First, the good news: Last month, Canada’s Minister of Innovation, Science, and Economic Development announced that the pending private right of action under the Canadian Anti-SPAM Law (CASL) would be delayed indefinitely—this was initially scheduled to come into effect on July 1, 2017. As many of us pointed out back when the law was enacted, unleashing the threat of frivolous litigation is likely to punish innocent companies to the tune of millions of dollars—in most cases companies that are trying to comply—while enriching trial attorneys and stifling many of the desirable email communications citizens have come to expect and appreciate.
In the statement announcing the delay, Navdeep Bains, the Canadian Minister, noted that while “Canadians deserve to be protected from spam and other electronic threats so that they can have confidence in digital technology,” the Canadian government is “committed to striking the right balance” to ensure that “businesses, charities, and other non-profit groups can continue to have reasonable ways to communicate electronically with Canadians.”
Of course, this doesn’t eliminate enforcement of the legislation, as the Canadian Government maintains the authority to levy fines for violations. Complaints about violations can be submitted through Fightspam.gc.ca, and complaints about unsolicited emails or malware may be turned over to the CRTC, which may investigate to determine if the message violates CASL. If the company is in violation, the CRTC has a range of enforcement tools available. The CRTC will assess each case based on a series of factors, including the nature of the violation, the company's history with CASL, whether the company benefited financially from the violation, and the company's ability to pay a penalty. Penalties for the most serious violations of CASL include a maximum penalty of up to $1 million for individuals and $10 million for businesses.
As for the bad news, this is a reminder, rather than a new development. That is, as enacted in 2014, CASL provided for a three-year grace period—through July 1, 2017—whereby companies were allowed to rely on consent being implied in cases of an existing business relationship. As this period has now ended July 1, 2017, covered entities must obtain express consent to send commercial electronic messages to a recipient, even if the sender has an existing business relationship with the recipient that previously included these covered commercial electronic messages.
For those of you who need a refresher, there is a wealth of information online. SIIA provided multiple webinars for members and made available various resources following enactment of CASL—these are archived here. Also, the Canadian government provides multiple resources to help with compliance, including a webinar information session, and an FAQ resource.