What Canada's New Anti-Spam Legislation Means for Franchisors

Canada will soon have the dubious distinction of having what many believe is the most onerous and comprehensive anti-spam legislation in the world (S.C. 2010, c. 23, known colloquially as “CASL”). While first impressions may be that any anti-spam legislation is a benefit, a review of the legislation reveals restrictions and obligations that apply to virtually all commercial electronic messages, and certainly beyond what is typically thought of as spam. CASL also will enact rules to restrict spyware (installation of computer programs on another person's computer) and certain practices such as pharming and address harvesting. Both the anti-spam and spyware provisions are drafted broadly and will apply to most instances of the remote installation of a computer program on another person's computer, regardless of whether the program is installed for a malicious purpose. Accordingly, despite the seemingly good intentions of the legislation, it has the prospect of affecting virtually all legitimate businesses. Franchisors' relationships with customers and with their franchisees will be affected.

CASL focuses on three main topics: 1) restricting unsolicited commercial electronic messages, 2) restricting the installation of computer programs on another person's computer, and 3) other practices, such as pharming and address harvesting.

Anti-spam: The restrictions relating to anti-spam create significant obligations on any business sending electronic messages for a commercial purpose. CASL will require express, opt-in consent from recipients, subject to limited exceptions. It is noteworthy that this opt-in consent regime is stricter than existing requirements under Canada's privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which generally permits opt-out consent for marketing messages and allows for reliance on implied consent in broader circumstances than does CASL.

Even U.S. franchisors, which are accustomed to the U.S. CAN-SPAM Act, may need to rethink their electronic communication practices. CAN-SPAM applies only to e-mail, but CASL applies to other forms of electronic communication, such as text messages, instant messaging and social media messaging.

Once CASL is in force, subject to a limited transitional period discussed below, the legislation will require franchisors that communicate electronically with franchisees, customers or others to reconsider how they obtain consent from the recipients of the e-mails. Unfortunately, in many cases, businesses will need to obtain new or “refreshed” consent from individuals on an opt-in basis. This may mean that existing mailing lists can no longer be used until fresh consent is obtained ' and businesses will be well advised to use the transitional period to do so.

Obtaining fresh consent for existing customers lists and new consent from new customers will pose additional challenges in franchise systems where the franchisor does not have direct contact with customers, but compiles the mailing lists based on information provided by franchisees. Not only must the franchisor develop new procedures for obtaining and documenting consent, but it must also communicate these procedures to its franchisees and ensure that they are followed.

It is not all bad news: CASL provides limited exceptions to its opt-in consent requirement. Businesses with an “existing business relationship” with the recipient of the e-mail can rely on implied consent. Unfortunately, this exception is largely limited to specific categories of customers who have been active within the prior two-year or six-month period.

CASL provides for a three-year transitional period for both active customers and inactive customers with whom there is a qualifying business relationship. Businesses are allowed to send customers electronic messages and, more importantly, requests for consent during this time period. In addition, there are business card and address publication exclusions: Express consent is not required if: 1) the recipients have publicly published or provided their electronic address, 2) have not stated they do not wish to receive messages, and 3) the message is relevant to the recipients' business or professional roles.

Anti-spyware: The anti-spyware provisions of CASL include an express consent requirement for the installation of computer programs and prescriptive disclosure and notice requirements. The consent and notice provisions are broadly drafted and will apply to most computer programs, regardless of whether the program is installed for a malicious purpose. Both “basic” and “function-specific” disclosure notices (including reasonably foreseeable impacts on the user's computer and e-mail contact information) must be given to end users in advance of installation of a program.

Any franchisor that has remote access to its franchisees' computers must be aware of these provisions and ensure they comply, even for installing updates and patches remotely on the computers.

There are some limited exceptions. For example, use of cookies, Java Script and HTML are exempted, but only where the person's conduct makes it reasonable to believe that he consents to these programs being installed on his computer. In addition, to allow for automatic update services offered by many software publishers, the installation of an update or upgrade to a computer program will be exempted from the express consent and “basic” disclosure requirements if: 1) the program was initially installed in accordance with those requirements; 2) the initial consent entitles individuals to receive the update or upgrade; and 3) the installation is made in accordance with the initial consent.

As with the anti-spam provisions, there is a transitional period of three years or until consent is withdrawn, whichever comes first, for programs installed on a user's computer prior to CASL coming into force.

Other practices: CASL also amends other statutes: 1) PIPEDA will be amended to restrict “address harvesting,” or the unauthorized collection of e-mail addresses through automated means without consent, 2) the Competition Act will be amended to make it an offense to make false or misleading representations in the sender information, subject matter information or content of an electronic message, and 3) the Telecommunications Act will be amended to repeal the national Do-Not-Call List.

Offenses and Penalties

Franchisors must be aware that CASL represents a fundamental shift in risk and imposes significant penalties for noncompliance, particularly when compared to noncompliance with PIPEDA. In addition to offense provisions for false or misleading subject lines, e-mail address harvesting and pharming, breach of the anti-spam and anti-spyware rules will be enforced with stiff penalties, including administrative monetary penalties of up to $10 million for corporations ($1 million for individuals). A private right of action, including the possibility of class actions, will allow consumers and businesses to commence enforcement proceedings and recover damages, including statutory damages of up to $1 million a day.

What Should Franchisors Do?

The Act is expected to come into force in late 2011 or early 2012. Generally speaking, franchisors must consider whether their existing procedures and systems for obtaining and documenting consent are sufficient to address the new “express” consent requirements (i.e., relying on consent strategies developed under PIPEDA is no longer appropriate). If not, the franchisor must scrub its mailing lists of all tainted addresses and establish new procedures and systems for collecting appropriate consent, and for sending CASL-compliant messages in the future. This should include obtaining renewed consent before CASL comes into effect, or when it applies, during the transitional period for existing business relationships. Also, given the possible damages for a breach of the legislation and the limited relief that an indemnity provision from a franchisee would provide to a franchisor, franchisors should consider educating their franchisees of the significance and potential pitfalls of the new legislation.

Dominic Mochrie and Andraya Frith are partners at Osler, Hoskin & Harcourt LLP, in Toronto. Mochrie can be contacted at 416-862-5994 or [email protected]. Frith can be contacted at 416-862-4718 or [email protected].

Canada will soon have the dubious distinction of having what many believe is the most onerous and comprehensive anti-spam legislation in the world (S.C. 2010, c. 23, known colloquially as “CASL”). While first impressions may be that any anti-spam legislation is a benefit, a review of the legislation reveals restrictions and obligations that apply to virtually all commercial electronic messages, and certainly beyond what is typically thought of as spam. CASL also will enact rules to restrict spyware (installation of computer programs on another person's computer) and certain practices such as pharming and address harvesting. Both the anti-spam and spyware provisions are drafted broadly and will apply to most instances of the remote installation of a computer program on another person's computer, regardless of whether the program is installed for a malicious purpose. Accordingly, despite the seemingly good intentions of the legislation, it has the prospect of affecting virtually all legitimate businesses. Franchisors' relationships with customers and with their franchisees will be affected.

CASL focuses on three main topics: 1) restricting unsolicited commercial electronic messages, 2) restricting the installation of computer programs on another person's computer, and 3) other practices, such as pharming and address harvesting.

Anti-spam: The restrictions relating to anti-spam create significant obligations on any business sending electronic messages for a commercial purpose. CASL will require express, opt-in consent from recipients, subject to limited exceptions. It is noteworthy that this opt-in consent regime is stricter than existing requirements under Canada's privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which generally permits opt-out consent for marketing messages and allows for reliance on implied consent in broader circumstances than does CASL.

Even U.S. franchisors, which are accustomed to the U.S. CAN-SPAM Act, may need to rethink their electronic communication practices. CAN-SPAM applies only to e-mail, but CASL applies to other forms of electronic communication, such as text messages, instant messaging and social media messaging.

Once CASL is in force, subject to a limited transitional period discussed below, the legislation will require franchisors that communicate electronically with franchisees, customers or others to reconsider how they obtain consent from the recipients of the e-mails. Unfortunately, in many cases, businesses will need to obtain new or “refreshed” consent from individuals on an opt-in basis. This may mean that existing mailing lists can no longer be used until fresh consent is obtained ' and businesses will be well advised to use the transitional period to do so.

Obtaining fresh consent for existing customers lists and new consent from new customers will pose additional challenges in franchise systems where the franchisor does not have direct contact with customers, but compiles the mailing lists based on information provided by franchisees. Not only must the franchisor develop new procedures for obtaining and documenting consent, but it must also communicate these procedures to its franchisees and ensure that they are followed.

It is not all bad news: CASL provides limited exceptions to its opt-in consent requirement. Businesses with an “existing business relationship” with the recipient of the e-mail can rely on implied consent. Unfortunately, this exception is largely limited to specific categories of customers who have been active within the prior two-year or six-month period.

CASL provides for a three-year transitional period for both active customers and inactive customers with whom there is a qualifying business relationship. Businesses are allowed to send customers electronic messages and, more importantly, requests for consent during this time period. In addition, there are business card and address publication exclusions: Express consent is not required if: 1) the recipients have publicly published or provided their electronic address, 2) have not stated they do not wish to receive messages, and 3) the message is relevant to the recipients' business or professional roles.

Anti-spyware: The anti-spyware provisions of CASL include an express consent requirement for the installation of computer programs and prescriptive disclosure and notice requirements. The consent and notice provisions are broadly drafted and will apply to most computer programs, regardless of whether the program is installed for a malicious purpose. Both “basic” and “function-specific” disclosure notices (including reasonably foreseeable impacts on the user's computer and e-mail contact information) must be given to end users in advance of installation of a program.

Any franchisor that has remote access to its franchisees' computers must be aware of these provisions and ensure they comply, even for installing updates and patches remotely on the computers.

There are some limited exceptions. For example, use of cookies, Java Script and HTML are exempted, but only where the person's conduct makes it reasonable to believe that he consents to these programs being installed on his computer. In addition, to allow for automatic update services offered by many software publishers, the installation of an update or upgrade to a computer program will be exempted from the express consent and “basic” disclosure requirements if: 1) the program was initially installed in accordance with those requirements; 2) the initial consent entitles individuals to receive the update or upgrade; and 3) the installation is made in accordance with the initial consent.

As with the anti-spam provisions, there is a transitional period of three years or until consent is withdrawn, whichever comes first, for programs installed on a user's computer prior to CASL coming into force.

Other practices: CASL also amends other statutes: 1) PIPEDA will be amended to restrict “address harvesting,” or the unauthorized collection of e-mail addresses through automated means without consent, 2) the Competition Act will be amended to make it an offense to make false or misleading representations in the sender information, subject matter information or content of an electronic message, and 3) the Telecommunications Act will be amended to repeal the national Do-Not-Call List.

Offenses and Penalties

Franchisors must be aware that CASL represents a fundamental shift in risk and imposes significant penalties for noncompliance, particularly when compared to noncompliance with PIPEDA. In addition to offense provisions for false or misleading subject lines, e-mail address harvesting and pharming, breach of the anti-spam and anti-spyware rules will be enforced with stiff penalties, including administrative monetary penalties of up to $10 million for corporations ($1 million for individuals). A private right of action, including the possibility of class actions, will allow consumers and businesses to commence enforcement proceedings and recover damages, including statutory damages of up to $1 million a day.

What Should Franchisors Do?

The Act is expected to come into force in late 2011 or early 2012. Generally speaking, franchisors must consider whether their existing procedures and systems for obtaining and documenting consent are sufficient to address the new “express” consent requirements (i.e., relying on consent strategies developed under PIPEDA is no longer appropriate). If not, the franchisor must scrub its mailing lists of all tainted addresses and establish new procedures and systems for collecting appropriate consent, and for sending CASL-compliant messages in the future. This should include obtaining renewed consent before CASL comes into effect, or when it applies, during the transitional period for existing business relationships. Also, given the possible damages for a breach of the legislation and the limited relief that an indemnity provision from a franchisee would provide to a franchisor, franchisors should consider educating their franchisees of the significance and potential pitfalls of the new legislation.

Dominic Mochrie and Andraya Frith are partners at Osler, Hoskin & Harcourt LLP, in Toronto. Mochrie can be contacted at 416-862-5994 or [email protected]. Frith can be contacted at 416-862-4718 or [email protected].