CASL Update: What You Need to Know Before July
As you know, the Canadian Anti-Spam Law (CASL) went into effect July 1, 2014. CASL is a Canadian consent-first email framework that requires a sender to obtain consent from a recipient before sending any messages. CASL is anti-spam legislation that applies to all electronic messages (i.e. email, texts) organizations send in connection with a “commercial activity.” Its key feature requires Canadian and global organizations that send commercial electronic messages (CEMs) within, from, or to Canada to receive consent from recipients before sending messages. CASL does not apply to CEMs that are simply routed through Canada.
As a reminder, the basic mechanics include:
- Name of organization/person seeking consent
- Mailing address, phone number & place/person to obtain more information
- A statement identifying person on behalf of whom consent is being obtained
- Identity & contact info of any 3rd parties who are obtaining consent
- A free unsubscribe mechanism for opting out of communications
- The ability to opt out of ALL commercial electronic messages (CEMs)
CASL enforcements have become a significant issue in light of a record 30 million CAD fine against the Avis Budget Group for what was judged to be misleading advertising in an email marketing campaign. One facet of the enforcements worth noting is that the Canadian authorities have been making a distinction between willful violations that warrant substantial administrative monetary penalties (AMP) and the inadvertent violations that fall instead under the lesser category of undertakings.
So we at Return Path wanted to update you on three things this year that are important under CASL in terms of timing.
1. The three-year transition period that commenced July 1, 2014 for commercial electronic messages (CEMs) will end on July 1, 2017
This transitional provision has provided significant flexibility (effectively a qualified grandfathering) for organizations that have a history of communicating electronically with their contacts. It has allowed senders to continue mailing to recipients from whom they have implied consent, unless they unsubscribe. The relationship, whether business or non-business, must have been created prior to 1 July 2014 in order to rely on the three-year transitional provision set out by CASL. In order to rely on the transitional provision, the parties’ relationship must also have included communication via the sending of CEMs. Any business or non-business relationship created after 1 July 2014 is subject to the time periods specified in the implied consent provisions of CASL, and the three-year transitional period cannot be relied upon. After the upcoming 2017 cut-off date, senders may only send to recipients who have given express consent or whose implied consent is currently valid under CASL—that is, 24 months after a purchase or six months after an inquiry.
2. CASL’s private right of action (PRA) will come into force on July 1, 2017
The PRA—which provides significant monetary remedies for persons affected by non-complying electronic messages—will allow any individual to sue any entity they believe is sending spam messages. An individual or organization who is affected by a contravention may litigate to enforce the new private rights directly.
While CASL does not expressly provide for class actions, it is broadly expected that such actions will be launched to permit large numbers of applicants (for example, the recipients of alleged spam) to pursue compensation as a group. The private right of action allows a plaintiff to sue for actual and statutory damages. Actual damages are intended to compensate an aggrieved party for breach of his/her rights. Statutory damages could prove to be quite onerous. Anti-spam violations may result in an award of $200 per violation, up to $1 million per day. For instance, if a company sends out 1,000 emails per day to its customers, advertising for its annual holiday sale, for a period of 30 days prior to Christmas, and those emails do not comply with the relevant provisions of CASL, the company, as well as its directors, officers and agents may be jointly and severally liable for $3 million in statutory damages, in addition to compensatory damages.
3. It is likely that enforcement of the law – by the CRTC, the Office of the Privacy Commissioner and the Competition Bureau – will become more rigorous after July 1, 2017
All three agencies now have “tested the waters” with investigative actions under CASL and things seem to be working well.
It is also worth noting that CASL requires a Parliamentary committee to review the provisions and operation of the law three years after it came into force. One question that has been brought to the attention of many is whether the PRA is even really needed, given the consistent and fair enforcement of the law to date by the regulators in Canada. What is needed is not more risk for Canadian companies attempting to market their products but an amended, streamlined and more practical law to protect consumers while allowing companies to effectively engage in electronic marketing. Of course, trying to remove the PRA from the law would take much more time, and the proposed idea has been to ask that the PRA be pushed out a little further for more review. This idea has been met with a bit more welcome by those working on the regulation. So there is some hope.
Overall, organizations have two months left to become compliant with CASL and should assess their CASL compliance and prepare to respond to CASL lawsuits by reviewing and updating their CASL compliance program as soon as possible. You can read the full context of the law here. This article is intended as a resource and does not constitute legal advice. If you have more questions about CASL, we encourage you to contact an attorney who is familiar with this issue. If we at Return Path can help, please contact your account manager.
About Dennis Dayman
Dennis Dayman has more than 20 years of experience combating spam, security/privacy issues, data governance issues, and improving email delivery through industry policy, ISP relations and technical solutions. As Return Path’s chief privacy and security officer, Dayman leverages his experience and key relationships to provide best practices to Return Path and its customers and to ensure the compliance of their communications data flows. He is also responsible for coordinating and managing Return Path’s international electronic commerce, privacy and Internet related policy issues.