Chapter 6: Canadian Anti-Spam Legislation (“CASL”)

HTML VERSION

Chapter 6:
Canadian Anti-Spam Legislation (“CASL”)

I. Overview of CASL Enforcement and Fines

CASL is short for “Canada’s Anti-Spam Legislation”, which itself is an abbreviated form of a much longer name. In recent years, it has been considered “the toughest anti-spam law in the world.”

[See CASL, SC 2010, c 23; Kris Klein and Aron Feuer, Canadian Privacy Law, 3d ed. (Toronto: IAPP, 2018) at section 2.2.4.]

There are three government agencies responsible for enforcing CASL:

• Canadian Radio-Television and Telecommunications Commission (“CRTC”);
• Competition Bureau; and
• Office of the Privacy Commissioner of Canada (“OPC”).

[See CASL, s.57.]

For the purposes of joint CASL enforcement, these three agencies mobilize their resources pursuant to a Memorandum of Understanding.

[See CASL, ss.58-59; Competition Bureau, Memorandum of Understanding for cooperation, coordination and information sharing (Oct 22, 2013).]

The maximum fine under CASL is $1 million against an individual, and $10 million against a corporation (or other entity). Note that a corporation’s liability may extend to corporate insiders or agents that were not duly diligent.

[See CASL, ss.20(4), 31-33(1), 52-54.]

To date, the largest CRTC fine issued under CASL is $1.1 million. This amount was subsequently reduced to $200,000, which is the present largest administrative monetary penalty issued under CASL. However, CASL is still young legislation, and there are no definite signs of its penalty provisions being reformed any time soon.

[See CRTC 2017-368; 2015 Rogers undertaking.]

The CRTC has a right to obtain data and documents to assess compliance with domestic and foreign anti-spam law. If necessary, a warrant can also be obtained for this purpose. Non-cooperation may result in an offence, which may further extend to corporate insiders or agents that were not duly diligent.

[See CASL, ss.15, 17, 19, 42-46.]

A business subject to a CASL fine should note that “giving in” and paying the fine, or ignoring the fine, will result in a deemed admission of liability. This could have significant public-relations consequences, because the CRTC has the power to make details of such liability public. Legal counsel should therefore be consulted while assessing options in response to a CASL fine.

[See CASL, ss.24(2), 39(b).]

At present, civil actions under CASL are not permitted. Moreover, there is no tort of harassment available to civil plaintiffs. However, depending on the facts, a civil action could potentially be supported by other common law causes of action.

[See Orders in Council 2013-1323, 2017-0580; INDU Committee Report, “Canada’s Anti-Spam Legislation: Clarifications Are in Order” (Dec 2017) at 7, 17-20; Merrifield v. Canada (Attorney General), 2019 ONCA 205 at paras. 43, 105.]

II. CASL Application

CASL applies in respect of commercial electronic messages (“CEMs”), altering transmission data, and installing software or causing software to send electronic messages.

[See CASL, ss.6, 12(1); CASL Regs, s.3; CASL ss.7, 12(2), 8.]

Non-compliance with these sections will invoke liability under CASL. Moreover, aiding, inducing or procuring with respect to such non-compliance will also invoke liability.

[See CASL, s.9.]

In most cases, sending a CEM requires the receiver’s prior consent, either express or implied. CEMs must also contain formal information regarding the sender and an unsubscribe mechanism. There are limited exceptions to these requirements, including telephone calls, voicemail, and faxes.

[See CASL, ss.6(2)(c), 11(1)), 6(8).]

The CEM requirements also do not apply in respect of a prior personal relationship between the sender and receiver, an inquiry specifically in respect of the receiver’s commercial activity, and where the sender is a telecom service provider.

[See CASL, s.6(5)-(7).]

With respect to the alteration of transmission data, such conduct is prohibited in commercial contexts, except with express consent, a court order, or for telecom providers managing their networks.

[See CASL, s.7.]

Installing software, or causing previously installed software to send electronic messages, requires express consent or a court order. However, these requirements apply only when the installer, the installer’s principal, or the client computer system is within Canada.

[See CASL, s.8.]

III. “Consent” Under CASL

Consent in Canada is based on an opt-in system, similar to the E.U. and in contrast with the U.S.

[See Kris Klein and Aron Feuer, Canadian Privacy Law, 3d ed. (Toronto: IAPP, 2018) at section 5.3.5.]

Any consent obtained must be supported by proof and be subject to revocation.

[See CASL, ss.11, 13.]

Express consent is the gold standard for consent. It is only valid when the receiving party is provided with certain basic information, including why consent is being sought and information about the sender.

[See CASL, ss.6(1)(a), 10(1)-(8).]

Express consent is presumed (not implied) in a very limited set of circumstances, including the installation of cookies, HTML code, Java Scripts, and an operating system

[See CASL, s.10(8); CASL Regs, s.6; Planet49 GmbH case, ECJ Case C‑673/17 (Oct 1, 2019) at paras. 44-81 re cookies under the GDPR.]

In other cases, consent can be implied. The circumstances for implied consent are also limited. Consent can be implied if there is an existing business or personal relationship between the sender and recipient, or if the CEM provides a requested quote, facilitates a transaction, or delivers a good or service. Various other grounds for implied consent also exist.

[See CASL, s.10(9)-(14).]

The CRTC has provided further guidance on implied consent and record keeping.

[See CRTC, “From Canada’s Anti-Spam Legislation (CASL) Guidance on Implied Consent” (Jan 24, 2019).]

IV. Principles from CASL cases

As previously stated, CASL is still a young piece of legislation, with much room for clarification through tribunal and court decisions. However, at least thirteen foundational CASL principles have already emerged.

ONE. The most obvious arguments that CASL is unconstitutional—for example, as an unjustifiable impediment to free speech—have failed before the CRTC. However, these arguments are ripe for court determination.

[See CRTC 2017-367 at paras. 230-232; E. Crowne and S. Provato, “Canada's Anti-Spam Legislation: A Constitutional Analysis” (2014) 31:1 John Marshall J. Info. Tech; Barry Sookman, “CASL: my appearance before the INDU Committee” (blog, Oct 6, 2017).]

TWO. CASL stipulates that it targets only commercial conduct. However, this category has been broadly interpreted to include “educational and training programs.” Moreover, the CRTC has stated that CASL “encompasses a wide range of activities” including conduct that is disruptive, unwelcome, and causes nuisance and frustration. However, CASL does not apply to a regulatory body enforcing its own rules by e-mail or website publications.

[See CASL, ss.3, 1(1) “commercial activity”; CRTC 2017-65 at para. 9; CRTC 2016-428 at para. 18; CRTC 2017-368 at para. 101; Bejm v. Law Society of British Columbia, 2015 BCSC 169 at paras. 21-23.]

THREE. CASL violations are determined on a balance of probabilities, not the higher criminal standard requiring an absence of reasonable doubt.

[See CRTC 2017-65 at para. 30, footnote #3; CRTC 2017-367 at paras. 199-207.]

FOUR. Penalties under CASL are meant to promote compliance rather than punish. Consider, for example, that an individual was fined only $15,000 in one case, where that amount was “large enough to promote a change in behaviour.” In another case, a small business was fined $50,000, which was considered “reasonable and necessary to promote … compliance.” For a large company, the ability to pay without inordinate risk to the business will be an important factor in assessing an appropriate fine.

[See CRTC 2017-65 at paras. 38-40; CRTC 2016-428 at paras. 60, 63; CRTC 2017-368 at para. 109.]

FIVE. There is an arguably low bar for a small company to prove that its revenues are modest, and that a large fine would therefore not be justified. In one case, the CRTC accepted a small company’s unaudited financial statements for the previous 2 years.

[See CRTC 2016-428 at para. 52.]

SIX. A lack of cooperation may be grounds to increase the fine, in order to ensure compliance.

[See CRTC 2016-428 at para. 56; CRTC 2017-368 at para. 110.]

SEVEN. The defence of due diligence will not apply if the due diligence measures “were taken after the period of the violations.”

[See CRTC 2017-368 at para. 78.]

EIGHT. Aiding, inducing, or procuring non-compliance “may take the form of providing access to the tools or equipment necessary to commit a violation. Alternatively, it may involve facilitating a violation by giving technical assistance or advice.”

[See CRTC 2018-415, para. 4.]

NINE. Implied consent is not established by the purchase of e-mail addresses from a third party. Nor is it established by a history of sending CEMs.

[See CRTC 2016-428 at para. 27; CRTC 2017-368 at paras. 55, 67.]

TEN. Ineffective or misleading unsubscribe practices will not meet CASL’s requirement for CEMs to contain an unsubscribe mechanism. Most CRTC settlements since 2014 indicate that this was a particular area of concern.

[See CRTC 2017-65 at para. 31; CRTC 2017-368 at paras. 59-64; 2015 undertakings to the CRTC by Plentyoffish (Mar 18, 2015), Porter Airlines (Jun 26, 2015), Rogers (Nov 19, 2015), Halazon/TTC (Jun 12, 2017), Ancestry Ireland (Jan 24, 2018), two numbered Quebec corps (Mar 15, 2018), and Blacklock’s (Sep 28, 2018).]

ELEVEN. The respondent has the burden to prove that a third party used his name and internet connection so as to invoke CASL liability.

[See CRTC 2017-65 at paras. 26, 29.]

TWELVE. “[M]easures to ensure compliance with CASL may vary, particularly in the case of small- to medium-sized businesses. The Commission will assess measures taken to ensure compliance on a case-by-case basis….”

[See CRTC 2018-415, para. 3.]

THIRTEEN. The Commission will consider level of control, degree of connection, and reasonable steps taken to prevent CASL violations.

[See CRTC 2018-415, para. 8.]