Federal government looks to overhaul parts of CASL

Four years after Canada's Anti-Spam Legislation was enacted, the Ministry of Innovation, Science and Economic Development has pledged to change it, in response to a parliamentary committee, which pointed to glaring flaws that were creating confusion for those trying to comply with the law.

Stikeman Elliott LLP lawyer David Elder says getting explicit consent before they can reach out to people has proven to be a challenge for charities.


In December of last year, the standing committee on industry, science and technology delivered a report to Parliament titled “Canada’s Anti-Spam Legislation: Clarifications are in Order.”

“Basically, CASL is well-intentioned legislation that was poorly executed. It is overly prescriptive, overly broad and has penalties that, if applied as written, can lead to disproportionate penalties on companies who are trying to comply,” says Michael Fekete, partner at Osler Hoskin & Harcourt LLP.

CASL was intended to protect people from receiving unsolicited commercial electronic messages via email, social networking accounts and text messages, as well as to combat false representations of products and services promoted online. It also prohibited installing computer programs during commercial activity without the express consent of the person operating that computer system.

According to the government’s report, the standing committee had based its recommendations on consultation with the CRTC, the Competition Bureau and the Office of the Privacy Commissioner, which are the three agencies tasked with enforcing the act, as well as charities, large and small businesses, non-profits, experts and other stakeholders, all of whom served as witnesses.

Responding to the committee’s findings, the government said it will clarify certain definitions and provisions in the act, including what qualifies as a commercial electronic message, whether business-to-business messaging fits this definition, the definition of “electronic address,” the provisions regarding implied consent and express consent and the act’s application to charities and non-profits.

The government said it will undertake a further consultation process with stakeholders in order to adjust the law.

“We advise hundreds of clients with CASL and clients who are very much trying to do everything they can to comply but find the prescriptive rules in CASL to be challenging in day-to-day operations,” says Fekete.

“The definition of commercial electronic message is very broad and rather than making it clear that its messages are promotional or marketing in nature, the statute is drafted in a way that may capture messages that are more information-oriented but have tangential marketing benefits. But it’s not the primary purpose for which the message is sent,” he says.

For example, customer satisfaction surveys, newsletters for customers and recall notifications, though not intended to encourage the receiver to purchase something, can run afoul of the law, which is probably not what Parliament intended, says Fekete.

The provisions in CASL that prohibit the installation of computer programs, including updates, need a “serious rethink,” he says.

Though much of CASL is based on laws active in other jurisdictions, Fekete says the provisions on installation are unique.

“The compliance with those provisions is exceptionally difficult in a world where software is ubiquitous, software operates in the background and often operates on devices, which do not have a user interface,” he says.

The Canadian approach to “implied consent,” as in when a consumer can reasonably expect to receive an electronic communication, is much more rigid in CASL than in other jurisdictions, and its definition, as well as the definition of “express consent,” is too prescriptive, says Fekete.

Another recommendation was that the government reconsider how the law applies to charities, business-to-business communications and non-profits.

The consent requirements for charities may be too strict, says David Elder, counsel and chief privacy officer for Stikeman Elliott LLP.

“To have to get explicit consent before they can reach out to people, generally, is proven to be a challenge for a lot of those organizations who are already challenged to raise funds,” he says.

In July 2017, a private right of action was intended to come into effect, which would allow anyone who received an unsolicited commercial electronic message to sue. The private right of action was scheduled for three years after enactment but was suspended indefinitely.

According to the act, the suing party would not have to prove any costs incurred from the spam and could get up to $200.

“Theoretically, anyone who gets a marketing email message that they didn’t consent to could sue for $200,” says Elder.

Marketing is not typically done with one message at a time; marketers will often send out 100,000 messages at a time, says Elder.

“There you have a notional class of 100,000 people who got a message that they weren’t supposed to. Multiply that for $200 a pop and that makes for a pretty attractive settlement,” he says.

The overly broad standing to sue, prescriptive nature of the statute and no need to prove actual damages make the private right of action problematic, says Fekete.

“The private right of action, as drafted, creates the perfect storm conditions for frivolous class actions,” says Fekete.

In the government’s report, it states that, regarding the private right of action, it intends to “investigate further” its impact and consider whether damages should be awarded when a party can prove a tangible harm.

Fekete says that to fix the statutory right of action, the government may need to limit standing to sue to organizations that are significantly impacted by spam and malware or simply not bring it into force.

In general, Fekete says, the scope of the legislation needs to be made clearer and less broad, and prescriptive rules need to be replaced with more general, technology-neutral language that allows organizations to be creative in how they meet transparency and consent requirements.

“I know that the government is aware of the problems in the legislation and it would surprise me if they don’t take steps to address those problems because it would be beneficial for everybody. There’s good public policy reasons to make the tactical changes to the legislation that can be made to achieve the appropriate balance,” Fekete says.