Skip to content

A Quick Guide to Understanding Canada’s Anti-Spam Law and Social Media Compliance

Canada’s Anti-Spam Legislation (CASL), which went into effect July 1, 2014, has many businesses wondering how it impacts social media communication. As I discussed in a prior post, the new law requires businesses to have consent to send “commercial electronic messages” (CEMs) via email, telephone, (i.e. text), instant messaging, or similar account. The law gives recipients the option to opt-in to CEMs they wish to receive, and will prevent commercial businesses from sending spam.
Businesses that don’t comply with CASL could face serious penalties. Two recent cases resulting in heavy fines — $1.1M to Compu-Finder and $48,000 to PlentyOfFish — highlight the importance of businesses to double-check their social media strategies to ensure that communication is compliant. Both cases are examples of CASL violations where the “unsubscribe” mechanisms in emails did not function properly.
Given our focus on social media compliance, we have received a number of inquires on what and how social media activity should be handled under this new legislation, so I wanted to share some quick tips.
One challenge is that Canada’s anti-spam law takes a technology-neutral approach.  While there are certain provisions that apply only to electronic messages, CASL does not specifically define unique requirements for every unique type of social media communication. At a glance, there are three key categories of requirements from CASL:
CASL Visual-01 (1)
Here are 4 key takeaways for staying compliant with CASL:
1. CASL does not apply to public social media posts or broadcasting
Although some might consider a tweet or a Facebook post a “commercial electronic message”, the act of publishing is not affected by CASL because it is public, akin to content shared on your own website. Under CASL, businesses can tweet, update their company status, and post Instagram photos without consent and identification requirements.  See the guidance issued by Industry Canada.
However, any 1-to-1 or 1-to-few communication via social media, including but not limited to private or direct messages, chats and posting to groups, requires CASL compliance unless there is a clear exception as provided by CASL. The same rules that your organization would normally have in place to ensure email complies with CASL, should also be applied to the direct messaging (for example, LinkedIn InMail, Facebook Messages or Twitter Direct Messages) on social media.
As such, the mere pushing of content on social media (i.e. wall postings, LinkedIn status updates, tweets) is not affected by CASL. According to the Regulatory Impact Analysis Statement, “Another concern is how CASL might apply to CEMs on popular social networking services or instant messaging services. Where they are not sent to electronic addresses, the publication of blog posts or other publications on microblogging and social media sites does not fall within the intended scope of the Act.
2. A connection or a “like” does not equal express consent
A mere connection, follow, or friendship on social networks does not constitute “express” or “implied” consent for somebody to reach out via email or direct message to solicit for product or services.  According to the Competition Bureau FAQ on CASL, “Using social media or sharing the same network does not necessarily reveal a personal relationship between individuals. The mere use of buttons available on social media websites – such as clicking “like”, voting for or against a link or post, accepting someone as a “Friend”, or clicking “Follow”– will generally be insufficient to constitute a personal relationship.
3. You must allow recipients to “opt out”
According to CASL, there must be an unsubscribe mechanism in emails/direct messages.  However, because there is no automated way to ‘unsubscribe’ a recipient from receiving a direct message via a Facebook message or  InMail, the sender should offer a manual  unsubscribe option. We suggest including in each message a disclosure stating that if the recipient does not wish to receive further messages from you, they should reply directly indicating as such. The best practice here is to have a template with approved unsubscribe language, and a documented process for how the responses are handled
4. Be cautious when making new “connections” or “friends”
Reaching out and requesting a connection or friend via LinkedIn or Facebook could constitute a CEM and therefore require CASL compliance, unless the individual can prove an existing relationship.
CASL Visual-02 (2)
For more information, download our Global Social Media Compliance Requirements for Financial Services Infographic, or read What You Need to Know for Social Media Compliance Under CASL.
Disclaimer: The material available in this article is for informational purposes only and not for the purpose of providing legal advice. We make no guarantees on the accuracy of information provided herein.

What you need to know for social media compliance under CASL

shutterstock_149738747While there is an ample write up on what businesses need to do in preparation for compliance under the Canadian Anti-Spam Legislation and Regulations (CASL), which will be in effect on July 1, 2014, very little has been provided specifically for social media compliance under CASL.
How does one obtain written express opt-in consent for social media? Is a current LinkedIn contact or Facebook friend considered to have given implied consent to receive commercial social media posts?
The good news is that mere pushing of content on social media (i.e. a wall posting, LinkedIn update, or tweet) is not affected by CASL. (See guidance issued by Industry Canada here). This is because the publication of a social media post on a business page or a profile is not considered a direct electronic delivery to a specific address. This is analogous to a posting of an advertisement on a board where passersby or members of an institution can view simply by being present in that forum.
This changes, however, when businesses use direct messaging on social media to contact individuals or groups. Under CASL, an electronic address to which the law applies includes an email account, a telephone account (i.e. text), an instant messaging account or any similar account. For commercial messages to such electronic addresses, the business would need an “express” or “implied” consent of the individual, or otherwise would require the communication to fall under one of the exemptions or exceptions. While there is an exemption for messages sent and received on an electronic messaging service, the exemption is stated to apply only if “the information and unsubscribe mechanism that are required under subsection 6(2) of the Act are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it either expressly or by implication.” This exemption therefore must be assessed on a case by case basis, and its scope is difficult to assess without further guidance from government..
There are some notable exceptions to the CASL requirements. CASL does not apply to B2B messages sent by an employee of one organization to an employee of another organization where there is a relationship between the organizations and the message relates to the activities of the person receiving the message, or to messages sent internally within a business that relate to its activities. Messages also can be directly sent to ask another person about their business, and to persons who have specifically requested or inquired into receiving information about your business. Communications with immediate family and friends are exempt–but be aware that these relationships are strictly defined in the law. Importantly, CASL does not apply to messages that are sent to a person outside of Canada, as long as the message complies with the laws of that country.
Where the message is not exempt, for direct messaging on social networks, CASL will require businesses to:

  1. Obtain consent from the recipient before sending the message (express or implied),
  2. Include information that identifies the sender, and
  3. Enable the recipient to withdraw consent by unsubscribing to the communications.

It is important to note that express consent generally cannot be obtained by sending an initial message asking for consent.
You would have “implied consent” for sending a direct message on social media if you have an existing business (client) relationship with the contact, as defined in the law. Implied consent also exists if a contact has given the electronic address to you or published the address, so long as the contact has not disclosed on their profile or page that they do not want to receive commercial messages and the message relates to the person’s business function. There are other situations where implied consent exists: for example, where a referral has been made as defined in the law, or where a message is sent to facilitate an agreed upon business transaction or to provide product or warranty information.
Where relying on implied consent, just ensure that your direct message has a disclosure stating that if the recipient does not wish to receive further messages from you, they should reply directly indicating as such. Lastly, organizations should have a mechanism to retain and archive their communications on social media to ensure that records can be produced upon an audit by the regulators.
Disclaimer: The material available in this article is for informational purposes only and not for the purpose of providing legal advice. We make no guarantees on the accuracy of information provided herein.