
Posted in: Data Security/Privacy

Mar 1, 2017

July 1, 2017 - Private Right of Action Under Canada's Anti-Spam Law (CASL) - The Day Businesses Shake Their Head

By Paige Backman

If you've heard anything about CASL lately, you are aware that as of July 1, 2017, individuals and organizations are entitled to bring a "private right of action" in the courts against those that contravene certain provisions of Canada's Anti-Spam Law ("CASL"). Potential damages of up to $1 million per day may be imposed. I refer to the blog by Aaron Baer "Are You Compliant With Canada's Anti-Spam Law (CASL)? If Not, Expect Lawsuits Starting on July 1 of This Year."

For over three years, businesses have been spending significant resources trying to understand CASL and comply with it. Given the broad application of CASL and potential inconsistencies in the application of certain key CASL provisions, it has not been an exercise enjoyed by many. However, in the backdrop, there was some level of comfort that the regulators enforcing CASL would only go after either the most egregious contraveners of CASL or those whose heads mounted on the CASL spit would serve a purpose (a spit being a pointed rod on which meat is impaled for roasting).

This feeling of comfort may have been misguided, but the limited resources of the Canadian Radio-Television and Telecommunications Commission ("CRTC") provided some practical limitation on what issues would be addressed and how they would be addressed. This changes on July 1, 2017.

As of July 1, 2017, a person may bring an action in court where the person alleges that they are affected by an act or omission:

  1. that constitutes a contravention under Sections 6 to 9 of CASL. Sections 6 to 9 of CASL are the heart of the legislation setting out the core rules for transmission of commercial electronic messages, the alteration of transmission data and the installation of computer programs;
  2. that results from false or misleading electronic messages within the meaning of amendments to the Competition Act; or
  3. that relates to a violation of the email harvesting and use provisions in Sections 7.1(2) and (3) of the Personal Information Protection and Electronic Documents Act ("PIPEDA").

The number and nature of persons who may be affected by an act or omission of CASL and who may be in a position to bring an action are quite broad. As a result, the practical limitations on who may be subject to claims for breaching CASL have been significantly reduced.

The litigation bar, on both the plaintiff and defence sides, is preparing. Businesses are shaking their heads.

Successful court actions arising from contravening CASL can result in awards equaling amounts of loss or damages suffered and expenses incurred ("compensatory damages"), in addition to non-compensatory damages up to a maximum of $1 million per day of contravention. There are many factors that courts are to consider when determining non-compensatory damages, but proof of injury suffered is not required.

Even with CASL complaints opening up to private litigation and the courts, the regulators still have a place at the table. Regulators built in mechanisms that incent people to settle with them (whether the businesses were wrong or not). The court is prohibited from considering an application against a person for statutory damages under paragraph 51(1)(b) of CASL if the person has entered into an undertaking with the CRTC or has been served with a notice of violation by the CRTC regarding the same conduct.

Another interesting twist in this next stage of CASL enforcement is the question of whether a cause of action can be brought for contraventions of CASL that occurred prior to July 1, 2017. Historically, many espoused that the private right of action should exist solely for contraventions that occur on or after July 1, 2017. However, but for an amendment to CASL that clarifies this issue, it will be up to the courts to determine the claims properly brought before them. Given the breadth of CASL's application and complexities in complying, it would be unfortunate if the private rights of action under CASL applied to pre-July 1, 2017 activities when CASL's application and interpretations of certain key provisions were and continue to be worked out.
