In 2018, the Canadian Radio-television and Telecommunications Commission continued to enforce Canada’s Anti-Spam Legislation (commonly known as CASL) and issued an important information bulletin regarding the CASL provision that imposes indirect liability for CASL violations. In addition, the federal government issued a formal response to a parliamentary committee report on CASL.
CASL
CASL creates a comprehensive regime of offences, enforcement mechanisms and potentially severe penalties designed to prohibit unsolicited or misleading commercial electronic messages (CEMs), the unauthorized commercial installation and use of computer programs on another person’s computer system, and the unauthorized alteration of transmission data in electronic messages. CASL imposes liability not only on persons who directly commit a CASL violation, but also on persons who “aid, induce, procure or cause to be procured” a CASL violation.
For most organizations, the key parts of CASL are the rules for CEMs. Subject to limited exceptions, CASL creates an opt-in regime that prohibits the sending of a CEM unless the recipient has given consent (express or implied in limited circumstances) to receive the CEM and the CEM complies with prescribed formalities (e.g. sender information and an effective and promptly implemented unsubscribe mechanism). An organization that sends a CEM has the onus of proving that the recipient consented to receive the CEM.
CASL’s computer program rules prohibit, subject to limited exceptions, the commercial installation and use of a computer program on another person’s computer system without the express consent of the owner or authorized user of the computer system. The computer program rules apply to almost any computer program (not just malware, spyware or other harmful programs) installed on almost any computing device (including mobile phones) as part of a commercial activity (regardless of expectation of profit).
CASL violations can result in potentially severe administrative monetary penalties — up to $10 million per violation for an organization and $1 million per violation for an individual — in regulatory enforcement proceedings. CASL includes a private right of action, which is not in force.
The Canadian Radio-television and Telecommunications Commission (the CRTC) is primarily responsible for enforcing CASL. Since CASL came into force in 2014, the CRTC has taken enforcement action against organizations and individuals who have violated CASL, and has issued enforcement decisions and accepted voluntary undertakings (i.e. settlements).
Regulatory Enforcement
In 2018, the CRTC announced three enforcement actions:
- Sending CEMs without a Valid Unsubscribe Mechanism: In January 2018, the CRTC accepted an undertaking by Ancestry Ireland Unlimited Company, operator of the Ancestry online genealogy service, to settle alleged CASL violations regarding the sending of promotional emails without a CASL-compliant unsubscribe mechanism. Ancestry allegedly emailed its customers two kinds of CEMs, each with its own unsubscribe or preference management system, so that it was not possible for a customer to use a single operation to unsubscribe from both kinds of CEMs. The lack of a single unsubscribe operation allegedly did not comply with the CASL requirement for an easily performed unsubscribe mechanism that allows the recipient to unsubscribe from receiving any future CEMs. (more information)
- Sending CEMs to Mobile Devices: On May 1, 2018, the CRTC announced that the companies operating the 514-BILLETS ticket resale business agreed to pay $100,000 as part of a voluntary settlement of alleged CASL violations regarding the sending of text messages without the recipients’ consent and without prescribed information about the message sender. The undertaking was the first settlement of an investigation regarding the sending of text messages to mobile devices. (more information)
- Liability for Aiding a CASL Violation: On July 11, 2018, the CRTC issued notices of violation imposing penalties totalling $250,000 against two online advertising businesses for allegedly violating CASL by aiding their anonymous customers to distribute online ads that surreptitiously installed malicious computer programs in violation of CASL’s computer program rules. According to the CRTC’s announcement and investigation summary, the two businesses were warned that their services were being used to distribute malvertising, but they did not implement safeguards to prevent those activities. (more information)
Regulatory Guidance
In November 2018, the CRTC issued Compliance and Enforcement Information Bulletin CRTC 2018-415 titled “Guidelines on the Commission’s approach to section 9 of Canada’s anti-spam legislation (CASL)” to provide guidance regarding CASL section 9, which imposes liability on persons who “aid, induce, procure or cause to be procured” a CASL violation. The Bulletin explains the CRTC’s approach to section 9, includes examples of organizations to which section 9 could apply and activities that could result in non-compliance, and provides guidance for organizations seeking to manage associated risks. The Bulletin explains the CRTC’s view that CASL section 9 imposes strict liability on persons who assist a CASL violation, and that businesses that provide products or services that could be used to commit CASL violations must implement proactive measures to prevent identified risks, even if that means going beyond industry standards. (more information)
Government Response to Parliamentary Committee Report
In December 2017, the House of Commons Standing Committee on Industry, Science and Technology issued a report titled “Clarifications Are in Order”, in which the Committee recommended changes to CASL to clarify the scope and application of CASL and to reduce the cost of compliance and better focus enforcement. In April 2018, the federal government released an official response to the report. The response states the government’s intention “to work closely with stakeholders to identify ways to improve the areas that are the object of the Committee’s recommendations”, and to “investigate further the impact of implementing the private right of action and to consider options for its implementation”.