CASL: From Bad to Perhaps Worse

A harmful regulatory regime was about to get downright dangerous — until the federal government backed off

REGULAR READERS of this column will remember that several years ago, when Canada’s anti-spam legislation (generally referred to as CASL) came into effect, I predicted it was overly broad and would have a negative effect on economic activity. Well, I don’t want to say “I told you so,” but when you look at the recent CASL enforcement efforts you just have to shake your head.

Thankfully, on June 7, the federal government announced that CASL’s private right of action (PRA) provisions would not come into effect on July 1, 2017. This lifted what would have been a very dark cloud hanging over our economy, although we may not be completely out of the woods yet; the government has sent the PRA to a parliamentary committee for review, so it’s still too early to tell what we will get by way of a PRA — and of course, we are still stuck with CRTC enforcement of CASL, regardless of the PRA.

I act for a number of early-stage Silicon Valley companies when they choose Canada as their first jurisdiction of expansion outside of the US. These businesses are careful to comply with the US anti-spam legislation; but when they hear about the CASL regime in Canada, they will often skip Canada altogether, or will not bring their full business model to our country.

Conversely, when I act for Canadian tech start-ups in the e-commerce space, and they learn about the hurdles CASL presents — well, you guessed it, a number of them shift certain economic activity and the jobs that go with it down to the United States. Sigh.

In short, a federal government in Canada that wanted to commit itself to supporting a truly world-class tech sector could start by simply revising CASL to make it align with anti-spam laws in the US. We’ll see if the parliamentary committee review of the PRA will take us in that direction.

A CASL Refresher
Canada’s anti-spam legislation is federal legislation that prohibits the sending of any commercial electronic message unless the recipient has consented, expressly or impliedly, to its receipt. This legislation has extremely broad coverage, not only capturing every commercial email sent in this country — including messages originating from outside of Canada — but also text messages and a host of other electronic transmissions.

Moreover, when such a message is sent it has to be labeled properly and have an “unsubscribe” mechanism, so the recipient can elect to indicate that he or she does not wish to receive further commercial electronic messages from that particular sender. The unsubscribe feature has to be effective, and the deletion of the name from the distribution list must be carried out in 10 days.

CASL also prohibits the sending of software to another person’s computer without their consent, although this practice is increasingly common with automatic upgrades of software releases being regularly distributed to computers and smart devices such as smartphones, cars, appliances and more, which require software upgrades. 

This is a very important aspect of CASL, since all sorts of previously exclusively mechanical products are now being supplemented with digital networked capabilities. This means the manufacturers are transitioning from supplying merely products to making services available, and services are a lot “stickier” in terms of customer loyalty and recurring revenue. This is an additional CASL compliance consideration.

If you breach any of these rules, you can be subject to an administrative monetary penalty of up to $1 million per violation of the statute by individuals, and $10 million for corporations. When CASL came into effect a few years ago, we all wondered — and some of us dreaded — how these remedial provisions would be implemented.

Unlikely Enforcement Targets
We now know how these provisions would be implemented. There have been a number of enforcement actions, and frankly, the record is disheartening.

In the CRTC’s very first case, a small business sent out about 400,000 email ads during a series of campaigns over a period of several months. The bureaucracy that administers CASL sent the business’s owner a notice of violation with a fine of $640,000. Talk about showing your enforcement teeth! But really, a $640,000 fine for a small business?

Thankfully, the CRTC dug deeper into the small business’s situation and determined that a $640,000 fine would be more than several years’ worth of the business’s total revenue, so it reduced the fine to $50,000 — which may seem like a magnanimous gesture, but if you’ve ever run a small business you’ll know that it’s still a very significant amount.

In another case, the CRTC fined a husband and wife who run a small print shop $15,000 for sending email ads for their printing business. Turned out the fellow is just scraping by — and frankly, what in heaven’s name is the regulator doing going after folks like this?

When the CASL legislation was first being considered in Parliament, the government officials proposing it said it would be aimed at criminal spammers, the ones clogging up the internet. These two cases don’t fit that profile at all.

Bigger Fish are Being Fried, Too
The CRTC has gone after bigger targets as well. An airline was fined $150,000 for failing to prove it had consent from all email recipients; plus, the messages did not provide the sender’s contact information, and in some of the messages there was no “unsubscribe” mechanism, while it didn’t work in the messages that did contain it.

The CRTC has been busy in the CASL space. They also fined a telecommunications company $200,000 for sending out messages with an unsubscribe mechanism that did not work properly. Moreover, when a recipient did unsubscribe, the company did not act on the request within the required 10-day period.

The biggest fine issued to date was for $1.1 million, also for sending messages with an unsubscribe mechanism that did not work. Under CASL, the unsubscribe mechanism has to be active in a message for at least 60 days; this company’s device did not comply with that requirement.

One more case worth noting involved a consumer packaged-goods company, which used a third-party agent to conduct an email advertising campaign. The agent was offside the CASL rules, but of course it was the client company who was found responsible, to the tune of $60,000.

Precarious Due Process
There are several disturbing themes emanating from these cases. The CRTC emphasizes that the administrative monetary penalty is not intended to “punish” but merely to “promote compliance” with the CASL statute. Accordingly, in the CRTC’s view, the legislation does not address “criminal” activity, and therefore the standard for determining a violation is a “balance of probabilities” and not the higher “beyond a reasonable doubt” that is applied in criminal cases. Equally, the CRTC is of the view that the Charter’s “right to be presumed innocent until proven guilty beyond a reasonable doubt” does not apply to CASL proceedings.

Another point of concern is that most CASL complaints are received by the CRTC over the Spam Reporting Centre. In effect, with this bureaucratic vehicle, we are seeing the full weight of the state mobilized under the CASL regime. When coupled with the investigators we see a formidable enforcement edifice indeed, and yet a civil standard of “balance of probabilities” is being utilized. Not quite a level playing field, in my view.

Something Even More Unbalanced
If the cases above weren’t sufficiently disconcerting, the original CASL legislation provided that on July 1, 2017, the private right of action would come into effect. If you were fairly sanguine about this legislation previously, you may have been very concerned about this new remedial vehicle coming on stream.

What the PRA would have allowed, after July 1, 2017, is for individuals who feel a violation of CASL has occurred to apply to a judge not only for compensatory damages, but for non-compensatory damages as well. Here’s the thing: recovery under the former would have presumably been quite limited, as unwanted emails tend not to generate hard financial losses.

Hence the importance of the latter head of recovery: non-compensatory damages. This is where I predicted the initial action would play out, with the class action plaintiffs’ Bar arguing all sorts of claims under this rubric.

Due Diligence Defence
Thankfully, those of us who defend class actions (among whom I count myself) had a useful arrow in our quiver even under the original CASL statute, namely the due diligence defence. The CASL statute expressly provides that a person cannot contravene CASL if they exercised due diligence in attempting to comply with the law. 

While useful, the parameters around a due diligence defence are always uncertain at best. Therefore, it was with a real sense of relief that we received the announcement, on June 7, 2017, that on July 1, 2017, the PRA would not be coming into effect. Now there’s a birthday present to help celebrate Canada’s big day! 

However, we must remember that the CRTC enforcement provisions of CASL — as highlighted in the cases discussed above — are still very much in effect.

George Takach is a senior partner at McCarthy Tétrault LLP and the author of Computer Law.