CASL is the toughest law of its kind in the world and Canadian organizations are awakening to many major challenges they will face when trying to comply with this legislation. However, non-Canadian organizations should not overlook the Act’s extra-territorial application and its effect on their respective operations.
CASL’s requirements far exceed those in other countries. Rather than targeting false and misleading e-mails or those sent in violation of an opt-out request such as in the U.S., or limiting the restrictions to direct marketing messages as in the EU, CASL goes much farther. It does the same thing with its “ban all” approach to “malware”. To the extent that other countries have civil laws that regulate distributing computer programs without consent, they target malware, spyware or similar threats, not programs that are also completely innocuous as CASL does.
For many organizations, compliance will require development of new databases, modification of computer systems, changes to websites, user interfaces, and contracting processes and disclosures of information.
CASL regulates sending commercial electronic messages and the installation of computer programs. CASL’s anti-spam provisions apply to any commercial electronic message (CEM) where a computer system located “in Canada is used to send or access the electronic message”. It applies to emails, instant messages, SMS messages and messages sent to “similar accounts”. This means that the form, content and unsubscribe requirements established by CASL apply (i) to foreign messages including those sent by foreign organizations to Canadian recipients (whether customers, or proposed customers or otherwise), and (ii) to messages that are stored on foreign servers and accessed from Canada.
CASL’s broad prohibitions also make it illegal to install a computer program (whether or not it has any malware or spyware feature) including an update or upgrade onto someone else’s computer without making prescribed disclosures and obtaining a prior express consent. The computer program provisions apply if the computer program is installed on any computer system located in Canada –and not only with respect to “apps”, but also with respect to programs in embedded systems including those in vehicles and consumer and industrial products. Accordingly, if an organization sells or services almost any product to Canadians electronically, either directly or through third party distribution channels, CASL will likely apply to it.
Another key point that should be considered is that, unlike similar laws in other countries, CASL provides a private right of action to anyone with remedies that includes compensation for actual losses plus damages of up to $1 million per day of non-compensatory (essentially punitive) damages. Class actions are not foreclosed and if certified could lead to threats of massive liability.
To help organizations in their efforts to comply with CASL, McCarthy Tétrault has created a web page that compiles useful resources to help in developing and implementing compliance programs. It has also updated its very popular CASL Toolkit to take into account recent developments including the Industry Canada regulations and RIAS and the CRTC regulations and guidance documents.