Canada’s Anti-Spam Legislation or “CASL”, has been in full force and effect since July 1, 2014. Since that date, its reach and impact has continued to grow. On January 15, 2015, the sections of CASL prohibiting malware came into force. On July 1, 2017, there will be yet another significant development; the private right of action will take effect.
CASL already affects most businesses, as electronic communication and/or computer software are staple elements of running a business in the information age. Effective July 1, 2017, all businesses subject to this legislation, could face million dollar lawsuits for alleged non-compliance.
CASL regulates the installation of computer programs that have features similar to malware or spyware programs, unless the end user has given prior express consent. Essentially, it is illegal to install, or to cause to be installed, a computer program on another person’s computer system or to cause a computer program to send a message from a computer system unless you have the prior consent of the owner of the computer system, or their agent, or you are acting under a court order. It is also illegal to use computer programs to collect or “harvest” email addresses, without consent.
Complying with the anti-malware provisions is fairly straight forward, as most businesses are aware of which, if any, of their software causes programs to be installed on others’ computers. Thus, it is possible to identify the end users from whom consent must be sought.
What is less straight forward is the application of the anti-spam provisions. You do not need to be disseminating spam to be subject to CASL. If you send electronic communications about your goods and services via email, text message, or social media, your communications will likely fall under the purview of spam. Such communications are known as “commercial electronic messages” or “CEMs” and CASL imposes stringent requirements for their transmission. Although the legislation is meant to regulate the transmission of messages which advertise, promote, or include offers to sell, purchase, barter or lease, the broad wording of the legislation could catch legitimate communications to your business contacts.
The core of the compliance conditions is that the sender must clearly disclose the origin of the message and the recipient must have the option to opt out of receiving the message. More specifically, all your CEMs must meet the following requirements:
- You must have prior consent of the recipient. The consent can be either express or implied, but it can only be implied in certain specified circumstances, such as within an existing business relationship. In any case, there must be a record of the consent;
- The identity of the sender, and anyone else on whose behalf the message is being sent must be disclosed; and
- You must provide the recipient with a simple unsubscribe mechanism allowing him or her to unsubscribe via the same channel by which the original message was sent.
This applies equally to mass and individual messages.
CASL does not apply to:
- CEMs sent to persons with whom the sender has a personal relationship;
- CEMs sent within or between organizations with an existing business relationship;
- CEMs solicited or sent in response to complaints, inquiries, or requests;
- CEMs providing information about a transaction to which the recipient already consented. This includes information such as confirmation of a purchase or warranty for a product/service; and
- CEMs providing information about an existing employment relationship with the recipient.
To date, these provisions have been enforced by the Canadian Radio-television and Telecommunications Commission (“CRTC”), the Competition Bureau and the Office of the Privacy Commissioner of Canada (“Privacy Commissioner”). This enforcement has consisted of orders to do things required by CASL or refrain from doing things prohibited by it.
Private Right of Action
Starting this summer, however, anyone, whether an individual or corporation, who alleges that they are affected by an act or omission that constitutes a contravention of CASL, can bring a private right of action in court against any other individual or corporation for violating the CASL provisions. This will enable applicants to seek actual and statutory damages. One limitation on this avenue for relief is that the court will not accept applications for statutory damages against an individual or corporation who has entered into an undertaking or received a Notice of Violation in respect of the alleged contravention.
If the application succeeds, the statutory damages can be alarmingly steep. Non-compliance can cost $200 per violation, up to a maximum of $1 million a day, for each day on which the contravention occurred.
One million dollars per day. This means that a well-intentioned email or social media marketing campaign could bankrupt your business. Most businesses promote their goods and services online, and could easily run afoul of CASL. Hypothetically, a business may have opted to promote itself by sending simple messages to 10,000 social media or email users, once a month. Within six months, the business’s liability would be $12,000,000. Depending on the size of the business, this likely blows the marketing budget out of the water.
CASL stipulates that the court is to consider many factors in coming to its decision, and is not to simply apply this formula mechanically. It will consider the nature and scope of the violation, the alleged contravener’s history of violations, the ability to pay the damages, the profit that has resulted from the violation, etc. Nonetheless, it is difficult to predict how the court will weigh these factors.
Allocation of Liability
In case the dollar value of non-compliance is not daunting enough, the allocation of liability is also expansive. Directors, officers and agents can be jointly and severally liable if they directed, authorized, assented to, acquiesced in or participated in the commission of the alleged contravention by the corporation. This liability is so broad that a person may choose to forgo a lawsuit against the corporation, and sue only the controlling individuals. This is likely to have a chilling effect on board membership; people will think twice before taking on this hefty responsibility.
But wait, there’s more! Your business could be vicariously liable for the contraventions of your employees and agents, if they were acting within the scope of their authority. Once again, this liability persists even if no proceeding is started against the responsible employee or agent. In fact, they do not even have to be identified.
What does this new CASL development mean in a nutshell? Be cautious and prepare for more costs. Expect that your business will need to invest in developing and enforcing proper precautions for communicating anything about your products, services or brand. Develop appropriate policies and train your employees. The costs of a non-compliance order can be staggering. Even if no order for damages is ultimately made, the lawsuit can be costly. Best to immediately institute compliance policies that are beyond reproach because the breadth of the legislation makes it ripe for frivolous lawsuits and your business could be a target.
As noted above, it is not always clear when and how the CASL restrictions apply to you and your business. Turn your attention to your communication and software practices now, because effective July 1, 2017, they may cost you $1 million a day. If you require assistance developing the right protections, contact your legal advisors.