Express and Implied Consent: What is the Difference and When Can We Rely on Them?

Written By Guilda Rostama

In our previous article, we got introduced to Michael, Head of Sales, who has designed a tailored cold outreach campaign to reach out to as many individuals as possible that are responsible for purchasing training solutions. Our precedent article has led us to conclude that Michael’s campaign is indeed subject to CASL. Now, we need to figure out the actions that Michael needs to take to comply with CASL.

The first question Michael needs to ask himself is: who am I sending the CEMs to? Indeed, the nature of the relationship between the recipient and the company plays a key role in determining Michael’s obligations under CASL.

The business-to-business exemption

So, let’s start with the good news: CASL has a business-to-business exemption.  It means that if the recipient is an employee, representative, consultant, or franchisee of an organization that has a business relationship with your company, then CASL’s rules don’t apply. Indeed, CASL’s main purpose is to regulate CEMs sent to individuals that act in their “individual” capacity, and not in their functions or duties in an official or business capacity. Be careful though: the message must concern the activities of the organization you are sending the CEM to (more on that a little further below).

What does this mean for Michael? This means that Michael could send CEMs to the employees of commercial entities without having to worry about CASL, as long as he can demonstrate that (i) there is an existing relationship between both organizations (and not just between some of their employees) and that (ii) the message relates to the activities of the organization. For example, Michael could send CEMs to employees of an organization that has previously purchased trainings from the company for most of its staff members. However, if only a few staff members of that organization have purchased that training, or if there is no established business relation between the two organizations, the business-to-business exemption wouldn’t apply, and Michael would have to follow CASL regulations.

So, that was the good news. Now, if Michael wants to address the CEMs to employees of organizations that have no relations with his company or to individuals outside of their official/business capacity, this will no longer be a business-to-business relationship. Which brings us to another key notion in CASL: consent. 

Implied and express consent

There are two types of consent under CASL – express and implied. 

Express consent means that a person has clearly agreed to receive a CEM, either in writing or orally. The recipient must take a proactive action to indicate their express consent (for example, ticking a box, subscribing to a newsletter, or replying to an SMS expressing their willingness to receive CEM from you…).

Implied consent is more convenient for organizations, but it also brings a certain level of complexity. Simply put, implied consent is when you don’t ask the individual to take a specific action to agree to receive CEMs. In other words, to rely on implied consent, you must be capable of proving that given the circumstances, it is OK to assume that the individual would agree to receive CEMs.

So, the first thing you need to look at is whether the recipient has previously opted out of receiving CEMs from your organization. Indeed, CASL is very firm on that: you cannot rely on an individual’s implied consent if they have already told you that they do not want to receive any CEMs from you. This is why it’s so important to maintain opt-out lists in your organization.

If the individual has not previously opted out, you can rely on implied consent when:

  • your organization already had a previous commercial transaction with the recipient;

  • your organization has a non-business relationship with the recipient; or when

  • the recipient has “conspicuously” made available their electronic address, provided that (i) it is not indicated that they don’t want to receive CEMs and that (ii) the message is relevant to their role (yikes… more details below).

First, you can rely on implied consent if you have a previous commercial transaction with the recipient. But what is a previous commercial transaction? Well, it means that the individual has already purchased products from your organization, or already called upon the services of your organization. If you are unsure about having an existing business relationship with a potential recipient, you can ask yourself the following questions:

  • has the recipient made a purchase or lease of goods or services within the two years immediately before the day on which the message is sent?

  • has the recipient accepted a business and investment opportunity offered by you within two years immediately before the day on which the message is sent?

  • has the recipient made an inquiry within the six months immediately before the message is sent?

  • has the recipient entered into a written contract which is still in existence or expired within two years immediately before the day on which the message is sent?

If you answer yes to any of these questions, this means that you have an existing business relationship and that you can therefore rely on implied consent to send CEMs.

Now, the second possibility to rely on implied consent is an existing non-business relation. To determine whether such a relation exists, you can ask yourself the following questions:

  • Are you a registered charity, a political party or organization, or a candidate for publicly elected office, and has the recipient made a donation, performed volunteer work for you, attended a meeting you organized, or given you a gift within the two years immediately before the day on which the message is sent? 

  • Are you a club, association or voluntary organization and is the recipient a member?

Again, if you answer yes to any of these questions, you can consider that you have a non-business relation with the recipient and you can rely on implied consent.

The last situation where you can rely on implied consent is when you send CEMs to email addresses that have been made conspicuously (i.e., evidently, manifestly, clearly) available to the public. This means that you can potentially rely on the implied consent of individuals that you identify online. Be careful, however: CASL emphasizes the fact that the address is public is not sufficient. You must be able to prove that the recipient made their address publicly available on purpose, by deliberate action. This could be the case for example if you can prove that Linkedin does not publish the users’ email addresses by default and that the recipient chose to deliberately make their email available to the public.

On top of that, you need to make sure that there is no statement indicating that the individual does not wish to receive CEMs at that address. To get back to Michael, if he identifies the email address of a person responsible for training on an organization’s website, he needs to make sure that there is no statement, (whether on the page where the email is located or in the terms of use for example) that would indicate that CEMs should not be sent to the organization’s employees.

One last condition before you can rely on the “conspicuous” exception: you must ensure that the CEM relates to the individual’s role, functions, or duties in an official or business capacity. Therefore, Michael would need to justify that given the recipient’s role, he or she may potentially be interested in the company’s services. For instance, sending a marketing officer a CEM relating to a course to learn how to develop social media platforms for e-marketing may be relevant.  

In summary:

  • If you intend to send CEMs to employees or representatives of organizations with whom your organization has an established business-to-business relationship, the rules of CASL don’t apply;

  • Express consent requires a proactive action by the individual to receive your CEMs;

  • Implied consent means that you can “assume” that the individual is willing to receive your CEMs. However, you can only rely on implied consent under specific conditions:

    • if you have an existing business or non-business relation with the recipient; or if

    • the recipient has conspicuously made available their electronic address, as long as (i) they have not indicated that they don’t want to receive CEMs, and that (ii) the message relates to the recipient's business role, functions or duties in an official or business capacity.

In the next chapter, we will focus on “how” to collect express and implied consent.

Guilda Rostama

Guilda Rostama is a GDPR specialist. As a fully-qualified French lawyer, Guilda has a PhD in law, and holds the Master of Law and Internet Technology from Paris Sorbonne, as well as the LLB of the University of Sheffield, United Kingdom, and the CIPP/C. Before moving to Canada in 2021, Guilda was a senior legal counsel in the Economic Affairs department in the CNIL (the French Data Protection authority) for more than four years. During her tenure in the CNIL, she was actively involved in building recommendations and guidelines for organizations implementing the GDPR. She was also the leader of the Social Media Expert subgroup in the European Data Protection Board (EDPB).

Previous

CASL: How to Collect Consent and Demonstrate it?
Next

What is a CEM? An Introduction to Canada’s Anti-Spam Legislation.