As many Canadians, as well as foreign companies doing business in Canada, now know, the cornerstone of Canada’s Anti-Spam Law (CASL) is a general prohibition against sending any “commercial electronic message” without the prior express or implied consent of the recipient. A “commercial electronic message ” or “CEM” is broadly understood as any electronic message that encourages participation in a commercial activity. That’s a big deal, because one of the fundamental elements of CASL that makes it so onerous is that it is an ‘opt-in’ regime. Every other anti-spam law out there in the world provides for an ‘opt-out’ framework, meaning that senders have to implement an unsubscribe option which is identifiable, accessible and functional. But CASL requires senders to have consent first before anything can be sent, and obtaining that consent can pose a big wall to have to climb.
While express consent ought to be intuitive enough to be able to identify, CASL contains a number of instances of implied consent, any of which may be relied upon when sending a CEM. The most commonly relied upon example of implied consent is probably the permission that follows for the 2-year period after a customer purchases a product or service from you, but there are several others which your recipient may or may not comfortably fit into. In all cases, whether consent is expressly or implicitly given, you have to maintain and keep careful track of the categories of consent which your recipients fall under to ensure that they are removed from distribution lists should one of the eligible criteria expire or become unavailable.
And CASL has teeth! Statutory damages of up to $10,000,000 for corporations, or $1,000,000 for individuals. And the Canadian Radio Television Commission (or, the CRTC, which oversees and enforces CASL) has not shied from imposing significant fines on offenders in the tens and hundreds of thousands of dollars.
Oh, and did I mention the personal liability? Companies’ directors and officers can be found personally liable under certain provisions of CASL if they directed, authorized, assented to, acquiesced in or participated in the commission of a contravention of CASL!
And it was about to get worse. Until recently, Canadian businesses were planning around July 1, 2017, upon which date it was expected that the remedies available under CASL would no longer be limited to CRTC fines, but would also include a new private right of action, meaning that individuals and corporations could also sue alleged infringers of this law.
In addition to the statutory damages already mentioned, courts would also be able to order people liable under CASL to also pay to the complainants an amount equal to their actual loss or damage (if any), plus up to $200 for each violation of sending unsolicited messages up to $1,0000,000 for each day on which a violation occurred.
And those damages were to be available per violation per person! This raised alarm bells for businesses about the virtual inevitability of a new breed of class action litigation with a view towards court-ordered award against alleged violators of CASL that could be potentially in the millions of dollars.
Fortunately, the federal government of Canada heard the concerns of the business community and, on June 7, 2017 announced that the private right of action under CASL has been suspended indefinitely. Phew!
The other requirements of CASL are still very much in effect, though, so businesses around the world who have Canadians on their email distribution lists ought to take a deep dive into the composition of those lists, the nature of the electronic communications being sent to recipients and internal recording-keeping and audit practices to ensure that one, mistakenly sent mass email does not snowball into a catastrophe.
Contributed by Chad Finkelstein
Chad is a partner at the Canadian law firm of Dale & Lessman LLP and a registered trademark agent. Chad’s practice includes all areas of business law with an emphasis on franchise law, licensing and distribution. He can be reached at email@example.com.