Countdown to July 1, 2017 – CASL transition period ending

In less than a year CASL (Canada’s Anti-Spam Law), the key parts of which came into force on July 1, 2014 and January 15, 2015, will become a lot more impactful for organizations.

Firstly and most importantly, the three-year transition period that commenced July 1, 2014 for commercial electronic messages (CEMs) will end[1].  This transitional provision has provided significant flexibility (effectively a qualified grandfathering) for organizations that have a history of communicating electronically with their contacts.

Secondly, CASL’s private right of action (PRA) – which provides significant monetary remedies for persons affected by non-complying electronic messages – will come into force on July 1, 2017[2].

Thirdly, it is likely that enforcement of the law – by the CRTC, the Office of the Privacy Commissioner and the Competition Bureau – will become more rigorous.  All three agencies now have “tested the waters” with investigative actions under CASL[3], the Personal Information Protection and Electronic Documents Act (PIPEDA)[4] and the Competition Act[5] respectively. Using these actions as reference points, the agencies have provided guidance regarding their enforcement approach and priorities[6].

From an operational perspective, the end of the three-year transition period likely will have the greatest impact in practical terms – and should be the main focus of an organization’s CASL compliance upgrades over the next 11 months.  However, the significant potential risks posed by the PRA will require organizations to redouble scrutiny of their overall CASL compliance systems and, as required, initiate and/or upgrade their review and audit of those systems.  This coincidence of compliance dictates provides a critical opportunity for organizations to adopt risk management and avoidance strategies that respond to the liability challenges of the PRA.

The transition period 

The transition period provides a basis of implied consent that is significantly more flexible than the standard implied consent rule available for existing business and non-business relationships between organizations and their contacts (i.e. existing or prior customers, donors, volunteers).  In essence, it states that where any of these relationships existed prior to July 1, 2014 (using the same criteria as the standard implied consent rules, but without the time limitations), consent to receive CEMs from the organization will be implied for the duration of the transition period, provided that the organization has used CEMs in at least some of its prior communications with a contact. 

What this means is that if an organization, for example, has sold or leased a product to a contact, at any time in the past, or – to give another example – a contact has made an inquiry respecting such a potential transaction, at any time in the past, provided there has been at least some communication via CEM, consent for the organization to send CEMs is implied.  Therefore while, as we know, CASL does not grandfather prior consents obtained under other rules such as PIPEDA, the three-year transitional rule in effect provides a time-limited grandfathering of relationships extending back in time, without limitation as to when a relationship was established.

The transition period has served two key functions.  Firstly, by the more flexible nature of its requirements, it has enabled organizations to be less precise in satisfying the criteria otherwise applicable under the existing business relationship and non-business relationship rules.  Specifically, the lack of requirement for any historical time period potentially enables a less rigorous system requirement for qualifying – and ultimately disqualifying – the functional criteria (e.g. purchase transaction, application, inquiry, charity volunteer work, membership in a non-profit organization) to support satisfying the implied consent rule.  For those organizations that have been relying, in effect, on the flexibility provided by this rule to backstop their intended compliance with CASL’s standard implied consent rules, and which intend to rely significantly on implied consent going forward, the end of the transition period dictates an opportunity to review and reconfirm their compliance systems.

Secondly and very importantly, the transition period has provided organizations with an additional three-year window in which to obtain express consent or, looked at differently, to ensure compliance with one or other of the Act’s consent exceptions or implied consent rules.  We all remember the crush of compliance-focused activities prior to the initial July 1, 2014 effective date for CASL’s CEM requirements, including the extensive express consent capture strategies undertaken by many organizations.  In reality however, most organizations were able to benefit from a further three years enabled by the transition period to address these objectives.  Now that we are down to the last 11 months of the transition period, organizations should be refocusing their strategies to achieve full compliance under the category, or categories, of exemption or consent that they intend to rely on as part of their overall CASL compliance framework.

For example, organizations may want to review and refocus their database criteria for establishing category compliance and, using potentially more refined criteria applied to their databases, reconfirm and potentially extend the full scope of their qualifying contacts.

While clearly there is not as wide potential scope to communicate with contacts as existed prior to July 1, 2014, the transition period provides a significant opportunity to redouble efforts to obtain express consent.  Key to taking advantage of this opportunity of course will be an organization’s ability to satisfy the required criteria.  Appropriate records will be required.

Private right of action

The end of the transition period and the opportunity that it creates to review and reconfirm/upgrade systems is instructive in the context of the coming into force of CASL’s private right of action.

The private right of action, in effect, gives a monetary remedy to persons (i.e. both individuals and businesses) affected by any of: a contravention of sections 6 – 9 of CASL; a false or misleading electronic message under CASL’s amendments to the Competition Act; or the new e-mail harvesting provisions of PIPEDA effected under CASL.  The potential remedies are significant – in addition to actual losses or expenses, persons may recover, without any proof of loss, $200 for each non-compliant CEM up to a maximum of $1,000,000 per day or in the case of computer hacking, misleading electronic messages or e-mail harvesting, up to $1,000,000 per day.  The potential risks of private litigation under the PRA, particularly in the event of a class action, are not to be understated: they could be potentially devastating, and they point to an important need for organizations to focus on their CASL-related risk management and avoidance strategies.

Due diligence defence

As noted, the end of CASL’s transition period provides a timely intervention for organizations to prepare themselves for potential risks under the PRA.  Of key importance is to understand that, in respect of any alleged contravention of the applicable CASL, Competition Act, or PIPEDA provisions, the defence of due diligence applies – in effect stating that a person will not be found to have contravened a provision if they can establish that they exercised due diligence to avoid such non-compliance[7].  Due diligence involves not only putting in place compliant systems and procedures but also reviewing them on a regular basis and where necessary making adjustments to ensure that they meet the legislative requirements.   

Significantly, CASL’s three-year transition period may be viewed as a “testing out” period for organizations – not only to acquire experience with their own CASL compliance procedures and requirements – but also to learn from the guidance offered by the regulatory agencies through their enforcement actions and proactive guidance information.  Conducting a review and potential upgrade of systems in connection with the end of the transition period should be considered a key element in an organization’s CASL-related risk management and avoidance strategy.  Such a review and, as required, system upgrade would address in an important way a requirement to show due diligence in the face of an action commenced under the PRA.

Takeaways

There are 11 months remaining before the end of CASL’s transition period and the coming into force of its new private right of action.  This timing offers organizations opportunities both to ensure their systems are compliant (and potentially to upgrade them) and to institute risk management/avoidance strategies that will be critical in responding to the challenges posed by the PRA.  Such system reviews and potential upgrades importantly can respond to the need to demonstrate due diligence in the face of an allegation of non-compliance under the PRA, or by a regulatory agency.

It can be expected that, with the end of the transition period and the experience gained through the regulatory agencies’ initiatives to date, compliance scrutiny and enforcement activity will become more focussed and potentially more rigorous, underlining the need for organizations to take advantage of this time-frame to reconfirm their CASL compliance status.

  

 

For more information please contact:                    

David Young                       416-968-6286                     david@davidyounglaw.ca

Note:     The foregoing does not constitute legal advice. Readers are cautioned that for application to specific situations, legal advice should be obtained.

© David Young Law 2016



[4] See: PIPEDA Report of Findings #2016-003, Investigation into the personal information handling practices of “Compu-Finder” (3510395 Canada Inc.), April 21, 2016.

[6] See for example, Office of the Privacy Commissioner of Canada blog post, Required reading for email marketers:  a case study in how not to collect and use e-mail addresses, May 27, 2016.