As avid readers of our newsletter will know by now, certain provisions of Canada’s 2014 anti-spam legislation (CASL) were amended as of July 1, 2017. In brief, CASL’s three year transition rules have come to an end, and with that, changes have been made to the current implied consent rules and the granting of new rights in civil proceedings.
Readers will recall that CASL applies to all commercial electronic messages (i.e., email, text messaging and direct social media contact – CEMs) sent in contemplation of a commercial activity. One of the most important features of CASL is the requirement for Canadian and international organizations that send CEMs within or from Canada to obtain the consent of the receiver of the message before the CEM is sent. Consent can come in the form of express or implied. It is the implied consent provisions that are relevant to this article.
CASL was implemented with a three year transition period in order for businesses to establish CASL-compliant communication practices. This three year period came to an end on July 1, 2017. Before discussing the main changes that senders of CEMs need to know, a word of caution for those who think CASL has been a paper tiger. The CRTC, the Office of the Privacy Commissioner and the Competition Bureau, the government agencies mandated to monitor and enforce CASL and its Regulations, have, over the last three years, handed down significant penalties for what they have deemed infractions of the regime. For example:
- March 2015 – CompuFinder was fined $1,100,000.00 for CASL infractions as a result of CompuFinder’s practice of data-mining websites for email addresses and using the addresses to send unsolicited offers.
- June 2015 – Porter Airlines agreed to pay $150,000.00 in penalties due, in part, to elements of its CEMs that were not in compliance with CASL Regulations.
- November 2015 – Rogers Media was assessed $200,000.00, in part, because its CEMs did not include a user friendly “unsubscribe” mechanism.
- October 2016 – The CRTC found that Blackstone Learning Corp. committed nine violations of CASL by sending CEMs without consent and imposed a penalty of $50,000.00. The CRTC had originally issued a Notice of Violation to Blackstone seeking $640,000.00 in penalties.
Clearly, the CRTC and other government agencies have taken their mandate very seriously. All the more reason to be aware of changes implemented on July 1, 2017.
The transitional period provided businesses with flexibility by allowing senders of CEMs to continue to send out messages to recipients from whom they have implied consent, unless the recipient otherwise unsubscribes, and provided the content provisions of CASL had been complied with. The relationship between sender and receiver must have been created before July 1, 2014, in order to rely on the three year transitional provisions. As of July 1, 2017, senders of CEMs may now only send CEMs:
- where an exemption to CASL exists;
- to recipients who have given express consent; or
- where the new implied consent provisions are satisfied, namely:
(a) where the sender can establish they have had a business relationship with the receiver of the CEM within the last 24 months; or
(b) the receiver of the CEM has made a related inquiry within the last six months to which the sender is responding.
The largest change that was anticipated with the end of the transitional period was the creation of a private right of action under CASL, enabling private parties to sue the sender of an unsolicited CEM personally, rather than advancing a complaint to the CRTC. Additionally, the private right of action provides significant monetary remedies for parties affected by non-complying CEMs which may provide an incentive for individuals to litigate to enforce the new private rights. While each individual non-compliant CEM is limited to a $200 claim (up to a maximum of $1,000,000.00 per day), the possibility of class action lawsuits, or even corporate actions commenced on behalf of a company’s employees, makes the threat of civil liability a very real, and potentially expensive, proposition. This means that an organization could face a civil law suit by a private party for a violation of the legislation in addition to facing an administrative penalty from the CRTC for the same violation.
However, on June 7, 2017, the federal government announced that it was temporarily suspending the implementation of the private right of action. Simply put, this means that the status quo, respecting CASL enforcement, will be maintained and organizations will remain at risk of penalties from the CRTC for violations of the CASL legislation, while civil lawsuits will not be available to private parties. At this moment, we caution that it is unclear if and/or when the private right of action provision will take effect, however the prudent business will proceed on the assumption that the civil liability provisions will ultimately come on-line.
Nevertheless, July 1, 2017 marked a significant date for organizations that have been relying upon a past business relationship to imply consent when sending out CEMs in furtherance of their sales and marketing activities. As of a few weeks ago, that consent may no longer exist and senders of CEMs are strongly encouraged to ensure they are compliant with the new implied consent provisions.