What are the requirements for unsubscribe mechanisms?
All CEMs have to give subscribers the opportunity to unsubscribe from future CEMs, without cost to them. Your unsubscribe mechanism must be easy to access and use. An unsubscribe mechanism must be valid for at least 60 days after you send the CEM. If you receive a request to unsubscribe, you must comply within 10 business days.
When you send CEMs by email, you may offer one or both of the following unsubscribe methods:
- sending an email; and/or
- clicking on a link that will take the user to a web page where he or she can unsubscribe
When you send CEMs by text message, then you must offer both of the following unsubscribe methods:
- replying to the text message with the word “STOP”; and
- clicking on a link that will take the individual to a web page where he or she can unsubscribe
See a suggested unsubscribe notice in the Model Language.
5.2 Do I have to keep track of unsubscribe requests?
Yes. It is essential to track which electronic addresses have submitted unsubscribe requests to ensure that CEMs are not sent to them against the recipient’s wishes.
6. Other CASL Requirements
6.1 What are the other CASL requirements?
In addition to the requirements related to CEMs, the CASL also contains the following prohibitions:
Installing unwanted computer programs: In order to prevent the installation of viruses, spyware, and other unwanted programs, CASL prohibits the installation of any program without the consent of the computer owner.
Altering transmission data: CASL prohibits the alteration of transmission data in an electronic message so that the message is delivered to a destination other than that specified by the sender.
Providing false or misleading information: CASL prohibits false or misleading information in CEMs, including:
- any representation in the body of the message that is false or misleading in a material respect;
- any false or misleading representation made in a “locator”, i.e. a name, URL, or other information used to identify the source of data in a computer system; and
- any false or misleading representation in the “From” or “Subject” line of a message.
Harvesting addresses: CASL prohibits the use of programs that “harvest” email addresses to create mailing lists.
Collecting personal information: CASL prohibits the use of computer systems to collect personal information without authority.
7. More Information
7.1 How do I ensure I am compliant with the CASL?
To determine whether you are compliant with the CASL requirements related to CEMs, complete the Compliance Checklist. See the Model Language to ensure that your CEM-related messages are compliant with the legal requirements.
You may also direct any questions about the CASL to the Privacy Officer in the Office of the University Counsel.
7.2 Where can I get more information about privacy?
In addition to the CASL, you must also consider privacy issues whenever you are collecting, using or disclosing personal information. For more information, see the Privacy webpage or consult with the Privacy Officer in the Office of the General Counsel.