Canadian Privacy Commissioner Issues Guidance For Privacy Law And CASL Compliance
On April 27, 2015, the Office of the Privacy Commissioner of Canada issued a guidance document entitled “Anti-spam law’s changes to Canadian federal privacy law: A guide for businesses doing e-marketing” and a related “Helpful Tips” summary document. The Guide explains basic privacy law requirements for the use of personal information (including email addresses) to send commercial messages (including emails), and provides recommendations for compliance. The Guide is an important reminder that organizations that send commercial electronic messages must comply with both Canada’s anti-spam law and Canadian privacy laws.
Privacy Laws and CASL
Canadian privacy laws, including the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), regulate the collection, use and disclosure of personal information. Privacy laws provide that, subject to limited exceptions, an individual’s personal information (including name and email address) may not be collected, used or disclosed without the individual’s meaningful consent. PIPEDA permits the collection and use of personal information without consent in exceptional circumstances, but those exceptions do not apply to an electronic address that was collected by a computer program designed to collect electronic addresses (a process known as “address harvesting”) or by unlawful access to a computer system.
Canada’s anti-spam law (commonly known as “CASL”) creates a comprehensive regime of offences, enforcement mechanisms and potentially severe penalties designed to prohibit unsolicited or misleading commercial electronic messages, the unauthorized commercial installation and use of computer programs on another person’s computer system and other forms of online fraud. For most organizations, the key parts of CASL are the rules for commercial electronic messages. Subject to limited exceptions, CASL prohibits the sending of a commercial electronic message unless the recipient has given informed consent (express or implied in limited circumstances) to receive the message and the message complies with prescribed formalities (including an effective and promptly implemented unsubscribe mechanism) and is not misleading.
The Guide is a reminder that commercial messages are regulated by both CASL (which regulates the sending of commercial electronic messages) and Canadian privacy laws (which regulate the collection, use and disclosure of email addresses in the course of commercial activities).
The Guide explains some of the basic Canadian privacy law requirements for commercial electronic marketing activities. Following is a summary:
- Accountability: An organization is accountable for how the organization and its service providers collect, use and disclose personal information (including email addresses) in the course of commercial activities.
- Consent: An organization is required to obtain an individual’s meaningful consent to the organization’s collection, use and disclosure of the individual’s personal information. An individual’s consent should be obtained before or at the time the individual’s personal information is collected, and should be renewed before or when the personal information is used for a new purpose. An organization should allow individuals to withdraw consent to the use of their personal information at any time, subject to legal or contractual restrictions and reasonable notice.
- Service Providers: An organization is accountable for commercial electronic marketing performed for the organization by its service providers, and is responsible for ensuring that its service providers obtain appropriate consent for the collection, use and disclosure of personal information for commercial electronic marketing purposes.
- Purchased Address Lists: An organization must ensure that electronic addresses used in the course of commercial activities by or on behalf of the organization have been obtained with appropriate consent, even if the addresses are purchased from an address list vendor.
- Address Harvesting: An organization that engages in address harvesting, or uses an address list compiled through address harvesting, runs a real risk that the organization will be collecting or using electronic addresses without consent in contravention of privacy laws.
The Guide provides some practical recommendations to avoid contravening privacy laws. Following is a summary:
- Consent: When an organization collects an individual’s email address, the organization should clearly and accurately explain how the organization will use and disclose the email address. An organization should not assume that an individual whose electronic address is available online (e.g. on a website) consents to the use of the address for commercial marketing purposes.
- Due Diligence – Purchased Lists: If an organization intends to send commercial electronic messages using an address list purchased from an address list vendor, the organization should make appropriate enquiries to ensure that the vendor obtained appropriate consent to the collection and use by the organization of the listed addresses.
- Due Diligence – Service Providers: If an organization engages a marketing service provider, the organization should make appropriate enquiries to ensure that the service provider complies with privacy law requirements regarding the collection and use of electronic addresses to promote the organization and its business.
- Current Information: An organization dealing with an address list vendor or a marketing service provider should make appropriate enquiries to ensure that the vendor or service provider keeps its electronic address lists up to date (e.g. by removing addresses when individuals withdraw consent by unsubscribing from the receipt of future marketing emails) and informs the organization of those changes.
- Consent Withdrawal: An organization should enable individuals to withdraw consent to the use of their personal information at any time, subject to legal or contractual restrictions and reasonable notice.
- Documentation/Contracts: An organization should document (for future reference) the organization’s due diligence regarding privacy law compliance, and should include in contracts with address list vendors and marketing service providers appropriate obligations for compliance with both privacy laws and CASL.
Organizations that send commercial electronic messages must comply with both Canadian privacy laws and CASL. As a general rule, organizations that send commercial electronic messages should ensure that each message recipient has given meaningful consent to both the organization’s collection and use of the individual’s email address and the receipt of the organization’s commercial electronic messages.