Guest post by: Shaun Brown
In March of this year, the Canadian Radio-television and Telecommunications Commission (CRTC) published its Electronic Commerce Protection Regulations (CRTC) (the “Regulations”) under Canada’s Anti-Spam Legislation (CASL). Yesterday the CRTC issued two compliance and enforcement information bulletins that provide “guidelines on the interpretation of the Regulations” and examples of what the CRTC “considers to be compliant behaviour”: Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC) (CRTC 2012-548), and Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation (CRTC 2012-549) (collectively, the “Guidelines”).
The Guidelines provide further detail on how the CRTC intends to interpret a number of provisions in the Regulations, which answers a few important questions. Most notably, the CRTC clarified what it means to send “on behalf” of another person, and offered its interpretation of express consent.
What it means to send “on behalf” of another person: service providers do not need to be identified
CASL imposes certain obligations when one person sends a commercial electronic message (CEM) on behalf of another. Most significantly, paragraph 6(2)(a) of the Act requires that every message “set out prescribed information that identifies the person who sent the message and the person — if different — on whose behalf it is sent”. This created uncertainty as to when one person is sending on behalf of another for the purposes of the Act. For example, it was unclear whether this was meant to apply to service providers, such as email service providers (ESPs), who merely provide services that enable a CEM to be sent.
The CRTC has taken the position that a person who may “facilitate the distribution of a CEM”, but who has “no role in its content or choice of the recipients” need not be identified. This means that ESPs will likely not need to be identified in a CEM in most circumstances.
A person would be sending on behalf of another person where they deliver content of an advertisement to their own subscribers, such as a list rental or newsletter. In such a case, all advertisers would need to be identified. This is a practical interpretation that provides much-needed clarity on this issue, and is consistent with industry practices.
Express consent: boxes cannot be “pre-checked”
One of the most common questions regarding express consent under CASL is whether a check box (referred to by the CRTC as a “toggle-box”) can be pre-checked. The CRTC has taken the position that such a practice would not be considered sufficient for the purposes of CASL.
The CRTC states that a pre-checked box would be considered “opt-out”, and that “in order to comply with the express consent provisions under the Act, a positive or explicit indication of consent is required.” As a result, according to the CRTC, express consent “cannot be obtained through opt-out consent mechanisms.” Thus, in order for express consent to be considered valid, the user must be required to actively check a box or click an “icon”.
This is a prescriptive approach that follows the EU model of “unambiguous consent”. It is arguably inconsistent with the guidance that has emerged from years of findings under the Personal Information Protection and Electronic Documents Act, which provides that consent for marketing purposes can be obtained through “opt-out” means. There is nothing in law that equates “express” with “opt-in”; rather, opt-in and opt-out have often been seen as two forms of express consent.
Furthermore, the CRTC also states that users should be sent a confirmation following a request for consent (i.e., “notified” opt-in).
If the objective was to add further detail around the meaning of express consent, it would have been preferable to state that the form of consent depends on the circumstances. For example, opt-in may be necessary where a user is asked to sign up for the installation of a computer program, for a newsletter that provides information about a sensitive medical condition, or where the individual’s electronic address will be shared with several parties. However, it seems unreasonable to require opt-in consent to sign up for something more innocuous such as a newsletter for a daily deal site (remember that each email must contain an unsubscribe mechanism).
The Guidelines state that typing an email address into a field can be taken as an indication of express consent (i.e., if the email address is being typed in specifically for the purposes of signing up for a list, there is no need for a separate check box).
Mailing address is defined
The CRTC has clarified that a mailing address, for the purposes of paragraphs 2(1)(d) and 4(d) of the Regulations [1], consists of a “valid, current street (or civic) address, postal box address, rural route address, or general delivery address.”
Unsubscribe landing pages are acceptable
An “unsubscribe landing page” is acceptable for the purposes of the Regulations, which require that an unsubscribe mechanism must be able to be “readily performed”. The page can allow a user to choose whether to unsubscribe from all or some messages from the sender. In the case of a short message service (SMS) text, the user must have the choice of being able to unsubscribe by replying “STOP” or “Unsubscribe”, or by clicking on a link to an unsubscribe landing page.
Seeking consent separately for different acts
The Guidelines state that a person must seek consent separately for sending a CEM, installing a computer program, and altering transmission data. For greater clarity, the CRTC states that a person must not be required to consent to one of these acts in order to consent to another. This seems fairly obvious already, but must have been a point of uncertainty for some stakeholders.
Request for consent must be separate from general terms and conditions
A request for consent must “not be subsumed in, or bundled with, requests for consent to the general terms and conditions of use or sale.” A user must be able to consent to the general terms of sale while being able to refuse consent to receiving CEMs, to the installation of a computer program, or to the alteration of transmission data. This appears to be, in effect, a form of “refusal-to-deal” clause like that found in private sector privacy legislation [2].
Where the installation of a computer program – or certain functions of that computer program, such as the collection of personal information – is necessary in order to use a product or service, consent must still be obtained before the product is used or sold.
The CRTC states that a separate “tick-box” or “icon” must be clicked for any separate request for consent (an image is provided as an example). This could pose challenges for most if not all of the major app platforms (e.g., Apple App Store, BlackBerry App World), as these platforms do not seem to provide a separate consent button aside from the “download” button. In other words, it may be difficult for developers to sell apps that are CASL-compliant through these platforms.
Consent obtained orally and in writing
Although the Regulations allow consent to be obtained orally, any person requesting consent orally still bears the onus of proving that consent was properly obtained. The CRTC considers the following as evidence of oral consent:
- where oral consent can be verified by an independent third party; or
- where a complete and unedited audio recording of the consent is retained by the person seeking consent or a client of the person seeking consent.
An audio recording may be reasonable in circumstances where calls are already recorded (e.g., for quality control purposes), but not practical if the infrastructure does not already exist, or for smaller businesses. Furthermore, the concept of an “independent third party” is unclear. While the CRTC states that “consent may be given at the time that individuals use a product or service (e.g. point of sale purchases),” the requirement for an audio recording or independent third party could make this very difficult. As a result, retailers may be forced to require users to fill in a paper form for point of sale collection.
Regarding consent obtained in writing, the CRTC considers the following forms of evidence to be acceptable: “checking a box on a web page to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in a database; and, filling out a consent form at a point of purchase.”
Consent to specified functions in computer programs
CASL requires separate express consent to be obtained if a computer program performs any of the following enumerated functions:
- (a) collecting personal information stored on the computer system;
- (b) interfering with the owner’s or an authorized user’s control of the computer system;
- (c) changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system;
- (d) changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system;
- (e) causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system;
- (f) installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system; and
- (g) performing any other function specified in the regulations.
The CRTC clarifies that a user must be required to check a separate icon or toggle-box for each and every one of the above-noted functions, if applicable.
About the author:
Shaun Brown is a partner with nNovation LLP, a pre-eminent Canadian law firm that advises private and public sector organizations in connection with a broad range of Canadian regulatory regimes. With several years of experience both in the public and private sectors, Shaun’s practice focuses on e-marketing, e-commerce, privacy, and access to information. Subscribe to Shaun’s Privacy newsletter at PrivacyScan.
1 – These sections specify the information that must be provided when requesting consent and when sending a CEM.
2 – “Refusal-to-deal” generally means that an organization cannot require an individual to consent to the collection, use, or disclosure of personal information beyond that which is reasonably necessary to provide a product or service.