Can charities handle CASL's complexity?

Canada’s anti-spam legislation goes into effect on July 1, but there’s still a lot of confusion about what that means for not-for-profit organizations. Charities and non-profits fall under the same legislation as private businesses — and are subject to the same penalties, which are hefty.

But many non-profits don’t have the same resources or sophisticated technology as private businesses and rely heavily on volunteers, so the administrative burden and cost of compliance is expected to be significant.

Canadian Anti-Spam Legislation — which many consider to be the toughest of its kind in the world — was developed to limit the ability of companies to send spam and prohibit unwanted downloads of programs onto people’s computers. Commercial electronic messages are defined as any communication that involves a sale or fee.

But, according to the Ontario Nonprofit Network, many non-profits generate their own revenue by charging fees for products and services and participation in activities and programs.

“Unfortunately, the legislation and proposed regulations were drafted initially for commercial businesses and did not accommodate for the unique activities of the non-profit sector and its community-building work,” states the Ontario Nonprofit Network on its web site. And this means many revenue-generating activities of the non-profit sector, however small, fall under CASL.

While the legislation goes into effect on July 1, organizations will have three years to get opt-in permission that will allow them to legally communicate with the people on their mailing lists.

“The legislation really ought to have been much more narrowly focused,” says Barry Sookman, senior partner with McCarthy Tétrault LLP. CASL should have been drafted in a way that targets real offenders and offensive messages, he adds. But, as it stands, the scope is undifferentiated “by actor or even by message.”

Charities typically provide community services that are socially beneficial, but they typically have limited budgets. “Those are the kinds of things you would want to encourage,” says Sookman.
“You would want them to reach out to the community.” But CASL could impact their ability to do that.

What is still somewhat unclear is the definition of a “commercial electronic message,” or CEM. Basically, for an e-mail to be a CEM, it must encourage participation in a commercial activity.

Many charities provide inducements to donate, says Sookman, from newsletters to invitations and advance notice of events. A message might also contain a donation hyperlink that takes the reader to a charity web site that also refers to the sale of goods and services. That could turn a message into a CEM under CASL, he said.

But since non-profits previously had no need to keep track of this data, many don’t have records of opt-in consent (or the technology to track it). And unless they have opt-in consent — and can prove due diligence — they now have to get that consent or purge their databases of those names. If they continue to operate without opt-in consent, technically they would be operating illegally.

And, once CASL comes into effect, it will be illegal to send out a message asking people if they want to receive CEMs. “It’s a Catch-22,” says Sookman. If you want to send a CEM, you won’t be able to do it without opt-in consent, but you won’t be able to send out an e-mail to get that consent. Basically, it means people have to come to you.

CASL is going to be a large compliance burden for charities and non-profits, says Ryan Prendergast, an associate at Carters Professional Corp. They already have to deal with a complex web of rules such as the Income Tax Act, as well as regulations that vary from province to province, so this adds to that compliance burden.

“It’s always been ironic to me that one of stated purposes of the legislation is to target activities that increase costs, but the legislation poses additional compliance costs,” he says. “There will be initial front-end costs to make sure compliance will be possible for the organization.”

This might be easier for larger non-profits that already have sophisticated compliance procedures in place, but smaller organizations made up of volunteers are less likely to have IT people on staff who can set up databases and tools to make sure they are in compliance with the legislation.

One major impact of CASL is that it will impose liability on the board of directors or volunteers if there’s a compliance breach.

So non-profits need to make sure their staff is aware of that so they can be protected, says Prendergast.

Another impact will be association-to-association communication, where the non-profit might not be communicating directly to its own members. The legislation, however, doesn’t recognize this ongoing method of communication that takes place in the non-profit world. “(It’s) going to be tricky making sure they are getting consent,” says Prendergast.

The legislation does encompass certain exemptions, including one specifically for soliciting charitable donations (where the primary purpose of the electronic communications is to raise funds), but this only applies to registered charities. And not all non-profits are registered.

“There was intense lobbying on the part of not-for-profits to allow this because e-mail is a cheap, efficient way to raise funds,” says Christine Carron, senior partner and chairwoman of the Canadian privacy and access to information team with Norton Rose Fulbright Canada LLP. “They’re not doing it to make a profit the way businesses are, they’re begging for money, so that is perhaps an explanation as to why the regulators gave in to that exception.”

If the CEM is intended to solicit funds for a registered charity or recognized political party, that implies consent and the charity or party is not required to include an unsubscribe mechanism. If it arises from a recipient’s volunteer work at a non-profit, that also implies consent, but the non-profit must still provide an unsubscribe mechanism.

Implied consent lasts two years from the time of the last donation or volunteer work or two years from the time when the person quit the voluntary organization. That means non-profits must track their donations and relationships, and then sort their e-mail list by the date of the last transaction or end of the relationship.

It gets more complicated, because there’s a question of when a message actually turns into a commercial message — and that’s where non-profits will need help from legal counsel.

TVOntario, a publicly funded educational TV station and media organization in Ontario, is reviewing its express consents and ensuring proper protocols are in place for outbound communications, especially those that would fall under CASL, says Jonathan Lau, in-house counsel with TVO.

“Where we differ from the private sector is with a specific regulatory exception from the legislation,” he says. When that came out, people thought great, charities are exempt, he adds, but that’s a simplified, cursory perspective.

As with any legislation, there are always grey areas, so there’s a need to clarify — and make everyone aware of — what compliance actually means. “You have to be very careful about that. Just because we’re a charity, if we’re sending out a message we can’t just say we’re a charity, we’re exempt,” says Lau.

He anticipates there will be a lot of questions about what actually falls under the exemption. In some cases, it could be arguable whether an e-mail is primarily intended for fundraising purposes (it could be an e-mail newsletter update that also asks for donations). Once you get into these grey areas, things get a whole lot more complicated for non-profits.

TVO may have an easier time than many other non-profits, however, since it already had software in place to keep its database up-to-date. “We want a sticky list,” says Lau. A recipient actively selecting to opt-in for future communications helps to create a “stickier” list so the organization isn’t blindly sending out e-mails, he added.

So, for the most part, the organization had already been obtaining opt-in consents; it’s currently confirming it has those consents and ensuring its database is accurate going forward. It’s also developing a compliance program and providing compliance training to those affected by CASL.

“We’re focusing on if we need to get express consent, if we need to send out those messages,” says Lau. “We are in pretty good shape but always (looking out) for potential gaps.”

For non-profits, those gaps come with potentially heavy penalties. “The penalties are the same as the penalties for business — there’s no distinction (between) fines that can be levied, so potentially a charity that operates as a corporation could be exposed to a $10 million fine,” says Prendergast. “I don’t think that will ever happen but the potential is there for the same penalties to be doled out against charities as a big monolith.”

The act itself gives discretion to the court in fixing the fines and asks them to take into consideration that the fine is there to encourage compliance and not to strictly punish, said Carron. And due diligence is a defense.

That’s different than a repeat offender, she added. The CRTC is setting up a complaints bureau, which will be manned to collect complaints from the public. And it will note if it’s getting multiple complaints from the same organization.

The chance of non-profits being the first group to be targeted is probably pretty low, says Sookman. “In theory they run the risk of fines. In practice I think the CRTC is going to leave them alone,” he says. But it puts these organizations in a situation where they have to decide what to do — make a decision to carry on their activities illegally or spend some of the little money they have on trying to be compliant and developing a due diligence program.

“Nobody has the time or inclination to worry about CASL so it’s going to be breached in practice,” says Sookman. And it makes no sense to have a law that’s serving no useful purpose that people are going to breach, he added, or one that has them worrying about whether they’re conducting legitimate activities.

“There’s no good reason for it,” he says. “When you think about charities and non-profits, they are not the kinds of organizations that we’re concerned about (with) spam.”

The government could easily have exempted non-profits and it wouldn’t have undermined the purpose of the legislation, says Sookman. Indeed, many other countries have developed anti-spam laws with “carve-outs” for charities and other non-profit organizations.

“It’s a bad policy choice at a time when governments have little extra money to help non-profits and charities, to add an extra administrative burden and make it more difficult to do their jobs,” says Sookman.

Most organizations now have spam filters and 99 per cent of that is blocked anyway, he added. “The reality is that (CASL) is addressing a problem that largely doesn’t exist anymore, so it’s a huge sledgehammer to cover a problem . . . (where) there’s a technological solution that can deal with it.”

HOW TO COMPLY

First, organizations need to track how they collect e-mail addresses. Second, they need to track the date at which their relationship with a person or business ends. “As of 2017, you will only be able to send an e-mail arising from that relationship two years after the relationship ends,” says Norton Rose Fulbright’s Carron.

Organizations need to ensure — except

for limited exemptions — that they include contact information and an unsubscribe mechanism that meets the requirements of the act. That unsubscribe mechanism must

be provided in the same format in which

the message was sent (such as in an e-mail).

If they’re sending the message on behalf

of someone else, they need to identify that person and indicate their contact information, unless the person is strictly a service provider for the sole purpose of sending e-mail messages (such as the Liberal Party of

Quebec sending an e-mail on behalf of

the Liberal Party of Canada).

The unsubscribe mechanism must be valid for 60 days after sending the message. If someone asks to be unsubscribed, the organization has 10 days to do it.