In May 2013, we advised that it was merely a matter of time for Canadaʼs new Anti-Spam law to come into force. Now, after much anticipation, most of the Canadian Anti-Spam Legislation and its regulations (collectively, “CASL”) is set to come into force on July 1, 2014.  Provisions of CASL related to the unsolicited installation of computer programs will come into force on January 15, 2015 and the provisions of CASL providing for a private right of action are set to come into force on July 1, 2017.

This newsletter recaps the major points about CASL and its impact on the business community. Take note of CASL and its requirements if your business markets to or communicates with customers through email or other electronic means, whether directly or through third-party service providers.

1. The Crux of CASL

CASL prohibits sending a “commercial electronic message” (CEMs) without obtaining the recipient’s prior express or implied consent. The definition of “commercial electronic message” captures many different types of electronic communication, including emails, text messages, and instant and social media messages. CASL also regulates the alteration of transmission data in an electronic message and the installation of computer programs. In both cases, transmission data cannot be altered and a computer program cannot be installed without the user’s prior express or implied consent, subject to certain exceptions. The focus of this newsletter is on CEMs.

Certain exceptions do apply where a recipient’s consent may not be required. A CEM either (i) must have been sent with the recipient’s express or implied consent, or (ii) must rely on one of the exceptions.

In addition to obtaining consent (or fitting into one of the exceptions), CEMs must set out prescribed information. Essentially, the CEM must identify the sender and the person on whose behalf the message is sent (if different from the sender), provide the sender’s contact information and provide a means for the recipient, at no cost, to unsubscribe and avoid receiving future CEMs from the sender.

2. What are the Penalties for Non-compliance?

Penalties for non-compliance can be severe. Once in force, a CASL violation could result in administrative monetary penalties of up to one million dollars ($1,000,000) per violation for an individual and up to ten million dollars ($10,000,000) per violation for a corporation. The amount of the penalty will depend on certain prescribed factors.

CASL violations by corporations could also result in directors’ and officers’ liability. Employers can also be vicariously liable for the violations of their employees. This type of liability may be avoided if the director, officer or employer can successfully establish that they exercised due diligence to prevent the commission of a violation. Once completely in force, CASL’s private right of action provisions will also expose companies to the risk of law suits for non-compliance, including class-actions.

3. Enforcement

The CRTC, Competition Bureau, Privacy Commissioner of Canada and the courts will be primarily responsible for enforcing CASL’s provisions. CASL’s reach is broad and affects many uses of electronic communication that businesses rely on every day.

4. How can your Business get ready for Compliance?

Businesses should take steps now to prepare for compliance with CASL. These should include the following:

  1. Compile and review CEMs previously sent to your customers to determine whether they contain the required information and a functioning unsubscribe mechanism
  2. Review your customer email or distribution lists to determine whether consent is required or if one of the statutory exceptions apply.
  3. Review business agreements with service providers and strategic partners to ensure appropriate compliance requirements are included.
  4. If required, obtain the express consent from your customers to receive CEMs from your business and keep a record of all consents received. Ensure your request for consent complies with CASL’s regulations.
  5. Develop a system to ensure that you keep a record of consents received from your customers.
  6. Develop or revise your internal communication policies and procedures to address CASL’s requirements.
  7. Train your employees on CASL and best practices for sending CEMs.

If you require assistance with any of the above, the members of our Privacy Law Group would be pleased to assist you.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.