On June 5, 2020, the Federal Court of Appeal issued its decision dismissing appeals by CompuFinder challenging the constitutional validity and enforcement of Canada’s Anti-Spam Legislation (commonly known as “CASL”). The Court’s decision provides important interpretive guidance regarding CASL’s rules for implied consent and unsubscribe mechanisms and the exemption for business-to-business commercial electronic messages.
CASL
CASL creates a comprehensive regime of prohibitions, enforcement mechanisms and potentially severe penalties designed to prohibit the sending of unsolicited commercial electronic messages (CEMs), the unauthorized commercial installation and use of computer programs on another person’s computer system and other forms of online fraud.
For most organizations, the key parts of CASL are the rules for CEMs. Subject to limited exceptions, CASL creates an opt-in regime that prohibits the sending of a CEM unless the recipient has given consent (express or implied in limited circumstances) to receive the CEM and the CEM includes prescribed information and an effective and easy-to-use unsubscribe mechanism.
CASL imposes liability not only on an organization that directly violates CASL, but also on an organization that causes or permits a CASL violation, or aids, induces or procures a CASL violation. CASL also provides that an organization is vicariously liable for CASL violations by its employees and agents within the scope of their employment or authority, and corporate directors and officers are personally liable if they direct, authorize or assent to, or acquiesce or participate in, a CASL violation.
CASL violations can result in potentially severe administrative monetary penalties (AMPs) – up to $10 million per violation for an organization and $1 million per violation for an individual – in regulatory enforcement proceedings. CASL includes a private right of action that is not in force.
The Canadian Radio-television and Telecommunications Commission (CRTC) is responsible for enforcing CASL’s rules regarding CEMs. Since CASL came into force in 2014, the CRTC has taken enforcement action against organizations and individuals who have violated CASL, and has issued enforcement decisions and accepted voluntary undertakings (settlements). See BLG bulletins CASL – Year in Review 2019, CASL – Year in Review 2018, CASL – Year in Review 2017, CASL – Year in Review 2016 and CASL – Year in Review 2015.
The CRTC Decisions
In 2014, CompuFinder conducted three unsolicited email campaigns advertising its educational and training services. Complaints to the Spam Reporting Centre led to an investigation that resulted in the issuance of a notice of violation imposing a $1.1 million AMP against CompuFinder. For more details, see BLG bulletin CRTC Issues $1.1 Million Penalty for CASL Violation.
CompuFinder applied to the CRTC for review of the notice of violation. CompuFinder argued that its emails were exempted from CASL (based on CASL’s business-to-business exemption) or were sent based on implied consent (based on CASL’s conspicuous publication rule), and included a valid unsubscribe mechanism. CompuFinder also challenged CASL’s constitutional validity.
The CRTC issued two decisions. In the first decision, the CRTC held that CASL is constitutionally valid and does not violate the Canadian Charter of Rights and Freedoms. In the second decision, the CRTC held that CompuFinder violated CASL by sending CEMs without consent or a compliant unsubscribe mechanism (because each CEM included a second non-functioning unsubscribe mechanism). The CRTC held that the $1.1 million AMP specified in the notice of violation was not justified, and instead imposed a $200,000 AMP. For more details, see BLG bulletin CASL Enforcement Decision – Interpretive Guidance for Compliance and Penalties.
The Federal Court of Appeal Decision
CompuFinder appealed the CRTC’s decisions to the Federal Court of Appeal. The Court dismissed the appeals.
The Court held that CASL is constitutionally valid because it is within Parliament’s legislative jurisdiction over general trade and commerce affecting Canada as a whole. The Court also held that CASL does not violate Canada’s Charter of Rights and Freedoms because CASL imposes a justified infringement on constitutionally protected freedom of commercial expression, and does not infringe other rights protected by the Charter.
The Court held that the CRTC did not misinterpret or misapply CASL’s business-to-business exemption or conspicuous publication rule, or CASL’s requirements for an easy-to-use unsubscribe mechanism.
The Court’s decision provides important interpretive guidance on each issue.
1. BUSINESS-TO-BUSINESS EXEMPTION
The “business-to-business” exemption, set out in the Electronic Commerce Protection Regulations, provides that CASL does not apply to a CEM if: (a) the CEM is sent by an employee of one organization to an employee of another organization; (b) the organizations have a “relationship”; and (c) the CEM concerns the activities of the receiving organization. The Court provided the following guidance regarding the exemption:
- The exemption requires the CEM-sending organization to have a relationship with the CEM-receiving organization, not just some of the CEM-receiving organization’s employees.
- The required “relationship” between the CEM-sending and receiving organizations is more demanding than an “existing business relationship” that establishes implied consent by an individual, because the exemption allows CEMs to be sent to all of the CEM-receiving organization’s employees. “Contractual relationships comprehending a very limited number of transactions affecting very few employees do not constitute relationships for the purposes of the … exemption”.
- The exemption is not limited to CEMs concerning the CEM-receiving organization’s core business operations. The exemption permits the sending of CEMs concerning any of the CEM-receiving organization’s activities. The required connection between a good or service promoted in a CEM and the activities of the CEM-receiving organization “will often be established simply by virtue of the relationship between the CEM-sending and receiving organizations, which will typically be based on the provision of that same good or service by the former to the latter”.
2. CONSPICUOUS PUBLICATION RULE
CASL provides that a person gives implied consent to receive unsolicited CEMs at their electronic address if: (a) the person has conspicuously published, or has caused to be conspicuously published, their electronic address; (b) the publication is not accompanied by a statement that the person does not wish to receive unsolicited CEMs at the electronic address; and (c) the CEM is relevant to the person’s business, role, functions or duties in a business or official capacity. The Court provided the following guidance regarding the conspicuous publication rule:
- The rule does not permit the mining of email addresses from third-party directory websites or sites containing notices against unsolicited emails.
- An organization that seeks to rely on the rule has the burden of establishing all three criteria required for the application of the rule, including the requirement that the CEM recipient conspicuously published their email address or caused it to be published.
- An organization that relies on the rule should be prepared to state explicitly the “business, role, functions or duties” of CEM recipients, and explicitly explain the relevance of the CEMs to the recipient’s business, role, functions or duties. A CEM recipient’s job title does not necessarily establish their official business, role, functions or duties, or the relevance of a CEM.
3. UNSUBSCRIBE MECHANISM
CASL requires each CEM to include an unsubscribe mechanism that enables the CEM recipient to indicate, at no cost to the recipient, the wish to no longer receive CEMs. The Electronic Commerce Protection Regulations (CRTC) require that unsubscribe mechanisms be “able to be readily performed”. The CRTC’s Compliance and Enforcement Information Bulletin CRTC 2012-548 explains that an unsubscribe mechanism must be consumer-friendly, accessed “without difficulty or delay” and “simple, quick and easy” for a consumer to use.
The Court explained that including two unsubscribe mechanisms – one that functions properly and a second that does not function – in a CEM is confusing and potentially frustrating to the CEM recipient and does not comply with CASL’s requirements that an unsubscribe mechanism be set out clearly and prominently and be able to be readily performed.
Comment
The CompuFinder case demonstrates the importance of a credible and effective CASL compliance program as a risk management strategy to reduce the likelihood of CASL contraventions and to help establish a due diligence defense and ameliorate potential sanctions if a CASL contravention occurs. For more information, see BLG bulletins Canada’s Anti-Spam Legislation – Regulatory Guidance, CASL Compliance Programs – Preparing for Litigation and Preparing for CASL’s Private Right of Action.
With respect to each of the CASL rules considered by the Court:
- Organizations that rely on the business-to-business exemption to send CEMs should ensure that they are able to prove (with admissible documentary evidence) that they have a sufficient “relationship” with each CEM-receiving organization and that each CEM is relevant to the CEM-receiving organization’s activities.
- Organizations that rely on the conspicuous publication rule to establish implied consent to receive CEMs should be mindful of all three elements required by the rule, and should ensure that they are able to prove (with admissible documentary evidence) all three elements for each CEM. Organizations should consider the CRTC’s Enforcement Advisory - Notice for businesses and individuals on how to keep records of consent.
- Organizations should ensure that each CEM regulated by CASL contains a single, CASL-compliant unsubscribe mechanism, and that each unsubscribe request is promptly implemented. Organizations should consider the CRTC’s guidance regarding unsubscribe mechanisms, including Compliance and Enforcement Information Bulletin CRTC 2012-548, Frequently Asked Questions about Canada’s Anti-Spam Legislation and Know Your Responsibility When Managing Consent.
Organizations should also be mindful that Canadian privacy laws regulate the collection, use and disclosure of certain kinds of personal information used to send CEMs. Consequently, organizations should ensure that their marketing activities comply with both CASL and applicable privacy laws. For more information see BLG bulletin Canadian Privacy Commissioner Issues Guidance for Privacy Law and CASL Compliance.