Intermediary Liability Under CASL
|Lawyer||Monique McAlister, Peter Ruby|
|Area||Litigation, Privacy and Data Protection|
The Canadian Radio-television and Telecommunications Commission (CRTC) recently released Guidelines on its approach to intermediary liability under Canada’s anti-spam legislation (CASL). According to the Guidelines, innocent intermediaries may be found liable “even if they did not intend to do so, or were unaware that their activities enabled or facilitated contraventions of CASL by a third party”.
Examples of intermediaries whose activities may place them at risk of non-compliance include:
- advertising brokers
- electronic marketers
- software and application developers
- software and application distributors
- telecommunications and internet service providers
- payment processing system operators.
Given that CASL violations can result in penalties of up to $10 million per violation, businesses should familiarize themselves with the CRTC’s Guidelines, exercise due diligence and implement preventions and safeguards to manage their risks for compliance, as described below.
What You Don’t Know Can Hurt You
As you may be aware, CASL prohibits the following direct actions:
- sending, causing or permitting to be sent, commercial electronic messages (CEMs) without express or implied consent (i.e., spamming);
- altering, or causing to be altered, transmission data in electronic messages, in the course of a commercial activity, without express consent (i.e., unwanted redirection or phishing); and
- installing, or causing to be installed, a computer program on another person’s computer in the course of a commercial activity without express consent, or causing electronic messages to be sent after such installation (i.e., malware, viruses and botnets).
But did you know it is also prohibited under section 9 of CASL “to aid, induce, procure or cause to be procured” any of the above activities?
According to the CRTC Guidelines, section 9 may apply to individuals or organizations “facilitating commercial activity, by electronic means, by providing enabling services, technical or otherwise”. It could also apply to “those who receive direct or indirect financial benefit” from a CASL violation.
Know Your Risks
Importantly, the Guidelines stipulate that “while awareness of violations may be a factor when assessing section 9 violations, it is not necessary to be found liable”.
The CRTC expects businesses to understand the risks associated with the nature of their industries and take precautionary measures to mitigate those risks.
When assessing intermediary liability, the CRTC will consider:
- the level of control over the activity that led to the violation, and the extent to which the intermediary could have prevented or stopped the activity;
- the degree of connection between the intermediary and the prohibited actions; and
- whether the intermediary took reasonable steps to prevent or stop the violation from occurring.
Manage Your Risks
Intermediaries may not be found liable if they establish that they exercised due diligence to prevent commission of the CASL violation. This includes:
- implementing prevention measures;
- implementing measures to detect, notify and share information on possible violations;
- allocating resources towards the remediation of threats;
- assisting in recovery efforts for users whose devices and accounts have been compromised; and
- documenting any measures taken to prevent CASL violations.
Examples of preventative measures recommended by the CRTC are onerous and include:
- monitoring third party activities;
- performing diligent and consistent audits;
- seeking legal and other expert advice;
- implementing a robust compliance program; and
- incorporating regular threat and risk assessments into the business’ technological infrastructure.
Other measures include:
- validating clients’ identities;
- being cognizant of location discrepancies;
- obtaining further proof of identity such as incorporation records;
- refraining from doing business with those seeking total anonymity;
- researching the reputation of potential clients;
- detecting and documenting possible violations; and
- reporting any violation to the relevant authorities.
Above and Beyond Industry Standards
To avoid significant fines, businesses must protect themselves by establishing a proper system to prevent CASL violations. They must also take reasonable steps to ensure the effective operation of compliance measures through ongoing management and active oversight.
The CRTC emphasizes that simply following industry standards may be insufficient. Where a threat or vulnerability has been identified, steps should be taken to address it, even if that means surpassing industry standards.
For more information on the Guidelines, please contact any member of our Privacy Law Group.