One of the suggestions that came up quite a lot—from very small companies, from people who were both pro-CASL and anti-CASL, if I can say it that way, and from very large companies—was that there should be a gradient built in, with a warning letter first, then after a warning letter maybe a small penalty, and then a bigger penalty. Then someone else suggested there should be one penalty for accidentally sending an email out to 100,000 people as opposed to maliciously sending an email out to phish for addresses. There's a difference between inadvertent errors and malicious activity.
Should there be a gradient for first, second, and third infraction? Should there be something more severe for malicious versus non-malicious intent emails?