A Look at Canadian Privacy and Anti-Spam Laws.

AuthorSirivar, Junior

CANADA'S comprehensive federal and provincial privacy laws regulate how organizations collect, use, and disclose personal information in the course of conducting or operating their businesses. These laws are intended to protect individual privacy rights and, in doing so, require that organizations take reasonable steps to ensure that such rights are sufficiently protected. Canadian privacy laws can have a significant impact on organizations' policies and practices while operating in Canada.

Organizations must establish reasonable security measures to protect personal information that crosses international borders. The obligations imposed by privacy laws supplement existing obligations respecting transparency, consent and safeguarding. Moreover, organizations need to provide assurances that the foreign third-party service provider's privacy practices provide a comparable level of protection as to that which is required under Canadian law, recognizing that the laws of the foreign jurisdiction cannot be overridden.

Canadian privacy laws provide a mechanism that is intended to facilitate more streamlined transactions where such transactions involve the collection, use or disclosure of personal information. Corporations operating, or looking to operate, in Canada must be aware of the obligations imposed on them by these laws as a failure to do so can have significant repercussions.

This paper will aid those that are operating or seeking to do business in Canada by promoting compliance with Canada's privacy and anti-spam laws, which will in turn prompt strong and effective business activities. Specifically, we discuss the obligations imposed by Canada's anti-spam legislation, more commonly referred to as "CASL," (1) as well as the other federal and provincial privacy laws that outline the framework and rules for the collection, use and disclosure of personal information by federally-regulated private-sector organizations operating across Canada.

These laws are not intended to restrict businesses from operating in Canada. Rather, they seek to support commerce, including electronic commerce, and promote the adaptability of the Canadian economy and market by clarifying expectations and rights for protecting an individual's privacy while in the process. Public confidence in the integrity of a business's operations is of key importance to operating successfully. By developing appropriate policies and corporate strategies, organizations can comply with the applicable privacy law requirements while mitigating risks associated with improperly collecting, using or disclosing personal information in potentially damaging manners.

  1. CASL: Canada's Anti-Spam Law

    1. General

      CASL is a comprehensive legislative regime created to combat spam. It is aimed at preventing organizations, including foreign ones, from sending unsolicited or misleading commercial electronic messages ("CEM") or programs to consumers without their consent. In particular, CASL introduces the requirement to obtain the consent of a recipient before an organization sends a CEM. This requirement extends to email messages, messages to social networking accounts and text messages to smart phones.

    2. Principles

      CASL came into force on July 1, 2014 and is widely considered to be among the most comprehensive, and to an extent onerous, commercial electronic messaging statutes in the world. It has significant implications for Canadian businesses, not-for-profit organizations, and individuals using electronic communications. CASL also applies to foreign organizations that operate or do business in Canada, or that send commercial electronic messages to Canada.

      CASL's provisions regarding CEMs extend far beyond typical "spam" emails. A CEM is an electronic message that is intended to encourage participation in a commercial activity. When determining if an electronic message encourages a commercial activity, the content of the message, the hyperlinks in the message or the contact information contained in the message may all be considered. Further, the types of commercial activities that would be considered to constitute a CEM include but are not limited to:

      (i) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;

      (ii) offers to provide a business, investment or gaming opportunity;

      (iii) advertisements or promotions of anything referred to in (i) or (ii); or

      (iv) promoting a person, including the public image of a person, as being a person who does anything referred to in any of (i), (ii) or (iii), or who intends to do so. (2)

      Organizations must therefore carefully scrutinize their use of email and other electronic messaging systems, including SMS, social networks and online portals.

      On January 15, 2015, provisions of CASL relating to unsolicited installation of computer programs or software came into force. These provisions prevent the installation of computer programs without an individual's consent. (3) CASL's computer programs provisions affect a wide range of platforms, from applications on personal computers, tablets and mobile devices, to programs embedded in consumer products, such as automobiles, TV sets, and home audio systems. CASL's computer program provisions apply only to programs that automatically install software on someone's computer; they do not apply to individuals installing software on their own devices.

    3. Consent

      Consent, as interpreted by CASL, can either refer to express consent, or under certain circumstances, implied consent. Express consent means that a person has clearly agreed to receive a CEM, prior to a CEM being sent to him or her. By requiring consent first, CASL has enabled an "opt-in" regime in relation to spam, unlike some other countries that have enabled "optout" regimes, like the United States. CASL's "opt-in" regime applies to both Canadian organizations and non-Canadian organizations so long as these organizations are sending commercial electronic messages to recipients within Canada. (4)

      Under certain circumstances, such as an existing business relationship between an organization and a recipient of a CEM, an organization may be able to rely on implied consent in sending CEMs. Other circumstances where implied consent may be relied upon are described in section 10(9) of CASL.

      The onus of proving consent is always on the sender. As a result, it is prudent for the sender of a CEM to employ good record-keeping practices, which may help the sender establish a due diligence defense in the case of an alleged violation of CASL. (5) Good record-keeping may include retaining hard copies or preferably electronic records of:

      1. all evidence of express and implied consent (e.g. audio recordings, copies of signed consent forms, completed electronic forms) from consumers who agree to receive CEMs;

      2. documented methods through which consent was collected;

      3. policies and procedures regarding CASL compliance; and

      4. all unsubscribe requests and resulting actions. (6)

      Diligent record keeping is of critical importance. Anything not in writing will be difficult to prove later in the event of a complaint. Moreover, lack of documentation makes it complicated--even impossible--to allow for internal management purposes such as tracking implied and express consents that have been previously obtained or even withdrawn.

    4. Enforcement

      Three federal agencies are responsible for the enforcement of CASL: (i) The Canadian Radiotelevision and Telecommunications Commission ("CRTC"), (ii) the Competition Bureau, and (iii) the Office of the Privacy Commissioner of Canada (the "Privacy Commissioner").

      The CTRC has the primary enforcement responsibility for CASL and is able to investigate, take action against, and set administrative monetary penalties for violations of CASL. For the most part, CASL is enforced by undertakings of the sender to remedy his/her actions, (7) and notices of violation. (8)

      CASL provides for significant administrative monetary penalties of up to CAD$1,000,000 per violation for individuals, and CAD$10,000,000 for organizations. In 2016, 22 notices of violation were issued by the CTRC for violations of CASL with associated penalties ranging from $5,000 to $650,000, (9) and in 2015 the CTRC issued a notice of violation for CAD$1,100,000 for sending CEMs to individuals without their consent, along with other violations of CASL. (10)

      The Competition Bureau is also enabled to enforce the law under CASL through more effectively addressing false and misleading representations and deceptive marketing practices. CASL enables the Privacy Commissioner to enforce the law regarding the collection of personal information through access to computer systems, as well as electronic address harvesting. (11)

    5. CASL's Private Right of Action

      It is anticipated that CASL will allow individuals and organizations to bring a private right of action ("PRA") in court against persons they allege to have violated the law. (12) The PRA will allow individuals and organizations to seek compensatory damages in an amount equal to the loss or damages suffered, or expenses incurred, as a result of the contravention. (13) There may be statutory damages imposed by the court in addition to the compensatory damages under this PRA. (14) An individual could claim for breaches of CASL including the improper transmission or rerouting of CEMs to other destinations than those intended by the sender, unauthorized installation of computer programs,or participating or promoting any of these activities. They can also bring claims for being the target of false or misleading CEMS under the Competition Act, that their electronic address has been obtained without their consent or that their personal information has been obtained through accessing a computer system without authorization in breach of the federal Personal Information Protection and Electronic Documents Act. (15)

      In the case of unsolicited emails, these statutory...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT