​Canada's Anti-Spam Law ("CASL") came into effect on July 1, 2014. Of key importance for financial institutions is CASL's regime of rules and enforcement mechanisms intended to prohibit unsolicited or misleading commercial electronic messages ("CEMs"), violations of which will soon be enforceable by way of private litigation.

A CEM is any kind of electronic message (for instance, an e-mail, text message or social media message) sent to an electronic address if one of the message's purposes is to encourage the recipient to participate in a commercial activity. While there are certain limited exceptions, the CEM rules apply to a CEM if the computer system sending or accessing the CEM is in Canada, regardless of where the sender or recipient is located. The CEM rules apply even if a CEM is sent to a single recipient.

CASL creates an opt-in regime for CEMs which prohibits the sending of a CEM unless (1) the recipient has given their consent to receive the CEM; (2) the CEM complies with certain prescribed formalities (including an unsubscribe mechanism); and (3) the CEM is not misleading in any respect.

An organization is liable for the CASL violations of its employees and agents, and corporate directors and officers will also be liable for CASL contraventions if the director or officer directed, authorized, assented to, acquiesced in or participated in the commission of the contravention. However, a due diligence defence is available to individuals or organizations for CASL violations if they can establish they exercised due diligence to prevent the commission of the contravention.

While the Canadian Radio-television and Telecommunications Commission ("CRTC") has regulatory and enforcement powers in respect of violations of CASL's CEM rules (pursuant to which it has already issued enforcement decisions and imposed administrative penalties up to $1.1 million dollars), effective July 1, 2017, private litigants affected by a CASL contravention (including the sending of a CEM without consent or in the absence of the proper formal requirements) may sue for compensatory and statutory damages. Statutory damages for a CASL violation are subject to a maximum of $200 for each contravention, not exceeding $1 million for each day on which the contravention occurred. While CASL's private right of action is in addition to the CRTC's regulatory enforcement powers, certain rules apply to limit overlap between these proceedings and claims for statutory damages.

Financial institutions should be aware of the potential for private litigation for CASL violations, and given that CEMs are often distributed broadly, should also note that CASL's private right of action will likely be invoked in support of class actions. To mitigate their exposure, financial institutions should review and update their CASL compliance regime. They should also maintain detailed records of their CASL compliance efforts to assist in establishing a due diligence defence in the event of legal or regulatory proceedings.