skip to main content
Back to all blog posts

Posted in: Data Security/Privacy

Mar 1, 2017

July 1, 2017 - Private Right of Action Under Canada's Anti-Spam Law (CASL) - The Day Businesses Shake Their Head

By Paige Backman

If you've heard anything about CASL lately, you are aware that as of July 1, 2017, individuals and organizations are entitled to bring a "private right of action" in the courts against those that contravene certain provisions of Canada's Anti-Spam Law ("CASL"). Potential damages of up to $1 million per day may be imposed. I refer to the blog by Aaron Baer "Are You Compliant With Canada's Anti-Spam Law (CASL)? If Not, Expect Lawsuits Starting on July 1 of This Year."

For over three years, businesses have been spending significant resources trying to understand CASL and comply with it. Given the broad application of CASL and potential inconsistencies in the application of certain key CASL provisions, it has not been an exercise enjoyed by many. However, in the backdrop, there was some level of comfort that the regulators enforcing CASL would only go after either the most egregious contraveners of CASL or those whose heads mounted on the CASL spit would serve a purpose (a spit being a pointed rod on which meat is impaled for roasting).

This feeling of comfort may have been misguided, but the limited resources of the Canadian Radio-Television and Telecommunications Commission ("CRTC") provided some practical limitation on what issues would be addressed and how they would be addressed. This changes on July 1, 2017.

As of July 1, 2017, a person may bring an action in court where the person alleges that they are affected by an act or omission:

  1. that constitutes a contravention under Sections 6 to 9 of CASL. Sections 6 to 9 of CASL are the heart of the legislation setting out the core rules for transmission of commercial electronic messages, the alteration of transmission data and the installation of computer programs;
  2. that results from false or misleading electronic messages within the meaning of amendments to the Competition Act; or
  3. that relates to a violation of the email harvesting and use provisions in Sections 7.1(2) and (3) of the Personal Information Protection and Electronic Documents Act ("PIPEDA").

The number and nature of persons who may be affected by an act or omission of CASL and who may be in a position to breach an action is quite broad. As a result, the practical limitations on who may be subject to claims for breaching CASL have been significantly reduced.

The litigation bar, both plaintiff and defence side, are preparing. Businesses are shaking their heads.

Successful court actions arising from contravening CASL can result in awards equaling amounts of loss or damages suffered and expenses incurred ("compensatory damages"), in addition to non-compensatory damages up to a maximum of $1 million per day of contravention. There are many factors that courts are to consider when determining non-compensatory damages, but proof of injury suffered is not required.

Even with CASL complaints opening up to private litigation and the courts, the regulators still have a place at the table. Regulators built in mechanisms that incent people to settle with them (whether the businesses were wrong or not). The court is prohibited from considering an application against a person for statutory damages under paragraph 51(1)(b) of CASL if the person has entered into an undertaking with the CRTC or has been served with a notice of violation by the CRTC regarding the same conduct.

Another interesting twist in this next stage of CASL enforcement is the question of whether a cause of action can be brought for contraventions of CASL that occurred prior to July 1, 2017. Historically, many espoused that the private right of action should exist solely for contraventions that occur on or after July 1, 2017. However, but for an amendment to CASL that clarifies this issue, it will be up to the courts to determine the claims properly brought before them. Given the breadth of CASL's application and complexities in complying, it would be unfortunate if the private rights of action under CASL applied to pre-July 1, 2017 activities when CASL's application and interpretations of certain key provisions were and continue to be worked out.

Related Categories

Related Blogs

Posted in: GDPR | Data Security/Privacy | Data Protection

Insights TheSpotlight
GDPR Now in Force Has Worldwide Reach By Paige Backman and Ara Dungca Jun 19, 2018 The General Data Protection Regulation was implemented on May 25, 2018. While it officially only affects European citizens, it has worldwide effects. As discussed previously on The Spotlight, any organization offering goods or services to residents of the European Union are expected to comply wit...

Posted in: Data Security/Privacy | Data Protection

Insights TheSpotlight
Notifying Consumers of Data Breaches: New Regulations By Stephen Crawford Apr 24, 2018 The federal government has introduced new regulations setting out what information must be disclosed to consumers and to the Privacy Commissioner after a data breach. These regulations will take effect on November 1, 2018.

Posted in: Data Protection | Privacy | Data Security/Privacy

Insights TheSpotlight
New Notification Requirements for Data Breaches By Stephen Crawford Apr 13, 2018 As of November 1, 2018, if your organization suffers a data breach, new reporting requirements will be in place that may require you to notify consumers and the Privacy Commissioner of the breach – or else face a fine of up to $100,000.