UPDATE – the federal government has since announced it is "suspending the implementation" of the private right of action. For more, click here.
Canada turns 150 on July 1, 2017. That date also marks a milestone for Canada's Anti-Spam Law (CASL) - while few may be blowing out the candles for CASL's third birthday, two important milestones under that law will take effect on Canada Day.
First, the transition period for implied consent arising from an existing business relationship or an existing non-business relationship will come to an end.
Second, the private right of action will be available for contraventions of CASL's anti-spam provisions, as well as its computer spyware prohibitions, the rules against email harvesting found in the Personal Information Protection and Electronic Documents Act (PIPEDA) and the misleading electronic message offences under the Competition Act.
Keep reading for more information about what each of the milestones mean, and what you should be doing before and after July 1, because of them.
End of CASL's implied consent provisions for commercial electronic messages (CEMs)
Let's start with a recap of a few key principles under CASL. Under CASL, anyone who wants to send a CEM needs the recipient's consent, unless a specific exemption applies (these exemptions may either obviate the need for consent or exempt the CEM from CASL altogether).
If consent is necessary, CASL recognizes it may be express or implied. In some circumstances, consent is implied because the recipient has placed her or his email address on a website or a business card, without an accompanying "no spam" statement. In other circumstances, implied consent arises because of the nature of the relationship between the sender and the recipient. In particular, if the sender and the recipient have an existing business relationship or an existing non-business relationship, then consent is implied on the basis of that relationship.
An existing business relationship essentially arises if the sender and the recipient have done business with each other, while an existing-non business relationship arises between clubs, associations, or voluntary organizations and their members, or people who volunteer for these organizations. These two relationships are time-limited in nature. In order for consent to be implied, a sender must have either an active business or non-business relationship with a recipient, or have had that relationship expire within the last two years. This means that a sender which has sold a product to a recipient can imply consent to send that recipient CEMs for up to two years after the date of the sale (subject to that consent being withdrawn by an unsubscribe request).
However, CASL's introduction included a special one-time transition period which was intended to ease the burden on businesses. This transition period applies to the existing business and non-business relationship implied consent provisions. As indicated above, the general rule is that a sender has two years after the business or non-business relationship with a recipient ceases, during which implied consent continues to be implied. The effect of the transition period is that, if the sender:
a) had an existing business or existing non-business relationship with the recipient, before July 1, 2014; and
b) that business or non-business relationship involved the sending of at least one CEM between the sender and the recipient,
then, the sender would have implied consent to send CEMs to the recipient for three years. This is advantageous not only because the expiry period for implied consent is longer, but also because as long as the sender could prove there was a business or non-business relationship at some point in the past which involved the sending of CEMs (whenever that was), then consent would be implied.
On July 1, 2017, this block of transitional implied consents will expire. After that time, a business will need to prove its relationship with the recipient ended within the last two years.
CASL's private right of action
Currently, CASL violations are prosecuted primarily by the Canadian Radio-television and Telecommunications Commission (CRTC), and in limited cases, the Office of the Privacy Commissioner of Canada and the Competition Bureau.
The CRTC can levy administrative monetary penalties (AMPs) for non-compliance with CASL. To date, the largest AMP has been $1.1 million, but most are $100,000 or smaller. In addition, the practical fact is that the CRTC's resources are necessarily limited and therefore it can only prosecute so many people.
That will all change after July 1. From that date onward, any person who is a victim of a CASL violation can bring a lawsuit (as noted above, this includes sending of CEMs in contravention of CASL, installing spyware, scraping email addresses without consent and sending misleading electronic messages). Plaintiffs can sue for up to $200 for each violation of CASL's anti-spam provisions, to a maximum of $1 million per day on which the breach occurred. Damages can also be awarded to compensate provable harm or losses arising from the contravention.
For businesses, the most significant aspect of the private right of action is that it lends itself to class action lawsuits. So instead of the CRTC prosecuting individual CASL violations, offenders are now facing the prospect of being targeted by class action lawyers.
Practical steps your business can and should be taking
If you haven't already, carefully analyze your consent databases, and identify recipients who are subject to the implied consent transition period. Before that transition period ends, consider taking the opportunity to obtain express consent from these recipients. Express consent is not time limited and is thus easier to administer on a go-forward basis. In addition, CASL deems an electronic request for consent to be a CEM, in and of itself. Therefore, you might take the opportunity to get consent, while you can still rely on implied consent to send that message.
With the looming coming into force of the private right of action, now is the time to ensure your CASL record-keeping house is in order. CASL does include a due diligence defence, but guidance material published by the CRTC indicates an organization must establish clear CASL procedures, in order to avail itself of that defence.
Does your business have directors' and officers' insurance? If it does, carefully review the policy and determine whether damages arising from a private right of action lawsuit are excluded by the coverage. Consider also that directors and officers can be personally liable for the corporation's offences under CASL, if they directed or permitted the offence to occur. This is another reason to implement strong corporate CASL compliance procedures.
Note also that the commencement of prosecution by the CRTC precludes a private right of action from being brought in respect of the same CASL violation, and vice versa. Therefore, a business which discovers it is non-compliant with CASL might consider whether self-reporting to the CRTC and entering into a compliance agreement is preferable to risking exposure to a potential class action lawsuit. In each case, the risks and benefits will merit close consideration.
Finally, it's important to keep in mind what is not changing on July 1. The end of the implied consent transition period applies to the existing business and non-business relationship provisions, only. It does not affect implied consent which has arisen under other circumstances, nor does it preclude a business from continuing to rely on existing express consent, or any of CASL's exemptions to the requirement to obtain consent.
Andrew Buck has a business law practice, with a focus on electronic commerce issues. As part of that practice, he provides guidance about CASL compliance. Andrew is also a member of the Canadian Bar Association's National Access and Privacy Law Section, which has had an active role in advocating with respect to the implementation of CASL.