CASL

On Friday, June 5, 2020, Canada’s Federal Court of Appeal (FCA) handed down its first decision regarding Canada’s Anti-Spam Legislation (CASL, the Act) in 3510395 Canada Inc v Canada (Attorney General). Many will likely know this case as “CompuFinder,” the operating name of 3510395 Canada Inc. The decision tackled some very big issues, namely the constitutionality of CASL itself, as discussed here by my colleague Shaun Brown, but also drilled down into humbler matters, such as the interpretation of CASL’s business to business exemption, “conspicuous publication” implied consent, and the law’s required unsubscribe mechanism for commercial electronic messages (CEMs). This post will focus on some of the practical outcomes of the FCA’s decision relating to these smaller matters. 

As any Canadian marketer will tell you, CASL’s 2014 coming into force led to a mad-dash among organizations in this country to bring their email marketing practices into compliance with the law. At the time, the CRTC provided some welcome guidance, however, as with any new law, there were lingering ambiguities as to where the line was drawn with regards to certain compliant versus non-compliant practices. In the intervening years, the CRTC has provided further guidance and decisions on CASL, but the FCA’s foray into CASL interpretation brings with it added clarity for lawyers and organizations regarding some of the law’s somewhat fuzzier concepts.  

Background 

CompuFinder was the subject of one of the CRTC’s first administrative monetary penalties under CASL, and it was a whopper: $1.1 million for some four violations of the Act (later reduced to $200,000). CompuFinder’s transgressions? It had sent 317 CEMs without the recipients’ consent or without a functioning unsubscribe mechanism as required by CASL (however, it should be noted that an Office of the Privacy Commissioner of Canada investigation suggested CompuFinder was a spammer of much larger proportions than this number suggests). Namely, CompuFinder, a provider of professional training courses, sent unsolicited emails to employees of businesses to whom it had previously provided courses and to certain email addresses it seemed to have gathered from telemarketing, online sources, and third parties. Eighty-seven of the CompuFinder emails cited by the CRTC contained two unsubscribe links, one functioning and one non-functioning.  

CompuFinder submitted representations to the CRTC, arguing that the emails it sent to the employees of its customers were subject to CASL’s “business to business” exemption and that it had individuals’ implied consent for other emails under CASL’s “conspicuous publication” provision. CompuFinder also argued that the functioning unsubscribe links within its emails should have negated the effect of the non-functioning links. The CRTC was unsympathetic to CompuFinder’s representations and upheld the $200,000 penalty. CompuFinder then appealed the CRTC’s decision to the FCA as permitted by Section 27 of CASL. 

What does CASL Say? 

Business–to–Business Exemption 

CASL’s “business to business” exemption is found in section 3(a)(ii) of its Electronic Commerce Protection Regulations. Section 3(a)(ii) states that CASL’s general consent requirement does not apply to a CEM that is sent by an employee, representative, consultant or franchisee of an organization to an employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent. So in order for a CEM sent by an organization to fall into this category, three main conditions must be met:  

1. the recipient must be an employee, representative, consultant or franchisee of another organization; 
2. the two organizations must have a relationship; and 
3. the message must concern the activities of the recipient organization (in other words, must be relevant to the activities of the recipient). 

Sounds easy enough doesn’t it? But what exactly does it mean for two organizations to have a “relationship”? Is it the same thing as an “existing business relationship” as defined in CASL’s Section 10(10)? And organizations undertake many activities. For example, most organizations perform at least some accounting outside of their core activities, so would it be offside to send a message about accounting courses to an employee at a marketing company? Or conversely, a message about a marketing course to an employee at an accounting company?  

Not always so clear-cut is it?  

Implied Consent by Conspicuous Publication 

Section 10(9)(b) of CASL says that a person’s consent to receive CEMs is implied if three conditions are met:  

1. the recipient must have conspicuously published their electronic address or “caused” it to be conspicuously published; 
2. where published, the electronic address is not accompanied by a statement that the person does not wish to receive unsolicited CEMs; and 
3. the message must be relevant to the person’s business, role, functions or duties in a business or official capacity. 

The CRTC has provided some interpretation of this provision in its CASL FAQ. But the “relevance” of a message to a person’s business, role, functions or duties, tends to be somewhat of a subjective judgement call. As discussed below, likely the biggest implication from the FCA’s decision for marketers is its reiteration that the onus is on the sender to provide evidence that the three 10(9)(b) conditions are met.  

Functioning Unsubscribe 

I won’t delve into the specifics of CASL’s mandated unsubscribe mechanism here, but will highlight what the regulations say about the form it must take. Section 3 of the Electronic Commerce Protection Regulations (CRTC) requires the unsubscribe mechanism within a CEM “be set out clearly and prominently” and “be able to be readily performed.” So what happens when the sender includes two unsubscribe links in their CEM, one functioning and one non-functioning? Spoiler alert: the FCA deferred to the CRTC’s judgement on this one, and it wasn’t favourable to CompuFinder. 

Takeaways from the FCA Decision 

The Threshold for Establishing a Business-to-Business Relationship is Higher than that of an Existing Business Relationship 

Just because an organization sells a product or service to another doesn’t entitle it to send CEMs to the purchasing organization’s employees. CompuFinder argued that because certain organizations had purchased its courses in the past, it therefore had a relationship with the organizations’ employees for the purpose of the business-to-business exemption. The FCA deferred to the CRTC’s interpretation here, stating that there was nothing wrong with its determination that “contractual relationships comprehending a very limited number of transactions affecting very few employees do not constitute relationships for the purposes of the business-to-business exemption.” CompuFinder had provided proofs of payment from its customers for single training sessions of one or two employees as evidence of there being a relationship. Evidently, that was just not enough to form a relationship between CompuFinder and the recipient employees who had not purchased courses in the past. 

The threshold for establishing a “relationship” under the business-to-business exemption is higher than that of establishing an existing business relationship. CompuFinder argued that because an “existing business relationship” is defined within CASL, a “relationship” for the purpose of the business-to-business exemption must have a broader scope and be easier to make out. The FCA flatly disagreed, pointing out that while an existing business relationship would allow CompuFinder to send CEMs to the individuals who had paid for its courses, CompuFinder’s interpretation of the business-to-business exemption would allow it to not only send CEMs to those individuals, but to every one of their colleagues as well. In other words, it would open the floodgates to spam, an interpretation squarely at odds with CASL’s purpose. 

Lastly, CompuFinder argued that the CRTC inappropriately read into the business-to-business exemption a requirement that relationships can only be established through employees with authority to bind their organizations. The FCA did not agree. It noted that the CRTC said this might help in establishing evidence of a relationship, but it was neither determinative nor required.  

A Past Similar Purchase or Evidence of Intent to Purchase Can Satisfy Relevance Requirement of Business-to-Business Exemption 

Recall that to qualify for the business-to-business exemption, a CEM must concern the activities of the recipient organization (aka relevance). As the FCA noted, “The required connection between a good or service promoted in a CEM and the activities of the recipient organization will often be established simply by virtue of the relationship between the CEM-sending and receiving organizations, which will typically be based on the provision of that same good or service by the former to the latter.” In this regard, a past purchase or evidence of the recipient’s intention to purchase will likely meet the threshold for establishing relevance.  

If Relying on “Conspicuous Publication” Implied Consent, Be Diligent and Ready to Provide Proof 

The FCA sided with the CRTC’s finding that CompuFinder failed to show that the recipients of its emails had “conspicuously published or caused to be conspicuously published” their email addresses. The CRTC found that emails in a table of addresses provided by CompuFinder as evidence were taken from third-party directory websites that did not indicate whether their content was user-submitted. The takeaway here is that if you collect addresses from online directories, ensure there is a way to document that the corresponding individuals had either submitted the addresses themselves or caused them to be submitted. And don’t forget to make sure there is no disclaimer accompanying the addresses that the corresponding individuals do not wish to receive unsolicited emails (CompuFinder had apparently dropped the ball in that regard as well). 

Job Title Not Necessarily Enough to Establish Relevance to Person’s Business, Role, Functions or Duties for “Conspicuous Publication” Implied Consent 

As evidence of the relevance of its emails to recipients’ business, role, functions, or duties (the third requirement to meet the “Conspicuous Publication” exception), CompuFinder had included recipients’ job titles in its evidence table. The CRTC disagreed this was sufficient to establish relevance, finding that CompuFinder “merely speculated, from recipients’ job titles, what their functions might be, and then assumed that CEMs sent to them were relevant to those functions.” While the FCA did not rule out that job titles could adequately establish relevance in certain cases, it found CompuFinder’s speculative practices fell short.  

The lesson here is that organizations who wish to rely on the “conspicuous publication” exception should be ready to explicitly state the “business, role, functions or duties” of its CEM recipients and be prepared to demonstrate the relevance of the corresponding CEMs it sends as they relate to such business, role, functions, or duties.  

Unsubscribe Mechanisms: “Clearly and Prominently” Means Avoiding Obscurity and Confusion  

To meet the “clearly and prominently” requirements for unsubscribe mechanisms, organizations must avoid any elements within CEMs that may create obscurity or confusion around unsubscribe links. In other words, including a non-functioning unsubscribe link, even in the presence of another one that works, is a clear no-go.   

Conclusion 

CompuFinder’s saga is a lesson on the importance of having a diligent CASL compliance strategy in place. Such a strategy must include clearly documenting how consent is obtained and if relying on the business-to-business exemption or “conspicuous publication” implied consent, evidence of how CEMs are relevant to their recipients. Oh, and don’t forget to clean up those unsubscribe links!  

On Friday the Federal Court of Appeal (FCA) published a long-awaited decision in 3510395 Canada Inc. v. Canada. 3510395 Canada Inc. is “CompuFinder”, the Quebec-based company that earned the first administrative monetary penalty under CASL when it was penalized by CRTC staff for $1.1 million in March 2015. The company made representations to the Commission on the substance of the violations, as well as arguing that CASL is unconstitutional. On the substance, the Commission found that CompuFinder did commit most of the violations alleged, while reducing the penalty from $1.1 million to $200,000. The CRTC issued a separate decision finding that CASL is constitutional. CompuFinder appealed both decisions to the FCA.

The Court addressed both appeals in a single, 112 page decision. CompuFinder lost on every claim, with all three justices in agreement. The following summarises the issues addressed by the Court.

Constitutional issues

1. Jurisdiction: The Court found that CASL is within the federal government’s constitutional authority under the general branch of the trade and commerce power.
2. Freedom of expression: Although CASL infringes on freedom of expression protected under section 2(b) of the Charter of Rights and Freedoms (Charter), it is saved by section 1, which states that Charter rights and freedoms are subject to reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.
3. Section 11 of the Charter: CASL does not violate section 11 of the Charter, which guarantees certain the protections to any person charged with an offence. Contrary to the claims CompuFinder, CASL does not allow for the imposition of “true penal consequences”.
4. Section 7 of the Charter: CompuFinder attempted to argue that CASL violates a person’s right against self-incrimination under 7. The Court quickly dismissed this claim as section 7 can only be used by a corporation to challenge a law if there are “penal consequences” (and the Court found that there are none).
5. Section 8 of the Charter: The Court found that the investigatory powers exercised by the CRTC were well within the limits of section 8, which protects against unreasonable search or seizure.

Substantive Issues

1. Business-to-business exemption: None of the commercial electronic messages (“CEMs”) sent by CompuFinder qualify for the exemption for messages sent between businesses with a “relationship” in para. 3(a)(ii) of the Electronic Commerce Protection Regulations.
2. Implied consent: CompuFinder did not have implied consent to send CEMs based on the conspicuous publication of email addresses, pursuant to para. 10(9)(b) of CASL.
3. Non-compliant unsubscribe mechanism: CompuFinder violated CASL by sending CEMs that contained non-functioning unsubscribe mechanisms.

The overall outcome is not surprising, and it’s hard not to wonder why CompuFinder decided to throw so many different claims into the appeal instead of focussing on those that might stand the greatest likelihood of success. On the substance of the violations, CompuFinder’s actions were hard to defend. The facts in this case, combined with what was revealed through the detailed report of findings from the Office of the Privacy Commissioner (OPC) in 2016, suggest that CompuFinder engaged in very “aggressive” marketing practices that resulted in a lot of unwanted email (i.e., the type of thing that CASL was intended to prevent).

Outside of section 2(b), the Charter claims were also a long shot.

However, it was not clear or obvious whether the Court would determine that the federal government has the constitutional authority to implement CASL. There is still not a lot of case law applying the general branch of the trade and commerce power, and the limited cases from the Supreme Court have set a fairly high bar for its use. The Court’s analysis on this issue is probably the most important (if unsatisfying) aspect of this case.

The bottom line is that while there are many problems with CASL, it is, according to the FCA, constitutionally valid legislation, so unless CompuFinder is willing and able to appeal to the Supreme Court (the Supreme Court would have to agree to even hear an appeal), CASL is not going anywhere.

This post only considers the jurisdictional claims. Another post by Dustin Moores provides an analysis of the substantive claims, while a subsequent post will consider the section 2(b) freedom of expression claims.

The general trade and commerce power

Sections 91 and 92 of The Constitution Act, 1867 allocate responsibility to legislate on various matters between the federal and provincial governments. The federal government has jurisdiction over things like criminal law, banking, railways, patents, and the military. The provincial governments have authority over the delivery of health care, schools, property and civil rights, among other areas of a more local nature.

Being written so long ago, the Constitution doesn’t make reference to matters like “spam”, “email”, or “internet”. In fact, the Constitution doesn’t refer specifically to many of the things that governments do, meaning that it’s often unclear exactly where jurisdiction lies for a given matter.

The federal government relies on subsection 91(2) of the Constitution as the basis for CASL, which provides the federal government with authority over the general regulation of trade affecting Canada as a whole. This is why CASL applies only to activities, like sending commercial electronic messages (CEMs) and installing computer programs, that occur “in the course of commercial activity”; any purported application to non-commercial activity would fall outside the trade and commerce power.

Given the breadth of its wording, the general branch of the trade and commerce power has been carefully construed by the courts over the years to prevent its application from effectively “eviscerating” all provincial powers. The Supreme Court set a high bar for its application in General Motors of Canada Ltd. v. City National Leasing, 1989 CanLII 133 (SCC), that was arguably pushed even higher in Reference re Securities Act, 2011 SCC 66 (CanLII), in which that court rejected the federal government’s plan for a national securities regulator (a more narrow approach was approved by the Supreme Court in 2018).

The purposes and effects of CASL are not overbroad

The first step in assessing the constitutionality of a law is to determine its true purpose. The Court was only concerned with the legislative “regime” established by section 6 (the CEM requirements), and not the regimes established under sections 7 (alteration of transmission data) or 8 (installation of computer programs).

CompuFinder argued that section 6 goes beyond trade and commerce, capturing “all messages that might have a minor commercial purpose, regulate purely local messaging and interfere with contractual terms”, meaning that the true purpose of CASL is to “regulate unsolicited messages generally” (para. 52). In other words, CASL goes beyond merely regulating “commercial” electronic messaging, delving into purposes that would fall under provincial jurisdiction over municipalities, local matters and property and civil rights, rendering the general trade and commerce power inapplicable.

The Court rejected this characterization, accepting the purposes for CASL as stated in the legislation itself and by the government during the creation of the law. The Court observed that

Section 3 thus reveals that Parliament’s intention in legislating the impugned provisions was to create a scheme regulating the sending of CEMs in order to prevent impairment of the e-economy and costs to businesses and consumers, as well as to protect confidential information and Canadians’ confidence in e-commerce

…..

Parliamentary debates consistently support the conclusion that the purpose of CASL’s CEM scheme is to regulate unsolicited CEMs in order to combat spam and associated online threats in the interests of privacy and security in order to promote a healthy e-economy.

paras. 94 – 95

The Court also found that the direct and follow-through effects of CASL “do not appear to diverge substantially from its stated aim” (para. 99), regulating “only a narrow aspect” of commercial electronic messaging (para. 100). The Court considered the following factors in coming to this conclusion:

• CASL only applies to messages that encourage participation in commercial activity;
• CASL does not in any way affect the terms of any contract of sale, or otherwise interfere with contractual relations, as alleged by CompuFinder;
• CASL does not regulate the content of CEMs other than requiring an unsubscribe mechanism and certain identification information, and senders are otherwise free to include any content they see fit; and
• CASL does not displace or substantially duplicate any provincial legislation.

Provinces cannot replicate CASL

Having established the purpose of CASL, the next step is to assign the law to a “head of power”, either federal or provincial. CompuFinder attempted but failed to convince the Court that CASL falls within provincial jurisdiction under the Constitution over property and civil rights (s. 92(13)), and matters of a merely local or private nature in the province (s. 92(16)). The government relied on the general branch of the trade and commerce power under s. 91(2).

There is a five-part test for determining whether a federal law properly fits within the general trade and commerce power.

1. The law must be part of a regulatory scheme;
2. The scheme must be monitored by the continuing oversight of a regulatory agency;
3. The law must be concerned with trade as a whole rather than with a particular industry;
4. The legislation should be of a nature that provinces jointly or severally would be constitutionally incapable of enacting; and
5. The failure to include one or more provinces or localities in a legislative scheme would jeopardize the successful operation of the scheme in other parts of the country.

Parts 1-3, straightforward and easily met in this case, are not worth discussing.

But the Court also found that CASL meets parts 4 and 5, which are always the most difficult.

On part 4, the Court concluded that although the provinces “possess the constitutional capacity to enact uniform legislation regulating unsolicited CEMs… there can be no assurance that the provinces could address these issues on a sustained basis because the provinces retain the unfettered ability of resiling from any interprovincial scheme” (para. 124). In other words, as long as one of the provinces is able to back out, the provinces are “constitutionally incapable” of acting.

The focus of part 5 is not whether the federal government is best positioned to legislate on a given matter (i.e., the optimal policy outcome), but whether the regulated matters “are essential in the national interest, transcend provincial interests and are truly national in importance and scope” (para. 125). The Court accepted the government’s arguments that federal legislation is “essential”, largely because spammers could “easily” move their operations to the most lenient province and send spam across borders.

Sensible result from an imperfect test

The Court’s analysis of the general trade and commerce power is not very satisfying.

On part 4, it seems like a big leap – even contradictory and illogical – to conclude that provinces are constitutionally incapable of implementing a regime just because one province may decide not to do so.

The part 5 conclusions aren’t any stronger. Even if several provinces failed to enact anti-spam legislation, therefore becoming havens for companies to spam the rest of Canada, laws in other jurisdictions would be enforceable against those companies. Provincial laws are enforced against out of province companies all of the time. So it’s hard to say that the absence of one or more provinces would not undermine the whole regime.

At the same time, it would be ludicrous to argue that Canadians would be better served by a patchwork of provincial anti-spam laws. Although the purpose of the appeal was to effectively “kill” CASL because provinces are unlikely to act, the implications of hypothetical provincial regulation are a nightmare. That would only make the problems associated with CASL (lack of clarity, over-regulation, legal risk, high compliance costs) even worse. So if we have to deal with anti-spam legislation, it is unquestionably preferable to have a single, federal law. This is the lens the FCA is looking through in this aspect of the case: whether anti-spam legislation fits within federal or provincial jurisdiction (not whether there should be a law at all).

But taken to its extreme, the five-part test sets a bar that is arguably impossible to meet. So the FCA is stuck with a flawed test, and some compromise (creative legal maneuvering) is necessary if the federal government is ever going to be able to rely on the general trade and commerce power.