The Canadian government has suspended the CASL private right of action that was to have come into force on July 1. The private right of action (most likely in the form of class actions) would have allowed people to sue anyone for sending spam. Or more accurately for those who violated the technical provisions of CASL.
This is a welcome move. But while we can breathe a sigh of relief that this remedy is gone, CASL still remains in force and must be complied with.
The government’s press release said:
Canadians deserve an effective law that protects them from spam and other electronic threats that lead to harassment, identity theft and fraud. At the same time, Canadian businesses, charities and non-profit groups should not have to bear the burden of unnecessary red tape and costs to comply with the legislation.
The Government supports a balanced approach that protects the interests of consumers while eliminating any unintended consequences for organizations that have legitimate reasons for communicating electronically with Canadians.
For that reason, the Government will ask a parliamentary committee to review the legislation, in keeping with the existing provisions of CASL.
There is no indication that the CRTC will lighten up its enforcement against those who try to comply with the spirit of the legislation, but can’t get the technical details right.
We don’t know how long this review process will take or how long it might be until changes are passed.
And frankly I’m skeptical that the “balanced approach” will go nearly as far as I and others would like to see it go. I (and I’m certainly not alone in this) have maintained from the start that CASL is one of the most ill-conceived, badly written, impractical pieces of legislation I’ve ever seen. It provides little benefit – at a great cost. Tinkering with the legislation won’t fix it – it needs a major overhaul.
Cross-posted to Slaw
The private right of action for sending spam in violation of CASL comes into force on July 1. Many companies are dreading it – some class action lawyers can’t wait. The right thing for the government to do would be to completely scrap CASL – the statute is that bad and ill-conceived. But wishful thinking won’t make it go away.
At the moment, CASL violators are subject to enforcement proceedings by the CRTC. But after July 1, those who have been spammed in violation of CASL can sue the sender. Here are some things to keep in mind about the private right of action.
- Individuals can sue a CASL violator – but class actions are most likely.
- CASL does not say if the right applies only to violations that occur after July 1. That would be the most obvious interpretation, but expect plaintiffs to say it is retroactive.
- In addition to the CASL anti-spam formalities, the right of action applies to the anti-harvesting provisions CASL added to PIPEDA, and the email false advertising provisions CASL added to the Competition Act.
- Damages include actual damages plus statutory damages calculated in a couple of ways – $200 per violation or up to a million dollars per day. It could get expensive.
- Directors and officers are at risk to be sued.
- Depending on timing, a notice of violation from the CRTC or entering into an undertaking with the CRTC may stay a court action. The reverse also applies – a court can prevent an undertaking or notice of violation. Potential defendants may have some influence over picking their poison.
- Due diligence defences are available to mitigate the damage amount.
Cross-posted to Slaw
The CRTC issued a press release on March 5 announcing that it has issued a Notice of Violation to Compu-Finder including a penalty of $1.1 million for violating CASL.
The Notice of Violation has not been made public, and we don’t know all the facts or exactly how CASL was applied. It relates to email messages sent to promote corporate training programs.
This should be a wake-up call to those who are not yet taking CASL seriously.
Unfortunately, though, until we see a decision containing the facts and how CASL was applied, it does not help those of us who are trying to understand how this difficult piece of legislation is going to be interpreted in practice. It contains far too many unclear provisions, inconsistent provisions, and gray areas, and actual decisions would be most helpful to see.
CASL, the Canadian anti-spam act, contains provisions that take effect on January 15, 2015 that are intended to prevent malware from being installed on computers (including any device that uses software such as smartphones, cars, TV’s, routers, thermostats…). The sections require the software provider to obtain express consent from the computer user for certain installations. There are 2 different levels of consent. Both require the disclosure of specified information, and the second level requires the consent to be obtained outside of the license.
Unfortunately the CASL software consent provisions are tortuous and unclear, and if taken literally could cause huge problems for the software industry. The IT bar has been collectively scratching its heads trying to understand how to interpret the sections. The CRTC has tried to interpret them in a way that aligns with the intent of stopping people from installing malware on computers. While the CRTC interpretation may not line up with the act, we basically have to work within it for the time being. When advising clients we will have to include caveats that we can’t guarantee that a court would agree with the CRTC’s interpretation.
Because January 15 is close at hand, software providers with customers in Canada should consider whether they need to do anything to comply. Violating the act has the same huge potential consequences as violating the anti-spam provisions.
The chart below is an attempt to give an overview of the analysis that a software provider should do to determine what, if anything, they need to do. There are 2 caveats to this chart. First, the sections are technical and have their own caveats and exceptions, so you can’t rely on the chart alone. Second, it relies on the CRTC position as it stands at this moment based on statutory language that really doesn’t make a lot of sense.
download pdf CASL software chart
I’ve had some time to reflect on the CASL software provisions as interpreted by the CRTC . As I’ve said before, the CASL software consent provisions are tortuous and unclear, and if taken literally could cause huge problems for the software industry. The CRTC has tried to interpret them in a way that aligns with the intent of stopping people from installing malware on computers. While the CRTC interpretation may not line up with the act, we basically have to work within it for the time being. (Lawyers advising clients would be well served to include caveats that we can’t guarantee that a court would agree with the CRTC’s interpretation.)
Software providers should review CASL with their legal counsel to determine how they fit within this labyrinth, but here is my take from a simplified high level on how it applies to the installation of software on a device I own.
I acquire the “Sliced Bread” software by Softco. It doesn’t matter how I get it – could be an app store, download, CD, etc. I install Sliced Bread on my computer – or my phone, tablet, car, drone, thermostat, fridge, server, router, etc.
Since I’m installing it myself on my own device, CASL doesn’t apply.
BUT IF Sliced Bread does one of the things CASL deems undesirable – things like collecting personal information, changing or interfering with data / operations / control, or sending information to someone;
AND IF those things are something I’m not reasonably expecting Sliced Bread to do (this expectation issue is a huge grey area and will vary depending on what Sliced Bread does);
THEN Softco is deemed to be installing it on my device, and Softco has to obtain my express consent outside of the EULA as detailed in the act.
Cross posted to Slaw.
Some businesses seem to be ignoring the CASL anti-spam law. Their attitude is that it’s been months since it’s been in force, nobody’s been fined, and there have been no public enforcement actions (other than one spam bot server situation). They are feeling safe that it’s not being enforced against typical businesses, and that the CRTC can’t possibly go after every small business.
In a recent webinar, the CRTC said they have issued a number of compliance orders under CASL. They are not making compliance orders public, though, and they did not say how many. They will at some time release stats on numbers of orders issued – perhaps at the end of the year.
They also said they would not always start with a gentle request to comply. In other words, don’t think you can sit back and not comply, then react only when they knock on your door.
The gentle approach is more likely if a business has tried but not quite got it right – less likely for one that has just ignored it. I suspect the CRTC will be eager to make some examples.
The CRTC has just published their thoughts on the interpretation of section 8 of CASL that requires consents for certain types of software installations.
They also discussed them in an IT.Can webinar. Their interpretation is helpful, and addresses some of the uncertainty around the provisions. But some aspects are still unclear, and some of their interpretations may not be entirely supported by the wording of the act. That may be fine so long as the CRTC is enforcing it, but a court does not have to defer to CRTC interpretation. I suspect there will be further clarification coming at some point given some of the questions that were being asked in the webinar.
They are interpreting it with the philosophy that the provisions are to prevent the installation of software that does perhaps undesirable things if they were unexpected by the user. More detail to come after we digest their thoughts and how they might work in practice. Anyone in the software business should consult their counsel to find out how section 8 might apply to them.
Cross posted to Slaw.
I’m taking part in a 4 part video series about CASL that deals with both Canadian and American perspectives on the anti-spam act. Here are the details:
How To Avoid The CASL Right HookLet’s face it – a lot of Canadians don’t know all the facts about the new Canada Anti-Spam Law (CASL)… and its evolving. But what you don’t know – CAN hurt you.
Helping us learn more about CASL and how to prepare for it, is Canadian lawyer, +David Canton
focusing on CASL, and American lawyer, Sean A. Moynihan, focusing on American Marketing. They’ll be informing, discussing and weighing in on the facts about this new law and how it opens to the doors to Class Action suits that can shut down your business – even businesses outside of Canada.
Round 1: David informs us about CASL and recent, new developments – Sean weighs in
Round 2: Sean gives us “The American Perspective” – David weighs in
Round 3: Things That Will Catch You Off Guard – Social Media & Other Surprises
Round 4: Best Practices – How To Win – Sean and David share winning strategies with us
Celebrating Small Business Owners Month!
Sign up for this complimentary, 30 minute, 4 part series, open to viewers on Facebook, LinkedIn and Google+, taking place on October 1st, 8th, 15th and 22nd at PST: 1:00 p.m. / MST: 2:00 p.m. / CST: 3:00 p.m. / EST: 4:00 p.m. (check your timezone here: http://www.timeanddate.com/worldclock/).
Sign in early and post your questions ahead of time and we’ll see if David and Sean can answer them. If you miss a Show – we’ve got you covered, you can view and ask questions even after the “Live” Show.
Click here to register: http://goo.gl/asZ229
Share with anyone who has questions or concerns about CASL
See you there!
#casl #smallbusiness #antispam #ns
Perhaps the most difficult compliance challenge arising from CASL – the new Canadian anti-spam law – is how to deal with one-off emails sent by individual employees. A new online service called CASL-cure provides an outbound email filter solution to this problem.
CASL requires either express consent, or one of a complex series of implied consents, before you can send email that is even slightly promotional in nature. Just 1 non-compliant email sent by 1 employee can put a business at risk for significant sanctions, including multi-million dollar fines, personal director and officer liability, and starting in 2017 private rights of action including class action suits. The onus is on the sender to prove compliance, so records must be kept to show how and when express consent was obtained, or how the recipient fits into an implied consent category. The email itself must contain specified contact info and an unsubscribe mechanism.
That is a lot to expect any employee to understand, let alone comply with, regardless of how much training they get.
CASL-cure solves this challenge in two ways. First, it automatically adds CASL compliant contact information and an unsubscribe mechanism to every email. Second, it compares the outbound email addresses to a whitelist of emails that have consent. If it detects an address that is not listed, it holds the email and sends a reply to the sender saying that the intended recipient is not on the CASL approved list, and offers a menu that the sender can use to enter the details of the nature of the consent. Once the sender completes that information, that consent detail is added to the whitelist and the email is released.
This solution significantly reduces the risk of sending non-compliant emails. And since it records how and who added the consent details to the database, it is easy for the business to deal with an employee who tries to cheat the system. It also helps immensely with a defense under CASL if an investigation results from a complaint. First, because the system records consent details. Second, if a non-compliant email does get through for some reason, such as an employee entering false information, it provides a due-diligence defense showing that the business did as much as it possibly could to prevent a violation.
Transparency disclosure – the providers of CASL-cure are clients of mine.
I participated in a Google+ video hangout that has been turned into a 3 part video series answering some questions about CASL.
The first one is now available on the HP website.