A panel comprised of recently retired GM Canada General Counsel, Heather Innes; current Bell Canada General Counsel, Bill Abbott; and Peter Clausi, General Counsel at GTA Resources and Mining and moderated by Neil Beaton, VP Corporate Development with CASL Cure, gave the CCCA member-audience an overview of issues surrounding the hot topic of the law’s upcoming private-right-of-action evolution which will open up CASL to allow class action suits, alongside the current CRTC regulation.
On July 1, a “private right of action” comes into force, opening the door for plaintiff-side class action lawyers to sue companies for alleged breaches of the law. This changes the game, because up till now companies in breach of the law have only had to answer to government regulators.Heather Innes, who was previously chief privacy officer with General Motors of Canada Ltd., said the regulatory actions have been harsher than most corporate counsel had expected. But they also offer a preview as to how easy it can be for a company to violate the law.
“Even the most sophisticated organization can make mistakes,” Innes told the panel. The regulators mean business, she said. “They are going to fine, and they are going to fine even if people have simply made mistakes.”
Bill Abbott, assistant general counsel and privacy ombudsman with Bell Canada, said that regulatory enforcement has focused on clear violations of the law. He expects class action lawyers to cast a wider net with their claims.
“Private right of action brings an entirely different environment with profit-driven plaintiffs who aren’t restricted by policy,” Abbott said. “Unlike the CRTC, which appears to be avoiding the ambiguous areas, that’s what they play on. That’s where they bring claims.”
Please visit the Financial Post Article for more information.
An individual has been fined $15,000 for 10 violations by the CRTC. In an enforcement action, published last week, the CRTC stated:
The Commission imposes an administrative monetary penalty of $15,000 on William Rapanos for 10 violations of section 6 of Canada’s Anti-Spam Legislation. Specifically, Mr. Rapanos sent commercial electronic messages (i) that did not identify the sender, (ii) that did not include information that enables the recipient to readily contact the sender, (iii) without prior consent from the recipients, and (iv) that, in certain cases, did not include a functioning unsubscribe mechanism.
For more information please read this article by Word to the Wise regarding this incident or the original CRTC enforcement action.
Peter Clausi has written a great article about the upcoming troubles that businesses and individuals could face once CASL enter it’s next stage on July 1st 2017.
CASL really has only two key requirements. The first is that you, as the sender of a commercial electronic message (CEM) (including any business email or text), are prohibited from sending that CEM unless you can prove you had prior consent to send it to that person. You have to be able to prove you had prior consent. You can’t email someone to ask for consent to email them.
Second, all CEM’s must be transparent – it must clearly disclose who the sender is and it must include a simple unsubscribe link. This element is fairly straightforward. If you apply some business intelligence, human resources training and forethought, you can comply with this part of CASL.
It all seems simple, doesn’t it.
Whether you like these two elements is not relevant. This has been the law in Canada for several years. It doesn’t matter if you think it’s a silly law or a disproportionate one – this is a law with global exposure, as the CRTC has assumed jurisdiction if the email is sent or received in Canada (just passing through an ISP doesn’t count). Does your business operate outside of Canada but email into Canada on occasion? You’re caught. Are you a Canadian business sending any email outside of Canada? You’re caught too.
But a CRTC isn’t really the problem. The Commission’s limited resources mean you can probably sleep at night without worrying about the CRTC showing up at your office tomorrow. What you should be afraid of is July 1, 2017. Mark that date in your calendar. That’s the day when your company’s breaches of CASL, until then relatively innocuous, can be punished by a private right of action. Anyone to whom you send an email or text will have the right to sue – all they have to prove is that they received your message, and then the onus shifts to you to prove you had prior consent to do so.
That’s what CASL itself and the CRTC’s Enforcement Advisory are telling us.
After you get sued, you will then need to put forward evidence that you had prior consent to send that email. This would be part of the discovery process in the litigation, and since this type of litigation supports class action litigation, your legal bills are going to be astronomical. And if any of the recipients are outside of Canada, watch for creative aggressive plaintiff counsel to figure out ways to trace liability back to that jurisdiction. Double the litigation, double the legal expenses.
Click here to read the full article.
Jillian Swartz of Allen McDonald Swartz LLP has published an excellent article discussing the impending danger of class action lawsuits under CASL coming into effect on July 1st, 2017.
On July 1, 2017, CASL’s private right of action provisions, which provide for penalties of up to Cdn$1,000,000 per day, will come into effect. Class actions are almost a certainty. Any Canadian business (and any business that has customers, donors or contacts in Canada) that is not fully compliant with CASL must act now to develop and implement robust compliance strategies in order to mitigate its class action risk.
CASL provides for a private right of action. This means that, in addition to the risk that the regulators may bring an enforcement action against an organization that violates CASL, there is a potential for individuals, partnerships, corporations, organizations, etc. (or more aptly, a group of such persons) to bring a lawsuit against an organization that has breached CASL. There is a risk of high damages awards under CASL. The following chart summarizes the potential damages that a court may award.
As a result of the potential for high damages awards, it is likely that CASL litigation will become the next trend in class action litigation. It is also important to note that the CRTC, because it has limited resources to pursue enforcement action, has been focusing on the worst offenders. Class action lawyers are not similarly restrained, so it is likely that they will aggressively pursue organizations that have allegedly violated CASL. The class action risk is heightened because CASL allows a court to impose a monetary award without any proof that actual damages have been sustained.
An employer can be held liable where an employee violates CASL while acting within the scope of his or her employment, unless the employer can show that it exercised due diligence to prevent the violation. In addition, it is an offense to aid, induce, procure or cause to be procured the sending of CEMs in violation of CASL.
For more visit their article here or download the PDF version here.
On February 12th Lynne Perrault and Dana-Lynn Wood did a presentation to continue the CRTC’s “on-going dialogue” with industry. Keith Rose wrote a great synopsis for snIP/ITs:
As of early February 2016, the SRC has received over 500,000 complaints. These have been received fairly steadily at a rate of about 22,000 per month (5,000 – 6,000 per week), although there is a noticeable spike each time the CRTC issues an enforcement announcement.
More than 80% of the submissions from Canadians (a subset – the SRC accepts submissions from non-Canadians as well) have been about email. SMS is the next largest category, at about 13%. However, this may reflect (at least in part) the fact that the collection mechanisms that the SRC uses were largely designed with email in mind and it is much easier to report an email message to the SRC than any other kind of CEM.
An overwhelming 94% of complaints involved some form of consent issue (including both initial consent and withdrawal of consent/unsubscribe issues). Approximately 1/3 of complaints involved the identification requirements, and slightly less than that (28%) involved some allegation of deceptive marketing practices. (The numbers do not add up to 100% because complaints may involve multiple issues. Also, to be clear, the analysis is of issues reported by the complainants without any attempt to assess their merits.)
The presenters also addressed the interpretation of the due diligence provisions of the Act. As they explained it, whether an organization has exercised due diligence is an all-or-nothing question; there is no partial defence.
The presenters referred to a number of factors or tests that might be applied, including having adequate written policies with adequate on-going training, contemporaneous record-keeping, active monitoring and enforcement to put those policies into practice as well as responsiveness to complaints, problems and to inquiries from the CRTC. It was not entirely clear whether these were factors to consider, if relevant, or tests that would apply on a cumulative basis. But in any case, the Commission’s view seems to be that due diligence is not a one-time activity; it is an on-going, day-to-day activity that organizations will have to practice and document if they want to be able to rely on it as a defence.
To read the rest of the synopsis please visit: http://www.canadiantechlawblog.com/2016/02/12/crtc-casl-compliance-and-enforcement-update/
The CRTC has executed their second warrant under Canada’s anti-spam legislation at two locations in the Niagara region. The warrant was obtained as part of an ongoing investigation relating to the installation of malware based on a lead from FireEye Inc. (a cyber threat protection and forensics specialist).
“We are working to protect Canadians from online threats by pursuing those individuals and entities who violate Canada’s anti-spam legislation. We are grateful for the assistance that FireEye Inc. provided which led to the execution of this warrant, and we will continue to work closely with our domestic and international partners in the fight against cyber threats.”
CRTC Chief Compliance and Enforcement Officer
At the moment details are sparse but visit the Government of Canada new release for more details.
Peter Clausi takes a look at the key risks to businesses in 2016 including Cybersecurity and CASL’s looming threat of class action litigation.
Cybersecurity was identified by PWC at its 2015 global conference in Monte Carlo as one of the key risks to businesses in 2016. The cybersecurity insurance market is estimated to be worth USD$7.5B by 2020. IIROC, the self-regulatory body for Canada’s brokerage firms, takes this so seriously that in December, 2015 it issued a standalone Cybersecurity Best Practices Policy aimed at small and medium sized firms.
Currently, the only consequence of a failure to comply with CASL is a prosecution by the Canadian Radio-television Telecommunications Commission (CRTC) and possible fines. The maximum penalty for a violation is $1,000,000 for an individual and $10,000,000 for a corporation, in addition to the legal costs, the cost of distraction and the public relations damage.
The problem is, that will change in July of 2017. That’s when the courts begin to share jurisdiction over CASL breaches. You and your company can then be sued for CASL breaches. Yes, in court, and supportable by class action litigation. And the onus will be on you as the sender to prove you were in compliance – the plaintiffs will not have to prove you weren’t in compliance.
Visit the original post for the full article.
Peter Clausi has written an in depth article looking at the reality of how CASL has changed the landscape of commercial email activity in Canada, the consequences of not complying with the new rules and also the upcoming changes to the law and their impacts.
CASL compliance is about consent, not content. You need consent BEFORE you send the email. You cannot email someone to ask for consent to send that person email. If challenged, the onus is on you as the sender to prove you had prior consent.
Actually, it’s worse than that.
Every message you send must have a built-in unsubscribe feature. Must. If you don’t, you’re in breach of CASL.
The statute is so broad, the consequences so harsh, that most of us in the compliance industry did not think it could be rigorously enforced. The CRTC simply lacked the resources or the will to enforce CASL in any meaningful way.
We were wrong.
In March of 2015, the CRTC gave notice of its intentions when it punished a numbered corp with an administrative monetary penalty of $1,100,000 for having sent emails without the recipients’ consents as well as for sending commercial emails that did not have a properly functioning unsubscribe mechanism. We didn’t criticize the penalty since the numbered corp was what we normally think of as a true spammer – atta go, CRTC!
Then Plenty of Fish got hit for $48,000. We didn’t really care since it’s a free dating website, so we all just giggled a little, albeit nervously.
We began to really care in June of this year when regional flyer Porter Airlines was hit by the CRTC for $150,000 for CASL breaches. And we really paid attention a few weeks ago when Rogers Communications agreed to a $200,000 fine, for the “offence” of sending corporate emails that did not always have a fully functioning “unsubscribe” mechanism.
Look at the email you send. Is there a fully functioning unsubscribe mechanism in every email you send? If not, your entire organization is at risk.
Visit the original post for the full article.
Does your business use an email host like GoDaddy or HostGator? If so, up until now, we could not offer CASL Cure to you since those types of email host providers could not selectively relay individual companies’ email through our smarthost without affecting other companies in their shared hosting environment.
CASL Cure is pleased to announce that we now offer a solution that will provide you and your company with the CASL Cure tools as part of a fully hosted email platform.
Now you have three options to choose from when deploying CASL:
1. SaaS (Software as a Service) Model: we host a cloud based CASL Cure solution for you.
2. Enterprise License: we install an on-prem version of CASL Cure on your hardware in your corporate IT environment.
3. Fully Hosted Model: we provide full service e-mail hosting along with CASL Cure as an all-in-one solution.
For more information, please contact Neil Beaton at email@example.com or 519-200-8131.
In order to help businesses’ understand the various contexts of implied consent and what is and is not allowed under CASL, the CRTC released updated
guidance on implied consent on September 4th.