Is your business ready for CASL’s private right of action?
On July 1, 2017, Canada will be “celebrating” the third anniversary of Canada’s Anti-Spam Legislation—generally known as CASL.
Whether a celebration is warranted is questionable. While the legislation was purportedly designed to protect Canadians from spam, its actual effect on what we would all term “spam” is arguably negligible. Rather, it has created a tremendous amount of work for legitimate Canadian businesses in an effort to comply with a very difficult law.
Furthermore, with a private right of action scheduled to become available on July 1, 2017, contraventions of CASL will most certainly result in businesses (and in the case of corporations, also their directors and officers) being sued for damages. While CASL provides for compensatory damages, it also provides for statutory damages of $200 for each contravention of CASL to a maximum of $1 million per day, making such CASL claims rife for class actions.
What is CASL?
CASL attempts to regulate the sending of “commercial electronic messages,” commonly known as CEMs. CEMs are broadly defined to encompass any type of electronic message, in any format, that when examined, as a whole, has the purpose of encouraging participation in a commercial activity, regardless of whether that activity is carried out with the expectation of profit.
The Three Requirements of CEMs
Generally speaking, if a CEM is sent to an electronic address, the sender has to comply with three main requirements:
- Obtain the appropriate consent from the recipient (which may be express or implied), noting that an electronic message just seeking consent is considered a CEM.
- The CEM must clearly provide specific contact information directly or via a link.
- The CEM must provide an easy-to-perform unsubscribe mechanism, such as a reply option or a “click to unsubscribe” link. The unsubscribe request must be processed within 10 business days and any link must remain “good” for at least 60 days.
The CRTC has been the main enforcer of the provisions of CASL. Most businesses who have been pursued by the CRTC have agreed to enter into an undertaking with the CRTC whereby they agree to improve their compliance with CASL—and pay a penalty—for such violations as:
- Sending CEMS that did not contain an unsubscribe mechanism that was set out clearly and prominently, and that could be readily performed ($48,000 penalty).
- Sending CEMS that did not contain: (a) an unsubscribe mechanism that was set out clearly and prominently; and (b) complete contact information. Further, failing to honour, within 10 business days, unsubscribe requests and failing to have sufficient proof of consent for each electronic address that CEMs were sent to ($150,000 penalty).
- Sending CEMS that did not contain an unsubscribe mechanism that functioned properly and could be readily performed by the recipient. Failing to honour, within 10 business days, unsubscribe requests ($200,000 penalty).
- Sending out CEMs without appropriate consent—even though a third party third party service provider may have been the source of the error ($60,000 penalty).
The CRTC has been actively seeking Canadians to report suspected violations of CASL to the “Spam Reporting Centre.” More recently, the CRTC:
- as a result of only 50 complaints, fined a business $50,000 for sending CEMs without appropriate consent; and,
- as a result of only 58 complaints, fined a sole-proprietorship $15,000 for sending out non-compliant CEMs.
Is Consent Always Required?
CASL does remove the consent requirement but maintains the other two requirements for CEMs in certain situations, that include:
- Providing a quote or estimate if requested by the recipient.
- Providing facilitation, completion or confirmation of a commercial transaction that the recipient previously agreed to enter into with the sender.
- Providing warranty information, product recall information or safety information about a product that the recipient used or purchased.
- Providing notification about factual information about the ongoing use or purchase of a product or service, subscription, account or membership.
In addition to the above, CASL also provides for certain further exceptions, which remove all of the CEM requirements, in very limited and specific circumstances, such as internal business communications and communications between businesses with existing relationships.
Implied Consent can be shown to exist in certain situations, including:
- The recipient has made a purchase or lease of goods, services, and land or interest in land from the sender within the two-year period immediately prior to the date the CEM is sent.
- The recipient has made an inquiry or application to the sender on any of the items above within the six-month period immediately prior to the date the CEM is sent.
- The recipient has entered into a written contract with the sender which is still in existence or expired within the two-year period immediately prior to the date the CEM is sent.
While implied consent can be helpful, tracking the implied consent – and connecting it to individual CEMs - is practically very difficult.
Given the above, many businesses—in addition to ensuring that any CEMs contain the required contact information and an appropriate unsubscribe mechanism—have diligently worked to ensure that they have clear, opt-in, express consent to send any CEMs. The reason is simple: such express consent removes the need of proving that a specific CEM fit within any of the above exceptions.
Of course, any consent, whether it is implied or explicit, can be revoked at any time via the unsubscribe mechanism.
The Need for a Database
Given the complexities of CASL, most businesses are having to create extensive databases which track the basis for consent and, furthermore, monitor and track the sending of CEMs and any unsubscribe requests. It must be remembered that the onus rests on the business to prove that an individual CEM complied with the provisions of CASL.
Revisit CASL Compliance
As can be seen, the provisions of CASL have created extensive compliance costs that appear to only be increasing. Businesses would be well advised to regularly review their CASL compliance in an effort to limit the literal damages that can result.
**This article provides a brief summary of CASL. Specific questions about its applicability in any specific situation should be discussed with your lawyer.**
Paul K. Grower is a partner with Fillmore Riley LLP who practises primarily in the areas of taxation litigation, privacy law, and general commercial litigation. You can reach him at (204) 957 8369 or email@example.com.