In an order dated June 2, 2017, the Canadian government indefinitely suspended a key provision in Canada’s anti-spam legislation (CASL), which was set to take effect on July 1, 2017. While CASL initially came into force in July 2014, the final set of provisions to take effect would have afforded individuals the right to file private causes of action for alleged violations of CASL, in addition to the administrative penalties. Although businesses may sigh in relief from this undefined period of reprieve, now is a good time to review whether your organization is compliant with CASL’s obligations. As noted above, government entities already have the power to enforce CASL regulations and the potential administrative penalties of up to $10 million for companies are steep.
Organizations that do not have operations in Canada be aware. Non-Canadian organizations and even businesses without operations in Canada may incorrectly assume that they are not subject to CASL’s requirements – however, that is not the case. The scope of CASL’s application is broad. CASL applies to commercial electronic messages (CEMs) sent from, routed to, or accessed from a device in Canada. Thus, it is equally important to understand where the recipients of your CEMs are located. Further, in contrast to the U.S. analogue anti-spam statute, CAN-SPAM, which generally applies to commercial email messages only, under CASL, CEMs include text, sound, voice, image, email, and in some cases, social media content.
If your organization is already satisfying CASL’s obligations, be sure that well-documented records are being kept to demonstrate to regulators, if necessary, that your organization has complied with express and implied consent requirements. Such records may include email correspondence and logs from the unsubscribe function.
There are several nuanced distinctions between CASL and the CAN-SPAM Act. The chart below provides a general overview of some of the differences in the key provisions of the legislation. For more information, contact your Foley relationship attorney or the Privacy, Security & Information Management team.