Things are about to get a little trickier north of the border, and it’s nothing like Anaheim Ducks winger Corey Perry’s mini-stick antics at this year’s National Hockey League All-Star Game in Ottawa. A new law that currently is on ice in the Canadian capital will have a significant impact on all electronic communications between companies and consumers.

Canada’s anti-spam legislation (CASL), Bill C-28, which the House of Commons adopted on Dec. 15, 2010, will soon be in force and is likely to be a compliance headache for foreign companies that are either unaware of the bill or slow to update their electronic marketing and communications practices.

CASL is the result of a government task force that assembled in 2004 to investigate bulk unsolicited messages, spyware, malware and other online threats. The task force, which included representatives from the government, private industry and public interest groups, eventually decided to expand the scope of four existing laws to cover all activities involving the sending of commercial electronic messages and the installation of any computer program on another person’s device, subject to narrow exceptions.

“Rather than limiting the law to go after the true evildoers, the law was expanded in scope to cover all activities except those that were actually excluded,” says Osler, Hoskin & Harcourt Partner Michael Fekete. “And therein lies the biggest challenge associated with the legislation because the scope is extremely broad—perhaps the broadest of any anti-spam/anti-spyware legislation in the world.”

Thankfully for companies, time remains before the law goes into effect. Industry Canada—the national department of industry—has indicated that there will be a 30-day comment period following the publication of draft regulations with an additional six to eight weeks following the comment period during which it will review the comments and finalize the regulations. And once the regulations are published in draft, a two-and-a-half-month window is expected before they would be finalized. Therefore, the soonest CASL could go into effect is fall 2012, but early 2013 is more likely.

Conjuring Consent

American businesses may have a bit of work to do in preparation for CASL. The major difference between CASL and the U.S. CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003) is that CASL requires express consent to send commercial emails. In essence, Canada’s law requires all message recipients to opt in to receive messages as opposed to opting out, which is what CAN-SPAM mandates. However, there are exceptions to this blanket rule.

Provisions exist within the law for implied consent, but only within a narrow category of an established business relationship. Under the law, a standing business relationship exists wherever a consumer has purchased a good or service from the message sender within two years prior to the message being sent. An existing relationship also exists when a consumer places an inquiry or application to a business.

CASL also requires disclosure for when companies request consent. This can be tricky: Senders not only have to get express consent to send a message, but they also have to get consent in a particular manner. The law provides that senders must state the purpose for requesting consent, identify the person asking for consent, provide specific contact information and explain that the recipient can later withdraw his consent.

Another difference between the U.S. and Canadian laws is that CAN-SPAM is limited to email, whereas CASL covers instant messages and text messages as well as social media messages when a sender is pushing the message to a recipient instead of the recipient pulling it from an online server. It also targets unauthorized installation of computer programs and having false or misleading subject lines in electronic messages.

Pricey Predicament

As onerous as the anti-spam law sounds, the potential penalties for violators may be worse. There are two forms of punishment: CASL provides for an administrative monetary penalty levied by the Canadian Radio-television Telecommunications Commission (CRTC) of up to $10 million for corporate offenders.

A statutory damage penalty also exists in the form of a private right of action. Without proving damages, individuals who allege that they’ve received a noncompliant message from a sender have the right to sue for a maximum fine of $200.

Fasken Martineau attorney Charles Lupien, who conducted a survey on U.S. corporate awareness of the law (See “Needing Counsel”), says these types of penalties are much higher than usual in Canada. Additionally, he says the latter penalty makes the possibility of class action very real. “We probably will see law firms trying these class actions and making deals with plaintiffs based on the $200 ‘bounty hunter fee,’” he says.

Fekete agrees, noting that it will take time for organizations to truly understand to what extent there will be material damages awarded as a result of these actions.

Contemplating Compliance

Marketers and legal departments of businesses that will be sending email and other electronic messages to Canadians must recognize that they need to start updating their practices now and not wait for the law to come into force. But in advance of the final rules, even this may be problematic.

“The challenge for organizations right now is uncertainty,” Fekete says. “When you’re engaging in compliance planning, there are a whole host of issues that come up where the legislation doesn’t provide a clear answer.”

Because of this, Fekete recommends undertaking a risk assessment, but warns that the risks could change once the draft regulations are released, or once the CRTC issues its expected interpretation bulletins.

Fekete also suggests that companies identify the various issues on which they need to make business decisions before settling on a compliance strategy because it’s still unknown whether they will need fresh consent from prospective recipients, or if they can rely on an existing business relationship or consent that was obtained through an opt-out mechanism prior to the law coming into force.

“How this is interpreted by Industry Canada is the $64,000 question,” says DLA Piper Partner Jim Halpert.

Another compliance problem is present for companies that rely on third-party-provided marketing lists, or third parties that collect consent on behalf of companies. Currently, those provisions only exist in regulations that are still in draft form. As a result, companies should scrutinize the practices of the list providers to ensure they’re compliant with the law.