Risk Analysis thumb image

Strap on your Helmet …

Peter Clausi has written a great article about the upcoming troubles that businesses and individuals could face once CASL enter it’s next stage on July 1st 2017.

CASL really has only two key requirements. The first is that you, as the sender of a commercial electronic message (CEM) (including any business email or text), are prohibited from sending that CEM unless you can prove you had prior consent to send it to that person. You have to be able to prove you had prior consent. You can’t email someone to ask for consent to email them.

Second, all CEM’s must be transparent – it must clearly disclose who the sender is and it must include a simple unsubscribe link. This element is fairly straightforward. If you apply some business intelligence, human resources training and forethought, you can comply with this part of CASL.

It all seems simple, doesn’t it.

Whether you like these two elements is not relevant. This has been the law in Canada for several years. It doesn’t matter if you think it’s a silly law or a disproportionate one – this is a law with global exposure, as the CRTC has assumed jurisdiction if the email is sent or received in Canada (just passing through an ISP doesn’t count). Does your business operate outside of Canada but email into Canada on occasion? You’re caught. Are you a Canadian business sending any email outside of Canada? You’re caught too.

But a CRTC isn’t really the problem. The Commission’s limited resources mean you can probably sleep at night without worrying about the CRTC showing up at your office tomorrow. What you should be afraid of is July 1, 2017. Mark that date in your calendar. That’s the day when your company’s breaches of CASL, until then relatively innocuous, can be punished by a private right of action. Anyone to whom you send an email or text will have the right to sue – all they have to prove is that they received your message, and then the onus shifts to you to prove you had prior consent to do so.

That’s what CASL itself and the CRTC’s Enforcement Advisory are telling us.

After you get sued, you will then need to put forward evidence that you had prior consent to send that email. This would be part of the discovery process in the litigation, and since this type of litigation supports class action litigation, your legal bills are going to be astronomical. And if any of the recipients are outside of Canada, watch for creative aggressive plaintiff counsel to figure out ways to trace liability back to that jurisdiction. Double the litigation, double the legal expenses.

Click here to read the full article.

CASL, Risk Analysis thumb image

Jillian Swartz of Allen McDonald Swartz LLP has published an excellent article discussing the impending danger of class action lawsuits under CASL coming into effect on July 1st, 2017.

On July 1, 2017, CASL’s private right of action provisions, which provide for penalties of up to Cdn$1,000,000 per day, will come into effect. Class actions are almost a certainty. Any Canadian business (and any business that has customers, donors or contacts in Canada) that is not fully compliant with CASL must act now to develop and implement robust compliance strategies in order to mitigate its class action risk.

CASL provides for a private right of action. This means that, in addition to the risk that the regulators may bring an enforcement action against an organization that violates CASL, there is a potential for individuals, partnerships, corporations, organizations, etc. (or more aptly, a group of such persons) to bring a lawsuit against an organization that has breached CASL. There is a risk of high damages awards under CASL. The following chart summarizes the potential damages that a court may award.

As a result of the potential for high damages awards, it is likely that CASL litigation will become the next trend in class action litigation. It is also important to note that the CRTC, because it has limited resources to pursue enforcement action, has been focusing on the worst offenders. Class action lawyers are not similarly restrained, so it is likely that they will aggressively pursue organizations that have allegedly violated CASL. The class action risk is heightened because CASL allows a court to impose a monetary award without any proof that actual damages have been sustained.

An employer can be held liable where an employee violates CASL while acting within the scope of his or her employment, unless the employer can show that it exercised due diligence to prevent the violation. In addition, it is an offense to aid, induce, procure or cause to be procured the sending of CEMs in violation of CASL.

For more visit their article here or download the PDF version here.

Enforcement thumb image

CRTC CASL Compliance and Enforcement Update

On February 12th Lynne Perrault and Dana-Lynn Wood did a presentation to continue the CRTC’s “on-going dialogue” with industry. Keith Rose wrote a great synopsis for snIP/ITs:

As of early February 2016, the SRC has received over 500,000 complaints. These have been received fairly steadily at a rate of about 22,000 per month (5,000 – 6,000 per week), although there is a noticeable spike each time the CRTC issues an enforcement announcement.

More than 80% of the submissions from Canadians (a subset – the SRC accepts submissions from non-Canadians as well) have been about email. SMS is the next largest category, at about 13%. However, this may reflect (at least in part) the fact that the collection mechanisms that the SRC uses were largely designed with email in mind and it is much easier to report an email message to the SRC than any other kind of CEM.

An overwhelming 94% of complaints involved some form of consent issue (including both initial consent and withdrawal of consent/unsubscribe issues). Approximately 1/3 of complaints involved the identification requirements, and slightly less than that (28%) involved some allegation of deceptive marketing practices. (The numbers do not add up to 100% because complaints may involve multiple issues. Also, to be clear, the analysis is of issues reported by the complainants without any attempt to assess their merits.)

The presenters also addressed the interpretation of the due diligence provisions of the Act. As they explained it, whether an organization has exercised due diligence is an all-or-nothing question; there is no partial defence.

The presenters referred to a number of factors or tests that might be applied, including having adequate written policies with adequate on-going training, contemporaneous record-keeping, active monitoring and enforcement to put those policies into practice as well as responsiveness to complaints, problems and to inquiries from the CRTC. It was not entirely clear whether these were factors to consider, if relevant, or tests that would apply on a cumulative basis. But in any case, the Commission’s view seems to be that due diligence is not a one-time activity; it is an on-going, day-to-day activity that organizations will have to practice and document if they want to be able to rely on it as a defence.

To read the rest of the synopsis please visit: http://www.canadiantechlawblog.com/2016/02/12/crtc-casl-compliance-and-enforcement-update/

Stay on the pulse. Know when CASL Cure has posted.

Subscribe to our RSS Feed
Enforcement thumb image

CRTC executes warrant in malicious malware investigation

The CRTC has executed their second warrant under Canada’s anti-spam legislation at two locations in the Niagara region. The warrant was obtained as part of an ongoing investigation relating to the installation of malware based on a lead from FireEye Inc. (a cyber threat protection and forensics specialist).

“We are working to protect Canadians from online threats by pursuing those individuals and entities who violate Canada’s anti-spam legislation. We are grateful for the assistance that FireEye Inc. provided which led to the execution of this warrant, and we will continue to work closely with our domestic and international partners in the fight against cyber threats.”

Manon Bombardier
CRTC Chief Compliance and Enforcement Officer

At the moment details are sparse but visit the Government of Canada new release for more details.

CASL thumb image

2016: Cybersecurity, Corporate Ebola and CASL

Peter Clausi takes a look at the key risks to businesses in 2016 including Cybersecurity and CASL’s looming threat of class action litigation.

Cybersecurity was identified by PWC at its 2015 global conference in Monte Carlo as one of the key risks to businesses in 2016. The cybersecurity insurance market is estimated to be worth USD$7.5B by 2020. IIROC, the self-regulatory body for Canada’s brokerage firms, takes this so seriously that in December, 2015 it issued a standalone Cybersecurity Best Practices Policy aimed at small and medium sized firms.

Currently, the only consequence of a failure to comply with CASL is a prosecution by the Canadian Radio-television Telecommunications Commission (CRTC) and possible fines. The maximum penalty for a violation is $1,000,000 for an individual and $10,000,000 for a corporation, in addition to the legal costs, the cost of distraction and the public relations damage.

The problem is, that will change in July of 2017. That’s when the courts begin to share jurisdiction over CASL breaches. You and your company can then be sued for CASL breaches. Yes, in court, and supportable by class action litigation. And the onus will be on you as the sender to prove you were in compliance – the plaintiffs will not have to prove you weren’t in compliance.

Visit the original post for the full article.

Risk Analysis thumb image

A high-level look at the looming disaster

Peter Clausi has written an in depth article looking at the reality of how CASL has changed the landscape of commercial email activity in Canada, the consequences of not complying with the new rules and also the upcoming changes to the law and their impacts.

CASL compliance is about consent, not content. You need consent BEFORE you send the email. You cannot email someone to ask for consent to send that person email. If challenged, the onus is on you as the sender to prove you had prior consent.

Actually, it’s worse than that.

Every message you send must have a built-in unsubscribe feature. Must. If you don’t, you’re in breach of CASL.

The statute is so broad, the consequences so harsh, that most of us in the compliance industry did not think it could be rigorously enforced. The CRTC simply lacked the resources or the will to enforce CASL in any meaningful way.

We were wrong.

In March of 2015, the CRTC gave notice of its intentions when it punished a numbered corp with an administrative monetary penalty of $1,100,000 for having sent emails without the recipients’ consents as well as for sending commercial emails that did not have a properly functioning unsubscribe mechanism. We didn’t criticize the penalty since the numbered corp was what we normally think of as a true spammer – atta go, CRTC!

Then Plenty of Fish got hit for $48,000. We didn’t really care since it’s a free dating website, so we all just giggled a little, albeit nervously.

We began to really care in June of this year when regional flyer Porter Airlines was hit by the CRTC for $150,000 for CASL breaches. And we really paid attention a few weeks ago when Rogers Communications agreed to a $200,000 fine, for the “offence” of sending corporate emails that did not always have a fully functioning “unsubscribe” mechanism.

Look at the email you send. Is there a fully functioning unsubscribe mechanism in every email you send? If not, your entire organization is at risk.

Visit the original post for the full article.