The Canadian Anti-Spam Legislation (CASL) is now showing that it has strong teeth. CASL requires companies operating in Canada to obtain affirmative opt-in consent prior to sending commercial electronic messages (CEMs), such as emails or text messages, within Canada. In addition, any CEM sent must contain certain identification information and provide recipients with a means of opting out or unsubscribing from future messages. These requirements were enacted in December 2010, and CASL provided a grace period that ended on July 1, 2014. Now that CASL is subject to enforcement, the Canadian Radio-television and Telecommunications Commission (CRTC), which is charged with enforcing CASL, has announced two enforcement actions that should place organizations operating in Canada on notice that violations of the law may result in significant penalties.
In the first announced action, on March 5, 2015, the CRTC’s chief compliance and enforcement officer issued a Notice of Violation and a CA$1.1 million penalty to a Quebec-based company, Compu-Finder, for four violations of CASL. These violations, which persisted from July 2014 to September 2014, allegedly included sending unsolicited email (including business-to-business messages) and failing to include a functioning unsubscribe mechanism. The CRTC also alleged that Compu-Finder “scoured” websites to obtain email addresses, and that Compu-Finder’s actions were the source of 26 percent of the spam complaints the CRTC received in the period Compu-Finder was sending the unsolicited emails. Under the terms of the Notice of Violation, Compu-Finder had thirty days to file written representations to the CRTC to contest the charges or to pay the penalty.
In the second action, the CRTC announced on March 25, 2015, that online dating website operator Plentyoffish Media Inc. entered into an undertaking (essentially, a binding promise that may be entered into before or after a Notice of Violation is issued) and paid CA$48,000 to the CRTC as an “administrative monetary penalty” for an alleged violation of CASL. In addition, Plentyoffish was required to develop and implement a program to ensure that its marketing activities comply with CASL, including staff training and education and the development of relevant corporate policies and procedures. The CRTC commenced its investigation of Plentyoffish following complaints that commercial emails Plentyoffish sent to its registered users from July 2014 through October 2014 did not have an unsubscribe mechanism that was clearly and prominently visible and readily performable. In comments, the CRTC noted the importance organizations must place on ensuring that the content of their CEMs meet CASL requirements. Notably, the Plentyoffish enforcement led to an undertaking, and it appears that no Notice of Violation will follow, likely because Plentyoffish took prompt steps to cease its CASL non-compliance by updating its unsubscribe mechanism to comply with law.
These cases did not involve the maximum administrative monetary penalties that the CRTC may seek under CASL: such penalties reach CA$10 million for organizations and CA$1 million for individuals. Other enforcement mechanisms available to the CRTC, beyond Notices of Violation and undertakings with administrative monetary penalties, include warning letters, preservation demands, production notices, and restraining orders. In addition, commencing July 1, 2017, individuals will have a private right of action under CASL. Individuals will be permitted to seek court orders awarding actual and statutory damages resulting from CASL violations; statutory damages may reach as high as CA$1 million for each day on which a CASL violation occurred. Note, however, that no private litigant may receive statutory damages for CASL violations where the defendant entity has received a Notice of Violation from, or has entered into an undertaking with, the CRTC. Thus, once the private right of action becomes available in mid-2017, entities that have failed to comply with CASL will have ample reason to cooperate with the CRTC if cooperation may lead to reduced remediation costs. Nevertheless, avoiding CASL violations should be a priority for all organizations conducting business in Canada. As a result, organizations should: (i) review their CEM mechanisms for CASL compliance, ensuring appropriate unsubscribe mechanisms are in place and that recipient consent has been obtained; (ii) ensure the implementation of robust CASL policies and procedures; and (iii) carry out CASL training in connection with general marketing compliance training.