Canada’s Anti-Spam Law came into force on July 1, 2014. Since then, all eyes have been on the Canadian Radio-television and Telecommunications Commission (CRTC) for decisions concerning CASL violations. In the cases made public to date, monetary penalties or settlement payments have ranged from $48,000 to $1.1 million. Canadian and foreign companies have learned some things in the past two years about how CASL applies to their business, and many have taken steps to put in place policies and procedures to avoid violations.
Whatever steps you have taken to date, 2017 will be the time to revisit CASL compliance.
On July 1, 2017, the private right of action (PRA) comes into force under CASL. An individual or organization who is affected by a contravention may litigate to enforce the new private rights directly. While CASL does not expressly provide for class actions, it is broadly expected that such actions will be launched to permit large numbers of applicants (for example, the recipients of alleged spam) to pursue compensation as a group.
Where the court finds a violation, it may order not only compensation for the applicant’s damages, but also monetary payments up to the following amounts:
- for sending commercial electronic messages contrary to CASL – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred
- for altering the transmission data of a commercial electronic message – a maximum of $1 million for each day that the conduct occurred
- for installing apps or other computer programs contrary to CASL – a maximum of $1 million for each day that the conduct occurred
- for scraping, generating or otherwise accessing electronic addresses contrary to PIPEDA – a maximum of $1 million for each day that the conduct occurred
- for sending commercial electronic messages with false or misleading information, including sender, locator or subject matter information, contrary to the Competition Act – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred
When the court sets the amount to be paid, it must consider the purpose of the payment order – which “is to promote compliance…and not to punish”, the nature and scope of the violation, the history of compliance, any financial benefit or compensation from the conduct, ability to pay, and “any other relevant factor”, when setting the amount to be paid.
CASL also provides for extended liability. Directors, officers, agents or mandataries of a corporation may be liable if they directed, authorized, assented to or participated in the contravention. Where an employee’s conduct in the course of his or her employment breaches CASL, the employer may be vicariously liable.
CASL provides that where a person establishes that they exercised due diligence to prevent a violation, they cannot be found to have contravened CASL. Despite this provision, a number of well-meaning businesses have been found offside CASL’s provisions, have made significant penalty or settlement payments, and in some cases have received negative media coverage for their failure to meet CASL requirements.
In July 2017, the risk exposure will increase. Now is the time to revisit your CASL compliance.
- Discuss with your Board and Senior Management team why you need to revisit CASL in 2017.
- Make sure that you have a CASL Compliance Policy and Procedure that covers your operations, and that is easy for employees to understand and use.
- Ensure that existing and new employees have access to – and receive appropriate training in – the Policy and Procedure.
- Conduct an audit under the Compliance Policy and Procedure, including how consent is obtained and documented; whether unsubscribe requests are fulfilled quickly; whether CASL-compliant message templates are consistently used; how complaints are addressed (etc.).
- Consider whether you need to check in with service providers (to send messages or install apps or other computer programs) about their CASL compliance.
- Consider whether service provider contracts include the appropriate clauses to address CASL compliance, liability, and indemnification.
Lessons Learned: E-Learning Company Faces $50K Spam Fine
CRTC Enforcement Advisory – Records to Show Consent
Privacy Law and Anti-Spam – Guidance from the Office of the Privacy Commissioner
Canada’s Anti-Spam Law: Not just for Canadians
CASL Applies to Software January 15 2015
New CASL Compliance and Enforcement Guidelines