Big news last week about CASL (Canada’s anti-spam legislation) – the right of private action, which was scheduled to come into effect on July 1st, was indefinitely delayed by an Order-in-Council issued by the Federal Government on June 7.
This is a relief for every organization, whether for-profit, non-profit, orcharitable. The right of private action was generally being met with dread – it allowed for private litigants to sue for any breach of specific sections of CASL and to claim for significant damages. Those damages included statutory damages of up to $1 million per day for violations.
Enforcement activity since 2014
However, this development doesn’t mean that CASL is toothless. Far from it. Fines under CASL are a maximum of $10 million per violation for businesses/organizations. That’s huge.
I attended an update on CASL put on by the CRTC for the Ontario Bar Association in mid-May. There has been a lot of activity around CASL enforcement since CASL came into effect 3 years ago (July 1, 2014). Here are a few tidbits that I learned about:
- In lieu of prosecutions, the CRTC tends to pursue “undertakings” when an investigated complaint reveals an apparent violation of CASL
- These undertakings require the offender to implement a robust compliance program
- Undertakings are accompanied by a reparation payment (in lieu of a fine/penalty)
- These reparation payments are substantial:
- Porter $150K
- Rogers $200K
- Kellogg’s $60K
- Blackstone $50K
- William Rapanos (individual) $15K
- Compu-Finder $1.1M (being contested)
- The ability of the offender to pay is taken into account as one of the factors in determining an appropriate payment. For example, Blackstone is a small business, resulting in a significantly reduced penalty. Still, $50K is a huge amount for any small business to pay.
Deemed implied consent – 3-year grace period ends July 1
Remember, CASL requires that your organization have consent (express or in some cases implied) when sending commercial electronic messages (CEMs). (To be “commercial”, the email/text must be trying to get people to buy a product or service.)
There was a 3-year grace period in which organizations were allowed to email current and former donors, members, volunteers and those with business relationships. That grace period ends on July 1, 2017. After that, the list of individuals to whom your organization can send CEMs is limited to a 2-year ever-refreshing window – you can only email with implied consent if you have had contact with the individual (as a donor, member, volunteer or for business purposes) for 2 years from the date of that contact.
How to be CASL compliant
What also became evident is that your organization needs to have a CASL policy, undertake and update CASL training of all staff, and monitor CASL compliance. If your organization becomes the subject of a complaint/investigation about CASL, you need to demonstrate good record-keeping – i.e., keeping screenshots of subscribes to newsletter lists and emails containing express consent to receive CEMs.
The CRTC update also offered these additional bits of information:
- Non-profits are “not bubbling to the top” of the enforcement radar, which is good news for the health sector
- Sending a survey is not a CEM.
The CRTC’s slides were available to attendees. If anyone is interested in receiving a copy, please let me know.
DDO’s CASL Toolkit for the non-profit and charitable sectors
DDO Health law published a “CASL – Anti-Spam Toolkit” in June 2014 targeted at assisting non-profit and charitable organizations to become CASL compliant. Copies are available for purchase – please contact me if interested.