The controversial private right of action included in the legislation colloquially called Canada’s Anti-Spam Law (the “Act” or “CASL”), comes into force on July 1st of this year. The private right of action will enable the commencement of civil proceedings against persons that are alleged to be in contravention of certain provisions of CASL, PIPEDA or the Competition Act. While the legislation initially came into force in July of 2014, it included a three year delay for the provisions that empower individuals to commence private claims.
Although it is possible that individuals will utilize this right of action to commence traditional sole-plaintiff claims, the bigger risk to organizations is the potential for class action lawsuits.
This bulletin provides a quick overview of the private right of action, as well as steps that organizations should take to reduce and mitigate risks.
The Private Right of Action
The private right of action will allow individuals to seek financial relief from the court for various violations of CASL, PIPEDA or the Competition Act. Specifically, CASL permits an individual to claim damages in circumstances where:
1. they have been impacted by a breach of the provisions of CASL that prohibit:
a) transmission of commercial electronic messages;
b) rerouting of commercial electronic messages;
c) installation of a computer programs; or
d) participation or promotion of any of these prohibited activities.
2. they have been the target of false or misleading electronic messages under the Competition Act;
3. their electronic address has been obtained through data mining without their consent; or
4. their personal information has been obtained through accessing a computer system without authorization under PIPEDA.
Financial Exposure to Breaching Companies
CASL allows the court to order those who breach the Act to compensate individuals for any losses or damages suffered as a result of the breach, including for any expenses incurred. The court also has the authority to award an additional non-compensatory amount of up to $200 per violation, to a maximum of $1,000,000 per day (the “Statutory Damages”).
Since the actual losses resulting from violations of the anti-spam provisions in CASL are likely to be low in the vast majority of cases, the Statutory Damages are of particular significance because they dramatically increase the potential for material awards against offending organizations. For example, at $200 per contravention, sending 5,000 commercial electronic messages per day, in a manner that violates CASL, could lead to the maximum Statutory Damages of $1,000,000 per day.
The legislation sets out a list of prescribed factors that a court must consider in determining the appropriate amount of Statutory Damages to award, including:
1. the purpose of the order;
2. the nature and scope of the contravention;
3. history of any previous contraventions and undertakings;
4. any financial benefit the business obtained from the contravention;
5. the offender’s ability to pay the total amount ordered;
6. whether the applicant received compensation; and
7. any other relevant factor.
There remains an open question as to whether courts will be inclined to order payment of the maximum possible Statutory Damages, given that the express purpose of an order under the Statutory Damages provision of CASL is to promote compliance with the Act, and “not to punish” organizations.
Liability under the private right of action provisions may also extend to corporate officers and directors that have directed, authorized, assented to, acquiesced in or participated in the commission of the offensive conduct. The Act also permits applications to be brought against directors and officers even where the company has not itself been named.
The only statutory defence expressly provided for in CASL is due diligence. The Act provides that a person cannot be found to have committed a contravention of the relevant provisions of the Act if they exercised due diligence to prevent the breach.
The Act also imports common law defences that may justify or excuse breaches in the circumstances.
Limitation on the Private Right of Action
There are certain limitations on the ability of an individual to seek redress for alleged breaches of the Act.
An individual is not permitted to apply for relief for a breach that has already been addressed through another enforcement action under CASL.
The private right of action also has a limitation period of three years after the day on which the alleged breach became known to the applicant.
Implications and Takeaways
The private right of action under CASL could prove to be a significant basis for class action litigation and it is widely expected that its coming into force will give rise to a new surge of lawsuits. In the US, the Telephone Consumer Protection Act similarly established a private right of action for individuals who receive telephone calls, texts, or faxes that they did not consent to receive and multiple class actions have been contemplated and commenced against US businesses as a result of such legislation.
Those who are alleged to have violated CASL face significant financial exposure under the Act itself, in addition to the potential legal costs associated with defending a class action lawsuit. Given the high number of emails many businesses send out in a day, it is easy to see how damages can quickly multiply. While it is impossible to eliminate the risk of being named in a civil application under the Act, a thorough review of organizational policies and procedures to ensure that they comply with CASL is likely to reduce an organization’s financial exposure to costly damage awards. In addition, it is important to ensure that employees receive proper training on complying with CASL, and that they are periodically reminded of key principles, as breaches of the Act are often the result of human error.
Good advice for all businesses is to comply with CASL today to keep the class actions away!