CASL: Small firms should care, too

Canada’s Anti-Spam Legislation, which came into force in 2014, has been a significant topic of discussion over the past few years. The upcoming end of the three-year transition period and the recently delayed private right of action that was to commence on July 1 has renewed the conversation.

Kevin Cheung
Canada’s Anti-Spam Legislation, which came into force in 2014, has been a significant topic of discussion over the past few years. The upcoming end of the three-year transition period and the recently delayed private right of action that was to commence on July 1 has renewed the conversation. For a variety of reasons, many small businesses, including sole and small law firms, have ignored CASL. Given the stiff penalties and the imminent end of the transition period, however, now is the time for you and your clients to review policy and procedures to ensure compliance.

More than spam

With “spam” in its title, CASL is, unfortunately, often misunderstood as being limited to spam. However, the legislation covers anybody that sends commercial electronic messages. CEMs are broadly defined in the legislation, and messages that may be helpful or not regarded as “spam” can be caught in the definition. For example, e-newsletters to your clients, press releases and links to your website and blog may all be considered CEMs. CEMs also encompass emails, texts, tweets and other social media messaging.    
 
CASL prohibits distributing CEMs without the express or implied consent of the recipient. Such messages must include standard forms such as sender identification information and an option to unsubscribe from future messages. The legislation also targets message routing by requiring express consent for altering the transmission data or the rerouting of a message to a different location than that specified by the sender. CASL also targets spyware/malware by prohibiting the installation of a computer program on a user’s device without express consent.  

The law has been phased in over three years, beginning on July 1, 2014.  July 1 of this year marks the end of the transition period and also was supposed to be the beginning of a private right of action. However, the federal government recently postponed the coming into force of the ability to sue for CASL violations, pending further review of the legislation. Despite the three-year transition, surveys suggest that businesses, large and small, still do not fully understand CASL.   

While the private right of action has been suspended, the administrative monetary penalties are still in force. They are severe and can destroy small firms. The Canadian Radio-television and Telecommunications Commission has the power to levy fines against individuals up to $1 million and corporations up to $10 million. The CRTC has already levied significant fines (i.e., $1.1 million fine against Compu-Finder, $200,000 against Rogers Media Inc. and $150,000 against Porter Airlines). Harsh enforcement against legitimate small businesses may be unlikely, but the private right of action would expose such businesses to multiple lawsuits or class actions.

While the intent of CASL was to target organized spamming, distributors of malware and identity thieves, the lack of exemptions for those sending legitimate CEMs or those sending limited amounts of emails means that even small firms and businesses must comply.

Consent is key

Compliance with CASL revolves around consent by the recipient of CEMs. Consent can be implied or express.

Implied consent comes with conditions. Existing business and non-business relationships as of July 1, 2014 became implied consents that expired, at the latest, on July 1 of this year. This gave businesses three years to obtain express consent to CEMs. Implied consents are still valid, but they come with expiration dates. As such, proper and updated record keeping of the nature and timing of consents is extremely important. Furthermore, firms and their business clients should have procedures to obtain express consent.        

Pain points for small firms and businesses  

For sole and small firms, the lawyer is the communications and marketing department. It is, therefore, incumbent upon you to understand how CASL works. Like many small businesses, small firms may mistakenly think CASL does not apply to them as they do not distribute traditional “spam.” They may believe that they do not have the technology or budget to do all that is required to comply with the legislation. Many businesses are left not knowing how to come into compliance or believe it will be too much work to do so. Many are also unaware of the severe monetary penalties for violations or the fact that, if they serve as directors or officers, they may be personally liable for their organization’s breaches of CASL.  

Small firms need to review their CEMs and develop policies and procedures to ensure compliance. The confusion over the legislation is also an opportunity to help clients and potential clients better understand CASL.       

Despite the delay of the private right of action, CASL is here to stay in one form or another. While there is a cost to adapting to the legislation, the potentially devastating consequences of non-compliance mean firms and their clients, no matter what the size of the organization, cannot afford to ignore the legislation any longer.