Case study: Newsletters mistakenly flagged as spam… What to do?

If you send out a newsletter, chances are good that at least one recipient has unsubscribed, and in doing so, cited “spam” as their reason for unsubscribing. If you have Hotmail, Yahoo, or Google email addresses in your lists or CRM database, flagging an email as “spam” is even easier for them.

Even if your newsletter or communication is not “spam”, people nowadays get easily irritated and take out their anger on email by hitting that spam button. Sad story, but true.

Now without having to get into the details of email deliverability, each time an email you or your company sends is tagged as spam, there are checks and balances that go on in the background, affecting your email deliverability score. If your score reaches a certain level, or if the email platform you use to send emails receives a certain number of “spam” hits, you could receive a warning or worse, be banned from sending emails.

This is unfortunately what happened to one of our clients.

Situation:

Our client’s email address acquisition process was not optimised, and although their communications were definitely not spam, their newsletters were flagged by some. They received warnings and were only a couple of emails away from being blacklisted and, undoubtedly, equally close to receiving a notice from the CRTC.

This was a huge concern for our client as email was crucial to their business model. Without it, they would not have been able to serve their users.

Solution:

They were in a precarious situation and they needed to act quickly. Our solution for them was simple: set them up with a CASL Compliance Program.

As per CASL:

“A person must not be found to be liable for a violation if they establish that they exercised due diligence to prevent the commission of the violation.”1

And as per the CRTC:

“The development and proper implementation of a documented and effective corporate compliance program is a useful risk-management strategy: it may (i) reduce the likelihood of businesses violating the rules and/or CASL, and (ii) help businesses establish a due diligence defence in the case of a violation of the rules or CASL.”2

In our dealings with the CRTC, we know that they are not looking for companies and organizations to be perfect, but they do want them to be responsible.

Process:

As part of establishing a Compliance Program, one of the first things we did, as required by the CRTC, was to perform a risk analysis.

We assessed our client’s situation according to one hundred items in our compliance grid, while at the same time searching for operational and marketing optimizations regarding electronic communications.

We then supplied them with a report of our audit, complete with recommendations for each issue, as well as optimisation tips and practical advice. Our client also operates in Europe so we provided GDPR recommendations as well.

They then fixed their issues, appointed a Compliance Officer, began documenting in the appropriate CASL registries, implemented a CASL Compliance Policy, and updated their Privacy Policy.

They are now CASL certified and can send electronic communications with peace of mind. They are no longer at risk of being blacklisted or of receiving a hefty fine.

If you’re wondering if any of your emails or newsletters may have been flagged as “spam”, give us a call and we’ll help you out. 514-867-1230

$100,000 in penalties for SMS messages non-compliant with CASL

A commitment to the CRTC

On May 1st, 2018, the CRTC announced via news release that companies 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC., operating as 514-TICKETS, whose principal activity is the resale of sports, cultural, and event tickets, have accepted an undertaking for alleged violations of the Canadian Anti-Spam Legislation (CASL). Under the latter, the companies pledged to pay a financial indemnity of $100,000 ($25,000 paid to the Receiver General for Canada and $75,000 in rebate coupons offered to clients).

This innovative form of sanction, combining customer discounts and fines, demonstrates that the CRTC’s intent is not to punish wrongdoers, but to force them to adopt CASL-compliant practices, which is inherent in the implementation of a CASL compliance program.

CASL’s application to text messages

This sanction is a milestone in the history of CASL compliance: it is the first time the CRTC has fined a company for violating the Law by sending commercial electronic messages (CEMs) via text messages. 514-TICKETS allegedly sent CEMs via text message from July 3rd, 2014 to November 26th, 2016 “without having obtained the consent of the recipients, and by not providing the necessary information to identify the sender, nor the information necessary to contact the sender”. More specifically, the majority of text CEMs were messages requesting consent to receive subsequent commercial offers.

The CRTC reiterated, in its news release, that CASL applies to any message sent —not only to an email address, but also to a telephone number account, or email account on social media— that is intended to encourage participation in a commercial activity.

If you don’t have consent, you cannot request consent

514-TICKETS should have, like any company sending CEMs, not only had prior consent before communicating with the recipients, but also included in its messages the information necessary to identify the sender, as well as the information to contact the sender. 514-TICKETS should also have included an unsubscribe mechanism, allowing the recipient to signal their desire to no longer receive communications from the company.

The Spam Reporting Centre is as efficient as ever

In this case, the CRTC’s investigation was initiated by reports sent to the Spam Reporting Centre (SRC). This government authority transmits information received from consumers and other bodies to the CRTC, the Competition Bureau, and/or the Office of the Privacy Commissioner of Canada depending on the nature of the alleged violation.

The importance of a compliance program

In their commitment to the CRTC, 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC. have also been required to implement a CASL compliance program, which includes: “an audit and review of current compliance practices […], as well as various other monitoring and auditing measures, including reporting mechanisms to CRTC staff regarding the implementation of the program.”

If your company has not yet been investigated by any of the CASL enforcement authorities, there is still time to implement your compliance program and protect your business before it’s too late.

CASL’s first sanction against a foreign company

Sanction for the Irish site Ancestry.com

On April 24th, the CRTC announced an undertaking with Ancestry Ireland Unlimited Company (“Ancestry”), which hosts the Ancestry.com website. The latter uses emails to communicate with people registered on its online service, which allows the search for genealogical documents (family history, family trees, historical records, information based on genetic analysis, etc.).

The extraterritorial nature of CASL

This is the first time that a foreign company has been subject to a CRTC sanction in connection with the Canadian Anti-Spam Law (hereinafter CASL). Ancestry is an Irish company with no offices or employees in Canada. The provisions of CASL, however, indicate that it applies to any company that sends messages to Canadian subjects, regardless of the source of the messages.

Similarly, contrary to what many people believe, Canadian companies have to comply with CASL both for the messages they send within Canada and for the commercial electronic messages they send to the rest of the world.

A sanction even if the consents were legal

The CRTC was able to find that Ancestry had obtained valid consents to communicate with its contacts, and that its messages contained the mandatory identification information as well as an unsubscribe link.

However, the company was still in the wrong according to the CRTC because their different databases did not synchronize the withdrawal of consents. A customer who unsubscribed from one list continued to receive messages from the other list.

The requirement to synchronize withdrawals of consent

CASL provides that a person must be able to unsubscribe from all commercial electronic messages from the company. In the absence of other choices in the unsubscribe process (e.g., to receive certain types of communications only), the person must by default be excluded from the receipt of all commercial communications.

This requirement of the law can become a concern for many. Indeed, in the majority of companies, there is no synchronization between the mailing lists and the sending of emails themselves, the email sending platforms being separated from CRM or databases. Many companies also often have no way of updating their consent for sending emails via Outlook if someone unsubscribes from their newsletter. Thus, a person could continue to receive communications, despite the fact that in principle, they have unsubscribed from all sendouts.

The compliance program is a must

Ancestry is, by this undertaking, obliged to comply with the Act with respect to the synchronization of its consents. It must therefore unsubscribe and remove from all its commercial communications any person who has indicated this desire, either directly or indirectly, within 10 working days of the request.

The company must also implement a compliance program under CASL which includes: “reviewing and revising current compliance practices […], as well as various other monitoring and auditing measures, including reporting mechanisms to CRTC staff regarding the implementation of the program.”1

Do not be the next company to be sanctioned

If you use an email sendout platform that does not synchronize consent withdrawals with other lists or with your internal email system, you’re in violation of CASL and you may be fined up to several hundreds of thousands of dollars.

If your company is not yet under investigation by one of the CASL enforcement authorities, there is still time to put your compliance program in place and protect yourself before it’s too late.

[Study] Marketing Professionals’ knowledge of CASL – Spoiler: It’s not good…

Today, the AMR (Quebec’s Association of Relationship Marketing) unveiled its first study asking Quebec marketing professionals how well they know (or think they know) CASL (Canada’s Anti-Spam Law) and its compliance requirements. While the Canadian ministry responsible for CASL will soon respond to recommendations made by Parliament in the law’s first review and amendments, it was important to measure the understanding and application by the Quebec professionals who are most impacted by it.

This study was conducted in collaboration with LJT, a law firm renowned for its expertise in marketing law, and Certimail, the Canadian leader in CASL compliance for SMBs.

Companies are not familiar with CASL

While 96% of respondents send commercial electronic messages (emails specifically), less than 6% correctly answered 7 simple questions about CASL and its application. Of the 71% of respondents who said they were familiar with CASL, 85% failed this basic test.

One in two believes that the Canadian Anti-Spam Legislation only regulates promotional items (i.e. newsletters); however, it governs ALL commercial electronic communications (individual, group, batch, sales, transactional, regardless of whether there is promotional content or not).

10% of respondents are unaware that CASL applies to their organization and business practices.

“It’s been three years since CASL has come into full enforcement, and yet professionals still don’t know its constraints and scope,” says Marc Roussin, president of the AMR. “Our association is, therefore, launching a series of activities to demystify the requirements of this law, that governs all commercial electronic messages.”

A big misunderstanding of compliance

60% of respondents said their businesses are fully compliant with CASL. Yet, less than 10% have incorporated a withdrawal mechanism into employee email signatures, a CASL obligation. Barely 11% completed an audit, as recommended by the CRTC. Only 40% have a written compliance policy and 75% of companies have not yet trained their employees with regards to this law.

“If one doesn’t know the real dangers to which they are exposed, a company can’t properly execute good risk management and governance,” says Sophie Deschênes-Hébert, a lawyer specializing in advertising and technology at LJT. “The results of the study show that in digital marketing, many make strategic decisions based on incomplete or inaccurate information and expose themselves to costly and easily avoidable consequences.”

A misunderstanding of CASL directly affects one’s marketing effectiveness

Since the launch of CASL, approximately 9% of respondents stopped using email marketing altogether, while 11% reduced their use of this marketing channel.

This sort of practice is flawed because CASL and all its regulations apply equally to emails sent by employees. Several fines issued by the CRTC (e.g., the William Rapanos and POF Media cases) show that sometimes only a few complaints are required for a company to be investigated.

Eliminating or reducing email marketing is also a bad business decision because, with a return on investment of 44 to 1, email still remains the most profitable digital marketing tool for companies and organizations.

“Too many companies are afraid of this legislation, and it’s too bad because it’s an excellent opportunity to improve one’s marketing,” says Philippe Le Roux, president of Certimail. “Implementing a CASL compliance program not only protects you against fines but it improves marketing and operational effectiveness.”

Since the introduction of CASL, email marketing indicators have improved significantly in Canada, according to a recent IBM global study.

AMR launches an outreach program

In light of the results of the study, AMR will be launching a program of activities to help marketers learn about CASL’s regulatory requirements and provide guidance to help them achieve business compliance. This program will launch on May 3rd, 2018 during a conference dedicated to email and compliance. During the event, the CRTC will present its CASL enforcement methods. Several experts will also share their knowledge and experiences regarding compliant and effective email marketing. Additionally, a series of webinars will allow professionals to deepen their knowledge and to benefit from tried and true advice.

Consult the complete study (in French only).

Parliamentary Report: The Canadian Anti-Spam Law Is Here to Stay

The government must maintain and reinforce the application of the Canadian Anti-Spam Law (CASL), but it must also clarify vague notions of the Act and its regulations, as ascertained by the thirteen recommendations in the report Canada’s Anti-Spam Legislation: Clarifications Are in Order.

The report, recently published by the House of Commons Standing Committee on Industry, Science, and Technology, cites forty-one expert testimonies with analyses from approximately thirty briefs over the course of ten weeks.

CASL is effective

Despite highly polarized interventions between lobbyists and business lawyers, who described CASL as a catastrophic situation, and consumer representatives, who believe that the fines are insufficient, parliamentary members relied on information provided by Certimail to conclude that, despite the constraints, CASL offers a good balance between consumer protection and business competitiveness, but that aspects of the law require clarification.

CASL must change its name

The first and last recommendations of the Committee are to change the short name “Canadian Anti-Spam Law (CASL)” to “Electronic Commerce Protection Act (ECPA)”. Members noticed that many companies do not feel concerned by the Law because they are not aware that CASL governs all commercial electronic communications, and not just spam or email marketing.

CASL must be clarified

Recommendations 2 to 8 call on the government to clarify and detail certain elements of CASL and its regulations to ensure that non-profit businesses and organisations better understand what is allowed or not.

The elements that the Committee recommends to clarify are:

  • the definition of “commercial electronic messages”
  • the status of administrative and transactional messages
  • the status of messages between companies
  • notions of implied and express consent
  • the definition of “email address”
  • messages that are exempt to section 6.6 of the Act
  • management of referral messages
  • the application of the Law as it applies to charities and non-profit organisations

These clarifications of the Law and its regulations will address some of the vague regulations, but they do not and will not change the CRTC’s compliance requirements.

The CRTC must take care of small businesses

In its ninth recommendation, the Committee wants the CRTC to make a significant effort to raise awareness, particularly among small businesses. This recommendation is based on a thorough evaluation of the CRTC’s work. The Committee emphasized in the report that all stakeholders were unanimous in saying that the CRTC must review its awareness activities and guidance documents to ensure that they are sufficient and effective—(very happy to see that part of my intervention was even quoted directly in the report, page 14) —indicating that the compliance requirements are hidden on the CRTC’s website and are not even listed on the fightspam.gc.ca website. The CRTC is therefore invited to redouble its awareness-raising efforts, particularly with small businesses.

Postponement of Civil and Class Actions

The Committee considers that the Private Right of Action (PRA), which allows civil or class actions to be launched after receiving a non-compliant message, must be maintained but suspended pending clarification and awareness-raising efforts. The Committee’s tenth recommendation also suggests that the Government assess whether the damages that may be claimed in this regard should be demonstrated.

The CRTC’s cooperation with the RCMP

During its testimony before the Committee, the CRTC indicated that it is currently less limited in its dealings with authorities in other countries than with the RCMP and other Canadian security agencies. The Committee heard the message and dedicated its eleventh recommendation to fostering cooperation between the CRTC and police authorities across the country.

Transparency in complaints, investigations, and fines

The CRTC and government are encouraged to find ways to make the investigation and fine-setting process more transparent while promoting access to data on complaints received and trends in problems.

I was happy to read that Certimail’s contribution was quoted a dozen times in the report. This not only made me proud of my first lobbying experience but glad to have helped our MPs to understand SMBs’ reality in regard to email marketing and CASL compliance. Upon reading the recommendations, it’s clear that Certimail’s pragmatic approach has served the interests of our clients much better than the dogmatism of the official lobbies like CFIB and Canadian Chamber of Commerce, that don’t really seem to know and understand the undertakings of being compliant or even email marketing at all.

 

Public Address of Philippe Le Roux Before the Parliamentary Committee on the Revision of CASL

Speech delivered by Philippe Le Roux, President of Certimail, during his testimony before the House of Commons Standing Committee on Industry, Science and Technology as part of the revision of the Canadian Anti-Spam Law.

Introduction

I want to thank the Committee for inviting me to testify today. Although not well covered by the media, the work of this committee is very important to the Canadian economy and its people.

I have of course followed the work of your Committee with great interest, and I have published a regular report on our blog. Unaccustomed to lobbying activities, I confess that I was particularly surprised by the number of approximations, exaggerations and alternative facts that you were served as scientific truths.

I will return to these statements later. As an Internet pioneer in Quebec, I founded in 1994 the first digital marketing agency through which I, for nearly 20 years, helped many organizations like VIA Rail, RDS, and Club Med USA to use the web to transform their marketing strategies, sales and sometimes even their business models.

I have always considered email as the heart of any digital marketing strategy and started to implement email marketing strategies for our customers in 1996. In 2013, I left the agency to establish Certimail whose mission is to help Canadian SMBs improve the effectiveness of their email marketing all the while complying with CASL. We are in fact the only company dedicated to CASL compliance.

Far from any dogmatism, the findings and recommendation that I present to you rely on my 20 years of email marketing experience, and 4 years devoted to analyzing CASL and its 13 regulatory documents to help tens of SMBs of all sizes to implement their compliance program based on the CRTC’s requirements.

The cost of conformity

Before going into the analysis of CASL and its application, I would like to answer a simple question that you asked at each of your sessions without ever getting an answer: to know what it costs a company to comply with CASL. The answer is simple; our certified compliance packages cost $699 for a sole proprietorship, $1,249 for a small business with less than 10 employees, and $3,000 to $15,000 for businesses with 11 to 300 employees. If my colleagues from Newport Thomson, Deloitte or KPMG who offer similar services to the largest companies were invited, they would tell you that their rates are between $25,000 and $100,000.

Surprisingly, neither the CRTC nor the industry associations have been able to provide you with this much needed and easily accessible information.

That being said, my intervention will focus on three points:

  • The importance and effectiveness of CASL
  • The inadequacy of the approach of the CRTC
  • Some recommendations to enhance the effectiveness of CASL all the while reducing its negative impacts

CASL’s relevance and effectiveness

It is as a marketing expert and socially motivated consumer that I wish to demonstrate to you that not only is CASL necessary but it is wanted.

Contrary to what was said by the many lobbyists who came before you, CASL is not a law on cybersecurity or IT risk, but a law that aims to develop consumer confidence in e-businesses.

In fact, as suggested in the report by the Task Force on Spam, CASL and its regulations are more like an Electronic Communications Highway Code than a Cyber-Threats Act.

When I crossed the Champlain Bridge this morning to attend this session, I noticed that the complex and stringent regulations put in place a century ago to supervise the few motorists at the time did not affect the development of this mode of transport.

And this Electronic Communications Highway Code, Canadians want it. They have demonstrated this by filing more than 1 million complaints in three years without having seen a single advertisement urging them to do so. And this support of CASL continues through the thousands of complaints filed every day.

This volume of complaints is enough to contradict the assertions delivered to you by the Canadian Chamber of Commerce in the last session. Receiving unsolicited commercial electronic messages is still a major problem for the vast majority of Canadians. Anti-spam technologies are becoming more efficient, but they have not solved the problem and are beginning to show their limitations.

The importance and effectiveness of CASL

In one year, CASL already reduced the volume of spam received in Canadian inboxes by 37%. This demonstrates the effectiveness of CASL for consumers.

But it is also effective for businesses, at least for those who want to do email marketing properly and not use it like traditional marketing à la Mad Men.

Since CASL came into effect, Canada has emerged from the pack to become one of the two countries where email marketing is by far the most effective. The second country is Australia, the only country that has broad and severe legislation similar to CASL.

For example, the reach rate (the proportion of outgoing messages that are visible to recipients in their email) is about 80% in most countries. In Canada, that rate rose from 79% in 2014 [1] to 90% today [2]. The only other country in the world that reaches a similar score is Australia.

Similarly, the open rate (the proportion of marketing emails opened by recipients) is from 12% [3] on the African continent to 24% [4] in the UK. With an open rate of 32% [5], Canada is second to Australia with 33%. Yet the open rate in Canada was only 26.2% in 2014 [6].

I have heard several witnesses claim that CASL affected the competitiveness of Canadian companies. Yet this is false. CASL is an excellent incentive to adopt best practices in the field and therefore to achieve better results. Australia’s Spam Act has been in force for almost 15 years, and yet their economy does not seem to suffer particularly.

Reducing the scope of CASL would encourage Canadian companies to maintain an often outdated marketing approach rather than capitalize on innovation to be more competitive.

Especially since CETA enters into force just as Europe implements GDPR, a new legislation on data protection that seems to be modeled on CASL regarding electronic communications. Encouraging Canadian companies to comply with CASL gives them a leg up on the European market.

The inadequacy of the approach of the CRTC

That brings me to the second point I want to share with you, the inadequate approach of the CRTC. I could spend hours citing to you why the CRTC is failing in its implementation of CASL, but we do not have time, so I’ll just point out the main grievances.

Failure to properly educate Canadian companies

The first relates to communications, a gap that is denounced by Canadian companies according to various surveys done on CASL.

  • Aside from a small advertising campaign on the web and a few very limited presentations in 2014, the CRTC did nothing to educate businesses about CASL’s many rules. Mr. Harroun boasted that they sensitized 1200 companies in its different presentations in Toronto last spring. We should remind him that Canada is a little bigger and that at this rate, it will take a century to educate the millions of Canadian businesses that are still unaware of CASL and its details.
  • The Journal de l’assurance in May invited the CRTC to send a lecturer to Montreal this month to raise awareness amongst 400 companies in the sector during a one-day seminar on the subject. The CRTC declined the invitation in September, and the conference had to be canceled. These companies continue to ignore the rules of CASL and the importance of setting up a compliance program.
  • In May 2014, the CRTC issued a bulletin defining the criteria that a compliance program must adhere to for a company to demonstrate good diligence under Article 33 (1) of the Act should they need to defend themselves. The problem is that this newsletter is lost in the bowels of the CRTC’s website and is known only by a few specialists. There is no reference to the compliance program on fightspam.ca or in CASL’s FAQ. Yet the CRTC says in each of its private conferences that its main objective is to encourage companies to implement such a program.

Yet three recent polls have estimated that 80 to 95% of Canadian businesses have no compliance program!

The website dedicated to informing consumers and businesses about anything related to CASL is not only poorly done and incomplete, but it is not even updated. The last notice dates from more than a year ago!

The second major flaw of the CRTC relates to the interpretation of CASL and its regulations

In three years, the CRTC’s investigation and enforcement team issued just three interpretive materials while there are still dozens of unclear issues affecting most businesses. And do not try to call them for advice, they will refer you to an agent at the call center that prompts you to make your interpretation in the hopes that the CRTC will have the same interpretation should they investigate you.

Since I founded Certimail 4 years ago, I have been trying to establish contact with the CRTC’s investigation and compliance team: I sent out invitations via LinkedIn, emailed, phoned and left messages for Mr. Harroun’s assistant. I have never had any news until my name was confirmed as a guest witness by the committee this week. And this despite the fact that Mr. Harroun and his team constantly invite companies to contact them for advice on compliance.

And this is not the only double talk from the CRTC on CASL. It’s the same for investigations and fines. While the public discourse is that the CRTC does not want to lure companies to act in good faith and focuses on the offenders who are the most harmful, it is clear that in private conferences, the speech is totally different, as demonstrated by the many fines given to companies acting in good faith: Rogers, Porter, and even Kellogg’s Canada.

How does the CRTC explain the fact that it reduced to $200,000 from $1.1 million a fine imposed on Compu-Finder in 2015, an amount identical to that paid by Rogers who made minor errors next to the violations of Compu-Finder?

Recall that Compu-Finder is a company criticized in the media for years for its abusive email practices that illegally collected more than 400,000 email addresses of Canadian companies, which generated a quarter of complaints received by the CRTC and who refused to collaborate during the investigation.

The third weakness of the CRTC is the volume of investigations

Mr. Harroun unveiled to you that the CRTC had opened 500 files (over 1.1 million complaints!) and completed 30 surveys including eight penalties that were made public in three years. How can we hope that companies feel concerned by CASL at this rate? In fact, companies feel they have more chance of winning the jackpot in the lottery than being investigated for their email practices.

I could go on for hours to present you with such aberrations that are detrimental to CASL’s objectives, but I’m out of time allotted to your questions, but I will be sending you our various recommendations shortly. These suggestions will help to improve the effectiveness of CASL all the while simplifying compliance for businesses.

 

[1] https://marketingland.com/study-email-deliverability-getting-easier-100074

[2] https://digital.returnpath.com/wp-content/uploads/main/2017/08/08104850/2017-Deliverability-Benchmark.pdf

[3] file:///C:/Users/plr/Downloads/UVL12406USEN.PDF

[4] file:///C:/Users/plr/Downloads/UVL12406USEN.PDF

[5] file:///C:/Users/plr/Downloads/UVL12406USEN.PDF

[6] http://blog.inboxmarketer.com/the-state-of-email-marketing-in-canada-2016

 

Parliamentary Review of CASL: A Festival of Asinine Discourses

If you believe, like many do, that you still receive a lot of unsolicited messages (i.e., spam) in your inbox, you’re all hallucinating.

At least this is what the Canadian Chamber of Commerce seemed to imply when it told members today, during the second revision session of CASL by the Standing Committee on Industry, Science and Technology, that spam is no longer a problem.

Today’s session consisted of a long series of approximations and erroneous or exaggerated assertions. The discourses, whose similarity might suggest that they are secretly coordinated, all revolved around the same central idea:

Overseeing commercial electronic messages sent from businesses prevents the authorities from dealing with the “bad guys” who threaten IT security. So let’s give companies the opportunity to send all the messages they want to whomever they want because the real problem that the CRTC should be concentrating on are fraudsters.

This type of assertion is asinine: Imagine the CAA calling for the abolition of the driving rules so that the police can devote themselves to fighting terrorism.

Let’s look at and analyze the central pearls of this type of reasoning.

Spam is no longer a problem (???)

According to Scott Smith, Director, Intellectual Property and Innovation Policy at The Canadian Chamber of Commerce, spam is no longer a problem for Canadians. This hyperbolic assertion is taken from a report supplied by anti-spam software vendor Trustwave, on which Smith relies and which states that anti-spam software blocks 99% of spam.

Even if this statement were objective and credible, how then does one explain the over 5,000 complaints that the CRTC continues to receive on a weekly basis, and the 1 million + complaints it has registered in the last three years?

Technological illiteracy or misinformation?

The complexity of CASL has been rightly pointed out by speakers, especially when it comes to the various types of “implied consent”.

But to argue, as Mr. Smith did, that there is no technology that exists for businesses to manage consents, or that you have to invest a lot of money to do so, is to misinform and mock the intelligence of the members of the committee.

While not all marketing technology suppliers are up to regulatory compliance standards (a consequence of inadequate educational work on behalf of the CRTC regarding CASL), there are already several solutions available to manage and document different types of consent.

Providers, such as Dialogue Insight, iTracMarketer and Cyberimpact for mass mailings or emailChecker and CASL Cure for individual emails, all offer practical solutions tailored to all sizes of businesses, with costs that go from ten dollars to a few hundred a month.

A plethora of alternative facts

At a time when everyone is concerned about the phenomenon of “fake news” and its impact on society, it is impressive to see the number of “alternative facts” that the lobbyists delivered to the members of Parliament.

For example, Ms. Aïsha Fournier Diallo, Senior Legal Advisor at Desjardins General Insurance Group, daftly stated that CASL prevents her from sending SMSs to VISA Desjardins clients, informing them of their credit limit, or from sending password reset emails to customers.

Even Barry Sookman, senior partner of McCarthy Tétrault and considered a top figure in the field, gave testimony that could cast doubt on his credibility. He stated that CASL had no impact on fraudsters. In fact, because of CASL, the CRTC was able to dismantle an international network of cyber-pirates who sent out malware affecting millions of computers around the world.

He went on to illustrate the excessive nature of CASL by explaining that it prohibits a teenager from offering babysitting services to neighbors or prohibits a person from recommending their dentist to a friend. When deputy Eva Nassif challenged him, he acknowledged the exaggerated nature of his examples.

Mr. Sookman went on to talk about the perils that CASL causes to Canadians by referring to a National Post article, according to which American television game show Jeopardy had banned Canadian candidates specifically because of CASL. The producers of the show have since denied this fake news and indicated that Canadian candidates were never banned from the show, but that applications were simply suspended to take the time necessary to adapt its form to Canadian regulations.

Mr. Sookman even attempted to persuade the Honourable Maxime Bernier (who addressed the fact that politicians should be held accountable under CASL) that if CASL applied to politicians, Mr. Bernier would not have been legally allowed to send messages to his list of 65,000 supporters during the Conservative Party’s leadership race. This is a false assertion, because those 65,000 people subscribed to Maxime Bernier’s list to receive those messages.

Ignoring the real problems

What is most damaging in these testimonies and discourses, intended to represent the interests of businesses, is that the real issues and problems are ignored.

CASL and its enforcement by the CRTC pose real problems for SMBs, but at the same time, it’s an opportunity for businesses to improve their digital communications. Among these problems are:

  • The restrictive interpretation of rules by the CRTC
  • The numerous, frequent situations still missing guidance from the CRTC
  • The lack of clarity in the definition of commercial electronic messages
  • The challenge of documenting verbal consents
  • The lack of data on the volume of spam and its evolution
  • The lack of collaboration with Internet service providers
  • Etc.

We need a marketer in the room!

Having listened to the testimonies and debates of this session many times over, I’ve come to two conclusions:

1) Speakers, unfortunately, spent most of their time showing bad faith by demonizing CASL instead of using it to expose the real issues that affect businesses, so that members of Parliament can put in place solutions.

2) Entrusting the defense of digital and email marketing to lobbyists and lawyers who have no expertise in the field of email marketing is not the best way to improve CASL’s areas of contention, nor does it benefit companies, in particular, SMEs.

It’s time to start thinking about this law in terms of clear rules that make sense from a variety of angles and perspectives.

CASL’s first Parliamentary Review Session

The House of Commons Standing Committee on Industry, Science and Technology began yesterday their review of the Canadian Anti-Spam Law. The CRTC launched the presentation by addressing those key areas that are of concern to Parliamentary deputies. Little news has been made available to the public, but we’ve been on the watch and below you’ll find highlights from the review.

A questionable discretion

Considering that this law is the one that generates the most complaints from consumers, that it has been decried and actively challenged for years by lobbyists since its adoption seven years ago, it’s surprising that this review process was not publicly announced.

In fact, the only place where information has been disclosed is on the Committee’s agenda, which is generally followed only by professional lobbyists. However, given the importance of this legislation, and how much it affects ALL Canadian businesses, it was expected that this process would have been publicly announced, at least to those organizations concerned, to allow them to prepare for the Committee’s reflection.

One has to wonder what’s with all the discretion.

Department officials’ and the CRTC’s opening remarks

The first session was devoted to the hearing of department officials:

  • Mark Schaan, Director General, Marketplace Framework Policy Branch, Innovation, Science, and Economic Development Canada
  • Charles Taillefer, Director of Digital Transformation Service Sector in the Privacy and Data Protection Policy Branch, for Innovation, Science, and Economic Development Canada

Followed by CRTC officials:

In his address, Mr. Schaan gave a brief history of the law. He affirmed the law’s effectiveness and went on to say that spam has been reduced by more than one-third in Canada, explaining the importance of this legislation for the development of e-business in Canada.

The floor was then given to the CRTC. In his speech, Mr. Harroun cited the various enforcement mechanisms used to apply CASL, ranging from warning letters to administrative monetary penalties, to notices of violation and commitments.

He then highlighted the CRTC’s public education and awareness efforts, in particular for businesses, indicating that a total of 6 conferences were held in Toronto last May that reached 1,200 companies. One deputy member reminded him that Canada was not limited to Toronto. Finally, he explained the work done by the CRTC at the international level to develop collaborative agreements with the authorities of several other countries.

Requests for information are evolving

In response to the Committee’s first question, Mr. Harroun argued that requests for information received by the CRTC from businesses are increasingly about the development of compliance programs, whereas in 2014 the questions were more about the concept of consent and unsubscribe links. He then went on to stress the effectiveness of the various penalties that the CRTC can impose on companies.

The Private Right of Action

On June 7th, Minister Bains announced that he was temporarily suspending the private right of action (PRA), which was to begin on July 1, 2017, pending parliamentary scrutiny of CASL. It was therefore normal that the implementation of this right of appeal was the subject of several questions by members of the Committee.

These questions allowed Mr. Schaan to explain why the department had decided to suspend the PRA.

In particular, he explained that the main reasons are the risk of multiplying costly class action suits and the fact that there are still many gray areas concerning CASL compliance.

The CRTC, for its part, insisted that the PRA is an important enforcement tool and that similar measures are already present in the legislation of several countries, in particular, the United States, Australia, and the United Kingdom.

Already more than 1.1 million registered complaints

Mr. Barrat indicated that the CRTC has already registered more than 1.1 million complaints in its spam reporting center, which is the primary source used for investigations, and that complaints continue to come in at a rate of 5,000 per week. He also noted that complaints result from the activities of all industrial sectors and all sizes of businesses, including the not-for-profit sector.

CASL is effective

As the committee continued, Mr. Schaan demonstrated the effectiveness of CASL by citing various independent reports. He referred to a US report showing that one year after the Act came into force, the number of emails received by Canadians decreased by 29%, and the volume of spam from Canada fell by 37%. He also cited a study done by Ipsos on behalf of CIRA showing that by October 2014, 62% of Canadians were aware of CASL and believed in its effectiveness. In fact, 84% of them had already taken advantage of it to reduce the volume of commercial messages they received. For their part, 49% of companies felt that the Canadian Anti-Spam Law had no impact on their marketing, 23% felt that the impact was minimal and 27% said it had a significant impact.

Mr. Schaan pointed out that Canada was one of the top 5 countries for generating spam. But since the passing of the bill, Canada is not even in the top 10.

The RCMP called in for collaboration

In response to a question on the means used to manage the international dimension of spam arriving in Canada, the CRTC explained that cooperation and agreements with authorities in other countries were increasing and that there was no particular difficulty at this level. However, he stressed that he doesn’t receive similar collaboration locally, particularly with the RCMP. He indicated help from them would be beneficial in enforcing CASL.

More than 30 completed investigations

The CRTC indicated that during the grace period it completed more than 30 investigations, of which only six have been made public to date. All other investigations are still in the process of negotiating commitments with collaborating companies. Some of the complaints received at the spam notification center are shared with the RCMP for criminal investigations to be conducted.

CASL as a benchmark

Witnesses indicated that the notion of consent as defined in the Canadian Anti-Spam Law is the benchmark for the ongoing revision of the Personal Information Protection and Electronic Documents Act currently being conducted by the Privacy Commissioner.

Meanwhile, MPs drew many parallels between the rules of CASL and those of the National Do Not Call List, which is enforced by the same CRTC team and generates more than one hundred investigations per year for half the number of complaints received under CASL.

The CRTC is unable to provide numbers

A curious fact to note is that with each question relating to numbers and complaints or investigations, the CRTC was unable to answer. This was also the case when asked about the industrial sectors that generated the most complaints, the number of investigations and fines, and the types of complaints received.

When the Honourable Maxime Bernier inquired about the financial impact on businesses of becoming compliant, the CRTC was still unable to provide even estimates.

—–

You can listen to the full recording of the exchanges on the committee’s website until the transcription is published. Until then, we are currently taking steps to obtain the dates and participants of the next sessions, as well as to take part in the debates to present the point of view based on the dozens of SMBs in Quebec that we have already helped to implement CASL compliance programs.

 

CASL: First Fine To A Corporate Executive

The CRTC announced that Ghassan Halazon has paid, as an individual, a fine of $10,000 to discharge his liability as CEO for violations of the Canadian Anti-Spam Law (CASL) committed by the company he ran at the time. This is the first time a corporate executive has been fined, and there are several lessons to be learned.

Enforcement of CASL is toughening up

Several observers misinterpreted the government’s decision to postpone the right to civil and collective redress at the end of 2017 as a sign of easing of the application of CASL. This is not the case, as Halazon’s case demonstrates.

The CRTC has always stated that the three transitory years that companies had to implement their compliance program were sufficient and that those who have not yet done so have no excuse. In fact, Steven Harroun, the CRTC’s Chief Compliance & Enforcement Officer, said at a recent conference:

Commercial electronic messages are the primary source of what prompts Canadians to report cases that require follow-up investigation — commercial email messages that you or your organisation may be responsible for sending. Email messages account for more than three-quarters of incidents reported to us.

(…) 

Every business should have a compliance program in place to help ensure each commercial message or telemarketing call is compliant. If your practices are ever called into question, a thorough compliance program can help you in a due diligence defence.

(…)

But let me be clear, CASL and Unsolicited Telemarketing Rules are not new. And ignorance is not a defence.

Look at it this way—if I do a U-turn on the 401 and my defence to the police officer who pulls me over is that I did not know I couldn’t make a U-turn, I’m still getting the ticket.

The same applies if violations under these laws have been determined. There will be consequences, which could include administrative monetary penalties and the obligation to implement compliance programs. At best. And, at worst, public shaming that will keep your public relations department busy for a long time.

The message is clear: very quickly, several penalties a year will jump to several fines per month, as was the case with the National DNCL, another organisation regulated by the CRTC.

Why was Mr. Halazon fined?

In 2009, Mr. Halazon founded Cough Commerce, the company that launched TeamBuy.ca in 2010 and bought Dealfind.ca in 2013. Unfortunately, the merger wasn’t successful, and the company had to file for bankruptcy protection on August 29, 2014. Halazon’s business was then bought on September 24, 2014, by nCrowd, an American company specialising in bundle purchases.

Nevertheless, according to the CRTC, between July 2 and September 9, 2014, TeamBuy violated CASL by sending several emails with a withdrawal mechanism that was not functioning well or was too complicated. Ghassan Halazon, being CEO of the company at the time, was found personally responsible under section 31 of the Act, which states that:

Directors, officers, etc., of corporations

31 An officer, director, agent or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorised, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against.

C-level, directors, managers, administrators are all personally liable

Section 31, on which Halazon’s fine is based, is one of the many provisions of CASL that few people know about and that the media does not discuss. This is unfortunate, because this section removes corporate protection and thus makes individuals such as directors, managers, administrators, etc. personally responsible for CASL violations.

The CRTC’s Chief Compliance and Enforcement Officer has made this clear in a recent statement:

Receipt of commercial emails is the primary source of complaints from Canadians who report cases requiring follow-up investigations, and you or your organisation may be held responsible for sending these commercial emails. 

The CRTC’s adamant actions…

Canada’s Anti-Spam Legislation came into force on July 1, 2014, and TeamBuy went bankrupt two months later. Yet, the CRTC investigated this case, for almost three years, for emails sent over a very short period. This unyielding behaviour runs counter to much of the CRTC’s reassuring PR speeches. What their actions do seem to mean is that:

  • The notion of a transition period is not taken into consideration, and the CRTC expects companies to have been compliant since July 2, 2014,
  • Their enforcement is not solely for the goal of compliance, but for punishment,
  • Everyone, at any time, past or present, is at risk of being fined.

Another surprising move by the CRTC

It is also surprising to note that while the case file was concluded on June 12, 2017, the CRTC waited until Friday afternoon to publish this news on its website, and this without issuing a press release − an approach often used in politics to make sure journalists don’t talk about it. 

Are you insured?

More and more organisations are now taking out liability insurance, commonly referred to as Errors & Omissions (E&O) insurance, to protect their employees. This is a common practice among NGOs to protect volunteers, but it is now becoming standard practice for private businesses in light of CASL.

N.B.: Savvy insurance companies are starting to exclude CASL from their policies if the company cannot demonstrate that it has implemented a complete compliance program.

In conclusion

Each decision made and conference given by the CRTC sheds a little more light on their approach regarding investigations and fines. Regardless, the words of the CRTC’s Chief Compliance and Enforcement Officer must be taken seriously:

Each company should have a compliance program to help ensure that every commercial or telemarketing message is compliant. If your practices are challenged one day, a comprehensive compliance program can help you establish a due diligence defence.

Now then, considering that the emails you, your company and your employees sent, or send today, can haunt you in the future, it’s more important than ever to protect yourself and to implement a compliance program. Speak with one of our experts for free.

 

1M Complaints: Insights into the CRTC’s investigation process

In the last 36 months, the CRTC received just over 922,262 complaints under CASL, representing more than 300,000 complaints a year! This demonstrates that many Canadians support this legislation, and increasingly continue to do so.

 

Nearly one million complaints under the Canadian Anti-Spam Law

 

As the chart above shows, the daily volume of complaints has been growing steadily for over a year, exceeding 1,000 complaints per day since October 2016.

Mainly email, but text and instant message complaints are fast on the rise

According to the CRTC, email accounts for roughly two-thirds of complaints and SMS a good third. On the other hand, while the number of accusations about non-compliant emails has decreased by almost 10% in the past year, SMS denunciations have more than doubled. Additionally, although they represent only a tiny fraction of the total, instant message complaints are also growing.

Consent issues represent approximately two-thirds of the complaints received, but their growth is lower than for content or misleading subject claims that have increased by 60% over the past year. This suggests that the Competition Bureau, which handles these types of complaints, will continue to distribute heavy fines as it has done with Budget, Avis and Amazon.

How cases are selected

In a presentation to IAB Canada in Spring 2017, the CRTC stated that, considering the international scope of spam, it has already entered into collaborative arrangements with the authorities of a dozen countries, including the United States, the United Kingdom, Australia, and the Netherlands.

These agreements are bilateral, meaning that the authorities exchange information with each other to initiate investigations, to investigate them further, or to prosecute and punish the perpetrators.

 

 

Although the CRTC didn’t share the criteria on which it relied to prompt past cases, it did explain that its investigations are triggered not only by the data provided by its international and industry partners but also by the messages and information it receives at specific addresses on different websites, commonly referred to as “honeypots”.

What happens next?

When the CRTC conducts an inquiry, one of the first things it does, more often than not, is to send the company a request for information to be supported by the appropriate documentation. For example, in the context of “consent”, the CRTC will require the company to provide proof of consent of all persons to whom the company has sent emails during a particular period. This includes:

  • The type of consent (explicit or implied)
  • The date of consent
  • The information held on the person
  • A CSV file with the supporting evidence for each consent
  • The company’s privacy policy
  • Database management guidelines for contacts
  • Electronic communication policies
  • Screenshots of subscription forms
  • etc.

Incontestably, documentation is crucial, yet it’s one of the least known aspects of Canada’s Anti-Spam Law. Without it, you are quite sure to be found guilty.

When you get a notice of violation…

When the CRTC has completed its investigation, it sends a notice of violation. The company then has 30 days to negotiate a voluntary commitment agreement.

A voluntary undertaking is not an admission of guilt, but rather is a negotiated settlement that includes an immediate payment as well as a commitment to take a series of steps to correct the alleged violations. This includes establishing a comprehensive compliance program and implementing it.

To negotiate the terms of the voluntary agreement, you will need to document the steps you took to comply with CASL and to demonstrate your financial limitations. (It goes without saying that it is dangerous to conduct such negotiations without the support of an—expensive—lawyer specialised and experienced in negotiations with the CRTC.)

If you refuse to sign a voluntary agreement, you’ll receive a much bigger penalty, one that can be contested in the Court of Appeal, if you have the financial means to do so. That’s why, so far, all but one offender, CompuFinder, have committed to settlements and immediately paid the amounts negotiated with the CRTC.

The CRTC revealed that they don’t have a grid to determine penalty amounts, primarily because of 1) the complexity of CASL, 2) the criteria relevant to each case, and 3) the need to be flexible enough to ensure that the fines are sufficiently dissuasive to be effective without putting companies into bankruptcy.

Some of the fines imposed by the CRTC under CASL

The compliance program is a requirement

The compliance program imposed in the voluntary commitment agreement is, according to the CRTC, the centrepiece of ensuring that a company no longer violates Canada’s Anti-Spam Law.

In fact, for the CRTC, fines and voluntary commitments are in essence a means of encouraging ALL BUSINESSES to develop a compliance program that complies with its requirements.

(By the way, you’ll have greater peace of mind and save money if you implement a compliance program with Certimail before any possible investigation, rather than under the direct supervision of the CRTC.)

Worried about being investigated?

For people who have hidden a part of their wealth in a tax haven, but confess it to the tax authorities before the situation gets discovered, their chances of paying a fine or being penalised are minimal. The CRTC offers a similar opportunity under Canada’s Anti-Spam Legislation.

If you suddenly realise that your business has violated Canada’s Anti-Spam Legislation, you can contact the CRTC as part of its “voluntary disclosure” process.

Although the CRTC doesn’t guarantee that you won’t have a penalty to pay, it promises to be gentle in handling your file. It will advise you on the best ways to permanently correct your situation with the mandatory compliance program.

The only requirement imposed by the CRTC is that you identify ALL the violations in your original statement. This implies that you must conduct a thorough audit to determine all breaches of compliance.

**Any violation discovered during the voluntary disclosure that was not reported in the original statement will be excluded from the declaration and sanctioned as if it had been found during a typical investigation.**

July 1st has come and gone; an audit and voluntary disclosure are the very minimum of protection. Ultimately though, a compliance program is mandatory and is your best protection.