Preparing for CASL’s Private Right of Action

By Bradley J. Freedman, Katherine M. McNeill , Ira Nishisato | September 9, 2018

Organizations should take steps now to verify their CASL compliance

Mitigate the risks of CASL regulatory enforcement and private litigation.

Commencing July 1, 2017, CASL contraventions will be subject to enforcement through private litigation, including class proceedings, by individuals and organizations seeking compensatory damages and potentially substantial statutory damages.

CASL - Overview

CASL creates a comprehensive regime of offences, enforcement mechanisms and potentially severe penalties (including liability for employers and corporate directors and officers) designed to prohibit unsolicited or misleading commercial electronic messages, the unauthorized commercial installation and use of computer programs on another person's computer system and other forms of online fraud (such as identity theft and phishing).

For most organizations, the key parts of CASL are the rules for sending commercial electronic messages ("CEMs"). Subject to important but limited exceptions, CASL creates an opt-in regime that prohibits the sending of a CEM unless: (1) the recipient has given consent (express or implied in limited circumstances) to receive the CEM; (2) the CEM complies with prescribed formalities (including information disclosure and an effective and promptly implemented unsubscribe mechanism); and (3) the CEM is not misleading in any respect (including in the sender information, subject matter information and body of the message). An organization that sends a CEM has the onus of proving that the recipient consented to receive the CEM.

Subject to important but limited exceptions, a CEM is any kind of electronic message (e.g. email, text messages and social media private messages) sent to an electronic address if one of the message's purposes (not limited to the sole or primary purpose) is to encourage the recipient to participate in a commercial activity (e.g. a transaction, act or conduct of a commercial character), regardless of expectation of profit. In addition, an electronic message sent to request consent to receive CEMs is deemed a CEM. Subject to important but limited exceptions, the CEM rules apply to a CEM if a computer system in Canada is used to send or access the CEM, regardless of the location of the sender or recipient. The CEM rules apply even if a CEM is sent to a single recipient.

An organization is liable for CASL contraventions by the organization's employees and agents (including independent service providers engaged by the organization to send CEMs on the organization's behalf) acting within the scope of their employment or authority. A corporate director or officer is liable for the corporation's CASL contraventions if the director or officer "directed, authorized, assented to, acquiesced in or participated in" the commission of the contravention. However, organizations and individuals may avoid liability for CASL contraventions if they establish that they exercised due diligence to prevent the commission of the contravention.

Contravention of CASL's CEM rules can result in: (1) potentially severe administrative monetary penalties (up to $10 million per violation for an organization and $1 million per violation for an individual) in regulatory proceedings; and (2) commencing July 1, 2017, potential civil liability for compensatory damages and potentially substantial statutory (non-compensatory) damages in private litigation (including class proceedings) brought by a person affected by the contravention.

The Canadian Radio-television and Telecommunications Commission ("CRTC") has regulatory and enforcement authority for CASL's CEM rules, and broad enforcement powers for that purpose. Since CASL came into effect on July 1, 2014, the CRTC has taken enforcement action against organizations and individuals who have violated CASL's CEM rules, including by sending CEMs without consent, without required information disclosure or without a required or properly functioning unsubscribe mechanism, and by failing to honour unsubscribe requests within 10 business days. The CRTC has issued enforcement decisions and accepted voluntary undertakings (settlements) imposing administrative monetary penalties ranging from $15,000 to $1.1 million. For more information, see BLG bulletins CASL - Year in Review 2016 and CASL - Year in Review 2015.

Private Litigation

General

Commencing July 1, 2017, any individual or organization affected by a CASL contravention (e.g. the sending of a CEM without consent or required information disclosure or formalities) may sue the persons who committed the contravention or are otherwise liable for the contravention and seek: (1) compensation for actual loss, damage and expense suffered or incurred by the applicant; and (2) statutory (non-compensatory) damages.

Statutory damages for a contravention of CASL's CEM rules are subject to a maximum of $200 for each contravention, not exceeding $1,000,000 for each day on which the contravention occurred. CASL requires a court to consider all relevant circumstances when determining the appropriate amount of statutory damages to be imposed on a respondent, including the purpose of the statutory damages award (i.e. to promote CASL compliance), the nature and scope of the CASL contravention, the respondent's history with previous CASL contraventions and enforcement actions, the respondent's financial benefit from the CASL contravention, the respondent's ability to pay the award and whether the applicant has received compensation in connection with the CASL contravention.

The private right of action is in addition to regulatory enforcement, and a CASL contravention might be subject to both regulatory enforcement and private litigation. However, there are limiting rules that apply to claims for statutory damages. In particular, CASL provides that: (1) a court may not award statutory damages against a person for a CASL contravention after a regulator has issued a notice of violation against the person for the contravention or the person has entered into a voluntary undertaking (settlement) with a regulator for the contravention; and (2) if a court determines that it may consider a claim for statutory damages against a person for a CASL contravention, then a regulator may not issue a notice of violation against the person for the contravention and the person may not enter into a voluntary undertaking (settlement) with a regulator for the contravention.

Class Proceedings

CASL's private right of action will likely be invoked to support class proceedings seeking compensation and statutory damages on behalf of large groups of persons affected by unlawful CEM campaigns. Class proceedings for CASL contraventions will be required to comply with existing procedures for class proceedings, which require that a proposed class proceeding be certified by a court before it can proceed. There are various requirements for certification of a proposed class proceeding, which usually include a judicial determination that: (1) the claims of the proposed class members raise common issues; (2) the proposed class proceeding is the preferable procedure for the resolution of the common issues; and (3) the applicant will fairly and adequately represent the interests of the proposed class members.

Preparing for July 1, 2017

There are a number of steps that organizations can take, both before and after July 1, 2017, to enhance their CASL compliance and mitigate the risks of CASL litigation and regulatory enforcement. For example:

CASL Compliance Program

An organization should review and update/improve its CASL compliance program to reduce the likelihood of CASL contraventions, and to help establish a due diligence defence and mitigate potential regulatory penalties and statutory damages if a CASL contravention occurs. The CRTC's Compliance and Enforcement Information Bulletin CRTC 2014-326 - Guidelines to help businesses develop corporate compliance programs (2014-06-19) provides helpful guidance regarding CASL compliance programs. Additional guidance may be found in decisions issued in CASL enforcement proceedings and in related compliance undertakings. For more information, see BLG bulletin CASL Compliance Programs - Preparing for Litigation.

Due Diligence Documentation

An organization should create and maintain a comprehensive and detailed record of all CASL compliance efforts by the organization and its directors and officers (including documented periodic reports to directors and officers) that may be used to establish a credible due diligence defence to liability for CASL contraventions. The documents should be reliable and otherwise admissible into evidence in legal and regulatory proceedings.

Complaint/Litigation Response Team

An organization should establish a written plan, and designate an appropriate team of internal personnel and external advisors (including legal counsel and public relations consultants), for responding to CASL complaints, private litigation and regulatory enforcement. The plan should include appropriate checklists and guidelines for: (1) internal and external communications and reporting; (2) establishing and maintaining legal privilege for legal advice and litigation-related communications; (3) giving notice to insurers; and (4) determining whether the organization should attempt to negotiate a voluntary undertaking with the appropriate regulator before the CASL contravention is subject to private litigation.

Organizations should be mindful that Canadian privacy laws regulate the collection, use and disclosure of certain kinds of personal information to send CEMs. Accordingly, organizations should ensure that their marketing activities regarding CEMs comply with both CASL and applicable privacy laws.

This article originally appeared on Martindale Legal Marketing Network. Republished with permission of the authors.

The views expressed in this document are solely the views of the author(s). This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.

Unsure about Cybersecurity & Incoming Privacy Laws?

PROTECT YOUR BUSINESS

Learn how to correctly navigate cyber legislation from leading Canadian and U.S. legal experts in the field.

LEARN MORE

Bradley J. Freedman

Website

Bradley Freedman is a National Leader of our Cybersecurity Law Group, Vancouver Regional Leader of our Technology Law Group, and a partner in our national Privacy and Data Protection, Intellectual Property and Information Technology groups. Bradley focuses his practice on technology, intellectual property, the Internet, electronic commerce, and related matters, and is recognized as a leading lawyer in these areas of law by the foremost legal rankings publications. Bradley advises clients in negotiating, structuring and documenting transactions and business arrangements, and acts as counsel in litigation, arbitration and mediation. He has appeared before the Supreme Court of British Columbia, the British Columbia Court of Appeal, the Federal Court of Canada, the Federal Court of Appeal, the Trademarks Opposition Board, and international commercial arbitration tribunals.

Bradley is also a Domain-Name Dispute Arbitrator for both the World Intellectual Property Organization and the British Columbia International Commercial Arbitration Centre.

Katherine M. McNeill

Website

Katherine McNeill is an associate in the Corporate Commercial Group in our Vancouver office. Katherine's practice focuses on advising private businesses across a range of industries on corporate and commercial law matters. Katherine also works with clients on technology, privacy and related matters.

Ira Nishisato

Website

Ira Nishisato is a Litigation Partner based in Toronto and National Leader of BLG's Cybersecurity and Cyber-Risk Management Practice. A widely-recognized expert in civil litigation, Ira currently serves as Co-Chair of the Litigation Committee of the International Bar Association (IBA). Ira's practice focuses on complex commercial litigation, commercial fraud, intellectual property litigation, cybersecurity and information technology litigation, and international disputes and investigations. He has unique expertise in extraordinary remedies including Anton Piller (civil search), Mareva (asset freezing) and Norwich Pharmacal (equitable discovery) orders, and has appeared in nearly 100 injunction proceedings before Canadian courts. Ira has litigated a diverse array of cases over his career, including cases involving administrative law, anti-piracy and anti-counterfeiting, asset tracing and recovery, banking, broadcasting and telecommunications, class actions/mass torts, computer and Internet law, contempt proceedings, cybersecurity and cybercrime (including privacy, data protection and information security), conflict of laws, constitutional law, contracts, corporate/commercial law, defamation, fiduciary duties, fraud, intellectual property, labour and employment, officer and director liability, product liability, professional negligence, public and private international law, and shareholder disputes. He has also brought numerous applications for the enforcement of foreign arbitral awards and judgments, for letters of request/letters rogatory, and to stay proceedings on jurisdictional grounds. Ira appears before all levels of courts in Canada, including the Supreme Court of Canada, Federal Court of Appeal, Ontario Court of Appeal, Federal Court, Ontario Divisional Court and Superior Court of Justice. He also appears regularly before the Commercial Court in Toronto. He is a frequent speaker at national and international conferences and since 2001, he has been the author of the annual text Ontario Litigator's Pocket Reference that is widely used by lawyers throughout Ontario.

Posted in Anti-Spam Legislation, CASL Private Right Of Action, Cybersecurity, Cybersecurity News