During 2016, the Canadian Radio-television and Telecommunications Commission ("CRTC") issued important guidance for compliance with Canada's anti-spam legislation (commonly known as "CASL") and took significant steps to enforce CASL against Canadian businesses. The guidance and enforcement actions are instructive for organizations that wish to comply with CASL's rules for the sending of commercial electronic messages.
CASL creates a comprehensive regime of offences, enforcement mechanisms and potentially severe penalties (including personal liability for employers, corporate directors and officers) designed to prohibit unsolicited or misleading commercial electronic messages ("CEMs"), the unauthorized commercial installation and use of computer programs on another person's computer system and other forms of online fraud (such as identity theft and phishing).
For most organizations, the key parts of CASL are the rules for CEMs. Subject to limited exceptions, CASL creates an opt-in regime that prohibits the sending of a CEM unless the recipient has given consent (express or implied in limited circumstances) to receive the CEM and the CEM complies with prescribed formalities (including an effective and promptly implemented unsubscribe mechanism) and is not misleading. An organization that sends a CEM has the onus of proving that the recipient consented to receive the CEM.
CASL also prohibits, subject to limited exceptions, the commercial installation and use of a computer program on another person's computer system without the express consent of the owner or authorized user of the computer system. The computer program rules apply to almost any computer program (not just malware, spyware or other harmful programs) installed on almost any computing device (including mobile phones) as part of a commercial activity (regardless of expectation of profit).
CASL violations can result in potentially severe administrative monetary penalties (up to $10 million per violation for an organization and $1 million per violation for an individual) in regulatory enforcement proceedings, civil liability for compensatory damages and potentially substantial statutory (non-compensatory) damages in a private action by a person affected by a CASL contravention (commencing July 1, 2017) and vicarious liability on employers, directors and officers who are unable to establish that they exercised due diligence to prevent CASL contraventions.
CRTC, the Competition Bureau and the Office of the Privacy Commissioner of Canada have enforcement responsibility under CASL, and have various enforcement tools for that purpose (e.g. preservation demands, production notices and warrants).
In July 2016, CRTC issued "Enforcement Advisory — Notice for businesses and individuals on how to keep records of consent" to provide guidance on CASL's requirements for keeping records of consent to receive CEMs. The guidance explains the onus of proving consent, the benefits of good record keeping and the kinds of paper or electronic records CEM senders should consider keeping to prove consent.
CRTC announced the following CASL enforcement actions in 2016:
- Warrant for Malware Enforcement: In January 2016, CRTC announced that it executed a CASL warrant as part of an ongoing investigation relating to the installation of malicious software and the alteration of transmission data. The announcement did not provide details of the warrant or its execution, but explained that CRTC is using enforcement tools and cyber investigative techniques to investigate alleged CASL violations.
- CEMs Sent without Consent: In September 2016, CRTC announced a voluntary settlement with Kellogg Canada Inc. regarding the alleged sending of CEMs without consent. As part of the settlement, Kellogg agreed to pay a $60,000 fine, review and update its CASL compliance program and ensure that service providers it engages to send CEMs comply with CASL.
- CEMs Sent without Consent: In October 2016, CRTC issued a Compliance and Enforcement Decision against Blackstone Learning Corp. imposing a $50,000 administrative monetary penalty (reduced from the $640,000 penalty recommended by the investigator) for sending CEMs without consent. The decision provides important guidance regarding the interpretation and application of the "conspicuous publication rule" for implied consent to receive CEMs, and helpful insight into CRTC's approach to assessing administrative monetary penalties.