On July 1, 2015, Canada’s Anti-Spam Legislation (CASL) celebrated its one year anniversary. How has CASL been enforced during its first year and what lessons can be learned from its enforcement?
Canadians have taken CASL to heart
As of January 2015, more than 200,000 complaints were filed with the CRTC (the government body primarily tasked with enforcing CASL) for alleged violations of CASL. By July 2015, those numbers may have doubled. This suggests that Canadians are taking CASL seriously and are likely to continue to do so in the future.
No one is immune to CASL
Over the past year, the CRTC has imposed three significant (and publicly known) penalties for alleged violations of CASL:
- Compu-Finder, a small Quebec company reportedly in the business of providing management courses to business people, is facing a penalty of $1.1 million under CASL. According to the CRTC’s news release, this penalty was due to four alleged violations of CASL.
- The popular dating site PlentyofFish.com has agreed to pay a fine of $48,000 for alleged violations of CASL. According to the CRTC, PlentyofFish’s alleged violations stemmed from not “clearly and prominently” setting out an unsubscribe mechanism in emails to their members.
- Porter Airlines has agreed to pay a fine of $150,000 for alleged violations of CASL. Those alleged violations include not implementing unsubscribe requests within 10 days, and sending emails that did not include unsubscribe mechanisms that were “clearly and prominently” set out.
By publicly announcing these fines, the CRTC is sending a message that CASL’s enforcement is not reserved for the particularly egregious “spammers” or “hackers”. No one is immune to CASL’s enforcement and potentially significant fines (i.e., up to $1 million for an individual and up to $10 million for an organization).
The unsubscribe mechanism is important
CASL requires that each commercial electronic message contain an unsubscribe mechanism that is “clearly and prominently” set out. In addition, all unsubscribe requests must be implemented within 10 days of a request. PlentyofFish, Porter and Compu-Finder all faced penalties because they allegedly did not have an unsubscribe mechanism that met those requirements.
When developing a CASL compliance policy, it is important to focus on the unsubscribe mechanism and its implementation. That is because an organization is more likely to face a complaint from someone who deliberately chose to unsubscribe from receiving electronic messages from it, than from someone who did not unsubscribe.
Business to business communications are not exempt
There is a common misconception that emailing other businesses is exempt from CASL’s requirements. Although CASL contains a Business-to-Business (“B2B”) exemption, its application is quite narrow. It is not advisable to rely on that exemption for all B2B communications. Compu-Finder appears to have learned that the hard way. According to the CRTC’s news release, Compu-Finder’s $1.1 million fine allegedly arose from emails sent by Compu-Finder to other businesses.
To settle or not to settle (with the CRTC) – that is the question
An organization facing enforcement by the CRTC can respond to it in various manners.
First, it may challenge CASL’s enforcement before the CRTC’s tribunal and the courts. There are numerous grounds on which CASL can be challenged, including by launching a constitutional challenge to its application.
Alternatively, an organization can negotiate a settlement with the CRTC, as PlentyofFish and Porter did. There are many reasons for settling with the CRTC. For example, the penalty amount may be reduced in exchange for an undertaking to comply with CASL. A settlement may also have positive public relations consequences, as it sends a message that the organization is taking CASL seriously and intends to comply with it in the future.
There may be external stakeholders or interests that are driving the decision making process. For example, PlentyofFish has recently been sold to the New York based Match Group for $575 million . The negotiations for the sale could have been underway when the CRTC came knocking at PlentyofFish’s door. Presumably, settling with the CRTC (for an amount that can only be described as a “drop in the bucket”) removed a potential impediment to the sale.
CASL compliance and risk management
The most important lesson to be learned from this past year is that CASL compliance should form an integral part of all organizations’ risk management strategies. What Porter, PlentyofFish and Compu-Finder allegedly lacked was a proper CASL compliance policy. Organizations should develop and implement a comprehensive CASL compliance policy, or face the risk of being the next CASL enforcement targets.
- Swinging the privacy rights pendulum – The recent proposed amendments to Canada’s privacy law regime - November 28, 2023
- Breaking the “glassdoor” – Dealing with online reviews by employees - August 29, 2023
- The unreliability factor of using AI in the workplace - June 27, 2023