Is your business ready for CASL’s private right of action?


Businesses have less than seven months to get their houses in order before Canada’s Anti-Spam Legislation's (CASL) private right of action provisions come into effect next summer, according to Toronto technology and business lawyer Peter Murphy.

Although most of CASL's anti-spam provisions have been on the books since 2014, CASL's private right of action was given a three-year phase-in period, he tells

"CASL’s private right of action provisions will kick in on July 1, 2017, enabling any person to launch lawsuits against violating organizations,” says Murphy, a partner at Shibley Righton LLP. "In addition to actual damages suffered for a breach of CASL's anti-spam and anti-malware provisions, courts will be able to award applicants statutory damages of $200 for each contravention of CASL up to $1 million for each day on which a contravention occurred. This is separate from the CRTC's power to issue administrative monetary penalties of up to $10,000,000 against offending corporations, which has been in place since July 1, 2014."

CASL generally prohibits the sending of commercial electronic messages without the recipient's consent, including email messages, text messages and personal electronic messages sent to social networking accounts. According to Murphy, any electronic message that is sent in or to Canada may be subject to CASL if one of its purposes is the encouragement of participation in a commercial activity. Even routine non-promotional emails can be caught, he says, if they include an advertisement or some promotional wording in the message.

"Understanding the range of electronic messages the organization sends is the first step," Murphy explains. ”The sender must determine if CASL will apply to the electronic messages it wishes to send, and if so, whether an exemption or an implied consent will be present under CASL. If the electronic message is neither exempt from CASL nor the beneficiary of an implied consent, the sender will need the express, opt-in consent of the recipient."

The onus is on the sender to prove they have the necessary consents, so organizations will need a tracking mechanism if they don’t already have one, he points out.

“They must keep records of their consents — including how the consent was granted or, where CASL permits, why a consent is implied,” Murphy notes.

The collection of express consent must follow particular requirements under CASL, he adds.

“Web sites and forms that allow users to sign up for electronic promotional updates must identify what the sender plans to do with the user’s email address,” Murphy tells “They must also identify who will use the email addresses and inform the email address holders they can withdraw their consent at any time.”

Companies need to ensure they have effective unsubscribe functions for email messaging, and that they act on those requests in a timely manner, Murphy says. Organizations that send commercial electronic messages without an unsubscribe function that meets CASL requirements may also be subject to the private right of action.

"Much of the enforcement activity of the CRTC to date has focused on insufficient unsubscribe functions, so we can expect this will be reflected in private rights of action,” Murphy notes. “Insufficient unsubscribe functionality is something that really bugs people, perhaps even more than receiving an unsolicited email. And the repeated receipt of an unsolicited message really bothers people because they feel helpless to stop receiving them.”

Organizations that still haven’t implemented a CASL compliance program, including tracking of consents and maintaining records to back them up, should be very concerned about the upcoming private right of action, Murphy warns.

“For example, organizations that send promotional emails to customers who previously purchased a good or service from them have an implied consent under CASL, but that only lasts for a two-year period from their last purchase,” he explains. “Organizations that don’t have express consent from these recipients must track the time period from when they last purchased the sender's product or service and cease sending them commercial electronic messages when the implied consent expires,” he says. "For many organizations, establishing this kind of record keeping is a real challenge."

Ignoring CASL is not an option, says Murphy.

“Directors, officers and agents of an organization that breaches CASL can be held personally liable for the breach where they directed, authorized, assented to, acquiesced in or participated in the contravention,” he says. “Every director in Canada should be concerned if their corporation is not following a comprehensive CASL compliance plan."

Looking to the future, Murphy says the private right of action will be exercised in situations where a breach of CASL makes it economical for someone to do so, and that will open the door to the possibility of class actions.

“Being on the losing end of a CASL enforcement will also have negative repercussions as far as publicity,” he adds. “Consumers have come to expect good electronic messaging practices from the organizations they interact with. That's just good business.”

Name and Title