Provisions of Canada's three-year-old anti-spam legislation that are set to come into effect July 1 will require senders of electronic messages meant to directly or indirectly encourage participation in a commercial activity (CEMs) to have the express consent of the recipients of those messages.
Additionally, failure to comply with Canada's anti-spam legislation will give individuals and businesses a private right of legal action to sue those who send unwanted e-mails, texts and other electronic messages without express consent or which otherwise do not comply with the statute.
After July 1, it will no longer be enough to rely on a recipient's implied consent to send them commercial electronic messages. And in addition to fines that can be imposed by the CRTC as regulator, a court will be able to award statutory damages to plaintiffs of $200 for each non-compliant CEM, up to a maximum of $1,000,000 per day.
Canada's anti-spam legislation (CASL) came into effect in July, 2014. Since that time, the sending of an unsolicited e-mail, text, instant message, Facebook message or any other commercial electronic message has had to comply with CASL. This law is extremely broad and captures all electronic messages sent or received in Canada – and may, in some cases, even capture tweets. You may think that the business e-mail or newsletter you're sending is not spam in the traditional sense, or that you're somehow exempt because you're a non-profit or a charity seeking donations, but CASL applies to you, and you face even more significant penalties for non-compliance after July 1.
As it stands now, for a CEM to be in compliance under CASL, a business or other organization must have the recipient's express or implied consent to receive the CEM; the sender must clearly identify themselves and their organization in the CEM (including the phone number, e-mail address or Web address), and there must be a way for the recipient to unsubscribe, at no cost, from the receipt of future CEMs.
Since 2014, the administrative penalties imposed by the CRTC have been significant – as much as $1-million per violation for individuals and $10-million for corporations. Rogers Communications Inc. and Kellogg Canada Inc. were assessed $200,000 and $60,000 fines respectively. And in 2015, corporate training firm Compu-Finder of Quebec was fined $1.1-million for breaching CASL.
The provisions coming into force on Canada Day will make things even tougher for anyone sending CEMs.
That's because, when CASL came into force in 2014, it provided a three-year transition period in which senders were permitted to rely on a recipient's implied consent to receive CEMs. That three-year window ostensibly gave senders time to obtain express consent from those on their mailing lists. It also gave recipients a reasonable period of time to unsubscribe.
But that window closes July 1. With limited exceptions, you shouldn't be sending that e-letter or unsolicited e-mail, and you should instruct your employees to delete anyone in your customer relationship management system that has not provided their express consent to receive CEMs.
If your electronic newsletter is inadvertently sent to 10,000 e-mail addresses without the express consent of those recipients, you have improperly identified your organization or there is no "unsubscribe" option available, you are not only inviting legal action from one recipient, you could face a class-action lawsuit by the 10,000 recipients of your unsolicited or non-compliant electronic message. And that's in addition to any fine the CRTC could impose.
Moreover, sending a false or misleading CEM, harvesting e-mail addresses or installing software on a device without consent are also breaches of CASL, giving affected individuals the right to sue.
As well, directors and officers of a company that has breached CASL can be personally liable for that breach if they approved, assented to or acquiesced to the activity that gave rise to the breach.
The risk of lawsuits by affected individuals, and indeed the possibility of class-action lawsuits that include directors and officers, is significant. It may well be that class-action lawyers, working on a contingency-fee basis, are waiting with bated breath for the day when the private right of legal action provision of CASL comes into force.
Although there is a defence of due diligence to violations of CASL, the legislation does not specify what level or type of due diligence is enough to avoid liability. Businesses and other organizations should take all reasonable steps to avoid breaching the statute. Certainly, if your organization has not done so already, you should draft and implement CASL-compliant policies and procedures and ensure that your managers, employees and contractors are adequately trained and retrained in CASL compliance. Your business might also adopt internal auditing practices and complaint-monitoring procedures. You might also review and amend third-party contracts to assess compliance and even re-evaluate your business's liability insurance, including directors' liability. CASL-compliant policies may help you take advantage of the due-diligence defence.
Given the significant consequences of non-compliance, particularly from individuals who will have the private right of legal action for breaches of CASL, businesses and other organizations should be reviewing compliance with CASL before the July 1 deadline and taking advice from their legal counsel.
Tony Wilson, Q.C., is a franchising, licensing and intellectual property lawyer at Boughton Law Corp. in Vancouver, an adjunct professor at Simon Fraser University and Thompson Rivers University Law School. His opinions do not reflect those of the Law Society of British Columbia or any other organization, and this column should not be construed as legal advice.