Not just any Canada Day – Important CASL changes in effect on July 1, 2017

Canada's Anti-Spam Law

Data Protection, Privacy and Security Alert

Canada’s anti-spam law (CASL) came into effect on July 1, 2014. Almost three years later, Canadian businesses and their lawyers are still grappling with CASL compliance issues and trying to understand how CASL’s broad and often unclear provisions apply in practice. And, on July 1, 2017, two new things happen under CASL.

Basis of implied consent to narrow when transition period ends

When CASL came into force in 2014, it included a 3-year transition period that allowed organizations to rely on deemed implied consent for sending commercial electronic messages (CEMs) in certain circumstances. If an organization had, as of July 1, 2014, an existing business or non-business relationship (as defined in CASL) with a person, and that relationship included the sending of CEMs, then the organization was deemed to have implied consent to send CEMs to that person for three years or until the person opted out. This transition period was meant to give organizations the chance to adapt to CASL and upgrade to express consents where possible.

That transition period, and the implied consent, expire on July 1, 2017. This means that organizations can no longer rely on this implied consent, and will have to remove recipients from their mailing lists by July 1, 2017 unless: (a) the organization obtained express consent from the recipient during the transition period; or (b) another exception such as implied consent under an existing business relationship has arisen during the transition period and hasn’t expired (and the recipient has not opted out).

CASL states that an organization sending CEMs has the onus of proving that it has the necessary consent (or that an exception properly applies) for each CEM that it sends. And the formal CASL enforcements to date demonstrate that CASL regulators are more than willing to find against an organization that cannot show a valid basis for sending CEMs.

Many organizations undertook careful pre-CASL preparations in 2014 to evaluate their commercial electronic communications and their recipient lists. If you did so, now is a good time to revisit those preparations and to confirm whether your organization is still sending CEMs in reliance on implied consent under CASL’s transition provisions. If it is, then before July 1, 2017 you should obtain express consent from those recipients or confirm whether there is another basis on which you can send CEMs.

CASL litigation expected to rise when private right of action comes in effect

CASL’s private right of action comes into effect on July 1, 2017, and many lawyers and commentators expect a flurry of CASL litigation (including perhaps class actions) to follow quickly.

CASL creates a statutory cause of action under which persons who allege that they are affected by a CASL breach can apply to court for an order against the alleged violator. Available remedies include compensation in an amount equal to the actual loss or damage suffered or expenses incurred, and additional amounts for different CASL violations (each with a maximum amount). For example, the court can award statutory damages of $200 per day for each breach of section 6 (the CEM obligations), not exceeding $1 million for each day on which a breach occurred.

As well, CASL imposes personal liability on officers, directors, agents and mandataries of a corporation that violates CASL if they directed, authorized, assented to, acquiesced in or participated in the violation, regardless of whether the corporation is proceeded against. Therefore any private right of action might well be brought against directors and officers, etc., personally.

The private right of action contains a limitation clause that says unless a court holds otherwise, no one can bring an application later than three years after the day on which the applicant first knew of the CASL violation in question. However, it is not entirely clear whether that provision is completely prospective, such that any violations before July 1, 2017 cannot be the basis for a private action, or whether as of July 1, 2017 organizations can be sued for violations that occurred before July 1, 2017. CASL regulators have indicated that they interpret the provision as entirely prospective, and that violations before July 1, 2017 cannot found a claim. However, it is not clear whether a court would take the same view.

CASL contains a due diligence defence that states that a person must not be liable for a violation if they establish that they “exercised due diligence” to prevent the violation. CASL does not set out what due diligence is sufficient, but CASL enforcements to date give some indication of what is required. Several organizations have entered into voluntary undertakings that require, among other things, implementing written policies and procedures regarding CASL compliance, implementing training programs for employees, tracking complaints and subsequent resolutions, and implementing monitoring and auditing mechanisms to assess and track CASL compliance.

The private right of action increases the potential downside of CASL non-compliance, as violations could result in legal claims (and the resulting reputational risk and costs of time and money) even if those violations have not caught the regulators’ attention. This is another good reason to revisit your CASL compliance measures before July 1, 2017.

Authors