Yesterday, the federal government issued an Order in Council delaying the introduction of a private right of action under Canada’s Anti-Spam Legislation (“CASL”).
CASL is consumer protection legislation that, among other things, was designed to limit and regulate the ability of businesses and organizations to send commercial electronic messages (“CEMs”) to consumers and prospective clients. This legislation already carries significant regulatory penalties for non-compliance including fines up to $10 million for organizations and $1 million for individuals. However, when CASL was enacted it also contemplated the introduction of a right for individuals to sue organizations for breach of the legislation (referred to as the private right of action) to come into effect July 1, 2017.
The private right of action would have allowed individuals to sue organizations and their officers, directors, and agents for violations of CASL, including for:
- Sending CEMs without the implied or express consent of the recipient or without complying with the prescribed form and content of such messages;
- Installing computer programs on a device without consent; and
- Sending false or misleading electronic messages.
The legal and liability effects of the private right of action were anticipated by many to be far reaching given, in particular, the suitability of such claims to be advanced by way of class actions. Class action law suits for breaches of US anti-spam laws have attracted sizeable claims. In October 2015, as one example, LinkedIn Corp. reported a settlement in the order of $13 million for spam emails urging users to join its professional network. Yahoo also faces class action claims in connection with texts sent to approximately 500,000 Sprint customers alleging damages of $1,500 per message. Other organizations facing class action law suits for anti-spam violations in the US include corporate giants like Microsoft as well as, smaller and community-based organizations including, in one case, a charter community school.
Whether the private right of action will come into effect at some point in the future remains to be seen. The government’s decision, however, to delay implementation of the private right of action does not relieve organizations from their existing obligations under CASL. July 1, 2017 continues to mark the end of a transition grace period during which organization were able to rely on certain implied consents for sending CEMs under the legislation.
If your organization has not done so already, it is still prudent to take an opportunity before the end of the three year grace period to review your organization’s practices, including consideration of:
- Whether your organization sends CEMs, and, if so, whether the content of those messages complies with CASL requirements.
- Whether your organization’s CEMs contain a compliant and functioning unsubscribe mechanism; and, whether the unsubscribe requests are acted upon within the statutory time limit.
- Whether your organization has a system in place for tracking and maintaining proof of express consents which are received; or, if CEMs are sent based on implied consents, whether there are systems for tracking the expiry of implied consents.
- Whether your organization engages in the installation of computer programs? If so, has appropriate consent been obtained?
Organizations should also note that CASL provides a defence of due diligence. While it is not explicitly set out what constitutes “due diligence”, implementing written policies and procedures regarding compliance, administering employee training programs, and keeping organized, systematic records which track compliance are useful in demonstrating an organization’s diligence.
Questions relating to this article can be directed to Suzanne Kennedy.
This article may not be republished without the express written permission of Harris and Company LLP