Commencing July 1, 2017, CASL contraventions will be subject to enforcement through private litigation, including class proceedings, by individuals and organizations seeking compensatory damages and potentially substantial statutory damages. Organizations should take steps now to verify their CASL compliance and mitigate the risks of CASL regulatory enforcement and private litigation.
CASL - Overview
CASL creates a comprehensive regime of offences, enforcement mechanisms and potentially severe penalties (including liability for employers and corporate directors and officers) designed to prohibit unsolicited or misleading commercial electronic messages, the unauthorized commercial installation and use of computer programs on another person's computer system and other forms of online fraud (such as identity theft and phishing).
For most organizations, the key parts of CASL are the rules for sending commercial electronic messages ("CEMs"). Subject to important but limited exceptions, CASL creates an opt-in regime that prohibits the sending of a CEM unless: (1) the recipient has given consent (express or implied in limited circumstances) to receive the CEM; (2) the CEM complies with prescribed formalities (including information disclosure and an effective and promptly implemented unsubscribe mechanism); and (3) the CEM is not misleading in any respect (including in the sender information, subject matter information and body of the message). An organization that sends a CEM has the onus of proving that the recipient consented to receive the CEM.
Subject to important but limited exceptions, a CEM is any kind of electronic message (e.g. email, text messages and social media private messages) sent to an electronic address if one of the message's purposes (not limited to the sole or primary purpose) is to encourage the recipient to participate in a commercial activity (e.g. a transaction, act or conduct of a commercial character), regardless of expectation of profit. In addition, an electronic message sent to request consent to receive CEMs is deemed a CEM. Subject to important but limited exceptions, the CEM rules apply to a CEM if a computer system in Canada is used to send or access the CEM, regardless of the location of the sender or recipient. The CEM rules apply even if a CEM is sent to a single recipient.
An organization is liable for CASL contraventions by the organization's employees and agents (including independent service providers engaged by the organization to send CEMs on the organization's behalf) acting within the scope of their employment or authority. A corporate director or officer is liable for the corporation's CASL contraventions if the director or officer "directed, authorized, assented to, acquiesced in or participated in" the commission of the contravention. However, organizations and individuals may avoid liability for CASL contraventions if they establish that they exercised due diligence to prevent the commission of the contravention.
Contravention of CASL's CEM rules can result in: (1) potentially severe administrative monetary penalties (up to $10 million per violation for an organization and $1 million per violation for an individual) in regulatory proceedings; and (2) commencing July 1, 2017, potential civil liability for compensatory damages and potentially substantial statutory (non-compensatory) damages in private litigation (including class proceedings) brought by a person affected by the contravention.
The Canadian Radio-television and Telecommunications Commission ("CRTC") has regulatory and enforcement authority for CASL's CEM rules, and broad enforcement powers for that purpose. Since CASL came into effect on July 1, 2014, the CRTC has taken enforcement action against organizations and individuals who have violated CASL's CEM rules, including by sending CEMs without consent, without required information disclosure or without a required or properly functioning unsubscribe mechanism, and by failing to honour unsubscribe requests within 10 business days. The CRTC has issued enforcement decisions and accepted voluntary undertakings (settlements) imposing administrative monetary penalties ranging from $15,000 to $1.1 million. For more information, see BLG bulletins CASL – Year in Review 2016 and CASL – Year in Review 2015.
Commencing July 1, 2017, any individual or organization affected by a CASL contravention (e.g. the sending of a CEM without consent or required information disclosure or formalities) may sue the persons who committed the contravention or are otherwise liable for the contravention and seek: (1) compensation for actual loss, damage and expense suffered or incurred by the applicant; and (2) statutory (non-compensatory) damages.
Statutory damages for a contravention of CASL's CEM rules are subject to a maximum of $200 for each contravention, not exceeding $1,000,000 for each day on which the contravention occurred. CASL requires a court to consider all relevant circumstances when determining the appropriate amount of statutory damages to be imposed on a respondent, including the purpose of the statutory damages award (i.e. to promote CASL compliance), the nature and scope of the CASL contravention, the respondent's history with previous CASL contraventions and enforcement actions, the respondent's financial benefit from the CASL contravention, the respondent's ability to pay the award and whether the applicant has received compensation in connection with the CASL contravention.
The private right of action is in addition to regulatory enforcement, and a CASL contravention might be subject to both regulatory enforcement and private litigation. However, there are limiting rules that apply to claims for statutory damages. In particular, CASL provides that: (1) a court may not award statutory damages against a person for a CASL contravention after a regulator has issued a notice of violation against the person for the contravention or the person has entered into a voluntary undertaking (settlement) with a regulator for the contravention; and (2) if a court determines that it may consider a claim for statutory damages against a person for a CASL contravention, then a regulator may not issue a notice of violation against the person for the contravention and the person may not enter into a voluntary undertaking (settlement) with a regulator for the contravention.
Class Proceedings
CASL's private right of action will likely be invoked to support class proceedings seeking compensation and statutory damages on behalf of large groups of persons affected by unlawful CEM campaigns. Class proceedings for CASL contraventions will be required to comply with existing procedures for class proceedings, which require that a proposed class proceeding be certified by a court before it can proceed. There are various requirements for certification of a proposed class proceeding, which usually include a judicial determination that: (1) the claims of the proposed class members raise common issues; (2) the proposed class proceeding is the preferable procedure for the resolution of the common issues; and (3) the applicant will fairly and adequately represent the interests of the proposed class members.
Preparing for July 1, 2017
There are a number of steps that organizations can take, both before and after July 1, 2017, to enhance their CASL compliance and mitigate the risks of CASL litigation and regulatory enforcement. For example:
- CASL Compliance Program: An organization should review and update/improve its CASL compliance program to reduce the likelihood of CASL contraventions, and to help establish a due diligence defence and mitigate potential regulatory penalties and statutory damages if a CASL contravention occurs. The CRTC's Compliance and Enforcement Information Bulletin CRTC 2014-326 Guidelines to help businesses develop corporate compliance programs (2014-06-19) provides helpful guidance regarding CASL compliance programs. Additional guidance may be found in decisions issued in CASL enforcement proceedings and in related compliance undertakings. For more information, see BLG bulletin CASL Compliance Programs Preparing for Litigation.
- Due Diligence Documentation: An organization should create and maintain a comprehensive and detailed record of all CASL compliance efforts by the organization and its directors and officers (including documented periodic reports to directors and officers) that may be used to establish a credible due diligence defence to liability for CASL contraventions. The documents should be reliable and otherwise admissible into evidence in legal and regulatory proceedings.
- Complaint/Litigation Response Team: An organization should establish a written plan, and designate an appropriate team of internal personnel and external advisors (including legal counsel and public relations consultants), for responding to CASL complaints, private litigation and regulatory enforcement. The plan should include appropriate checklists and guidelines for: (1) internal and external communications and reporting; (2) establishing and maintaining legal privilege for legal advice and litigation-related communications; (3) giving notice to insurers; and (4) determining whether the organization should attempt to negotiate a voluntary undertaking with the appropriate regulator before the CASL contravention is subject to private litigation.
Organizations should be mindful that Canadian privacy laws regulate the collection, use and disclosure of certain kinds of personal information to send CEMs. Accordingly, organizations should ensure that their marketing activities regarding CEMs comply with both CASL and applicable privacy laws.