The PRA means an individual or organization that feels they have been affected by a contravention of the legislation can litigate to enforce the new private rights.
“I have met with a couple of the plaintiff class action firms who are counting the number of sleeps until July 1,” said Peter Clausi, executive vice president corporate affairs and general counsel at GTA Resources and Mining Inc. “I think they are going to wind up being the Wade Boggs of litigation — they’re going to go to the hall of fame hitting singles.”
Clausi was speaking Monday as part of a panel entitled Get Smart: Conquering CASL and the New Private Right of Action at the Canadian Corporate Counsel Association’s national conference in Toronto. He doesn’t think there will be multiple multimillion-dollar settlements, but does predict there will be “strike suits” given the standard that the plaintiff has to meet, which is “almost nothing and then damages are assumed.”
“I have never seen a greater dichotomy between the pervasiveness of the legislation and the lack of knowledge about it than with CASL,” said Clausi. “We all think we’ve complied with CASL but I can pretty much guarantee you that there’s no one in the room in compliance with CASL today. It is a horrible, pervasive, invasive piece of legislation. It ought to keep you awake at nights.”
Clausi first started following CASL in 2011 and “thought they were kidding.” He stayed on top of the legislation and, in July 2014 when CASL came into effect, he saw the enforcement start to roll in.
He went on to say that the biggest risk in any business is actually every single person in that business who sends commercial electronic messages. “Every commercial electronic message you send is subject to CASL and odds are you are not in compliance,” he said.
CASL is not covered by cyber insurance riders, and Clausi pointed out that there is no insurance policy yet available in Canada to cover CASL violations, further compounding the concern that the PRA is coming into force in a matter of months.
“Without an insurance policy it’s coming out of your equity,” he cautioned the audience of in-house lawyers. “I know two insurance companies working on it and they’re struggling to get the wording right. From a businessperson’s perspective I find that a compelling reason for the PRA to be delayed. Not every business can afford to have it come out of its equity.”
In terms of trying to prepare for the PRA, the task should be shared by a number of stakeholders including HR and risk management.
“This is not an IT problem, this is not a law problem. The person who should be worried about this is the person responsible for risk management. They have to pull in human resources. You have to update policies and train employees and stress test the system,” he said.
The software updates section of CASL scares Clausi the most. A section of the legislation says you can’t install software on someone else’s device without prior consent. You are also not allowed to have software that “broadcasts” information without the person’s consent.
What really has Clausi uneasy about the pending PRA is software applications on phones. Apps that can access contacts on phones or GPS could be a problem.
“If you’re in a company that has your own app or an app developer, this might bring down your entire business,” he said. “The instant that app squirts the least bit of data back to the mother ship that’s a CASL breach.”
Heather Innes, former chief privacy officer with General Motors Canada and now retired, said the CRTC has “many investigations underway.”
“What I’ve heard is if you are pulled into an investigation, whatever the ultimate outcome you will have spent thousands of hours trying to manage the investigation and respond to the inquiries made by the CRTC. It is rigorous,” she said.
So far several companies and one individual have been fined for alleged CASL violations. In September Kellogg Canada entered into an undertaking agreeing to pay $60,000. Dating site Plenty of Fish paid $48,000 for a violation in 2015 and the largest fine to date was $1.1 million in the Compu-Finder violation.
Most of the transgressions have been simple, including unsubscribe mechanisms that didn’t work or a lack of proof of consent.
“You can see that they mean business,” said Innes. “They are going to fine and even where people have simply made mistakes and promised to undertake to correct the mistakes and move forward which seems harsher than what most of us expected. These are companies that make good faith, often robust efforts to comply with CASL but something didn’t work in the early days.”
William Abbott, assistant general counsel and privacy ombudsman with Bell Canada, suggested the CRTC should consider a delay or suspension of statutory damages until after the statutory review of CASL in July.
“I know the minister’s office is considering that now,” he said.
To avoid such violations, organizations will need to have good compliance programs with detailed record-keeping.
“It’s not enough to do the right thing. Document it and understand the importance of consent including the fact people took training. Gather consents and keep them squirreled away,” said Abbott.
“We know for sure they’re going to enforce, that they’re watching, investigating and focusing on complaints. We know no organization is too small, they will go after individuals who make mistakes or who don’t know about the law,” said Innes.
She advised that there be one or more people in a marketing department responsible for testing every unsubscribe link before any email campaign is implemented.
“The big takeaway is if you’re issued a notice of violation you jump in during the first 30 days and get submissions into the CRTC. It can make a big difference on the penalties imposed upon you,” said Innes.
Updated April 18, 2017: Change in title for Heather Innes to former privacy officer, General Motors Canada.