A well-guarded CASL: Canada’s anti-spam regime held constitutional3510395 Canada Inc. v. Canada (Attorney General), 2020 FCA 103 (CanLII)
On June 5, 2020, the Federal Court of Appeal (the “FCA”) released its decision in the appeals raised by 3510395 Canada Inc. aka CompuFinder (the “Appellant”) in response to two decisions by the Canadian Radio-Television and Telecommunications Commission (the “CRTC”). These decisions related to promotional messages the Appellant sent regarding its professional training courses that were found to be in violation of the law known as Canada’s Anti-Spam Law (“CASL”)1. The CRTC’s initial decision imposed a C$1,100,000 fine on the Appellant, with the CRTC reducing this fine to C$200,000 in its second decision.
The FCA’s ruling is significant because it confirms the FCA’s view that one of CASL’s core features, the regulation of commercial electronic messages (“CEMs”), is constitutional. While this finding will be of interest to lawyers and future CASL investigation targets, the specific facts that led to the FCA upholding the CRTC’s C$200,000 fine also merit review. Given the ubiquity of electronic communication, it is essential for all businesses to establish clear, customized, and internally-enforced controls with respect to electronic communication practices to both ensure compliance and, even more importantly, document efforts to comply with the law. This case establishes that CASL has teeth and the CRTC will investigate complaints and penalize non-compliance. Considering CASL’s broad scope and the fact that perfect compliance is practically impossible, businesses should pay close attention to this development.
A. CASL basics
CASL was enacted by the Canadian Government to “reinforce best practices in email marketing and combat spam and related issues”. While the moniker “CASL” has stuck, the law is far more a wholesale regulation of all commercial electronic interactions than a simple law about “spam”, as evidenced by entire parts of the law having nothing to do with the sending of electronic messages.2
Even the provisions that regulate CEMs are implemented through a regulatory regime (the “CEM Regime”) that outright prohibits the sending of CEMs unless certain requirements are met: first, the recipient must have consented to the receipt of the CEM from the sender; second, the sender must include certain information in the CEM; and, last, the CEM must include a clear, prominent, and ready-to-be-performed unsubscribe mechanism.
The potential penalties for violating CASL are equally notable: while the controversial “private right of action” is on seemingly-indefinite hold, the CRTC can administer monetary penalties up to $1,000,000 in the case of an individual and up to $10,000,000 in the case of a business or organization. Furthermore, there is potential for directors’ and officers’ liability - this represents a risk profile that greatly exceeds the potential personal and individual liability directors face for significantly more harmful conduct, such as breaches of consumer protection law, privacy law, or corporate law. To date, the largest single penalty issued by the CRTC to a corporation under CASL was in this case, but the CRTC has also imposed a $100,000 fine on a CEO, showing that the CRTC will indeed exercise its right to hold directors and officers individually liable for breaches of the legislation.
The sweeping regulation of all commercial communication combined with the potential for severe monetary penalties created by the CASL regime merits the constitutional review undertaken in this decision.
B. CRTC case background
The Appellant conducted at least three marketing campaigns between July and September 2014, during which it sent at least 451 CEMs to various recipients promoting its education and training services. Following investigation by the CRTC, the Appellant was issued a notice of violation (“NOV”) for failing to obtain recipient consent and ensure functioning “unsubscribe” links in all CEMs. In its press release for the NOV, the CRTC noted that 26% of all complaints the CRTC received under CASL in the training industry stemmed from CEMs from this particular Appellant. The CRTC fined the Appellant C$1,100,000 and stated that the Appellant "...flagrantly violated the basic principles of the law..." by continuing to send unsolicited CEMs to e-mail addresses it located by “scouring websites” even after CASL came into force, as well as that "[c]omplaints submitted to the Spam Reporting Centre clearly indicate that consumers didn't find Compu-Finder's offerings relevant to them.” The CRTC’s Chief Compliance and Enforcement Officer noted to the CBC:
"They have not made any effort to change their business practices [after CASL] ... People were unsubscribing and they were still getting emails, and some even made additional efforts to contact the company to say, 'I unsubscribed, I'm still receiving emails,' and despite those additional efforts they were still getting emails."
The Appellant responded to the NOV and made representations to the CRTC pursuant to its rights under Section 24 and Section 25 of CASL, denying a violation of CASL and arguing that CASL is unconstitutional, among other things. On review, the CRTC’s tone changed a bit, noting that there were at least a few procedural irregularities with the earlier investigation: in fact, several of the messages that were the subject of the NOV were not human-readable, some were sent before CASL came into force, and some were literally blank. Thus, the scope of the review was narrowed to 317 messages, with the CRTC concluding that these messages still violated CASL for lack of consent and, in many cases, lack of a functioning unsubscribe mechanism. The CRTC also determined that CASL is both valid and Charter compliant. The CRTC did, however, reduce the penalty to C$200,000 both because the Appellant had taken “laudable step[s] toward compliance” and the C$1,100,000 would “place CompuFinder’s ability to continue doing business at risk.”
The Appellant appealed the CRTC’s rulings to the FCA.
C. Constitutionality of CASL
Constitutionality of CASL— Federal powers
The FCA first analyzed the purpose and effect of the CEM Scheme and then considered whether it was a valid exercise of the Federal Government’s power to make laws with respect to trade and commerce under Section 91(2) of the Constitution Act, 1867. On the first point, the FCA concluded that the main thrust of the CEM Scheme was to “regulate the public’s ability to send unsolicited CEMs in order to guard against the threats that such messages can pose to Canada’s e-economy” (para. 110). On the second point, the FCA determined that the CEM Scheme was a valid use of the Federal Government’s trade and commerce power for the following reasons, in accordance with the analysis established in General Motors of Canada Ltd. v. City National Leasing,  1 S.C.R. 641:
- The CEM Scheme is part of a regulatory scheme.
- The CEM Scheme is monitored by the continuing oversight of a regulatory agency (here, the CRTC).
- The CEM Scheme is concerned with trade as a whole, rather than with a particular industry. In coming to this conclusion, the FCA noted that (i) e-commerce is not confined to a single industry, (ii) the CEM Scheme regulates CEMs, which are a narrow aspect of electronic messaging, and (iii) the CEM Scheme leaves room for provincial regulation.
- The provinces would be constitutionally incapable of enacting the CEM Scheme because individual provinces would be capable of withdrawing from such an interprovincial scheme.
- The failure to include one or more provinces in the CEM Scheme would jeopardize the successful operation of the scheme in other parts of Canada. This is because spammers would be able to disseminate CEMs from servers located in provinces with more lenient regulations.
We note that consumer protection regulation (for example, the regulation of the distance sales contracts that form the basis of all e-commerce and, likely, the substance of many CEMs) is solidly within the realm of provincial jurisdiction, and such provincial regulation almost certainly meets all the above criteria, but the FCA dealt with this by ruling that CASL’s CEM Regime “does not regulate the contracts of any particular business or trade [but applies] to the exceedingly wide array of businesses and trades that participate in e-commerce” (para. 105).
No violation of Charter ss. 7, 8, s. 11
The FCA found that the CEM Scheme does not violate the following sections of the Charter:
- Section 11, which grants procedural rights to “any person charged with an offence”, because this section only applies to criminal offences. Since the administrative sanction at issue did not reach the threshold of a true penal consequence, Section 11 offered no protection.
- Section 7, which grants everyone the right to “life, liberty and security of the person”, because, although “a corporation charged with a penal provision may challenge that provision on the basis that it violates a human being’s Section 7 rights” (para. 229), there were no criminal charges nor any pending penal consequences.
- Section 8, which grants everyone the right to “be secure against unreasonable search or seizure”, because there was no unreasonable seizure in this case (CASL only permits the compulsion of documents and does not permit physical searches of premises, which the FCA acknowledged as more intrusive).
Justified violation of Charter s. 1 Freedom of Expression
Commentators will no doubt have divergent opinions on this portion of the FCA decision. While the Attorney General of Canada acknowledged that the CEM Scheme violated the freedom of expression rights found in Section 2(b) of the Canadian Charter of Rights and Freedoms (the “Charter”), it argued, and the FCA accepted, that the violation is justified pursuant to Section 1 of the Charter. Applying the standard Oakes test, the FCA found:
- The CEM Scheme is “prescribed by law” since it was both: (a) validly enacted by the Federal Government pursuant to its power to make laws with respect to trade and commerce; and (b) is “sufficiently precise to delineate an area or zone of risk” (para. 151).
- The purpose of the CEM Scheme (i.e. to regulate CEMs that: (a) impair the e-economy; (b) impose additional costs on businesses and consumers; (c) compromise privacy; and (d) undermine the confidence of Canadians in the use of electronic communication to carry out commercial activities) is sufficiently important to justify limiting freedom of expression rights.
- There is a rational connection between the purpose of the CEM Scheme and the means chosen by the Federal Government to achieve the CEM Scheme. Specifically, by prescribing ways to legally disseminate CEMs, as well as by incorporating a number of exceptions and exclusions, the CEM Scheme is sufficiently tailored to its stated purpose and is not over-inclusive.
- Although there are other means by which the Federal Government could regulate CEMs, the chosen scheme (which provides for an “opt-in” approach, has an open-ended definition of CEM, and prescribes specific circumstances where consent can be implied) falls within a range of reasonable options to be considered minimally impairing.
- The benefits provided by the CEM Scheme outweigh its detrimental effects. In coming to this conclusion, the FCA noted that “commercial expression is not as jealously guarded as some other forms of expression” (para. 194).
We make several initial observations in connection with the FCA’s rationale for these conclusions. In discussing CASL’s objective, the FCA rightly points out that CASL is not designed to merely address “harmful spam” (think deceptive medication ads, lottery schemes, phishing, malware attacks, and the like), but is instead meant to regulate a “wide range of commercial messages, far beyond what could be considered ‘the most damaging and deceptive forms of spam’”, in effect any commercial messages that could controvert the efficiency of e-commerce or undermine Canadians’ confidence (para. 168). This is an important point, as there is no bright line test for what qualifies as “spam”, in the same way that there is no accepted bright line test for what qualifies as “bad art”: you know it when you experience it, but rarely do you think of yourself as the perpetrator. Put another way, in trying to prevent “spam”, an unavoidable consequence will be capturing messages from those who do not view themselves as spammers simply because the criteria are fuzzy.
The decision shows that the parties and the FCA judges spent quite some time considering the opt-in vs opt-out aspects of CASL, but we feel that this does not get at the core of the issue. For example, the FCA frames the true problem of unsolicited messages in the following passage:
The proper question in this regard is not whether an email containing a coupon ranks among “the most harmful and misleading forms of online threats” […] The more appropriate inquiry is whether an inundation of emails offering an array of coupons, which a recipient did not consent to, and which the recipient is powerless to bring to an end, can impair the efficiency or optimal use of, or undermine a recipient’s confidence in, email as a means of carrying out commercial activities. (para. 169, underlining ours)
We argue that it is the latter, underlined part of this passage that truly needs to be tackled by legislation in order to address consumers’ collective “inundation” and “powerless” vulnerability. While the FCA does not base its decision solely on the opt-in vs. opt-out debate, modern forms of principles-based law, such as the European General Data Protection Regulation, eschew the fiction of user consent as a framework for regulating electronic interactions. When the FCA cites (at para. 177) a 2005 study to argue against an opt-out model on the modern Internet in the year 2020, it states the “fundamental issue with the opt-out model is that it permits spammers to continue sending spam”; this is an overly simplistic argument that ignores the fiction of the effectiveness or relevance of opt-in consent on electronic transactions. First, this “inundation” is a problem that technology has largely dealt with (automatic unsubscribes, advanced spam filters, focused inboxes, better firewalls and, detection systems, and external-message flags, to name a few), meaning that users are less and less inundated in a meaningful way by spam. Second, and more importantly, replacing the inundation of spam with an inundation of checkboxes, “I agree” buttons and click-through consent helps nobody; users are expected to click through checkboxes and scroll through text so often to get the thing they want (particularly in today’s “freemium” and “one-click” e-commerce economy) that the efficacy is questionable. Put another way, given the current flow of ecommerce interactions and technological developments with respect to email and inbox management, the friction of an opt-in consent regime is unlikely to be any more protective or helpful to ecommerce consumers than the friction of an opt-out consent. Rather, it is a combination of helpful technology and a meaningful, enforced unsubscribe mechanism that is most likely to combat unwanted messages in Canadians’ inboxes.
We also note that the FCA seems to discard the concerns about CASL’s breadth without much deliberation on just how impairing the CEM Regime is to e-commerce. Section 1(2) of CASL defines a CEM as essentially including any message that it would be reasonable to conclude has “as one of its purposes” the encouragement of participation in a commercial activity. The Appellant raised this by arguing that the law’s objective is too broad and the CEM Scheme is not minimally intrusive, as the FCA states at paragraph 157:
Contrary to the appellant’s claims, CASL does not ban all speech or expression with any possibility or semblance of commerciality, or that might be, may be or could be viewed as having a slight, faint, or minor commercial element, aspect, nature or purpose […] In reality, CASL’s prohibition captures electronic messages that it would be reasonable to conclude have—not could, might or may have—as their purpose, or one of their purposes, to encourage participation in a commercial activity.
We respectfully disagree with this assertion after having advised clients on CASL since before the law came into force. One does not have to spend much time developing examples to illustrate this point: a non-profit or political party that wants to recognize a sponsor’s or constituent’s logo in a message to its mailing list (the message is exempt by regulation if the primary purpose is for fundraising, but not otherwise, making it a CEM); a business that wants to advise customers about its response to the COVID-19 pandemic (certainly a public health concern, but arguably to make sure that the customer has the confidence to frequent the business, qualifying it as a CEM); a sender’s signature block that touts awards, features, or marketing hype as opposed to factual contact information (the “always be closing” mantra theoretically turning every email into a CEM). The breadth of CASL’s plain language definition of a CEM merely having commerciality as “one of its purposes” (as opposed to, say, a dominant purpose or a primary purpose) raises the spectre that any message, even one is that not intended to be commercial or where commerciality “could, might or may have” a “slight, faint or minor” purpose, comes with a potentially significant liability for both companies and their directors and officers—with CASL permitting penalties up to C$10,000,000.
This concern regarding the breadth of the definition of a CEM is compounded by the fact that the links contained within a CEM factor into the analysis of whether it is a CEM. Take for instance an employee with a link to the homepage of the company in their signature—a ubiquitous practice—who messages a client to wish them and their company a happy anniversary. As drafted, the nature of what is currently available on the company’s homepage could tip the scales in favour of such a message being deemed a CEM. The FCA brushes aside the Appellant’s raising of this concern at paragraph 148, stating “a sender can never know with exactitude the risk incurred by including a link in an electronic message but neither are they destitute of any idea or guidance in this regard.” This is a reductive view that seems to ignore that virtually every message in the modern Internet is sent with rich links and images, with the linked content constantly changing largely outside of the control of the sender of the message.
We note that the Standing Committee on Industry, Science and Technology tabled a report in 2017, three years after CASL came into force, was entitled “Canada’s Anti-Spam Legislation: Clarifications Are In Order”. This report framed clear legislative failures as “clarification” recommendations that are quite fundamental in nature, including: renaming the law (to reflect its breadth properly); properly defining a “CEM” (so that they become “clear and understandable for parties subject to the legislation”); clarifying what is meant by “implied consent” and “express consent” (so that the law does not “create unintended costs of compliance”); and clarifying “whether business-to-business electronic messages fall under the definition of a CEM”.3 The report went so far as to specifically call out the CRTC, saying it should “increase efforts to educate Canadians, especially small businesses, with the goal of improving awareness and understanding of the Act and its regulations as well as increasing awareness of the technological tools available to assist in complying with the legislation.” Even with the FCA noting at paragraph 187 that “the recommendations do no more than call for clarification on some of CASL’s terms”, the report makes clear that these clarifications must come in the form of legislative amendments or at least substantial regulatory changes:
The Act under review is no ordinary legislation. It makes extensive changes to the conduct of electronic commerce in Canada by requiring that individuals and organizations alter longstanding practices […] The Act and its regulations require clarifications to reduce the cost of compliance and better focus enforcement. Provisions defining CEM, consent, and “business-to-business” messages, among others, warrant the attention of the Government of Canada.
Perhaps the Appellant was unimaginative in its attempts to establish the non-minimal impairment of CASL, or perhaps the FCA did not come to appreciate either the true problem undermining Canadians’ confidence and efficiency in e-commerce or the degree to which legitimate Canadian businesses struggle to comply with CASL in a way that most of the world’s spammers do not. Either way, it is incredible to see CASL, touted as one of the toughest anti-spam laws in the world, described as “minimally impairing” to freedom of expression.
D. Guidance from the facts of the case
The FCA made three key determinations in respect of the case’s specific facts. First, the relationship between the Appellant and the recipient of its messages was not sufficient to constitute a “relationship” for the purposes of the business-to-business exception found in Section 3(a)(ii) of the Governor in Council Regulations. This section exempts from regulation a CEM that is sent by an employee of one organization to an employee of another organization if: (a) those organizations have a relationship; and (b) the CEM concerns the activities of the receiving organization. The FCA determined that the fact that the recipient was an employee of an organization that had paid for another one of its employees to take a course with the Appellant was not sufficient to establish a relationship for the purposes of the exemption. However, the FCA did clarify that an organization may send CEMs related to activities other than those which constitute the recipient organization’s “core business”, and that the CEMs sent in this case would have satisfied the “activities of the receiving organization” requirement if the Appellant had been able to prove that the recipient had purchased similar courses in the past or intended to purchase them in the future.
Second, the Appellant could not rely on the implied consent exemption in Section 10(9)(b) of CASL, known as the “business card rule” or “profile page rule”. That section requires that: (a) the recipient has conspicuously published or caused to be conspicuously published their electronic address; (b) the publication is not accompanied by a statement that the recipient does not wish to receive CEMs; and (c) the CEM is relevant to the business, role, functions, or duties of the recipient individual or organization. In this case, the FCA concluded that the Appellant could not rely on the implied consent exemption because some of the recipient email addresses were taken from third-party websites that did not indicate whether the users had submitted their email addresses. As a result, the Appellant could not prove that it had met the first condition noted above. Additionally, the FCA stated that the Appellant could not meet the second condition since some of the email addresses were collected from websites that stated that unsolicited CEMs should not be sent to addresses in their terms and conditions. The FCA also noted that the Appellant’s reliance on the recipients’ job titles was insufficient to determine whether the CEM was relevant to the “the business, role, functions or duties of the recipient individual or organization”. The FCA clarified that organizations sending CEMs pursuant to this exemption should be prepared to explain why the CEM is relevant to the recipient’s business, role, functions, or duties (and not just their title).
Last, the FCA determined that the Appellant violated the requirement with respect to unsubscribe mechanisms. Section 6(2)(c) of CASL requires each CEM to include an unsubscribe mechanism, and the regulations make it clear that the mechanism must be “set out clearly and prominently” and “readily performed”. Here, although the Appellant’s CEMs did contain a functional unsubscribe link, the FCA concluded that the Appellant had failed to meet the requirements because many of the CEMs contained a second unsubscribe link that produced an error message. The FCA noted that the addition of a second non-functional unsubscribe link could create confusion, cause delay, and compromise the simplicity with which the mechanism is supposed to function. On this point, we note that the CRTC’s originally-proposed regulations required that the unsubscribe mechanism be capable of being performed within two clicks, and so senders must be careful to keep unsubscribe friction as low as possible.
E. Key takeaways
Given that this case provides essentially the only non-obiter judicial consideration of CASL to date, there are some key takeaways that are applicable to all businesses:
- Senders should obtain express consent to send CEMs where possible, and use exemptions and implied consent to get that express consent. CASL is designed to make express consent the “gold standard”, and implied consent or other exceptions may be difficult to manage efficiently in the conduct of many businesses. The burden of establishing consent is on the sender, and practicality dictates that this requires conscious choices at the sender’s organization and not an over-reliance on implication or assumptions. Express consent does not expire until a recipient unsubscribes, and moreover is usually easier to prove. All forms of consent, whether express or implied, should be carefully documented, as should the methods by which they were obtained or established.
- Businesses should take unsubscribe requests seriously and have effective, well-documented processes to make unsubscribing pain-free and efficient for recipients. A business’s customer service team should be on the lookout for unsubscribe requests and action them quickly.
- Senders should not rely on the business-to-business exemption without first carefully assessing whether the communication actually falls within its scope. The following excerpt from this case might provide some guidance in this regard: “the required connection between a good or service promoted in a CEM and the activities of the recipient organization will often be established simply by virtue of the relationship between the CEM-sending and receiving organizations, which will typically be based on the provision of that same good or service by the former to the latter” (para. 245).
- Unless and until CASL is amended to provide further clarification regarding the kinds of communications actually meant to be included in those that “encourage participation in a commercial activity”, there is potential for this provision to capture a vast array of communications. As such, senders should carefully vet all message content, as well as the content of any links to be included in such messages.
- Businesses should draft internal policies and procedures to ensure CASL compliance, as well as have ongoing monitoring and record-keeping relating to compliance with these policies. The CRTC has published guidelines on the development and implementation of CASL compliance programs which may be helpful in this regard. Having a well-developed compliance program is critical in the event of a truly unintentional misstep, as there is a defence of due diligence available.
CASL is a sweeping piece of legislation and the CRTC can severely penalize both individuals and businesses who contravene its provisions. Due to the breadth of CASL’s provisions and the assessment of compliance on a case-by-case basis, it bears repeating that that all consents and methods of obtaining consent should be carefully documented, that written policies and procedures for compliance should be established and followed, and that unsubscribe mechanisms should be simple and functional.
This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice. Please see our disclaimer for more details.
 We always stare in amazement at the embarrassingly-verbose name of the law: An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (S.C. 2010, c. 23)
 See, for example, CASL s. 7 which prohibits alteration of transmission data, or CASL s. 8 which regulates the installation and communication of computer programs on others’ computing devices.
 There are of course more recommendations, but these “clarifications” are at the heart of the Appellant’s case in this instance.