On July 1, 2017, contraventions of Canada's Anti-Spam Legislation (commonly known as "CASL") will be subject to enforcement through private litigation, including class proceedings. On the same day, certain implied consents to receive commercial electronic messages, which are based on a special transition rule, will expire. Organizations should take steps now to verify their CASL compliance and mitigate the risks of CASL regulatory enforcement and private litigation.
CASL - Overview
CASL creates a comprehensive regime of offences, enforcement mechanisms and potentially severe penalties (including liability for employers and corporate directors and officers) designed to prohibit unsolicited or misleading commercial electronic messages, the unauthorized commercial installation and use of computer programs on another person's computer system and other forms of online fraud (such as identity theft and phishing).
For most organizations, the key parts of CASL are the rules for sending commercial electronic messages ("CEMs"). Subject to important but limited exceptions, CASL creates an opt-in regime that prohibits the sending of a CEM unless: (1) the recipient has given consent (express or implied in limited circumstances) to receive the CEM; (2) the CEM complies with prescribed formalities (including information disclosure and an effective and promptly implemented unsubscribe mechanism); and (3) the CEM is not misleading in any respect (including in the sender information, subject matter information and body of the message). An organization that sends a CEM has the onus of proving that the recipient consented to receive the CEM.
Subject to important but limited exceptions, a CEM is any kind of electronic message (e.g. emails, text messages and social media private messages) sent to an electronic address if one of the message's purposes (not limited to the sole or primary purpose) is to encourage the recipient to participate in a commercial activity (e.g. a transaction, act or conduct of a commercial character), regardless of expectation of profit. In addition, an electronic message sent to request consent to receive CEMs is deemed a CEM. Subject to important but limited exceptions, the CEM rules apply to a CEM if a computer system in Canada is used to send or access the CEM, regardless of the location of the sender or recipient. The CEM rules apply even if a CEM is sent to a single recipient.
An organization is liable for CASL contraventions by the organization's employees and agents (including independent service providers engaged by the organization to send CEMs on the organization's behalf) acting within the scope of their employment or authority. A corporate director or officer is liable for the corporation's CASL contraventions if the director or officer "directed, authorized, assented to, acquiesced in or participated in" the commission of the contravention. However, organizations and individuals may avoid liability for CASL contraventions if they establish that they exercised due diligence to prevent the commission of the contravention.
Contravention of CASL's CEM rules can result in: (1) potentially severe administrative monetary penalties (up to $10 million per violation for an organization and $1 million per violation for an individual) in regulatory proceedings; and (2) commencing July 1, 2017, potential civil liability for compensatory damages and potentially substantial statutory (non-compensatory) damages in private litigation (including class proceedings) brought by a person affected by the contravention.
The Canadian Radio-television and Telecommunications Commission ("CRTC") has regulatory and enforcement authority for CASL's CEM rules, and broad enforcement powers for that purpose. Since CASL came into effect on July 1, 2014, the CRTC has taken enforcement action against organizations and individuals who have violated CASL's CEM rules, including sending CEMs without valid consent. The CRTC has issued enforcement decisions and accepted voluntary undertakings (settlements) imposing administrative monetary penalties ranging from $15,000 to $1.1 million. For more information, see BLG bulletins CASL – Year in Review 2016 and CASL – Year in Review 2015.
Rules for Consent to Receive CEMs
CASL provides that consent to receive a CEM may be express (based on a prescribed form of consent request) or implied (arising from limited, specified circumstances). Both kinds of consent are equally valid.
CASL provides that express consent to receive CEMs must result from a request for consent that "clearly and simply" states certain prescribed information and includes a statement that the person whose consent is sought can withdraw their consent. The CRTC's Compliance and Enforcement Information Bulletin CRTC 2012-548 and Compliance and Enforcement Information Bulletin CRTC 2012- 549 provide guidance regarding requests for express consent.
CASL provides that implied consent to receive CEMs can arise from various specified circumstances, including either an "existing business relationship" or an "existing non-business relationship" (each as defined in CASL) between the person who sends the CEM and the person to whom the CEM is sent. Implied consent to receive CEMs based on an existing relationship expires after a specified period (either two years or six months) after the circumstances giving rise to the relationship, unless the consent is withdrawn earlier. Organizations that rely on implied consent must track implied consent expiration periods and make timely changes to consent lists. Organizations must also establish appropriate internal procedures to promptly implement unsubscribe requests (within 10 business days) and other withdrawals of consent.
In some circumstances, express consent might be easier to administer than some kinds of implied consent, because express consent lasts until withdrawn whereas some kinds of implied consent are time limited or might be more difficult to prove. For those reasons, organizations often rely on implied consent to send CEMs that request express consent to receive subsequent CEMs. The CRTC's From Canada's Anti-Spam Legislation (CASL) Guidance on Implied Consent provides guidance regarding implied consent.
CASL includes a special transition rule for implied consent to receive CEMs arising from either an "existing business relationship" or an "existing non-business relationship" (each as defined in CASL but without regard to the time limits mentioned in the definitions) that existed on July 1, 2014 (when CASL came into force) and involved the communication of CEMs. The transition rule provides that the implied consent lasts for three years (until July 1, 2017), rather than the ordinary time limits (either two years or six months), unless the consent is withdrawn earlier. Organizations that have relied on the transition rule for extended duration implied consents based on a relationship that existed on July 1, 2014, must ensure that the consents are removed from consent lists on July 1, 2017, unless the consents have been renewed (as a result of subsequent circumstances giving rise to implied consent) or replaced with express consent.
It is important to note that the expiration of extended duration implied consents based on the transition rule will not affect other kinds of implied consents, including implied consents arising from an "existing business relationship" or an "existing non-business relationship" that existed after July 1, 2014. Those kinds of implied consents will continue to be valid for the applicable time period (either two years or six months) unless withdrawn earlier, as described above.
Preparing for July 1, 2017
There are a number of steps that organizations can take to enhance their CASL compliance and mitigate the risks of CASL regulatory enforcement and private litigation. For example, with respect to consent to send CEMs:
- Converting Consents: An organization should consider taking steps to convert soon-to-expire implied consents into express consents by sending CEMs (based on implied consents) that request express consents.
- Evidence of Consent: An organization should ensure that it has sufficient, reliable records to prove consent to receive each CEM sent by the organization. The CRTC's Enforcement Advisory – Notice for businesses and individuals on how to keep records of consent (2016-07-27) provides guidance for keeping records of consent to receive CEMs. For more information, see BLG bulletin Canada's Anti-Spam Legislation – Regulatory Guidance.
An organization should also review and update its CASL compliance program, verify its due diligence documentation, and review and update its CASL complaint/litigation response plan.