EDITOR: | December 10th, 2015 | 11 Comments

CASL: A high-level look at the looming disaster

| December 10, 2015 | 11 Comments
image_pdfimage_print

Peter_Clausi1Sometimes Chicken Little is right. The sky is about to fall on every company that sends commercial email to any Canadian.

This is a large complicated issue to be digested in parts. Today is a high-level look at the looming disaster and we’ll get into details over the next few weeks.

It’s hard to believe that antispam legislation can be this disastrous, but it’s true. This is real. General Counsel, Risk Management and Compliance across Canada are scrambling to understand and then get in front of this issue, and the litigation lawyers see fortunes to be made from this. It is a massive problem and will get worse, with civil and criminal ramifications.

First off: CASL. Canadian AntiSpam Legislation. The full text of the statute is here. It applies across Canada, in every province and every territory.

Canada has the reasonable goal of wanting to increase the economy’s efficiency by discouraging spam. To help achieve this goal, under CASL, before you send an email for a business purpose you must have the intended recipient’s express or reasonably implied consent. If as the sender you can’t prove you had consent BEFORE you sent the message, you have sent spam and are in breach of CASL. If there is prior consent then it’s not spam and not a CASL breach.

(That’s a simple non-legal summary of the legislative impact. Next week we’ll get more technical with a more granular examination of the statutory definitions and exceptions.)

CASL compliance is about consent, not content. You need consent BEFORE you send the email. You cannot email someone to ask for consent to send that person email. If challenged, the onus is on you as the sender to prove you had prior consent.

Actually, it’s worse than that.

CASL applies not only to email but also to text messages, software updates, cookies, push marketing, BBMs, and any form of communication intended for an electronic account. It doesn’t matter whether the recipient is receiving the communication on a desktop, laptop, smartphone, tablet or smartTV, directly by email or through Facebook for business. It doesn’t matter whether it’s by WiFi, Bluetooth, NFC or ethernet; at home or in the mall; in the office or on the road. If you can’t prove you had consent BEFORE you sent the message to an account, you are in breach of CASL.

That’s draconian. And it’s even worse than that.

Every message you send must have a built-in unsubscribe feature. Must. If you don’t, you’re in breach of CASL.

The consequences of being in breach of CASL can be disastrous, including an investigation by the Canadian Radio-television Telecommunications Commission (CRTC) and possible fines. The maximum penalty for a violation is $1,000,000 for an individual and $10,000,000 for a corporation (section 20(4)). This doesn’t include the legal cost of defending against the investigation or the public relations fall-out that would have to be managed.

The statute is so broad, the consequences so harsh, that most of us in the compliance industry did not think it could be rigorously enforced. The CRTC simply lacked the resources or the will to enforce CASL in any meaningful way.

We were wrong.

In March of 2015, the CRTC gave notice of its intentions when it punished a numbered corp with an administrative monetary penalty of $1,100,000 for having sent emails without the recipients’ consents as well as for sending commercial emails that did not have a properly functioning unsubscribe mechanism. We didn’t criticize the penalty since the numbered corp was what we normally think of as a true spammer – atta go, CRTC!

Then Plenty of Fish got hit for $48,000. We didn’t really care since it’s a free dating website, so we all just giggled a little, albeit nervously.

We began to really care in June of this year when regional flyer Porter Airlines was hit by the CRTC for $150,000 for CASL breaches. And we really paid attention a few weeks ago when Rogers Communications agreed to a $200,000 fine, for the “offence” of sending corporate emails that did not always have a fully functioning “unsubscribe” mechanism.

Look at the email you send. Is there a fully functioning unsubscribe mechanism in every email you send?

Here is the link to the government of Canada’s website for these decisions.

These is some policy wisdom behind this for the empire builders at the CRTC. The CRTC has found itself marginalized over the years. There is no relevant battle left to be fought over television. Cable now polices itself – Bell watches Rogers who spies on Cogeco who tattle-tales on Shaw. Outside of the internet the CRTC has been reduced to a responsible parent in a room of sneaky but studious teenagers.

But on the internet, the CRTC has room to flex its muscles and carve out a space for itself.

And carve it is. The monetary penalties described above are bad enough. Then last week the CRTC announced it had issued its first warrant under CASL, aimed at a Toronto botnet server as part of a global effort to combat the Win32/Dorkbot malware. The warrant was granted by the Ontario Court of Justice and was carried out with the RCMP’s assistance.

A warrant is a court-blessed invasion into your affairs, allowing a law enforcement official to enter your home / business / car and peruse your personal affairs. Warrants are useful but dangerous government tools.

No one is going to complain about the CRTC getting a warrant to help attack a dangerous virus family, and that makes it the easy thin edge of the wedge. The larger question is, just as the CRTC went after Porter Airlines and Rogers after penalizing the true spammer, who will be next in the CRTC’s gunsights?

I have met with numerous companies to advise on this issue and assist them with getting into CASL compliance. They know that if challenged by the CRTC they have to be able to PROVE they are in compliance. That will consume IT and human resources as these issues are addressed. To date, I have seen only three companies that I believe are in full CASL compliance – everyone else is at risk of a CRTC investigation and penalty.

Wait, it gets even worse than that.

On July 1, 2017, anyone who alleges being affected by a CASL breach can apply to a judge for a order against the offender. In other words, I can sue you if you send an email to me and I don’t think I gave you consent in advance to send it. Then the onus is on you as the sender to prove you had my consent BEFORE you sent me that email.

The class action litigators are drooling over this. Director and officer insurance premiums will be affected as section 44 does impose liability for some corporate acts on the officers and directors. Data riders to general liability insurance will have to be purchased. Companies, both public and private, will have to be able to prove they are in CASL compliance or face class action litigation.

It is that bad and it is the law of Canada.

We will come back to CASL over the next few weeks to look at the law in greater detail. There are some exceptions and backdoors to be aware of, and the definitions matter. Until then, look at the email you send every day: are you in compliance? If not, you could be next.


Peter Clausi

Editor:

Mr. Clausi is an experienced investment banker, executive and director. A graduate of Osgoode Hall Law School called to Ontario's bar in 1990, Mr. Clausi ... <Read more about Peter Clausi>


Copyright © 2017 InvestorIntel Corp. All rights reserved. More & Disclaimer »


Comments

  • Janet

    This is a really good article Mr. Clausi and the first I have read on the subject that is so clear. Will definitely be watching for the next installment.

    December 10, 2015 - 2:03 PM

  • A high-level look at the looming disaster | casl cure

    […] the original post for the full […]

    December 10, 2015 - 4:12 PM

  • Upaknee

    Hi Peter,

    Excellent article! At Upaknee, we believe this is a very important conversation to be having. We first and foremost think that CASL is an important initiative, however, we would like to see the CRTC take priority in going after the major spam gangs in Canada, not Canadian corporations like Rogers and Porter Airlines. This will truly help to eliminate harmful CEMs.

    As a CASL-compliant cloud messaging company, we believe compliance can be easy and cost effective, given the right tools and information. Part of our duty as an anti-spam initiative is to make CASL less scary and the more we talk about it and share best practices for protection, the more we can enable organizations to be proactive in protecting themselves.

    Looking forward to your next article,

    The Upaknee Team

    December 10, 2015 - 5:19 PM

  • Adrian Nixon

    Hi Peter, A great piece of work, this will have lots of unintended consequences. I wonder how this applies internationally? The Canadian Government cannot act beyond its borders but visitors to your lovely country might have to think carefully if they feel exposed to this one…

    Adrian

    December 11, 2015 - 4:26 AM

  • Post navigation CASL: A high-level look at the looming disaster – How To Stop Junk Email

    […] Post navigation CASL: A high-level look at the looming disaster […]

    December 11, 2015 - 9:32 AM

  • David Collier-Brown

    I’m actually pleased to see the CRTC going after people with fake or failing “unsubscribe” buttons. All too many just throw the unsubscribe into the bit-bucket.

    Chose your email supplier carefully: if they’re Canadian, they’ll know how to handle CASL. Or they’ll be announcing bankruptcy (;-))

    –dave

    December 12, 2015 - 10:55 AM

  • Peter Clausi (author)

    Thanks, all, for the input. The response by email and by phone has been tremendous. To the poster from Upaknee, could you please email me directly at pclausi@brantcapital.ca so we can continue that discussion offline. Thanks.

    December 16, 2015 - 3:28 PM

  • 2016: Cybersecurity, Corporate Ebola and CASL | InvestorIntel

    […] in compliance has the potential to wipe out your company. It is that serious. See a recent article here that outlines why CASL should be seen as corporate […]

    January 11, 2016 - 12:24 PM

  • Breaking News: Another Warrant Issued Under CASL | InvestorIntel

    […] have in another article and in a video interview stressed the real dangers inherent in not being in CASL compliance. Yes, […]

    January 27, 2016 - 12:37 PM

  • Christopher Ecclestone

    Great piece.. Which raises a question. If I give my card to a company at a mining conference and ask them to add me to their mailing list, this presumably does not count! In any other context this would be something of an “invitation to treat” in the legal sense so why not when it relates to corporate communications?

    On a more prosaic level what happens when you drop your card into the fishbowl at a conference or a restaurant for a “free monthly draw”. This is obviously me knowing that the restaurant is fishing for addresses for a mailing list, but under CASL this is presumably seen as having nothing to do with establishing a relationship between myself and the “fish-bowl” owner. Canada is alas in the grip of a nanny-state mentality from on high that makes Scandinavia in the 1970s look like a “hands-off” society.

    February 29, 2016 - 6:00 AM

  • Peter Clausi

    Christopher, you’re asking the rights questions. Rather than “invitation to treat”, though, we have to distinguish between express and implied consent. There’s also the concept of “conspicuous publication” of your contact information. Finally, keep in mind this is larger than just “email”. So far we’ve helped about a dozen companies with their CASL issues, and the Human Resources element is as large as the technology solutions.

    February 29, 2016 - 10:05 AM

Leave a Reply

Your email address will not be published. Required fields are marked *