In the last 36 months, the CRTC received just over 922,262 complaints under CASL, representing more than 300,000 complaints a year! This demonstrates that many Canadians support this legislation, and increasingly continue to do so.
As the chart above shows, the daily volume of complaints has been growing steadily for over a year, exceeding 1,000 complaints per day since October 2016.
Mainly email, but text and instant message complaints are fast on the rise
According to the CRTC, email accounts for roughly two-thirds of complaints and SMS a good third. On the other hand, while the number of accusations about non-compliant emails has decreased by almost 10% in the past year, SMS denunciations have more than doubled. Additionally, although they represent only a tiny fraction of the total, instant message complaints are also growing.
Consent issues represent approximately two-thirds of the complaints received, but their growth is lower than for content or misleading subject claims, which have increased by 60% over the past year. This suggests that the Competition Bureau, which handles these types of complaints, will continue to distribute heavy fines as it has done with Budget, Avis and Amazon.
How cases are selected
In a presentation to IAB Canada in Spring 2017, the CRTC stated that, considering the international scope of spam, it has already entered into collaborative arrangements with the authorities of a dozen countries, including the United States, the United Kingdom, Australia, and the Netherlands.
These agreements are bilateral, meaning that the authorities exchange information with each other to initiate investigations, to investigate them further, or to prosecute and punish the perpetrators.
Although the CRTC didn’t share the criteria on which it relied to prompt past cases, it did explain that its investigations are triggered not only by the data provided by its international and industry partners but also by the messages and information it receives at specific addresses on different websites, commonly referred to as “honeypots”.
What happens next?
When the CRTC conducts an inquiry, one of the first things it does, more often than not, is to send the company a request for information to be supported by the appropriate documentation. For example, in the context of “consent”, the CRTC will require the company to provide proof of consent for all persons to whom the company has sent emails during a particular period. This includes:
- The type of consent (explicit or implied)
- The date of consent
- The information held on the person
- A CSV file with the justificatory pieces for each consent
- Database management guidelines for contacts
- Electronic communication policies
- Screenshots of subscription forms
Incontestably, documentation is crucial, yet it’s one of the least known aspects of Canada’s Anti-Spam Law. Without it, you are quite sure to be found guilty.
When you get a notice of violation…
When the CRTC has completed its investigation, it sends a notice of violation. The company then has 30 days to negotiate a voluntary commitment agreement.
A voluntary undertaking is not an admission of guilt, but rather a negotiated settlement that includes an immediate payment as well as a commitment to take a series of steps to correct the alleged violations. This includes establishing a comprehensive compliance program and implementing it.
To negotiate the terms of the voluntary agreement, you will need to document the steps you took to comply with CASL and to demonstrate your financial limitations. (It goes without saying that it is dangerous to conduct such negotiations without the support of an—expensive—lawyer specialised and experienced in negotiations with the CRTC.)
If you refuse to sign a voluntary agreement, you’ll receive a much bigger penalty, one that can be contested in the Court of Appeal, if you have the financial means to do so. That’s why, so far, all but one offender, CompuFinder, have committed to settlements and immediately paid the amounts negotiated with the CRTC.
The CRTC revealed that it doesn’t have a grid to determine penalty amounts, primarily because of 1) the complexity of CASL, 2) the criteria relevant to each case, and 3) the need to be flexible enough to ensure that the fines are sufficiently dissuasive to be effective without putting companies into bankruptcy.
The compliance program is a requirement
The compliance program imposed in the voluntary commitment agreement is, according to the CRTC, the centrepiece of ensuring that a company no longer violates Canada’s Anti-Spam Law.
In fact, for the CRTC, fines and voluntary commitments are in essence a means of encouraging ALL BUSINESSES to develop a compliance program that complies with its requirements.
(By the way, you’ll have greater peace of mind and save money if you implement a compliance program with Certimail before any possible investigation, rather than under the direct supervision of the CRTC.)
Worried about being investigated?
For people who have hidden a part of their wealth in a tax haven, but confess it to the tax authorities before the situation gets discovered, their chances of paying a fine or being penalised are minimal. The CRTC offers a similar opportunity under Canada’s Anti-Spam Legislation.
If you suddenly realise that your business has violated Canada’s Anti-Spam Legislation, you can contact the CRTC as part of its “voluntary disclosure” process.
Although the CRTC doesn’t guarantee that you won’t have a penalty to pay, it promises to be gentle in handling your file. It will advise you on the best ways to permanently correct your situation with the mandatory compliance program.
The only requirement imposed by the CRTC is that you identify ALL the violations in your original statement. This implies that you must conduct a thorough audit to determine all breaches of compliance.
**Any violation discovered during the voluntary disclosure that was not reported in the original statement will be excluded from the declaration and sanctioned as if it had been found during a typical investigation.**
July 1st has come and gone; an audit and voluntary disclosure are the very minimum of protection. Ultimately though, a compliance program is mandatory and is your best protection.