In 2020, the Federal Court of Appeal and the Canadian Radio-television and Telecommunications Commission issued important decisions and guidance regarding the validity and interpretation of Canada’s Anti-Spam Legislation (commonly known as “CASL”).
CASL creates a comprehensive regime of offences, enforcement mechanisms and potentially severe penalties designed to prohibit the sending of unsolicited commercial electronic messages (CEMs), the unauthorized commercial installation and use of computer programs on another person’s computer system, and other forms of online fraud. Following are some key aspects of CASL:
- CASL creates an opt-in regime that prohibits, subject to limited exceptions, the sending of a CEM unless the recipient has given consent (express or implied in limited circumstances) to receive the CEM and the CEM complies with prescribed formalities (e.g., information about the sender and an effective and promptly implemented unsubscribe mechanism).
- CASL prohibits, subject to limited exceptions, the installation and use of a computer program on another person’s computer system, in the course of a commercial activity, without the express consent of the owner or authorized user of the computer system.
- CASL imposes liability on organizations and individuals (including corporate directors and officers) for direct and indirect/vicarious CASL violations. CASL provides a due diligence defence.
- CASL violations can result in regulatory penalties of up to $10 million per violation for an organization and $1 million per violation for an individual. CASL includes a private right of action that is not in force.
The Canadian Radio-television and Telecommunications Commission (CRTC) is responsible for enforcing CASL’s rules regarding CEMs and computer programs. Since CASL came into force in 2014, the CRTC has taken enforcement action against organizations and individuals who have violated CASL, and issued enforcement decisions and accepted voluntary undertakings (settlements).
Federal Court of Appeal decision – CompuFinder appeal
The Federal Court of Appeal’s decision in an appeal by CompuFinder from CRTC compliance and enforcement decisions confirmed the constitutional validity of CASL and provided important guidance regarding the interpretation of CASL’s rules for sending CEMs. In summary, the court held as follows:
- CASL is constitutionally valid because it is within Parliament’s legislative jurisdiction over general trade and commerce affecting Canada as a whole and does not violate Canada’s Charter of Rights and Freedoms.
- The “business-to-business” exemption for certain kinds of CEMs, set out in CASL’s Electronic Commerce Protection Regulations, requires the CEM-sending organization have a relationship with the CEM-receiving organization (not just some of the CEM-receiving organization’s employees) that is based on more than “a very limited number of transactions affecting very few employees”, and each CEM must be relevant to the CEM-receiving organization’s activities.
- The “conspicuous publication rule”, which provides that a person gives implied consent to receive certain business-related unsolicited CEMs at their published electronic address if specified criteria are satisfied, is a narrow rule that does not permit the mining of email addresses from third-party directory websites or sites containing notices against unsolicited emails.
- A CEM with two unsubscribe mechanisms – one that works properly and another that does not work – does not comply with CASL’s requirement that each CEM include an unsubscribe mechanism that is set out clearly and prominently and able to be readily performed. (more information)
In September 2020, the CRTC announced that Canadian student note-sharing platform OneClass had entered into an undertaking with the CRTC to settle alleged CASL violations related to sending CEMs without consent and installing on students’ computers without consent a Chrome browser extension that collected personal information (including usernames and passwords) stored on the computers contrary to the students’ reasonable expectations. The undertaking included requirements that OneClass pay a $100,000 penalty, comply with CASL and implement a CASL compliance program. (more information)
In September 2020, the CRTC published updated guidance titled Canada’s Anti-Spam Legislation Requirements for Installing Computer Programs. The guidance discusses CRTC’s interpretation of various aspects of CASL’s computer program rules, including: (1) the exception for self-installed computer programs; (2) who constitutes the “owner” or “authorized user” of a computer; (3) the meaning of “caused to be installed”; (4) deemed consent to the installation of certain kinds of computer programs; (5) requirements for valid consent to the installation of a computer program and to updates or upgrades to a previously installed computer program; and (6) examples of invasive computer programs for which additional information disclosures and separate express consents are required. (more information)
In November 2020, the CRTC, the Office of the Privacy Commissioner of Canada and the Competition Bureau issued a news release reminding companies involved in the mobile applications industry of their obligations under CASL, the Personal Information Protection and Electronic Documents Act and the Competition Act. The news release identifies activities that raise legal compliance concerns, including: (1) apps that collect or use personal information (e.g., electronic addresses) without consent; (2) apps that do not identify their functions (e.g., allowing information sharing with other computers or automatically downloading other programs on the user’s devices) to obtain informed consent from the user before installation; and (3) apps designed to spam users’ friends and contacts. The regulators also jointly issued letters to companies involved in the mobile applications industry recommending that they review their practices and take preventive or corrective measures where necessary. (more information)