The private right of action for sending spam in violation of CASL comes into force on July 1. Many companies are dreading it – some class action lawyers can’t wait. The right thing for the government to do would be to completely scrap CASL – the statute is that bad and ill-conceived. But wishful thinking won’t make it go away.
At the moment, CASL violators are subject to enforcement proceedings by the CRTC. But after July 1, those who have been spammed in violation of CASL can sue the sender. Here are some things to keep in mind about the private right of action.
- Individuals can sue a CASL violator – but class actions are most likely.
- CASL does not say if the right applies only to violations that occur after July 1. That would be the most obvious interpretation, but expect plaintiffs to say it is retroactive.
- In addition to the CASL anti-spam formalities, the right of action applies to the anti-harvesting provisions CASL added to PIPEDA, and the email false advertising provisions CASL added to the Competition Act.
- Damages include actual damages plus statutory damages calculated in a couple of ways – $200 per violation or up to a million dollars per day. It could get expensive.
- Directors and officers are at risk of being sued.
- Depending on timing, a notice of violation from the CRTC or entering into an undertaking with the CRTC may stay a court action. The reverse also applies – a court can prevent an undertaking or notice of violation. Potential defendants may have some influence over picking their poison.
- Due diligence defences are available to mitigate the damage amount.
Cross-posted to Slaw
CASL, the Canadian anti-spam legislation, came into force on July 1, 2014. July 1, 2017 will be an important date for CASL, as a private right of action will become available. Anyone (class actions are likely) will be able to sue CASL violators. Statutory damages mean that it won’t be necessary to prove actual damages.
CASL is a complex, illogical statute. Many businesses don’t comply because they don’t think emails they send could possibly be considered spam. After all, spam is about illicit drugs, diets and deals scams, right? Not according to CASL.
Nor do they understand they must keep detailed records to prove they have implied or express consent for each person they send an email to. Or they may be rolling the dice that they will be a low priority for CRTC enforcement. (That approach risks personal liability for directors and officers.)
Once the private right of action kicks in, the enforcement landscape changes. If a business has not yet come to grips with CASL, the spectre of private suits for violations may offer an incentive to comply.
In the long term, the private right of action could provide a couple of silver linings.
Getting CASL in front of the courts may provide some badly needed guidance on how to interpret and apply it in practice. So far, the handful of cases the CRTC has made public have not provided enough detail to help with that.
There is some thought that CASL could be struck down on constitutional grounds. Any business sued under the private right of action should include that in its defence.
The possibility of CASL being struck down should not, however, be a reason not to comply with CASL. It could take years before an action gets far enough to see that result. And that result is by no means assured.
Cross-posted to Slaw
The CRTC recently issued a media advisory entitled Enforcement Advisory – Notice for businesses and individuals on how to keep records of consent. It doesn’t add anything new – but reinforces what the CRTC is looking for. This is important because CASL requires a business to prove that they have consent to send a CEM (Commercial Electronic Message). CASL has a complex regime of express and implied consent possibilities.
The advisory states: “Commission staff has observed that some businesses and individuals are unable to prove they have obtained consent before sending CEMs. The purpose of this Enforcement Advisory is to remind those involved, including those who send CEMs, of the requirements under CASL pertaining to record keeping.”
The problem in practice is that keeping those records can be a herculean task. I’m concerned that the difficulty of getting this right will make many businesses fodder for CASL breach class action lawsuits when that right becomes available in 2017.
My personal view continues to be that the prime effect of CASL is to add a huge compliance burden to legitimate businesses. It may give some tools to attack actual spam, but its approach is fundamentally flawed, and the cost/benefit is way out of whack.
Cross-posted to Slaw
The CRTC recently published a document with some guidance on implied consent under CASL.
The parts about “Can I send CEMs to an email address I find online?”, “How can I prove I have consent?”, and “What records should I be keeping?” show how difficult, if not impossible, it is to comply with CASL in practice.
CASL and its interpretation are so granular and so nuanced that the average business doesn’t stand a chance of getting it consistently right. The email address publication relevance issue, for example, is so fraught with risk that it isn’t worth tempting fate with in most instances. And the level of proof and record keeping that is expected is simply impractical.
In my view CASL does the opposite of what it says it is supposed to do:
3. The purpose of this Act is to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities, because that conduct
(a) impairs the availability, reliability, efficiency and optimal use of electronic means to carry out commercial activities;
(b) imposes additional costs on businesses and consumers; …
The compliance costs in terms of dollars, time, and exposure to penalties are simply far too high, and it actually impedes “efficiency and optimal use of electronic means to carry out commercial activities”.
Cross-posted to Slaw
The CRTC issued a press release on March 5 announcing that it has issued a Notice of Violation to Compu-Finder including a penalty of $1.1 million for violating CASL.
The Notice of Violation has not been made public, and we don’t know all the facts or exactly how CASL was applied. It relates to email messages sent to promote corporate training programs.
This should be a wake-up call to those who are not yet taking CASL seriously.
Unfortunately, though, until we see a decision containing the facts and how CASL was applied, it does not help those of us who are trying to understand how this difficult piece of legislation is going to be interpreted in practice. It contains far too many unclear provisions, inconsistent provisions, and gray areas, and actual decisions would be most helpful to see.
CASL, the Canadian anti-spam act, contains provisions that take effect on January 15, 2015 that are intended to prevent malware from being installed on computers (including any device that uses software, such as smartphones, cars, TVs, routers, thermostats…). The sections require the software provider to obtain express consent from the computer user for certain installations. There are 2 different levels of consent. Both require the disclosure of specified information, and the second level requires the consent to be obtained outside of the license.
Unfortunately the CASL software consent provisions are tortuous and unclear, and if taken literally could cause huge problems for the software industry. The IT bar has been collectively scratching its heads trying to understand how to interpret the sections. The CRTC has tried to interpret them in a way that aligns with the intent of stopping people from installing malware on computers. While the CRTC interpretation may not line up with the act, we basically have to work within it for the time being. When advising clients we will have to include caveats that we can’t guarantee that a court would agree with the CRTC’s interpretation.
Because January 15 is close at hand, software providers with customers in Canada should consider whether they need to do anything to comply. Violating the act has the same huge potential consequences as violating the anti-spam provisions.
The chart below is an attempt to give an overview of the analysis that a software provider should do to determine what, if anything, they need to do. There are 2 caveats to this chart. First, the sections are technical and have their own caveats and exceptions, so you can’t rely on the chart alone. Second, it relies on the CRTC position as it stands at this moment based on statutory language that really doesn’t make a lot of sense.
download pdf CASL software chart
I’ve had some time to reflect on the CASL software provisions as interpreted by the CRTC. As I’ve said before, the CASL software consent provisions are tortuous and unclear, and if taken literally could cause huge problems for the software industry. The CRTC has tried to interpret them in a way that aligns with the intent of stopping people from installing malware on computers. While the CRTC interpretation may not line up with the act, we basically have to work within it for the time being. (Lawyers advising clients would be well served to include caveats that we can’t guarantee that a court would agree with the CRTC’s interpretation.)
Software providers should review CASL with their legal counsel to determine how they fit within this labyrinth, but here is my take from a simplified high level on how it applies to the installation of software on a device I own.
I acquire the “Sliced Bread” software by Softco. It doesn’t matter how I get it – could be an app store, download, CD, etc. I install Sliced Bread on my computer – or my phone, tablet, car, drone, thermostat, fridge, server, router, etc.
Since I’m installing it myself on my own device, CASL doesn’t apply.
BUT IF Sliced Bread does one of the things CASL deems undesirable – things like collecting personal information, changing or interfering with data / operations / control, or sending information to someone;
AND IF those things are something I’m not reasonably expecting Sliced Bread to do (this expectation issue is a huge grey area and will vary depending on what Sliced Bread does);
THEN Softco is deemed to be installing it on my device, and Softco has to obtain my express consent outside of the EULA as detailed in the act.
Cross posted to Slaw.
Some businesses seem to be ignoring the CASL anti-spam law. Their attitude is that it’s been months since it’s been in force, nobody’s been fined, and there have been no public enforcement actions (other than one spam bot server situation). They are feeling safe that it’s not being enforced against typical businesses, and that the CRTC can’t possibly go after every small business.
In a recent webinar, the CRTC said they have issued a number of compliance orders under CASL. They are not making compliance orders public, though, and they did not say how many. They will at some time release stats on numbers of orders issued – perhaps at the end of the year.
They also said they would not always start with a gentle request to comply. In other words, don’t think you can sit back and not comply, then react only when they knock on your door.
The gentle approach is more likely if a business has tried but not quite got it right – less likely for one that has just ignored it. I suspect the CRTC will be eager to make some examples.
The CRTC has just published their thoughts on the interpretation of section 8 of CASL that requires consents for certain types of software installations.
They also discussed them in an IT.Can webinar. Their interpretation is helpful, and addresses some of the uncertainty around the provisions. But some aspects are still unclear, and some of their interpretations may not be entirely supported by the wording of the act. That may be fine so long as the CRTC is enforcing it, but a court does not have to defer to CRTC interpretation. I suspect there will be further clarification coming at some point given some of the questions that were being asked in the webinar.
They are interpreting it with the philosophy that the provisions are meant to prevent the installation of software that does things that may be undesirable when the user does not expect them. More detail to come after we digest their thoughts and how they might work in practice. Anyone in the software business should consult their counsel to find out how section 8 might apply to them.
Cross posted to Slaw.
In addition to its anti-spam provisions, CASL contains provisions against malware starting in January 2015. It imposes disclosure and consent requirements for software providers in certain situations.
Unfortunately, those provisions are perhaps more ill-advised and unclear than the anti-spam provisions. They have the potential to make life difficult for software companies, create additional record keeping responsibilities where none are needed, and could even hurt Canadian consumers if foreign software developers simply don’t sell their products in Canada to avoid compliance.
The IT law bar is collectively scratching their heads trying to understand what the provisions mean in practice.
When I last mentioned this, the CRTC was collecting questions to help them frame their guidance on the sections.
The CRTC will reveal their interpretation thoughts in an IT.Can webinar on November 11.
Cross posted to Slaw