A year since Canada’s Anti-Spam Legislation (CASL) came into effect, we have seen three enforcement cases publicized by the CRTC. The following is a snapshot of the penalties imposed and the breaches cited by the CRTC in the applicable notice of violation or undertaking:
Click here to view table.
Back to Basics
As set out in our nutshell, organizations need to ensure that the following key requirements are met before or at the time of sending a commercial electronic message:
- Consent has been obtained (unless an exemption is available).
- The sender’s identification and contact information is provided.
- An unsubscribe mechanism is in place with the following features: it is set out clearly and prominently; it is able to be readily performed; and it is effective within 10 business days of a recipient’s indication that they wish to unsubscribe.
Based on the penalties imposed, the CRTC appears to be communicating the following:
- While much of the discussions in the industry before July 2014 surrounded the consent requirement, the cases suggest that meeting the content requirements is also important. For example, Plentyoffish was subject to a voluntary undertaking, including a payment of $48,000 for having an ineffective unsubscribe mechanism, even though it limited its electronic communications to its website subscribers (therefore meeting the consent requirement).
- Mitigating factors may help an organization that breaches CASL requirements, but will not necessarily save it. For example, the CRTC acknowledged that Porter “immediately” took steps to comply with CASL once it was made aware of the CRTC’s investigation. However, Porter was still subject to a voluntary undertaking, including a payment of $150,000.
- Organizations should ensure that they have the following CASL-related items in place: a compliance policy, a robust compliance program, training and proper documentation of consents. For example, as part of their voluntary undertakings, Plentyoffish and Porter agreed to update their compliance programs to cover elements such as corporate compliance policies and procedures, training and education, monitoring, auditing and reporting mechanisms, and consistent disciplinary procedures.
Reminder: Private Right of Action
Starting in January 2017, firms will be exposed to civil lawsuits, many of which are expected to be in the form of class actions. It is unclear whether actions could be launched on a retroactive basis (i.e., between July 1, 2014, when CASL came into force, and January 1, 2017, when the provision on the private right of action will come into force).
Marking this CASL Anniversary
It is important to take the technical requirements of CASL seriously. More than 330,000 complaints have been submitted under CASL and the CRTC has emphasized that it will continue to enforce CASL provisions. Being subject to a CASL enforcement action may involve not only financial penalties, but also time and costs of an investigation, and unwelcome publicity. First-time offenders do not necessarily get a free pass.
We encourage you to review your CASL compliance program and assess how you are protecting your firm against a regulatory action or civil lawsuit.