Your employee is on Facebook over her lunch break, when she notices that her friend's brother is the President of a start-up that could likely use your company's services. She retrieves his email address from Facebook and sends him an email from her company email account, looking to arrange a coffee meeting to catch up and perhaps talk business.
- Before July 1st of this year, this was an admirable employee attempting to expand the company's business and following up on a promising lead.
- Today, she has exposed your company to risk of prosecution, hefty fines (up to $10,000,000 – no, that's not a typo), and soon the spectre of civil litigation.
What troubles us and our clients is that this is not an obscure scenario plucked from a law school exam. Rather, it is one of many practical vulnerabilities facing Canadian employers since the coming into force of the new Canadian Anti-Spam Legislation (CASL).
What is CASL?
CASL is a broad and controversial piece of legislation that came into force on July 1, 2014. By now, most Canadians are aware of its existence. What we have found in our discussions with clients on the subject is that many thought the legislation was limited in application to mass email marketing.
Nothing could be further from the truth.
MYTH #1: CASL applies only to mass email marketing campaigns. CASL does not distinguish between CEM emails sent between two people and an email sent to 2,000 people on a distribution list. If the nature of the message makes it a CEM, CASL applies subject to certain exceptions (discussed below).
CASL covers a very broad range of commercial electronic messages ("CEMs") and makes them subject to its consent, contact information, and unsubscribe link requirements. While email is seemingly the primary focus of CASL, the definition of "electronic communications" that are regulated by CASL is significantly broader, and captures effectively any text, sound, and voice messages.
While voicemails are exempt, it appears that the purpose of CASL is to be inclusive in its scope. As a result, it appears that most forms of electronic communication will be covered by CASL, which is the intention of the legislation.
At its most basic, CASL prohibits electronic business communications not consented to by their recipient. Consent must be explicit (not "opt-out") or it may be implied in certain limited circumstances (i.e. consent may be implied for a rolling two-year period for ongoing commercial relationships). Ultimately, the onus is on the party sending the electronic message to prove consent. Consent obtained before July 1, 2014 is valid, but the sender must still be able to prove consent.
Employer Liability under CASL
Section 32 of CASL specifically establishes that employers are liable for violations of the Act committed by their employees acting within the scope of their employment. It may be very difficult for an employer to avoid such liability by claiming that sending an electronic communication relating to a business opportunity was outside of the scope of an employee's employment. It is unlikely that, absent sufficient policies and oversight, an employer could escape liability simply by asserting it was unaware or did not condone or specifically authorize a particular communication.
The Act makes it unnecessary for a complainant to identify the individual within a company who allegedly violated the Act. As a result, effectively any email sent from an employer's address or server may expose an employer to penalties and civil liability.
Welcome (Misunderstood) Exceptions
CASL provides a number of specific exceptions for certain communications depending on factors such as the nature of the communication or the identity of the parties involved. These exceptions exclude various forms of regular, day-to-day and "ordinary course of business" communications from the consent requirements, as well as communications between people with a "personal relationship".
MYTH #2: Messages via social media platforms are exempt. CASL does not distinguish between CEM messages sent via social media platforms and via email. Posting on a Facebook wall is likely exempt, as is posting on your own feed, but if you send a message outside the platform using a message service provided by the platform, that is likely no different than using any agent to send your message. If that message is a CEM, you must comply with the CASL framework.
The Government's website explains, thankfully, that in its view you may send one CEM to a person to whom you were referred by a third party, so long as the third party has consent to send that person CEMs. Again, the onus is on the party claiming the exception to prove it applies.
Penalties for Violation under the Act
Penalties for non-compliance are draconian. Indeed, the maximum penalty for companies, at $10 million, is 20 times the maximum penalty for violating most provincial health and safety legislation. Although it is unlikely the government will impose the maximum penalty for inadvertent violations of CASL, or for unremarkable cases, the sheer size of the available penalties places them well outside the realm of a cost of doing business.
In addition, starting in 2017, anyone affected by a breach of CASL may seek damages in civil proceedings, even without proving they have suffered a financial loss. These provisions could also be used as the basis for large class litigation against businesses accused of repeatedly violating CASL. When considering that some employees send out thousands of emails per day, or more when engaging in campaigns, and with each individual message considered a potential discrete violation, the scale of these class actions could be astronomical.
Many companies have taken steps to ensure that marketing and communications departments are compliant with CASL. But compliance requires training and policy enforcement at all levels and in all departments.
What Can Employers Do?
As the legislation evolves, it will change radically. In particular, we have yet to see how the CRTC's enforcement branch will interpret its mandate and the vague language of the Act (and regulations which will follow).
Based on public comment and materials, it appears the CRTC views its enforcement powers under this branch as being critical, and early indications are that it will be intent on ensuring compliance with the new law by making examples of significant violators and other low hanging fruit.
Appropriate organizational policies and procedures, training, and consistent internal implementation and enforcement are likely to be the key to ensuring awareness, compliance and establishing due diligence.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.