Final regulations for CASL were released Dec. 4 with exceptions for charities, third-party referrals, and political parties, and a delay to when private right of actions can happen (which will facilitate lawsuits). That means compliance planning should go into high gear now even though many businesses will likely need more clarity on what they have to do and when, says Michael Fekete, a partner with Osler Hoskin & Harcourt LLP in Toronto.
“Complete your gap analysis if you haven’t already and put compliance planning at the top of the agenda,” says Fekete. “What makes matters worse is we expected nine to 12 months lead time before coming into force and it’s going to be a mad dash for many companies. What’s frustrating too is we’re still waiting for guidelines from the CRTC mentioned in the regulatory impact statement. It is such broadly drafted legislation that even the scope of what’s covered and what’s not covered is open — a key issue we said they needed to address.
“Although we’ve known about this law for three years you can only take compliance planning so far,” says Fekete. “The devil is in the details and we don’t have all the details yet.”
Changes will need to be made to company databases with regard to what data is collected and retained and message templates will need to be changed, which can be done now. The guidelines will hopefully further clarify what is required, but Fekete says there is “no longer the luxury of waiting to see how things are going to work out through the regulations.”
The law, which addresses the sending of commercial electronic messages, does now reflect a change in deadlines for unsolicited installation of computer programs and software, now pushed to Jan. 15, 2015 (most other countries in the world don’t address this) and private right of actions will be delayed until July 1, 2017.
The private right of action delay was brought in to “avoid mass class actions being brought against organizations given they want to give the CRTC time to understand and implement the law before the courts have to apply it,” says Tricia Kuhl, an associate with Blake Cassels & Graydon LLP in Montreal.
But Kuhl notes while the pressure is on for companies to comply by next July, the government has indicated it will “go after bad actors first — the real spammers, the really egregious ones. Legitimate business should have some time to get onside without facing large fines.”
The fact private right of actions was delayed is “significant,” says Sanjeev Dhawan, senior legal counsel with Hydro One Networks Inc. “I think most organizations are not ready for this. It gives people time to respond to the seriousness of this act. I thought the private right of action would have been a burdensome obligation on organizations. I thought that was a significant concession at this point.”
Dhawan also points out the legislation continues to require an “opt-in” from consumers when it would have been easier to “opt-out” as most other jurisdictions have. The cost to business, he says, will be significant.
“The compliance costs are going to be staggering. Do we really need this as the economy is only beginning to recover? It’s targeting commercial messages but that’s not spam,” says Dhawan.
The legislation will challenge the ability of small and medium-sized businesses to comply with a further level of regulation. Even though the government claims the regulations have exceptions for small business, it doesn’t clearly spell out what they are, says Steve Szentesi of Steve Szentesi Law Corp. in Vancouver. He calls the law “overkill.”
The penalties for CASL are stiff. If your organization is deemed to have sent non-consented electronic messages it can mean up to $1 million for individuals and $10 million for corporations. When the private right of action comes into play receivers of messages can also sue for $200 for each individual communication.
“The costs and annoyance for companies significantly outweigh the purported benefits,” says Szentesi. His clients are small to medium-sized companies such as real estate agents. “It’s just another case of legislators not understanding businesses. It’s overkill for an issue that’s not significant enough to do this. It’s a proportionality issue — $1-million individual fine and $10-million corporate fine for spam? We’ve had corruption law for 15 years and we’ve had one or two prosecutions. When you compare price-fixing of auto parts versus spam — what, you can’t just delete the message?”
Political parties and registered charities also get an exception with the finalized regulations but there may be some fine print they need to examine to be sure they don’t violate the legislation.
“There is an exemption for the consent [and format of e-mails] for charities but the message sent out has to be primarily for fundraising purposes,” says Jonathan Lau, senior legal counsel with TVO, a registered charity in Ontario. “Where it can be tricky is how far charities may stretch what that means. For example, some charities send status updates or e-blasts. So charities need to be careful about the content of their messages as they may unwittingly fall afoul of the exception.”
There are also exceptions, that will be seen as favourable by social media users says Kuhl, for “electronic messaging services” which will mean less onerous requirements for social media sites.
While it is timely that the final regulations came down during budget season for most companies, Fekete says the resources required to get up to speed will be “significant.”
“The legislation is broader in material ways than legislation in other jurisdictions and the reason there has been a three-year delay from enactment to finalization is because industry has tried to get clarity and exemptions so it would have a more reasonable application. While the regulations provide some assistance most businesses and organizations will still be left with many questions,” he says.
Kuhl concurs the law, with its “opt-in” consent requirement and significant fines — and even imprisonment — make it some of the toughest anti-spam legislation in the world. If an organization is sending a message to an individual or organization listed as part of a list of foreign countries they must comply with the legislation in that country. If they don’t they would then be doubly punished — by the country sending they are sending the message to and under the Canadian legislation.
“There will be lots of litigation ahead,” says Kuhl. “If you look at the list of countries it includes Pakistan, Mozambique, Burkina Faso — it’s going to be very challenging for organizations in Canada to make sure they are in compliance with anti-spam laws in those countries. However whenever a business operates in another country, they need to be in compliance with the local laws so from a compliance perspective it’s not shocking.”