What you need to know for social media compliance under CASL
May 14, 2014
While there is an ample write up on what businesses need to do in preparation for compliance under the Canadian Anti-Spam Legislation and Regulations (CASL), which will be in effect on July 1, 2014, very little has been provided specifically for social media compliance under CASL.
How does one obtain written express opt-in consent for social media? Is a current LinkedIn contact or Facebook friend considered to have given implied consent to receive commercial social media posts?
The good news is that mere pushing of content on social media (i.e. a wall posting, LinkedIn update, or tweet) is not affected by CASL. (See guidance issued by Industry Canada here). This is because the publication of a social media post on a business page or a profile is not considered a direct electronic delivery to a specific address. This is analogous to a posting of an advertisement on a board where passersby or members of an institution can view simply by being present in that forum.
This changes, however, when businesses use direct messaging on social media to contact individuals or groups. Under CASL, an electronic address to which the law applies includes an email account, a telephone account (i.e. text), an instant messaging account or any similar account. For commercial messages to such electronic addresses, the business would need an “express” or “implied” consent of the individual, or otherwise would require the communication to fall under one of the exemptions or exceptions. While there is an exemption for messages sent and received on an electronic messaging service, the exemption is stated to apply only if “the information and unsubscribe mechanism that are required under subsection 6(2) of the Act are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it either expressly or by implication.” This exemption therefore must be assessed on a case by case basis, and its scope is difficult to assess without further guidance from government..
There are some notable exceptions to the CASL requirements. CASL does not apply to B2B messages sent by an employee of one organization to an employee of another organization where there is a relationship between the organizations and the message relates to the activities of the person receiving the message, or to messages sent internally within a business that relate to its activities. Messages also can be directly sent to ask another person about their business, and to persons who have specifically requested or inquired into receiving information about your business. Communications with immediate family and friends are exempt–but be aware that these relationships are strictly defined in the law. Importantly, CASL does not apply to messages that are sent to a person outside of Canada, as long as the message complies with the laws of that country.
Where the message is not exempt, for direct messaging on social networks, CASL will require businesses to:
- Obtain consent from the recipient before sending the message (express or implied),
- Include information that identifies the sender, and
- Enable the recipient to withdraw consent by unsubscribing to the communications.
It is important to note that express consent generally cannot be obtained by sending an initial message asking for consent.
You would have “implied consent” for sending a direct message on social media if you have an existing business (client) relationship with the contact, as defined in the law. Implied consent also exists if a contact has given the electronic address to you or published the address, so long as the contact has not disclosed on their profile or page that they do not want to receive commercial messages and the message relates to the person’s business function. There are other situations where implied consent exists: for example, where a referral has been made as defined in the law, or where a message is sent to facilitate an agreed upon business transaction or to provide product or warranty information.
Where relying on implied consent, just ensure that your direct message has a disclosure stating that if the recipient does not wish to receive further messages from you, they should reply directly indicating as such. Lastly, organizations should have a mechanism to retain and archive their communications on social media to ensure that records can be produced upon an audit by the regulators.
Disclaimer: The material available in this article is for informational purposes only and not for the purpose of providing legal advice. We make no guarantees on the accuracy of information provided herein.