Canada’s Anti-Spam Legislation (CASL) establishes a highly restrictive regime for the sending of marketing and promotional emails and texts (commercial electronic messages or CEMs). Since the CEM provisions of the Act came into force on July 1, 2014, the regulatory enforcement body (the CRTC) has vigorously enforced the law and imposed significant penalties for non-compliance.
The risks associated with CASL enforcement will become even higher as of July 1, 2017, when the provisions of the law enabling a statutory private right of action come into force. The private right of action (PRA) will allow private individuals and organizations to seek significant damages from businesses that violate the key provisions of CASL.
Now is the time for organizations that send CEMs to review their CASL compliance to ensure that their corporate compliance program is adequate to establish a due diligence defence against an allegation of non-compliance. The CRTC has recently issued additional guidance on the appropriate elements of a compliance program with particular focus on organizational policies and procedures as well as record keeping.
CASL – Overview of the Law
The provisions of CASL relating to the sending of CEMs came into force on July 1, 2014. The CEM provisions (reflected in section 6 of the Act) are built around two key pillars: the requirement to obtain consent prior to sending a CEM to a recipient, and the requirement to ensure that the CEM contains prescribed information and an unsubscribe mechanism that functions in a particular way.
The term CEM is defined broadly to capture virtually all emails, texts or other electronic messages that are sent to an electronic address and which seek to promote commercial activity. Express consent to send CEMs must be obtained in a prescribed format and the onus is on the sender of the CEM to prove that express consent was properly obtained.
While organizations can rely on particular categories of implied consent in order to send CEMs, these categories are strictly defined and to date have been narrowly interpreted by the CRTC. In addition, in the context of recent enforcement actions, the CRTC has prescribed onerous record keeping requirements on organizations that seek to rely on implied consent.
Other provisions of CASL impose distinct obligations. Section 7 prohibits, in the course of a commercial activity, the altering of the transmission of an electronic message so that it is delivered to a different destination without express consent. Section 8, in force since July 1, 2015, prohibits the installation of computer programs to another person’s computing device in the course of commercial activity without the express consent of the device owner or an authorized user.
CASL provides for significant statutory penalties in the event of a contravention of the obligations set out in the law. The maximum amount of an administrative monetary penalty, per violation, for an individual is $1 million, and for a business it is $10 million. To date, the CRTC has imposed fines as high as $1.1 million for non-compliance.
The Private Right of Action – Section 47(1) Applications
On July 1, 2017, sections 47 to 51 and 55 of CASL will come into force and will establish a private right of action pursuant to which individuals and organizations may apply to a court to obtain damages from organizations and individuals who have contravened the law.
Section 47(1) establishes the PRA by providing that “a person” – defined by the Act to include individuals, partnerships, corporations, organizations, and associations – alleging that they were affected by a violation of sections 6 to 9 may apply to a court of competent jurisdiction for an order against those persons who allegedly committed the violation.
The effect of section 47(1) is to allow private actors, and not just the public bodies charged with enforcing the Act, to seek redress for prohibited conduct.
Applications under section 47(1) are subject to a three-year limitation period and must be accompanied by an affidavit identifying the relevant particulars of the violation and outlining any losses claimed by the applicant. The application for an order must be served on both those against whom an order is sought and the relevant public bodies.
Section 51(1) of CASL sets out the penalties that may be imposed by a court if it is satisfied that the violations alleged in the section 47(1) order have occurred. Under section 51(1)(a), the court may order that the respondent pay compensation in an amount equal to the actual loss, damage suffered, or expenses incurred by the applicant. In addition, and perhaps more significantly, under section 51(1)(b), the court may order that the respondent pay the applicant the following amounts in non-compensatory (i.e. statutory) damages:
- For a contravention of section 6: $200.00 for each contravention, not exceeding $1,000,000.00 for each day on which a contravention occurred;
- For a contravention of section 7 or 8, $1,000,000.00 for each day on which a contravention occurred;
- As a general rule, for a contravention of section 9: $1,000,000.00 for each day on which a contravention occurred.
The Act also exposes senior corporate officials to these large monetary penalties. Section 52 of the Act makes officers, directors, agents, and mandataries of corporations liable for contraventions of sections 6 to 9, if they directed, authorized, assented to, acquiesced in or participated in the commission of the contravention, whether or not the corporation is proceeded against. Under section 55 of CASL, where more than one person is determined to have contravened the act on a section 47(1) application, all of those persons are jointly and severally liable for the payment of the amounts ordered by the court under section 51(1).
The penalties are potentially very significant. While the language of CASL that allows for imposition of the penalties is permissive (versus mandatory) and CASL expressly states that the purpose is not to punish but rather to promote compliance, it remains to be seen how harshly the penalties will be applied. To date, the already onerous law has been interpreted restrictively by the regulatory enforcement body, significant penalties have been applied against organizations that send promotional and marketing emails in the normal course of business (as opposed to sending what might be commonly considered to be “spam”), and even those organizations that have fully cooperated with the CRTC in its investigation have been penalized.
The Availability of a Due Diligence Defence
It is important to recognize that section 54(1) of CASL allows for a due diligence defence – more specifically, a person must not be found to have contravened the relevant sections of CASL where they establish that they exercised due diligence to prevent the contravention or conduct in question. The statutory recognition of a “due diligence defence” provides an opportunity for businesses who, at first blush, may have contravened the Act, to show that they took reasonable steps to avoid the violations.
The CRTC recently has identified several measures that can be taken by organizations that may aid in the establishment of a defence under section 54(1). Among other things, the CRTC suggests that senders of commercial electronic messages maintain the following:
- written policies and procedures regarding CASL compliance;
- the documented methods through which consent was collected;
- all evidence of express and implied consent (e.g. audio recordings, copies of signed consent forms, completed electronic forms) from consumers who agree to receive CEMs;
- all unsubscribe requests and resulting actions.
The above recommendations provide a starting point for the measures that should be taken by organizations to ensure compliance and to place themselves in an appropriate position to present a viable due diligence defence to a PRA.
As July 1, 2017 approaches, Canadian businesses should ask themselves whether they are ready for the impending PRA regime. Is an appropriate written compliance program (i.e. policies and procedures) in place? Is adherence to the compliance program monitored and audited? Are records of both express consent and implied consent adequate to prove compliance? Are unsubscribe requests implemented and tracked? Are employees appropriately trained on what is required by the law?
The ability to respond to the above questions in the affirmative has become increasingly essential to mitigate against enforcement risk as implementation of this final phase of the law becomes imminent.