The CRTC recently released 2 CASL decisions on Compufinder. If this sounds familiar, it is because this is an appeal from an initial finding in 2015 that levied a $1.1 million penalty.
Compufinder took the position that CASL is unconstitutional. Many legal experts have questioned the ability of the Federal Government to pass this legislation. The CRTC decided that CASL is constitutional. But this is not the last word. Inevitably this will be argued in court. This decision is required reading for anyone who finds themselves in a position to challenge the act in the courts. Ironically, the delay of the private right of action may have delayed getting the constitutionality issue to the appeal level.
In the substantive decision the penalty was reduced to $200,000. This decision is required reading for anyone facing sanctions under CASL.
Topics covered include:
- what the business to business exemption means (Compufinder failed to convince them that the exemption applied)
- the conspicuously published implied consent, including who published it and message relevance
- what is needed to show a diligence defence (it’s not easy)
- factors in determining the size of the penalty
The decision shows that the CRTC will examine the CEM’s sent in individual detail, and that the business has a high onus of proof to show that they have done everything necessary to comply with the act for each and every one of them.
IMHO most small businesses simply don’t have the resources to meet the requirements. And no matter how hard they try, larger businesses will have a difficult time attaining them. To me CASL is like using a sledgehammer to kill a fly in a china shop. You may or may not kill the fly, but the collateral damage simply isn’t worth it.
Hopefully changes will be made to CASL as a result of the current review of the statute.
Cross-posted to Slaw
The Canadian government has suspended the CASL private right of action that was to have come into force on July 1. The private right of action (most likely in the form of class actions) would have allowed people to sue anyone for sending spam. Or more accurately for those who violated the technical provisions of CASL.
This is a welcome move. But while we can breathe a sigh of relief that this remedy is gone, CASL still remains in force and must be complied with.
The government’s press release said:
Canadians deserve an effective law that protects them from spam and other electronic threats that lead to harassment, identity theft and fraud. At the same time, Canadian businesses, charities and non-profit groups should not have to bear the burden of unnecessary red tape and costs to comply with the legislation.
The Government supports a balanced approach that protects the interests of consumers while eliminating any unintended consequences for organizations that have legitimate reasons for communicating electronically with Canadians.
For that reason, the Government will ask a parliamentary committee to review the legislation, in keeping with the existing provisions of CASL.
There is no indication that the CRTC will lighten up its enforcement against those who try to comply with the spirit of the legislation, but can’t get the technical details right.
We don’t know how long this review process will take or how long it might be until changes are passed.
And frankly I’m skeptical that the “balanced approach” will go nearly as far as I and others would like to see it go. I (and I’m certainly not alone in this) have maintained from the start that CASL is one of the most ill-conceived, badly written, impractical pieces of legislation I’ve ever seen. It provides little benefit – at a great cost. Tinkering with the legislation won’t fix it – it needs a major overhaul.
Cross-posted to Slaw
The private right of action for sending spam in violation of CASL comes into force on July 1. Many companies are dreading it – some class action lawyers can’t wait. The right thing for the government to do would be to completely scrap CASL – the statute is that bad and ill-conceived. But wishful thinking won’t make it go away.
At the moment, CASL violators are subject to enforcement proceedings by the CRTC. But after July 1, those who have been spammed in violation of CASL can sue the sender. Here are some things to keep in mind about the private right of action.
- Individuals can sue a CASL violator – but class actions are most likely.
- CASL does not say if the right applies only to violations that occur after July 1. That would be the most obvious interpretation, but expect plaintiffs to say it is retroactive.
- In addition to the CASL anti-spam formalities, the right of action applies to the anti-harvesting provisions CASL added to PIPEDA, and the email false advertising provisions CASL added to the Competition Act.
- Damages include actual damages plus statutory damages calculated in a couple of ways – $200 per violation or up to a million dollars per day. It could get expensive.
- Directors and officers are at risk to be sued.
- Depending on timing, a notice of violation from the CRTC or entering into an undertaking with the CRTC may stay a court action. The reverse also applies – a court can prevent an undertaking or notice of violation. Potential defendants may have some influence over picking their poison.
- Due diligence defences are available to mitigate the damage amount.
Cross-posted to Slaw
CASL, the Canadian anti-spam legislation, came into force on July 1, 2014. July 1, 2017 will be an important date for CASL, as a private right of action will become available. Anyone (class actions are likely) will be able to sue CASL violators. Statutory damages means that it won’t be necessary to prove actual damages.
CASL is a complex, illogical statute. Many businesses don’t comply because they don’t think emails they send could possibly be considered spam. After all, spam is about illicit drugs, diets and deals scams, right? Not according to CASL.
Nor do they understand they must keep detailed records to prove they have implied or express consent for each person they send an email to. Or they may be rolling the dice that they will be a low priority for CRTC enforcement. (That approach risks personal liability for directors and officers.)
Once the private right of action kicks in, the enforcement landscape changes. If a business has not yet come to grips with CASL, the spectre of private suits for violations may offer an incentive to comply.
In the long term, the private right of action could provide a couple of silver linings.
Getting CASL in front of the courts may provide some badly needed guidance on how to interpret and apply it in practice. So far, the handful of cases the CRTC has made public have not provided enough detail to help with that.
There is some thought that CASL could be struck down on constitutional grounds. Any business sued under the private right of action should include that in its defence.
The possibility of CASL being struck down should not, however, be a reason not to comply with CASL. It could take years before an action gets far enough to see that result. And that result is by no means assured.
Cross-posted to Slaw
The CRTC recently issued a media advisory entitled Enforcement Advisory – Notice for businesses and individuals on how to keep records of consent. It doesn’t add anything new – but reinforces what the CRTC is looking for. This is important because CASL requires a business to prove that they have consent to send a CEM (Commercial Electronic Message). CASL has a complex regime of express and implied consent possibilities.
The advisory states: “Commission staff has observed that some businesses and individuals are unable to prove they have obtained consent before sending CEMs. The purpose of this Enforcement Advisory is to remind those involved, including those who send CEMs, of the requirements under CASL pertaining to record keeping.”
The problem in practice is that keeping those records can be a herculean task. I’m concerned that the difficulty of getting this right will make many businesses fodder for CASL breach class action lawsuits when that right becomes available in 2017.
My personal view continues to be that the prime effect of CASL is to add a huge compliance burden to legitimate businesses. It may give some tools to attack actual spam, but its approach is fundamentally flawed, and the cost/benefit is way out of whack.
Cross-posted to Slaw
The CRTC recently published a document with some guidance on implied consent under CASL.
The parts about “Can I send CEMs to an email address I find online?”, “How can I prove I have consent?”, and “What records should I be keeping?” show how difficult, if not impossible, it is to comply with CASL in practice.
CASL and its interpretation is so granular and so nuanced that the average business doesn’t stand a chance of getting it consistently right. The email address publication relevance issue, for example, is so fraught with risk that it isn’t worth tempting fate with in most instances. And the level of proof and record keeping that is expected is simply impractical.
In my view CASL does the opposite of what it says it is supposed to do:
3. The purpose of this Act is to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities, because that conduct
(a) impairs the availability, reliability, efficiency and optimal use of electronic means to carry out commercial activities;
(b) imposes additional costs on businesses and consumers; …
The compliance costs in terms of dollars, time, and exposure to penalties are simply far too high, and it actually impedes “efficiency and optimal use of electronic means to carry out commercial activities”.
Cross-posted to Slaw
The CRTC issued a press release on March 5 announcing that it has issued a Notice of Violation to Compu-Finder including a penalty of $1.1 million for violating CASL.
The Notice of Violation has not been made public, and we don’t know all the facts or exactly how CASL was applied. It relates to email messages sent to promote corporate training programs.
This should be a wake-up call to those who are not yet taking CASL seriously.
Unfortunately, though, until we see a decision containing the facts and how CASL was applied, it does not help those of us who are trying to understand how this difficult piece of legislation is going to be interpreted in practice. It contains far too many unclear provisions, inconsistent provisions, and gray areas, and actual decisions would be most helpful to see.
CASL, the Canadian anti-spam act, contains provisions that take effect on January 15, 2015 that are intended to prevent malware from being installed on computers (including any device that uses software such as smartphones, cars, TV’s, routers, thermostats…). The sections require the software provider to obtain express consent from the computer user for certain installations. There are 2 different levels of consent. Both require the disclosure of specified information, and the second level requires the consent to be obtained outside of the license.
Unfortunately the CASL software consent provisions are tortuous and unclear, and if taken literally could cause huge problems for the software industry. The IT bar has been collectively scratching its heads trying to understand how to interpret the sections. The CRTC has tried to interpret them in a way that aligns with the intent of stopping people from installing malware on computers. While the CRTC interpretation may not line up with the act, we basically have to work within it for the time being. When advising clients we will have to include caveats that we can’t guarantee that a court would agree with the CRTC’s interpretation.
Because January 15 is close at hand, software providers with customers in Canada should consider whether they need to do anything to comply. Violating the act has the same huge potential consequences as violating the anti-spam provisions.
The chart below is an attempt to give an overview of the analysis that a software provider should do to determine what, if anything, they need to do. There are 2 caveats to this chart. First, the sections are technical and have their own caveats and exceptions, so you can’t rely on the chart alone. Second, it relies on the CRTC position as it stands at this moment based on statutory language that really doesn’t make a lot of sense.
download pdf CASL software chart
I’ve had some time to reflect on the CASL software provisions as interpreted by the CRTC . As I’ve said before, the CASL software consent provisions are tortuous and unclear, and if taken literally could cause huge problems for the software industry. The CRTC has tried to interpret them in a way that aligns with the intent of stopping people from installing malware on computers. While the CRTC interpretation may not line up with the act, we basically have to work within it for the time being. (Lawyers advising clients would be well served to include caveats that we can’t guarantee that a court would agree with the CRTC’s interpretation.)
Software providers should review CASL with their legal counsel to determine how they fit within this labyrinth, but here is my take from a simplified high level on how it applies to the installation of software on a device I own.
I acquire the “Sliced Bread” software by Softco. It doesn’t matter how I get it – could be an app store, download, CD, etc. I install Sliced Bread on my computer – or my phone, tablet, car, drone, thermostat, fridge, server, router, etc.
Since I’m installing it myself on my own device, CASL doesn’t apply.
BUT IF Sliced Bread does one of the things CASL deems undesirable – things like collecting personal information, changing or interfering with data / operations / control, or sending information to someone;
AND IF those things are something I’m not reasonably expecting Sliced Bread to do (this expectation issue is a huge grey area and will vary depending on what Sliced Bread does);
THEN Softco is deemed to be installing it on my device, and Softco has to obtain my express consent outside of the EULA as detailed in the act.
Cross posted to Slaw.
Some businesses seem to be ignoring the CASL anti-spam law. Their attitude is that it’s been months since it’s been in force, nobody’s been fined, and there have been no public enforcement actions (other than one spam bot server situation). They are feeling safe that it’s not being enforced against typical businesses, and that the CRTC can’t possibly go after every small business.
In a recent webinar, the CRTC said they have issued a number of compliance orders under CASL. They are not making compliance orders public, though, and they did not say how many. They will at some time release stats on numbers of orders issued – perhaps at the end of the year.
They also said they would not always start with a gentle request to comply. In other words, don’t think you can sit back and not comply, then react only when they knock on your door.
The gentle approach is more likely if a business has tried but not quite got it right – less likely for one that has just ignored it. I suspect the CRTC will be eager to make some examples.