CASL survives constitutional challenge, FCA gives some insight

Yesterday the Federal Court of Appeal held that Canada’s Anti-Spam Legislation is intra vires Parliament and Charter-compliant. In doing so it opined on the scope of numerous CASL provisions, most-notably the so called “business-to-business  exclusion.”

CASL applies coast-to-coast-to-coast – passed under the federal trade and commerce power. It is known to be both strict and inelegantly drafted because it applies very broadly but carves out areas of activity piecemeal, though numerous exemptions and exclusions.

None of this caused the Court any problem. It rejected the appellant’s division of powers attack and its attack under sections 2(b), 11, 7 and 8 of the Charter. Ultimately the Court viewed CASL as addressing an important problem of national scope and focused enough to pass muster because its scope of application is tied to “commercial activity” (a concept with sufficient meaning) and because of its numerous exemptions and exclusions: “CASL thus establishes a complex legislative scheme that evinces a considerable degree of tailoring to meet its objectives.”

More practically, the Court affirmed a CRTC finding that e-mails sent by the appellant to market training courses employees of organizations did not fit within the Act’s business-to-business exclusion, which removes commercial electronic messages from all regulation if they are sent by an organization, “to an employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent.”

Regarding the relationship requirement, the Court agreed with the CRTC that it will not be satisfied by mere proof a prior transaction with an employee of the organization to whom a message is sent. The Court used the term “partner organization” to characterize an organization that would qualify for exclusion. It also said that the requirement for exclusion is more demanding than the requirement for being in the type of business relationship that would only trigger deemed implied consent – i.e., an existing business relationship. The Court explained:

Finding an existing business relationship in the present case would permit the appellant to send CEMs to a person—an individual—who had paid the appellant for a course within the preceding two years. Finding a relationship for the purposes of the business-to-business exemption, on the other hand, would allow the appellant to send CEMs to not only the individual who took the course, or the individual who paid for the course, but to every other employee of the organization to which those individuals belong—and organizations can be very large indeed. The latter finding would expose a great many more people to the potentially harmful conduct that it is CASL’s raison d’être to regulate. This suggests, contrary to the appellant’s argument, that the evidentiary requirements for establishing a relationship for the purposes of the business-to-business exemption should in fact be more demanding than for an existing business relationship.

Although this will limit access to the exclusion, the Court did find that phrase “concerns the activities” does not limit organizations to sending e-mails that concern only the core business operations of the recipient organization.

I’ve addressed only the Court’s most significant interpretive finding. Yesterday’s decision also addresses (a) the purpose of CASL, (b) the meaning of “commercial electronic message”, (c) the relevance of one’s job title to establishing deemed implied consent and (d) the prescribed requirements for an unsubscribe mechanism.

3510395 Canada Inc. v. Canada (Attorney General), 2020 FCA 103.

With CASL, a little due diligence goes a long way

Everyone’s talking about Porter Airlines’ recent agreement to pay a $150,000 penalty for various CASL violations. Porter is a sophisticated marketer yet slipped up, so other organizations are now wondering what whether they are similarly exposed. (Perhaps this was the CRTC’s enforcement aim.)

CASL is a regulatory instrument that includes a due diligence defence. In other words, organizations can violate the act without liability if they have taken all reasonable steps to avoid the violation.

Due diligence is about using good, systematic processes to avoid bad things. Here’s a simple process for due diligence that me and my colleagues have employed and continue to employ with our clients:

  • Define your operational units and prioritize them in accordance with risk
  • If you can’t do them all, select key units for review
  • Identify a key individual for each unit, someone with the best knowledge of messaging practices
  • Ask the key individual to complete (in writing) a list-centric survey – a survey that aims to gather some basic information about all formal and informal address lists (It’s easier to identify lists than activities.)
  • Review the survey response and applicable website or sites and follow-up in writing with questions that help close major gaps
  • Have a telephone call to confirm understanding and discuss potential compliance issues
  • Draft a compliance memo – a point-form document that identifies the steps taken in the compliance review, the activities of concern and the compliance advice
  • Conduct any follow-up information gathering in response to the memo
  • Send the memo the the key individual for feedback on completeness
  • Finalize the memo

This is a not a difficult or costly process for review and remediation, though you should also budget for (a) some project management costs for a multi-unit review and (b) some multi-unit training, which is normally an appropriate follow-up to the review and remediation process.

If the Porter agreement is causing you worries, following a process like this is well worth it.