Tough New Canadian Anti-Spam Law May Affect American Franchisors
American franchisors with franchisees or customers residing in our neighbor to the north should pay close attention to a new Canadian law that takes effect on July 1, 2014 and that will substantially restrict electronic marketing. The law, known as the Canadian Anti-Spam Law (CASL), regulates many routine business activities, such as sending marketing emails, text messages, or social media messages to individuals in Canada. It also applies to software downloads, including programs and updates to mobile applications.
Although the CASL addresses many of the same concepts as the American CAN-SPAM Act, franchisors based in the U.S. should be aware that it takes a very different approach. Most importantly, as of July 1, the law effectively converts electronic marketing in Canada from an “opt-out” basis to an “opt-in” standard. U.S.-based franchisors should begin to take measures now in anticipation of the new rules, lest they face a last minute scramble before the rules take effect.
CASL expressly provides that it will apply to businesses outside of Canada that have Canadian customers, because its purpose is to protect people and computers located in Canada. Thus, it plainly will apply to franchisors located in the U.S. if the recipient of the message or download is located in Canada. This will complicate business processes for American franchisors with cross-border franchisees or customers.
In general, the CASL prohibits the sending of a “commercial electronic message” (CEM) to an “electronic address” unless the recipient has consented to receiving it and the message complies with certain additional requirements. A CEM is a message intended “to encourage participation in a commercial activity.” This includes marketing, promotional, and advertising messages, such as emails and texts. An “electronic address” broadly means an email account, an instant messaging account, a telephone number, or “any similar account.” An electronic message that requests consent for the delivery of such commercial messages is itself a CEM.
Under CASL, as of July 1, any CEM must also contain the following:
- Information (prescribed by regulation) that identifies the person sending the message and the person on whose behalf it is sent, if different;
- Information that will enable the recipient to “readily contact” the sender; and
- An unsubscribe mechanism that allows the recipient to indicate, at no cost, his or her desire to no longer receive any CEMs through the same electronic means by which the message was sent, or, if that is not available, an electronic address or link to a webpage to which the indication can be sent. A person must honor an opt-out request within 10 business days.
Consent also can be implied where an existing business relationship or personal relationship exists. For this purpose, an “existing business relationship” requires the purchase or lease of a product or service (or certain other commercial transactions) within the two-year period immediately before the day on which the CEM is sent. Alternatively, an inquiry or application, within the six-month period prior to the sending of the CEM, also creates an existing business relationship. These exceptions may prove useful to franchisors.
Finally, the law allows certain commercial messages to be sent without the recipient's prior consent, and in some cases, without the sender's identification and unsubscribe mechanism. For example, CEMs that provide price quotes requested by the recipient, or that facilitate, complete, or confirm a commercial transaction, are permitted.
Computer programs, including mobile applications, will be subject to additional requirements that take effect on January 15, 2015. Not only must a provider of an app describe its function and purpose, it must also disclose if the app will collect personal information stored on the user's device or change the device's settings. The law also limits the ability of app and other software providers to transmit updates and upgrades to a computer program automatically.
Routine computer software, such as cookies, that necessarily is installed when a computer visits a website is treated differently. The law contains an exception that presumes consent to the setting of cookies, to the installation of HTML code and Java scripts, and to the downloading of programs executable only through programs that the user has previously installed or consented.
When the CASL takes effect on July 1, 2014, the law initially will be enforced only administratively. The maximum penalty for a violation is CD$10 million, but the regulations may specify that each day on which a violation occurs constitutes a separate violation. However, the CASL also authorizes private rights of action, including class actions, as of July 1, 2017.
As mentioned above, the CASL will apply to U.S. firms sending commercial emails and computer programs, such as apps, into Canada. This will present a risk for many American franchisors that currently transmit CEMs on the “opt-out” basis established by the U.S. CAN-SPAM Act. Those businesses will need to consider whether to segregate their Canadian recipients (if they can be identified) for separate handling in their marketing, or whether to convert to a more opt-in approach generally. And even if the Canadian recipients can be identified, securing the necessary consents may be a heavy lift.
To alleviate the effect of these changes, the CASL in effect will grandfather “established business relationships” in existence as of July 1, 2014, for a three-year transitional period if the existing business relationship includes the transmission of CEMs. During the next three years, companies may rely on implied consents arising from existing business relationships or non-business relationships, where permitted under existing Canadian privacy laws, unless that person expressly withdraws the consent. However, that exception applies only to consents; other requirements established by the CASL will continue to apply (such as the inclusion of identification, contact information, and an unsubscribe mechanism in some cases). A similar three-year transition period will allow businesses to install updates or upgrades to computer programs on an implied basis, unless the person expressly rescinds consent.
American franchisors with Canadian franchisees, or with customer email lists that include Canadian citizens, are well-advised to begin taking steps now. A first step would be to identify what types of CEMs—as defined by the CASL—the franchisor currently uses, or is planning to use in the next few years. This inventory should include emails, texts, and mobile applications. It should also take into account how the franchisor intends to use social media, such as Facebook and Twitter.
A second step would be to review any software programs it makes available, including mobile applications, to see whether appropriate consent to updates and upgrades has been obtained. Still another necessary step would be to attempt to identify the Canadian recipients of such messages, and to figure out how to start converting them to an opt-in regime.