During 2015, government agencies responsible for the enforcement of Canada's anti-spam law (commonly known as "CASL") issued important guidance for the interpretation of CASL and took significant first steps to enforce CASL against Canadian businesses. The guidance and enforcement actions are instructive for organizations that wish to comply with CASL's rules for the sending of commercial electronic messages and the installation of computer programs.
CASL
CASL creates a comprehensive regime of offences, enforcement mechanisms and potentially severe penalties designed to prohibit unsolicited or misleading commercial electronic messages ("CEMs"), the unauthorized commercial installation and use of computer programs on another person's computer system and other forms of online fraud.
For most organizations, the key parts of CASL are the rules for CEMs. Subject to limited exceptions, CASL creates an opt-in regime that prohibits the sending of a CEM unless the recipient has given informed consent (express or implied in limited circumstances) to receive the CEM and the CEM complies with prescribed formalities (including an effective and promptly implemented unsubscribe mechanism) and is not misleading.
CASL also prohibits, subject to limited exceptions, the commercial installation and use of a computer program on another person's computer system without the express consent of the owner or authorized user of the computer system. The computer program rules apply to almost any computer program (not just malware, spyware or other harmful programs) installed on almost any computing device (including mobile phones) as part of a commercial activity (regardless of expectation of profit).
CASL violations can result in potentially severe administrative monetary penalties (up to $10 million per violation for organizations and $1 million per violation for individuals), and civil liability through a private right of action (commencing July 1, 2017). The Canadian Radio-television and Telecommunications Commission ("CRTC"), the Competition Bureau and the Office of the Privacy Commissioner of Canada have enforcement responsibility under CASL, and have various enforcement tools for that purpose (e.g. preservation demands, production notices and warrants).
Guidance
In 2015, CRTC and the Privacy Commissioner of Canada published the following guidance documents:
- Canada's Anti-Spam Legislation Requirements for Installing Computer Programs, which explains CASL's rules for the installation of computer programs and CRTC's views regarding an important exception for "self-installed software".
- From Canada's Anti-Spam Legislation (CASL) Guidance on Implied Consent, which explains CASL's rules for consent and provides helpful guidance for CASL compliance.
- Anti-spam law's changes to Canadian federal privacy law: A guide for businesses doing e-marketing, which explains Canadian privacy law requirements for the use of personal information (including email addresses) to send CEMs.
Enforcement Action
CRTC and the Competition Bureau announced the following CASL enforcement actions in 2015:
- CEMs Sent without Consent or Unsubscribe Mechanism: CRTC issued the first Notice of Violation under CASL to Compu-Finder. The Notice imposed a $1.1 million administrative monetary penalty for "flagrantly" violating CASL by sending CEMs without the recipients' consent and with an ineffective unsubscribe mechanism.
- CEMs with Deficient Unsubscribe Mechanism: The online dating service PlentyofFish Media entered into an undertaking (settlement), including payment of a $48,000 administrative monetary penalty, with CRTC for the alleged sending of CEMs with an unsubscribe mechanism that was not clearly and prominently set out and could not be readily performed.
- CEMs with Deficient Unsubscribe Mechanism and Without Required Content: The national media company Rogers Media Inc. entered into an undertaking (settlement), including payment of a $200,000 administrative monetary penalty, with CRTC for the alleged sending of CEMs with an unsubscribe mechanism that did not function properly or could not be readily performed or with required content that was not valid for the required minimum 60 days. In addition, Rogers Media allegedly failed to honour some unsubscribe requests within 10 business days.
- CEMs Sent without Consent or Required Content: The regional airline Porter Airlines entered into an undertaking (settlement), including payment of a $150,000 administrative monetary penalty, with CRTC for the alleged sending of CEMs without proof of consent and the alleged sending of CEMs that did not contain required information or have a required unsubscribe mechanism.
- Misleading CEMs: The Competition Bureau commenced proceedings against two car rental companies, Aviscar and Budgetcar, seeking remedies (including $30 million in administrative monetary penalties and refunds to consumers) for alleged deceptive marketing practices (including sending false or misleading emails) regarding vehicle rental prices.
- Malware: CRTC announced its first-ever CASL warrant to take down a Win32/Dorkbot command-and-control server located in Toronto, Canada, as part of a coordinated international effort.