Most of Canada’s anti-spam law (CASL) came into effect on July 1, 2014. However, not all of the provisions of CASL came into force at that time. On July 1, 2017, the provisions of CASL that provide for a private right of action for a breach of CASL are scheduled to come into force. This will represent a big change and a big risk for businesses.
Right now, CASL is enforced by the Canadian Radio-television and Telecommunications Commission, the Privacy Commissioner of Canada and the Competition Bureau. These regulators can, and have, enforced breaches of CASL.
Starting on July 1, 2017, individuals, or more likely class action lawyers, will be able to sue any company or other business that breaches certain provisions of CASL, such as:
- Sending a commercial electronic message (such as an email) without consent of the recipient or that does not otherwise comply with CASL
- Altering transmission data (hacking) so that the message is delivered to a different destination other than the one specified by the sender
- Installing computer programs, such as cookies, malware or viruses, on someone’s computer without their consent
- Aiding, inducing, procuring or causing any of the things listed above
- Breaching the provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) against using computer programs to collect email addresses
- Breaching PIPEDA by collecting personal information by illegally accessing someone’s computer system
- Breaching the Competition Act by using email to send false or misleading information
Under CASL’s private right of action, not only would a corporation or business be liable for the breaches listed above, but its directors and officers would also be personally liable if they directed, authorized, assented to or acquiesced in the breach. Directors, officers and their corporation would be jointly and severally liable, which means that each would be liable for the entire amount of the damages. Businesses would also be liable for any actions of their employees if the breach was within the scope of their duties.
The private right of action will give complainants the right to receive compensatory damages for any losses that they have suffered. In addition, it also gives them the right to receive what are called statutory damages for the breaches described above. For instance, the statutory damages for sending non-compliant emails are $200 for each breach, up to a maximum of $1 million per day. The statutory damages for hacking transmission data, installing unauthorized computer programs, collecting email addresses and collecting personal information are a maximum of $1 million per day. A person who sues under these provisions can claim these amounts without having to show that he or she suffered any actual losses as a result of the breach. This is likely to provide a strong incentive for class action lawsuits for any of these types of breaches.
One important thing to note is that if a business enters into a voluntary settlement or undertaking with the applicable regulator, then it will not be subject to the statutory damages. This will provide a strong incentive for any business that learns of a breach to enter into a voluntary settlement with the regulator.
To protect themselves, business owners should review their email and other computer practices to make sure that they are in compliance with CASL and avoid any risk of either being sued in a class action or being prosecuted by the regulators.