Canada's Anti-Spam Legislation (CASL) establishes a highly restrictive regime for the sending of marketing and promotional emails and texts (commercial electronic messages or CEMs). The enforcement risks associated with CASL will be dramatically heightened as of July 1, 2017, when the provisions enabling a statutory private right of action (PRA) come into force.
The PRA will allow private individuals and organizations to seek significant damages from businesses that violate the key provisions of CASL. To prepare for this new reality, organizations should review their CASL compliance program to ensure that it is adequate to establish a due diligence defence against an allegation of non-compliance.
CASL Overview
The provisions of CASL relating to the sending of CEMs came into force on July 1, 2014 and generally require prior consent to send a CEM and prescribe certain message content requirements, including a specific form of unsubscribe. Enforcement activity by the CRTC has emphasized that the onus is on the sender of the CEM to prove that express consent was properly obtained. In addition, while organizations can rely on specific categories of implied consent in order to send CEMs, these categories are strictly defined and to date have been narrowly interpreted by the CRTC.
Other provisions of CASL impose distinct obligations relating to the transmission of electronic messages and the installation of computer programs.
CASL provides for significant statutory penalties in the event of a contravention of the law. For businesses, the maximum penalty is $10 million. To date, the CRTC has imposed fines as high as $1.1 million for non-compliance.
The Private Right of Action
On July 1, 2017, sections 47 to 51 and 55 of CASL will come into force to establish a private right of action pursuant to which individuals and organizations may apply to a court to obtain damages for contraventions of the law. Under section 47(1), any individual, partnership, corporation or association may initiate an application by alleging a violation of CASL and applying to a court of competent jurisdiction. The effect is to allow private actors, and not just the public bodies charged with enforcing the Act, to seek redress for prohibited conduct.
Section 51(1) of CASL sets out the penalties that may be imposed by a court if it is satisfied that the violations alleged in the application have occurred. Under section 51(1)(a), the court may order that the respondent pay compensation in an amount equal to the actual loss or damage suffered, or expenses incurred by the applicant. In addition, under section 51(1)(b), the court may order that the respondent pay the applicant the following amounts in non-compensatory (i.e. statutory) damages:
- For a contravention of section 6: $200.00 for each contravention, not exceeding $1,000,000.00 for each day on which a contravention occurred;
- For a contravention of section 7 or 8, $1,000,000.00 for each day on which a contravention occurred;
- As a general rule, for a contravention of section 9: $1,000,000.00 for each day on which a contravention occurred.
The Act also exposes senior corporate officials to these large monetary penalties if they directed, authorized, assented to, acquiesced in or participated in the commission of the contravention. Under section 55 of CASL, where more than one person is determined to have contravened the act on a section 47(1) application, all of those persons are jointly and severally liable for the payment of the amounts ordered by the court under section 51(1).
While the language of CASL that allows for imposition of the penalties is permissive and the law expressly states that the purpose is not to punish but rather to promote compliance, it remains to be seen how harshly the penalties will be applied. To date, the law has been interpreted restrictively and significant penalties have been imposed even against those businesses that have fully cooperated with the CRTC in its investigation.
The Availability of a Due Diligence Defence
Section 54(1) of CASL allows for a due diligence defence that provides an opportunity for businesses to avoid liability by showing that they took reasonable steps to avoid the violations. The CRTC recently has identified several measures that should be taken by businesses to comply with CASL, and which may aid in the establishment of a due diligence defence. Notably, the CRTC suggests that senders of commercial electronic messages maintain:
- Written policies and procedures regarding CASL compliance;
- The documented methods through which consent was collected;
- All evidence of express and implied consent (e.g. audio recordings, copies of signed consent forms, completed electronic forms) from consumers who agree to receive CEMs;
- All unsubscribe requests and resulting actions.
As July 1, 2017 approaches, Canadian businesses should ask themselves whether they are ready for the impending PRA regime and have the necessary CASL policies and procedures in place to mitigate against enforcement risk. Is adherence to this compliance program monitored and audited? Are records of both express consent and implied consent adequate to prove compliance? Are unsubscribe requests implemented and tracked? Are employees appropriately trained on what is required by the law? The ability to respond to the above questions in the affirmative has become increasingly essential as implementation of this final phase of the law becomes imminent.