July 1, 2014 is a date most organizations remember - the date that many key provisions in Canada’s Anti-Spam Law (“CASL”) came in to force.
July 1, 2017 was to be another significant milestone for organizations in their on-going pursuit of CASL compliance; however, on June 7, 2017, the federal government issued an Order in Council that provided a last minute reprieve by delaying the coming into force of the private right of action (“PRA”) under CASL until the completion of a parliamentary review. Organizations breathed a collective sigh of relief with some lamenting that they had spent the past several years stressing about July 1, 2017.
Many are heralding the suspension of the PRA as a strong signal that the government is prepared to fix or, at the very least mitigate, some of the extreme elements of the legislation. The Honourable Navdeep Bains, Minister of Innovation, Science and Economic Development was quoted in a press release issued on June 7, 2017:
“Canadians deserve to be protected from spam and other electronic threats so that they can have confidence in digital technology. At the same time, businesses, charities and other non-profit groups should have reasonable ways to communicate electronically with Canadians. We have listened to the concerns of stakeholders and are committed to striking the right balance.”
While the PRA has been suspended, business must be aware that the transitional period, discussed below, will end as scheduled on July 1. Further, the CRTC will continue to enforce the legislation.
July 1, 2017 was to mark the arrival of the PRA. As drafted, the PRA provisions in CASL would have allowed individuals and businesses to file a lawsuit to recover damages if they felt they had been affected by any act or omission that: (a) constituted a contravention under Section 6 to 9 of CASL (the provisions setting out the core rules for the transmission of commercial electronic messages (“CEMs”), the alteration of transmission data and the installation of computer programs); (b) resulted from false or misleading CEMs under the amendments to the Competition Act; or (c) resulted in a violation of the email harvesting and use provisions in the Personal Information Protection and Electronic Documents Act.
The potential cost awards were significant – in addition to compensatory damages, the court could have awarded up to $200 for each non-compliant CEM up to a maximum of $1 million for each day on which a contravention occurred. Additionally, CASL imposes personal liability on officers, directors and agents of a corporation if they directed, authorized, assented to or participated in the violation, regardless of whether or not the corporation is subject to a proceeding.
The PRA sparked concerns that frivolous and/or costly class action lawsuits would be brought against both large companies and small businesses, including those who had inadvertently breached CASL in their good faith efforts to comply with the onerous legislation. The PRA was also viewed as unnecessary - given the potential financial and reputational damage that comes with non-compliance, businesses have plenty of incentive to comply with the legislation. The CASL regime already contains significant administrative monetary penalties and the CRTC has been very active in their enforcement activities, having imposed several significant fines since the legislation came in to force on July 1, 2014.
Despite the potentially indefinite delay of the PRA, organizations would be well advised to use this time to ensure they have a rigorous corporate compliance program in place that includes a detailed record of all CASL compliance efforts. This includes establishing appropriate record-keeping that proves the appropriate level of consent from an individual for every CEM sent, detailed policies, employee training and evidence of regular audits as this could assist in establishing a due diligence defence.
Time’s Up - The end of the transition period
First, the three-year transition period for CEMs will end. During the three years between July 1, 2014 and July 1, 2017, organizations were free to continue to email contacts with which they had prior existing relationships (so long as the contact had not unsubscribed) on the basis of implied consent to receive CEMs from the organization. This time period also provided a window for organizations to obtain express consent or to ensure compliance with a consent exception or implied consent rule.
After the cut-off date, organizations may only send CEMs to recipients that have provided express consent or whose implied consent is currently valid under CASL. After July 1, those organizations relying on an “existing business relationship” for implied consent to send CEMs must observe the 6 month or 2 year time limit from the activity creating the relationship and cease sending CEMs upon the expiration of that limit.
With the expiration of this transition period looming, organizations must review their mailing lists and databases to ensure full compliance with the consent requirements of CASL. If you do not have adequate consent, you should remove that contact from your database prior to the deadline. Remember, appropriate records are required to successfully demonstrate consent and the burden of proof is on the sender.