CASL PART 2: Questions, Answers, and Other Important CASL Facts
By Adam Dwek
This article is Part two of a six part series on Canada’s New Anti-Spam Legislation (CASL). Part 1 looked at the basic framework of the legislation, and how to assess what Commercial Electronic Messages you and your business could send.
This article looks at some of the finer nuances of CASL and provides some examples of how CASL will affect businesses.
As covered in the previous article, Canada’s New Anti-Spam Legislation (CASL) starts to come into effect July 1st, 2014. The legislation, collectively called CASL, includes the new law “An Act to promote the efficiency and adaptability of the Canadian economy by regulation certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act” (the “Act”) it’s regulations, as well as amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and the Competition Act. Its purpose is to regulate how commercial goods and services are marketed electronically to Canadians. This includes the regulation of electronic messages that have a commercial purpose, as well as the installation, upgrading and updating of computer programs, and the alteration of electronic messages and electronic data.
As its standard practice, CASL takes a shoot first with a shotgun, and ask questions later approach. Just about every business is going to find the new laws unduly harsh and restrictive. For example, leaving your company’s tagline in your email signature is enough to characterize just about any email you send as having a commercial purpose, making the message either outright prohibited, or subject to strict rules as to form and content. The result is that a lot of well-meaning, harmless, and even desired commercial and non-commercial messages will be prohibited. And the consequences for violating CASL may be severe. Businesses and persons sending messages that do not comply with CASL face fines of up to $1,000,000 and $10,000,000 respectively, and further private action from the recipient of said messages. The damages claimable under the private right of action are up to a million a day.
Despite concerns from numerous organizations, lawyers, and even those responsible for drafting CASL itself, the government has failed to amend the legislation in important ways. Just about every business out there is going to run afoul of CASL. It’s too broad. It’s too complex. Ideally your business will be fully CASL compliant, but this may not be realistic. At the very least your business should be be aware of, and avoid, any serious breaches. This means having CASL compliance policies in place, a bit of employee education, and if necessary, tracking consents.
We expect that the government agencies responsible for enforcing CASL will be forgiving of innocent and minor breaches, at least for some time. But if your business outright ignores CASL, or recklessly disregards it, know there may be serious financial and other repercussions. For example, if your business does not properly obtain and track consents, and is investigated for CASL violations, you may just get a warning and no fine, but you will also be prohibited from using your mailing list entirely, because you haven’t kept track of and cannot prove which email addresses you have valid consents for.
This article is Part two of a six part series on Canada’s New Anti-Spam Legislation (CASL). It looks at some of the finer nuances of CASL and provides some real life examples of how CASL will affect businesses.
Sending Commercial Electronic Messages (CEMs) Internationally –Does CASL Apply?
CASL applies to all CEMs that are sent or received in Canada. However, as an exception to his general rule, it is ok to send a CEM to someone if you have a reasonable belief that the CEM will be accessed in another country that has its own laws regulating CEMs. So if you know someone is going to be in Iceland next week, send your CEMs to them then (and pray the Icelandic Government doesn’t come after you). A list of the foreign states to which this exemption applies be can found in the regulations here. Note that these countries have their own anti-spam laws to which the message must conform.
My Business is Located Outside of Canada – Does CASL apply to me?
For senders outside of Canada, their CEMs accessed by persons (including organizations) in Canada are still subject to the same general rules prohibiting CEMs, but as for enforcement, that’s another story. The agencies responsible for enforcing CASL will have a significantly harder time going after those located abroad, and all but the most egregious CASL offenders are most likely safe for now.
What About Using a Third-Party Located Outside of Canada to Send My CEMs?
At this point you might be thinking, “Ok, I’ll just hire a company located outside Canada to send my CEMs to those in Canada for me”. Not a good idea! Under CASL you are still liable for messages authorized by you or sent on your behalf. You also attract liability for aiding and inducing the sending of electronic messages in contravention of CASL. And when it comes to enforcement, the Commission will undoubtedly be going after you; the easy, low hanging fruit; and not your international partner.
It is possible your business may have a third-party located abroad continue to market with CEMs on your company’s behalf to others outside of Canada. CASL technically only applies to CEMs sent or received in Canada. That said, it is arguable that CEMs sent on behalf of a person (including a business) located in Canada, are being sent from Canada, in which case CASL would apply. And remember, many other countries have their own anti-spam laws which must be considered.
Business Bear the Onus of Proving Consent
Remember, your business bears the onus of showing express or implied consent on the party sending the message. If your business relies at all on electronic messages, in any capacity, it needs to have a system in place to manage the consents it has as it may be required to prove not just that it had consent, but that such consents were obtained validly and covered the purpose for which the CEM was sent. CASL has very specific requirements as to what information must be provided to a person at the time consent is obtained. This is especially true for those that market directly to consumers, or provide software programs that may need to be updated or upgraded down the line.
CASL obligations are not a one-time fix. Business need to continuously re-evaluate their CASL policies, the messages they are sending, and how they are obtaining and managing consent information.
Business Liable for Violations by Employees and Agents
Your company is liable for violations committed by its employees acting within the scope of their employment.
Business are similarly liable for the violations committed by its agents. Business should ensure that any marketing companies they contract with are CASL compliant, and may wish to get such assurances in writing. This may pose a serious issue for companies that rely on United States based messaging services that cater primarily to messages sent within the country.
Depending on the size of the contract, businesses may wish to protect themselves even more, with an indemnity provisions and appropriate representations, and warranties.
My Business Violated CASL – Can I Be Personally Liable?
Personally liability can attach to anyone – directors, officers, employees, agents – that directed, authorized, assented to, acquiesced in, or participated in the commission of a violation. For an individual the maximum fine is $1,000,000, and this does not include money you may be liable for as a result of a private action brought for the violation. If you are in anyway responsible for the electronic messages your company sends out, especially to the public (read: not other businesses) make sure your business is CASL compliant. More caution is needed for those that work in, or with, marketing, and for those that work for a company that provides computer software or updates/upgrades.
Do Your Due Diligence!
While some CASL violations will undoubtedly occur in the next few months, if you are in anyway responsible for sending out CEMs, or overseeing employees who may send CEMs, do your due diligence, and document it. Insist, in writing, that your business adopt policies to be and stay CASL compliant. Showing you made a sincere and informed effort to prevent any violations will go a long way to protecting you from personal liability for violations made by your company. Just as important, such due diligence, if done properly, protects your company from its employees’ violations.
When Multiple Parties (Affiliates) Send a Message, Who’s Information Must Be Included?
As discussed in the previous article, CEMs must include identifying and contact information (the “identifying information”) of the person sending the message or on whose behalf the message is sent.
Now let’s say Best Buy sends its customers an email about a promotion it has for Kitchen-Aid Fridges. Must the CEM include the identifying information of both Best Buy and Kitchen-Aid? What about if the message was sent out by a marketing company on behalf of both of them? Would it have to include the identifying information of the marketing company? And what if the consent to send this promotion was obtained from a fourth company? What should the message look like?
According to Industry Canada’s Regulatory Impact Statement, only persons playing a material role in the content of the message or in providing the recipient’s contact information are required to be identified as “senders” in the message. That is not very helpful. In general, any parties that were responsible for obtaining the contact information of the recipient, the content of the message, or for sending the message should be identified. RIAS also permits that when multiple parties are involved, and the amount of contact and identifying information becomes excessive, such information may be “included” in the message by way of a hyperlink to a page on the World Wide Web containing such information. But the actual sender’s information should always be included. In the above example, the best solution would be to have the contact and identifying information of the marketing company sending the information in the actual message, followed by a hyperlink that contained the identifying and contact information for the other parties. Kitchen-Aid is the only party that may possibly be excluded.
I’m Buying a Business – Do Implied and Express Consents Obtained by the Business Transfer?
When purchasing a business the consents obtained by that business may transfer to the new owner depending on how the acquisition is structured. Part 4 of this series deals specifically with CASL issues in the context of buying and selling a business.
CASL is going to have a tremendous impact on most businesses and is expected to change the electronic commercial landscape. Businesses and those who work with them need to stay on top of it or risk serious consequences. If you haven’t already done so, now is the time to take the necessary steps to implement CASL compliance policies and ensure you and your business is following the law.
References and Footnotes
- An Act to promote the efficiency and adaptability of the Canadian economy by regulation certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (the “Act”), Sections 20(4), 47 ↩
- Regulation 81000-2-175 (SOR/DORS) ↩
- The Act, Section 9. ↩
- The Act, Section 32 ↩
- The Act, Section 31 and 51. ↩
- The Act, Section 33 ↩