Guest post by: Shaun Brown
In the Regulatory Impact Analysis Statement (RIAS) accompanying the final Industry Canada regulations under CASL, Industry Canada stated that
In some cases, where there is neither an exclusion nor any form of consent under CASL, some businesses that may have been compliant with PIPEDA when seeking consent to collect or to use electronic addresses to send commercial electronic messages may no longer be able to contact those addresses under CASL. Express consents, obtained before CASL comes into force, to collect or to use electronic addresses to send commercial electronic messages will be recognized as being compliant with CASL.
Often referred to as “grandfathering” of existing consent, this is a significant relief to many senders who have already obtained express consent, though not in a manner that is fully compliant with CASL. However, what, exactly, does grandfathering mean?
I get a lot of questions about this, and many people seem to be interpreting Industry Canada’s statement more broadly than it is intended to be. This does not mean that entire databases are grandfathered merely because they exist before CASL comes into force. Rather, it means that a business can continue sending to a recipient whose express consent was obtained before CASL comes into force in a manner compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA is federal privacy legislation that establishes rules for the collection, use and disclosure of personal information in the private sector. PIPEDA generally requires organizations to obtain express consent in order to collect, use or disclose personal information – including email addresses – for marketing purposes. Thus, even in the absence of CASL, organizations are already required to get consent before sending marketing communications by email, and to provide a means by which consent can be withdrawn. This has been the case since PIPEDA came into force more than a decade ago.
So what is the difference between consent under PIPEDA and CASL? The biggest distinction is that CASL requires a sender to provide certain prescribed information when requesting consent, such as a mailing address, and any of a telephone number, email address or web address. Senders are also specifically required to notify the individual that they can withdraw consent. On this issue, the CRTC states that “If you obtained valid express consent prior to CASL coming into force, you will be able to continue to rely on that express consent after CASL comes into force, even if your request did not contain the requisite identification and contact information.”
There is also the issue of opt-in vs. opt-out express consent; e.g., whether pre-checked boxes can be used. Although the CRTC continues to assert that pre-checked boxes are not valid under CASL, the Office of the Privacy Commissioner of Canada has stated that pre-checked boxes are acceptable under PIPEDA so long as certain conditions are met. In light of this, both the CRTC and Industry Canada seem to agree that express consent obtained using a pre-checked box in a PIPEDA-compliant manner is acceptable for grandfathering.
About the author:
Shaun Brown is a partner with nNovation LLP, a pre-eminent Canadian law firm that advises private and public sector organizations in connection with a broad range of Canadian regulatory regimes. With several years of experience both in the public and private sectors, Shaun’s practice focuses on e-marketing, e-commerce, privacy, and access to information. Subscribe to Shaun’s Privacy newsletter at PrivacyScan. You can follow Shaun on Twitter at @emarketinglaw