The CRTC could use Big Chicken for CASL

Morgan Spurlock is back!  You’ll remember Spurlock from his 2004 documentary Supersize Me, where he combined sharp film-making skills with performance art in eating nothing but food off the McDonald’s menu for a month. His dramatic weight gain and precarious decline in health over a mere 30 days of fast food offered a shocking real-world commentary on our everyday lives.

Now he’s back, with Supersize Me2:  Holy Chicken which premiered at the Toronto International Film Festival this week. This time, his work looks at the chicken industry, and more particularly, the words used by “Big Chicken” to convince the public that it’s healthy to eat fried chicken and reformulated chicken bits.

Big Chicken’s marketing approach is based on its use of language to change our behavior. Health-conscious consumers now avoid “deep fried chicken”, so instead they call it “crispy” or “grilled”, because that sounds healthier. A crispy chicken sandwich is just deep fried chicken in a sandwich, but it sounds so much healthier now. Big Chicken uses “free range”  to conjure up images of blissed-out chickens clucking through natural fields of abundant food; in reality all it means is that a door was left open on the enclosure to give the chickens the option of going into another small enclosure, even if none of the chickens actually left the crowded living area.

Have you heard any advertisements that chicken is “hormone free”. Of course it is! The use of hormones is illegal in the industry so all chicken you eat is hormone free, but again, the language is meant to shape our behaviour.

I wish someone in the Big Chicken industry would go to work for the CRTC.

The CRTC  is Canada’s Radio-Television and Telecommunications Commission. It was created in 1976 to regulate broadcasting and telecommunications, and its jurisdiction has crept into the enforcement of internet-related regulatory issues, which means the CRTC is the primary body enforcing Canada’s AntiSpam Legislation (CASL).

The CRTC has been enforcing CASL since CASL came into force in July, 2014. Throughout the transition periods the CRTC did a good job of communicating with the public. It educated us as to what was expected to be in compliance, toured across the country to meet with stakeholders, gave some idea of what the penalties would be for non-compliance, and followed through with enforcement activity. The CASL enforcement division of the CRTC was generally a responsive public-friendly group, with a useful informative website.

The CRTC then named the violators, punished them, and advertised the results so as to shape the behaviour of everyone subject to the law.

The system was working.

Then the CTRC got blindsided by Navdeep Bains. Mr. Bains, who is Canada’s Minister of Innovation, Science and Economic Development, gutted the CRTC’s CASL process, in response to pressure from self-interested lobby groups. For a full explanation of what he did and why it was a disappointing failure of leadership, click here.

Since then, we’ve heard nothing from the CRTC on its CASL approach. The usually public-friendly department has gone radio silent, not even responding to my telephone and email requests for guidance on future compliance.

Whether you approve of CASL or you hate it (and I recognize the haters far outnumber the approvers), it is the law of the land and it must be obeyed. The CRTC is the primary regulatory charged with its enforcement, both within Canada and internationally. As people subject to that law, we have the right to know the CRTC’s interpretations of some of the murkier sections, how it will enforce breaches, how it will integrate CASL with the new privacy and data laws in Canada and abroad, and what is its overall theme on CASL.

To not give this guidance is unfair to everyone subject to the law (that is, everyone who sends email), to the lawyers who are trying to advise on it, to the auditors trying to assess risk related to it, to Human Resources trying to build employee compliance, and to third parties who have built businesses on CASL compliance.

Big Chicken has figured out that the language used can be more important than the substance of the thing being discussed, and that how we describe things can change behaviour. The CRTC needs to return to its public-friendly approach so that we know how to behave to stay within the law. Crispy chicken, anyone?

The CRTC War on Spam starts nailing the little man

This Man was Fined $15,000 for Sending Marketing Emails – CASL and the CRTC

You run your own business. You’re not a corporation, you’re just one person working out of your basement. Cash flow is a little tight so you need a little more revenue. You email a simple marketing flyer to prospective customers. BOOM! The CRTC whacks you with a $15,000 fine.

Unlikely scenario? It happened last week to William Rapanos.

For the first time, the Canadian Radio-television and Telecommunications Commission (CRTC) fined an individual for CASL breaches, and if it happened to him, it can happen to you. The decision on the CRTC website is here.

Rogers Media, PlentyofFish Media, Porter Airlines, Kelloggs… all well-known corporate names that have been fined under CASL. The high-water mark is a fine of $1,100,000 issued to a numbered corp doing business as CompuFinder. Rapanos is the first human to be hit.

We’ve been warning of CASL (Canada’s AntiSpam Legislation) and its potentially horrific consequences since prior to its enactment by the feds in 2014. There are two key components to CASL. Number one is that before you send a business email or text, you have to have that intended recipient’s consent to receive that email or text AND you have to be able to prove you actually had that consent. Number two is that your emails must be transparent and contain an unsubscribe feature.

There are other sections and subtleties, but for today those are the guts of the statute.

What did Rapanos do to attract the CRTC’s attention? He emailed an inoffensive marketing flyer, in which he advertised being able to design and deliver flyers through Canada Post. The email didn’t include an unsubscribe feature or the other features required by the statute. Fifty people complained to the CRTC about receiving this flyer by email.

That’s all it took, fifty complainers. The CRTC investigated. Rapanos was fined $15,000.

Granted, he didn’t help himself. A notice from the CRTC is not a casual document – it is the start of an investigation from a regulator who has shown a willingness to fight at street level (recall that the CRTC has already obtained two separate warrants under CASL, enforced by the police). Rapanos’ response was that an unknown person hacked his router and the emails weren’t sent by him. Trumplike, he offered no evidence for this bald assertion and so his defence failed. As the CRTC held, “It is highly improbable … that Mr. Rapanos was the victim of an identity theft orchestrated solely for the purpose of sending unsolicited [emails] advertising a flyer distribution business.”

Think of the resources the CRTC must have dedicated to the investigation, prosecution and his appeal. Yes, Rapanos clearly breached the statute, but he’s a small time offender. All he did was use the internet to offer his services to a new target market. Who did he offend in a previous life to earn this kind of bad karma? He’s just a little guy.

And that, I think, is the point. This wasn’t a knee-jerk reaction from the regulator, and it wasn’t a random decision to prosecute him. Fifty complaints is a pittance. This was a carefully planned message, and that message is, no one is immune from CASL. Whether you’re the size of media giant Rogers or a little guy like William Rapanos, CASL applies to you. You’ve been warned.

It will get worse on July 1, 2017. As we’ve pointed out before (most recently here) that is when a new private right of action (PRA) is created by CASL. In other words, if you send an email, and you can’t prove you had prior consent to send it, the recipient can sue you. Then the onus is on you as the sender to prove you had prior consent to send it, not on the recipient to disprove it. This PRA supports class action litigation, and just to make it a full roundhouse kick in the groin, damages are assumed, which means the plaintiff wouldn’t even have to prove damages to win.

This is the law of the land, from the Arctic Circle to the Great Lakes waters. The CRTC has made it clear that we are all subject to it.

This isn’t an attack on the CRTC. Sure, that government body has messed up many times (follow Mark Goldberg on twitter @Mark_Goldberg for his frontline view of the CRTC’s travails), but here, it’s merely enforcing the law.

To their credit, the CRTC staff have done their best to warn us. They have toured the country holding information sessions, before the legislation was enacted and after. The website is full of useful, easy-to-read information. They have clearly communicated their intentions to the public. The CRTC also partnered with New Zealand to fight global spam. The problem is, the public hasn’t been listening.

Rapanos was picked to force you to listen. Get into CASL compliance now so you’re not the next one tied to the whipping post.

CASL – imposing fines to work.

What do the NFL Playoffs and CASL have in common? Freakonomics

Last September we looked at the NFL preseason, with the NFL imposing fines after the games for activities carried out during preseason play. The Commissioner’s office wanted to shape behaviour and used monetary penalties to effect the change it wanted, before the regular season began.

At that time we said, “The NFL told its teams that it would be enforcing the roughing rules more closely, and has followed through on that with financial penalties. Other players have to be taking notice and consequently changing how they play the game to comply with the rules.”

Now the regular season is over and we’re in the playoffs. The NFL is not levying those same fines, which leads one to believe the underlying behaviour has changed, meaning the financial penalties worked. The players are playing the game differently. Levitt and Dubner at Freakonomics would be impressed.

Freakonomics was an immensely influential book. Published in 2005, in addition to being fun and witty, it was one of the first books to bring data mining to the masses, showing how fresh looks at data can describe why people behave the way they do. Levitt and Dubner theorized that social, moral and financial incentives could explain why teachers cheated in Chicago, why the USA’s national violent crime rate fell, why sumo wrestling in Japan is often as scripted as the WWE, and why good parenting could have minimal impact on a child’s education.

Levitt and Dubner described the world as a system of intentional and accidental moral, social and financial incentives working  as push/pull levers to shape behaviour. Their work is as much sociology as it is economics. But it’s hard to argue with this theory, that incentives can cause us to change our behaviour.

This is the theory that has been embraced by the CRTC  (Canada’s Radio-Television and Telecommunications Commission). Created in 1976 to regulate broadcasting and telecommunications, the CRTC’s jurisdiction has crept into the enforcement of internet-related regulatory issues, which means the CRTC is the primary body enforcing Canada’s AntiSpam Legislation (CASL).

The CRTC has been levying Administrative Financial Penalties since CASL came into force in July, 2014. New rules governing computer programs came into force the following January. The CRTC has named the violators, punished them, and advertised the results so as to shape the behaviour of everyone subject to the law. The CRTC has even obtained two warrants to enter business premises to enforce CASL.

Visit the CRTC’s website here for the statute itself, the regulations, and the penalties already levied. The CRTC has defined the high standards it expects to be observed, and has made it clear that it won’t take violations lightly.

The NFL might be in the playoffs but CASL is just finishing its preseason. The regular season begins July 1, 2017.

That date is when a new private right of action is created by statute. In other words, if you send someone an email, and you can’t prove you had prior consent to send it, the person receiving that email can sue you. The onus is on you as the sender to prove consent, not on the recipient to disprove it.

Even worse for the sender of email, damages are assumed, which means the plaintiff is assumed to have been monetarily hurt by receiving an unwanted email. Further, this private right of action supports class action litigation.

If you want to research the basics of CASL and why your highly-paid defence lawyers will be very happy you’re not in compliance, go here. Please note this doesn’t apply only to what is typically thought of as ‘spam’; CASL applies to every email and text message you send.

Are you ready for CASL’s regular season? As we’ve said before, the CRTC has made it clear that a CASL-compliant model includes:

  1. a senior executive to champion the creation and implementation of your compliance model
  2. a senior executive to supervise compliance and respond to potential breaches
  3. Human Resources to add sections to the Employee Handbook on the proper use of email addresses and phone numbers
  4. initial training of all staff, directors and management
  5. annual testing to ensure continued compliance
  6. a technology model that has been architected to achieve all the business goals set out in CASL and as interpreted by the CRTC
  7. initial and on-going stress testing of the system

The incentives are in place to shape CASL-compliant behaviour. Perhaps CASL and its impacts can be a chapter in the next instalment of Freakonomics.

The CASL Fines are Starting to Pile Up

CASLThe CRTC recently rolled out another conviction under CASL.

Here are the barebones of CASL compliance from a video interview last January:

CASL is a piece of legislation with good intentions. It’s meant to enhance Canada’s economy and increase efficiencies by eliminating waste. That sounds great. What the government has done is passed a law that says if you send an electronic message to another person’s account you must have that person’s consent before you send that message. Notice it doesn’t say email. It says electronic communication. Notice it doesn’t say email account. The legislation reads, to an account. As a result it is so broad, so encompassing, that it catches every aspect of your business.

After talking about it since 2012, it was about a year ago that we started emphatically writing about Canada’s AntiSpam Legislation (“CASL”), when we wrote, “it is by far the most pernicious legislation I’ve ever seen.”

In another article we called it “corporate ebola” and elsewhere said that it poses a tremendous uninsurable risk for every business sending or receiving email in Canada.

We also warned that under CASL the CRTC (Canadian Radio-Television and Telecommunications Commission) had the power to obtain warrants, enforceable by the Royal Canadian Mounted Police. We can’t think of anyone who took it seriously at the time. They did when the CRTC obtained and enforced two warrants under CASL. Suddenly businesses were paying a bit more attention.

Other companies have treated CASL casually, and paid a hefty price. Look at CompuFinder (fined $1,100,000 for CASL infractions), Porter Airlines ($150,000), Plenty of Fish ($48,000), Rogers Media ($200,000) and Kellogg’s ($60,000).

From inside sources we know that Rogers’ legals for internal and external counsel was roughly $2,000,000, not including lost time and the resources then consumed by an after-the-fact compliance effort.

Look at the article here for background and links to prior articles spelling out what CASL is, what its requirements are, and why it will be extremely difficult to comply without a management-led attack on the issue.

The CRTC has told us it will enforce CASL to exacting high standards. An Enforcement Advisory published earlier this year described those very high standards.

That’s all background. On October 26, 2016, the CRTC found that Blackstone Learning Corp. committed nine violations of CASL by sending commercial electronic messages without consent, and imposed an administrative monetary penalty (AMP) of $50,000 on the company. The really scary part was that in the original notice of violation, the CRTC was seeking a AMP of $640,000. Six hundred and forty thousand dollars, for sending business emails.


So picture Blackstone getting that Notice of Violation. Its board of directors had a difficult decision to make: pay the $640,000 AMP, or pay its lawyers a crippling amount of money to fight the CRTC in the hope of having that AMP reduced to a manageable level. I don’t know how much Blackstone paid, but I do know the legal industry, so my guess is the legals for this process were at least $300,000. Not an easy decision.

Blackstone sent emails primarily to government employees, advertising educational and training services offered by the company. The employees complained to the CRTC that they had not consented to receiving those emails. The onus was then on Blackstone to prove to the CRTC that it had prior consent to send the emails. Since Blackstone could not prove on a balance of probabilities that it had express or implied consent, the CRTC found Blackstone guilty.

The Blackstone facts also addressed the internet practice known as “scraping”. Also known as “web harvesting” and “web data extraction”, scraping is an automated process that extracts information from thousands of websites. In this context, the target information is all email addresses posted at that website, and then the scraper will use that contact information to market its services to those email addresses. How those publicly posted email addresses can be legally used is called “the conspicuous publication exemption”.

For the first time, the CRTC offered a detailed analysis of the “conspicuous publication exemption” found in section 10 (9)(b) of CASL. That’s the good news, as it provides guidance and some certainty for compliance departments and Heads of Risk. The bad news is, the CRTC interpreted the exemption fairly narrowly, which guarantees future violations.

Here’s the CRTC’s own words from section 28 of the reasons:

Paragraph 10(9)(b) of the Act does not provide persons sending commercial electronic messages with a broad licence to contact any electronic address they find online; rather, it provides for circumstances in which consent can be implied by such publication, to be evaluated on a case-by-case basis. Pursuant to section 13 of the Act, the onus of proving consent, including the elements of implied consent under paragraph 10(9)(b) of the Act, rests with the person relying on it.

In its reasons, the CRTC did knock down the AMP to $50,000 from its initial $640,000, but think of the incredible legal fees Blackstone had to incur to achieve that. And that’s the reason we get so worked up about CASL; it’s not the potential for fines, it’s the staggering legal costs involved in defending a Notice of Violation. There aren’t many companies that can digest millions of dollars of uninsurable legal fees.

And it’s going to get worse. As of July 1, 2017, the CRTC isn’t your worry. As of that date, a private right of action will be created, which means that anyone can sue you and allege that you breached CASL. Then, as the CRTC pointed out in Blackstone, “the onus of proving consent … rests with the person relying on it.

That private right of action is supportable by class action litigation, with plaintiff lawyers working on contingency. Meanwhile, the legal defence fees will be in the millions of dollars.

It’s cheaper to get into compliance than to pay your lawyers. Get into compliance with CASL now.

Strap on your Helmet …

InvestorIntel_helmet01… and put in your mouthguard. The summer of 2017 is going to be brutal.

I’m not talking climate change, TrumpAftershock, the death of bumblebees, racism, the global shortage of cobalt or a refugee crisis. This is about the world-wide implications of the CRTC (Canadian Radio-Television and Communications Commission) enforcing Canada’s AntiSpam Legislation (CASL).

Unless you like paying global lawyers obscene amounts of money, pay attention.

The background to CASL is here. There are hotlinks in that article linking backwards to prior articles looking at the broad scope of the legislation, the search warrants already obtained by the CRTC under CASL (!!!), and the incredibly high standard of compliance required to meet the law.

CASL really has only two key requirements. The first is that you, as the sender of a commercial electronic message (CEM) (including any business email or text), are prohibited from sending that CEM unless you can prove you had prior consent to send it to that person. You have to be able to prove you had prior consent. You can’t email someone to ask for consent to email them.

Second, all CEM’s must be transparent – it must clearly disclose who the sender is and it must include a simple unsubscribe link. This element is fairly straightforward. If you apply some business intelligence, human resources training and forethought, you can comply with this part of CASL.

It all seems simple, doesn’t it.

Whether you like these two elements is not relevant. This has been the law in Canada for several years. It doesn’t matter if you think it’s a silly law or a disproportionate one – this is a law with global exposure, as the CRTC has assumed jurisdiction if the email is sent or received in Canada (just passing through an ISP doesn’t count). Does your business operate outside of Canada but email into Canada on occasion? You’re caught. Are you a Canadian business sending any email outside of Canada? You’re caught too.

It doesn’t matter if you don’t think you’re sending spam. Technically, even the sending of one errant email brings you within CASL’s walls.

The first element above is going to be the one that gets you in trouble. The CRTC seems to think so, too. Last week the Enforcement Branch of the CTRC issued an Enforcement Advisory titled “Notice for businesses and individuals on how to keep records of consent”. It’s a short scary document – please read it and then come back.

Scary, eh? How’s this sentence from the Advisory:  “The onus of proving consent always remains with the person(s) sending, causing or permitting the sending of CEMs.”

This reminds me of my time articling with Gord Wood and Geoff Adair. I began litigating, believing in the romantic abstraction that truth will be revealed and justice will be served. Mr. Adair, a renowned insurance litigator, knocked it into my naive head that the truth doesn’t matter in a court of law – only the truth you can prove. Find your facts, go get the evidence you need. What evidence do you have to support your position? If you can’t prove it, it doesn’t matter.

Likewise, the having of consent under CASL is not relevant. What matters is being able to prove you had that prior consent. Not being able to prove you had prior consent is the same as having no consent at all. You lose.

The CRTC has given all of us fair notice that this is the standard it expects to be met. You can’t say you weren’t warned.

But a CRTC isn’t really the problem. The Commission’s limited resources mean you can probably sleep at night without worrying about the CRTC showing up at your office tomorrow. What you should be afraid of is July 1, 2017. Mark that date in your calendar. That’s the day when your company’s breaches of CASL, until then relatively innocuous, can be punished by a private right of action. Anyone to whom you send an email or text will have the right to sue – all they have to prove is that they received your message, and then the onus shifts to you to prove you had prior consent to do so.

That’s what CASL itself and the CRTC’s Enforcement Advisory are telling us.

After you get sued, you will then need to put forward evidence that you had prior consent to send that email. This would be part of the discovery process in the litigation, and since this type of litigation supports class action litigation, your legal bills are going to be astronomical. And if any of the recipients are outside of Canada, watch for creative aggressive plaintiff counsel to figure out ways to trace liability back to that jurisdiction. Double the litigation, double the legal expenses.

Those legal bills may not be covered by insurance. To date, to the best of my knowledge, no insurance company has yet written a policy that will cover legals for CASL breaches, or pay damages for those breaches. (I met someone in Winnipeg who thought there might be an Alberta insurer underwriting this under a broad Comprehensive General Liability policy, but I haven’t seen it yet.)

Think of the CRTC having jurisdiction as being the pre-season. The season starts in 11 months when the private right of action is created. What do you need?

  1. a senior executive to champion the creation and implementation of your compliance model
  2. a senior executive to supervise compliance and respond to potential breaches
  3. Human Resources to add sections to the Employee Handbook on the proper use of email addresses and phone numbers
  4. initial training of all staff, directors and management
  5. annual testing to ensure continued compliance
  6. a technology model that has been architected to achieve all the business goals set out in CASL and as interpreted by the CRTC
  7. initial and on-going stress testing of the system

All of these items work together to create your due diligence defence.

This is not an easy list and it cannot be satisfied overnight. My best advice is to immediately investigate the out-sourcing of the technology model on an ongoing basis, and create your own internal HR and corporate policies to show best practices.

You’re in the game whether you want to be or not, so get your equipment on.

CASL: A high-level look at the looming disaster

Peter_Clausi1Sometimes Chicken Little is right. The sky is about to fall on every company that sends commercial email to any Canadian.

This is a large complicated issue to be digested in parts. Today is a high-level look at the looming disaster and we’ll get into details over the next few weeks.

It’s hard to believe that antispam legislation can be this disastrous, but it’s true. This is real. General Counsel, Risk Management and Compliance across Canada are scrambling to understand and then get in front of this issue, and the litigation lawyers see fortunes to be made from this. It is a massive problem and will get worse, with civil and criminal ramifications.

First off: CASL. Canadian AntiSpam Legislation. The full text of the statute is here. It applies across Canada, in every province and every territory.

Canada has the reasonable goal of wanting to increase the economy’s efficiency by discouraging spam. To help achieve this goal, under CASL, before you send an email for a business purpose you must have the intended recipient’s express or reasonably implied consent. If as the sender you can’t prove you had consent BEFORE you sent the message, you have sent spam and are in breach of CASL. If there is prior consent then it’s not spam and not a CASL breach.

(That’s a simple non-legal summary of the legislative impact. Next week we’ll get more technical with a more granular examination of the statutory definitions and exceptions.)

CASL compliance is about consent, not content. You need consent BEFORE you send the email. You cannot email someone to ask for consent to send that person email. If challenged, the onus is on you as the sender to prove you had prior consent.

Actually, it’s worse than that.

CASL applies not only to email but also to text messages, software updates, cookies, push marketing, BBMs, and any form of communication intended for an electronic account. It doesn’t matter whether the recipient is receiving the communication on a desktop, laptop, smartphone, tablet or smartTV, directly by email or through Facebook for business. It doesn’t matter whether it’s by WiFi, Bluetooth, NFC or ethernet; at home or in the mall; in the office or on the road. If you can’t prove you had consent BEFORE you sent the message to an account, you are in breach of CASL.

That’s draconian. And it’s even worse than that.

Every message you send must have a built-in unsubscribe feature. Must. If you don’t, you’re in breach of CASL.

The consequences of being in breach of CASL can be disastrous, including an investigation by the Canadian Radio-television Telecommunications Commission (CRTC) and possible fines. The maximum penalty for a violation is $1,000,000 for an individual and $10,000,000 for a corporation (section 20(4)). This doesn’t include the legal cost of defending against the investigation or the public relations fall-out that would have to be managed.

The statute is so broad, the consequences so harsh, that most of us in the compliance industry did not think it could be rigorously enforced. The CRTC simply lacked the resources or the will to enforce CASL in any meaningful way.

We were wrong.

In March of 2015, the CRTC gave notice of its intentions when it punished a numbered corp with an administrative monetary penalty of $1,100,000 for having sent emails without the recipients’ consents as well as for sending commercial emails that did not have a properly functioning unsubscribe mechanism. We didn’t criticize the penalty since the numbered corp was what we normally think of as a true spammer – atta go, CRTC!

Then Plenty of Fish got hit for $48,000. We didn’t really care since it’s a free dating website, so we all just giggled a little, albeit nervously.

We began to really care in June of this year when regional flyer Porter Airlines was hit by the CRTC for $150,000 for CASL breaches. And we really paid attention a few weeks ago when Rogers Communications agreed to a $200,000 fine, for the “offence” of sending corporate emails that did not always have a fully functioning “unsubscribe” mechanism.

Look at the email you send. Is there a fully functioning unsubscribe mechanism in every email you send?

Here is the link to the government of Canada’s website for these decisions.

These is some policy wisdom behind this for the empire builders at the CRTC. The CRTC has found itself marginalized over the years. There is no relevant battle left to be fought over television. Cable now polices itself – Bell watches Rogers who spies on Cogeco who tattle-tales on Shaw. Outside of the internet the CRTC has been reduced to a responsible parent in a room of sneaky but studious teenagers.

But on the internet, the CRTC has room to flex its muscles and carve out a space for itself.

And carve it is. The monetary penalties described above are bad enough. Then last week the CRTC announced it had issued its first warrant under CASL, aimed at a Toronto botnet server as part of a global effort to combat the Win32/Dorkbot malware. The warrant was granted by the Ontario Court of Justice and was carried out with the RCMP’s assistance.

A warrant is a court-blessed invasion into your affairs, allowing a law enforcement official to enter your home / business / car and peruse your personal affairs. Warrants are useful but dangerous government tools.

No one is going to complain about the CRTC getting a warrant to help attack a dangerous virus family, and that makes it the easy thin edge of the wedge. The larger question is, just as the CRTC went after Porter Airlines and Rogers after penalizing the true spammer, who will be next in the CRTC’s gunsights?

I have met with numerous companies to advise on this issue and assist them with getting into CASL compliance. They know that if challenged by the CRTC they have to be able to PROVE they are in compliance. That will consume IT and human resources as these issues are addressed. To date, I have seen only three companies that I believe are in full CASL compliance – everyone else is at risk of a CRTC investigation and penalty.

Wait, it gets even worse than that.

On July 1, 2017, anyone who alleges being affected by a CASL breach can apply to a judge for a order against the offender. In other words, I can sue you if you send an email to me and I don’t think I gave you consent in advance to send it. Then the onus is on you as the sender to prove you had my consent BEFORE you sent me that email.

The class action litigators are drooling over this. Director and officer insurance premiums will be affected as section 44 does impose liability for some corporate acts on the officers and directors. Data riders to general liability insurance will have to be purchased. Companies, both public and private, will have to be able to prove they are in CASL compliance or face class action litigation.

It is that bad and it is the law of Canada.

We will come back to CASL over the next few weeks to look at the law in greater detail. There are some exceptions and backdoors to be aware of, and the definitions matter. Until then, look at the email you send every day: are you in compliance? If not, you could be next.