Posts

CASL Compliance: How badly informed are Canadian and QC firms?

Seven years after its approval by Parliament and three years after it came into force, a Canada-wide survey shows that businesses, small and large, are still confused about CASL compliance, the types of messages it regulates, and the means to protect oneself from fines and lawsuits.

Canadian companies

The study, which was conducted recently by the Direct Marketing Association of Canada (DMAC) and law firm Fasken Martineau DuMoulin LLP, surveyed over 200 individuals directly responsible for CASL compliance of their organisation. Here are some of the highlights from the study:

  • 64% didn’t understand how to make their message CASL compliant beyond consent and an unsubscribe link
  • 46% were unaware that an organisation could be ordered to pay damages
  • 40% of them didn’t know that they can be held personally liable
  • 64% stated that their organisation did not (or didn’t know if their organisation had) a formal compliance policy
  • 63% believed that employees and staff don’t require CASL compliance training
  • 60% indicated that their company never performed a compliance audit

This is quite disconcerting, especially considering that the last 3 points are items required by the CRTC, to be able to defend oneself, should you face an investigation or prosecution.

No better for Quebec SMBs

Although this study was conducted amongst medium to large business in English Canada, a similar study was just recently published surveying Quebec SMBs.

  • Less than 5% of Quebec SMBs comply with CASL
  • More than 75% were unaware that companies could be fined, even if they have explicit consent
  • Only 35% knew that from July 1st, 2017 onwards, companies will be subject to civil or collective redress
  • 40% were surprised to learn that SMBs, as well as individuals, can face the same charges as large companies
  • 38% didn’t know that many QC companies have already been investigated and received fines
  • 1 out of 4 were unaware that CASL regulates individual emails, as well as text and social media messages

The CRTC’s shortcomings

Although the CRTC enforces CASL, informing and educating businesses is their greatest shortcoming. An article exists to help companies defend themselves, but it must meet the CRTC’s eight required categories. However, finding these requirements on an official website is very difficult.

The regulatory body does give presentations, but for the moment, it is almost exclusively to large law firms in Toronto. Unfortunately, 97% of Canadian companies are small businesses that can’t afford to do business with these big firms.

What can you do for yourself?

Canadian law states that “no one is supposed to ignore the law“.

A compliance program is also the only way to protect you and your business, and your employees, from tens or even hundreds of thousands of dollars in fines and legal fees.

So what do you do? You don’t want to stop your email marketing activities because it’s the top digital performer when it comes to ROI. We’ve done the calculations and penny for penny, all things considered, even a small investment in a compliance program is better than no investment at all.

 

 

1M Complaints: Insights into the CRTC’s investigation process

In the last 36 months, the CRTC received just over 922 262 complaints under CASL, representing more than 300,000 complaints a year! Demonstrating, that many Canadians support this legislation, and increasing continue to do so.

 

Près d'un million de plaintes pour la Loi Canadienne anti-pourriel

 

As the chart above shows, the daily volume of complaints has been growing steadily for over a year, exceeding 1,000 complaints per day since October 2016.

Mainly email, but text and instant message complaints are fast on the rise

According to the CRTC, email accounts for roughly two-thirds of complaints and SMS a good third. On the other hand, while the number of accusations about non-compliant emails has decreased by almost 10% in the past year, SMS denunciations have more than doubled. Additionally, although they represent only a tiny fraction of the total, instant message complaints are also growing.

Consent issues represent approximately two-thirds of the complaints received, but their growth is lower than for content or misleading subject claims that have increased by 60% over the past year. This suggests that the Competition Bureau, which handles these types of complaints, will continue to distribute heavy fines like it’s it’s done so with Budget, Avis and Amazon.

How cases are selected

In a presentation to IAB Canada in Spring 2017, the CRTC has stated that considering the international scope of spam, it has already entered into collaborative arrangements with the authorities of a dozen countries, including the United States, the United Kingdom, Australia, and the Netherlands.

These agreements are bilateral, meaning that the authorities exchange information with each other to initiate investigations, to investigate them further, or to prosecute and punish the perpetrators.

 

 

Although the CRTC didn’t share the criteria on which it relied to prompt past cases, they did explain that their investigations are triggered, not only by the data provided by their international and industry partners but also by the messages and information they receive at specific addresses on different websites. Commonly referred to as “Honeypots”.

What happens next?

When the CRTC conducts an inquiry, one of the first things it does, more often than not, is to send the company a request for information to be supported by the appropriate documentation. For example, in the context of “consent”, the CRTC will require the company to provide proof of consent of all persons to whom the company has sent emails to, for a particular period. This includes:

  • The type of consent (explicit or implied)
  • The date of consent
  • The information held on the person
  • A CSV file with the justificatory pieces for each consent
  • The company’s privacy policy
  • Database management guidelines for contacts
  • Electronic communication policies
  • Screenshots of subscription forms
  • etc.

Incontestably, documentation is crucial, yet it’s one of the least known aspects of Canada’s Anti-Spam Law. Without it, you are quite sure to be found guilty.

When you get a notice of violation…

When the CRTC has completed its investigation, it sends a notice of violation. The company then has 30 days to negotiate a voluntary commitment agreement.

A voluntary undertaking is not an admission of guilt, but rather is a negotiated settlement that includes an immediate payment as well as a commitment to take a series of steps to correct the alleged violations.  This includes establishing a comprehensive compliance program and implementing it.

To negotiate the terms of the voluntary agreement, you will need to document the steps you took to comply with CASL and to demonstrate your financial limitations. (It goes without saying that it is dangerous to conduct such negotiations without the support of an—expensive—lawyer specialised and experienced in negotiations with the CRTC.)

If you refuse to sign a voluntary agreement, you’ll receive a much bigger penalty, one that can be contested in the Court of Appeal, if you have the financial means to do so. That’s why, so far, all but one offender, CompuFinder, have committed to settlements and immediately paid the amounts negotiated with the CRTC.

The CRTC revealed that they don’t have a grid to determine penalty amounts. Primarily because of 1) the complexity of CASL, 2) the criteria relevant to each case, and 3) the need to be flexible enough to ensure that the fines are sufficiently dissuasive to be effective without putting companies into bankruptcy.

Les amendes infligées par le CRTC en vertu de la Loi Canadienne anti-pourrielSome of the  fines imposed by the CRTC under CASL

The compliance program is a requirement

The compliance program imposed in the voluntary commitment agreement is, according to the CRTC, the centrepiece of ensuring that a company no longer violates the Canada’s Anti-Spam Law.

In fact, for the CRTC, fines and voluntary commitments are in essence a means of encouraging ALL BUSINESSES to develop a compliance program that complies with its requirements.

(By the way, you’ll have greater peace of mind and save money if you implement a compliance program with Certimail, before any possible investigation than under the direct supervision of the CRTC.)

Worried about being investigated?

For people who have hidden a part of their wealth in a tax haven, but confess it to the tax authorities before the situation gets discovered, their chances of paying a fine or being penalised are minimal. The CRTC offers a similar opportunity under Canada’s Anti-Spam Legislation.

If you suddenly realise that your business has violated Canada’s Anti-Spam Legislation, you can contact the CRTC as part of its “voluntary disclosure” process.

Although the CRTC doesn’t guarantee that you won’t have a penalty to pay, it promises to be gentle in the handling your file. It will advise you on the best ways to permanently correct your situation with the mandatory compliance program.

The only requirement imposed by the CRTC is that you identify ALL the violations in your original statement. This implies that you must conduct a thorough audit to determine all breaches of compliance.

**Any violation discovered during the voluntary disclosure that was not reported in the original statement will be excluded from the declaration and sanctioned as if it had been found during a typical investigation.**

July 1st has come and gone, an audit and voluntary disclosure are the very minimums of protection. Ultimately though, a compliance program is mandatory and is your best protection.

 

CASL: The 6 most common mistakes you weren’t aware of

Most companies believe that they already comply with CASL. But, of the majority of businesses we’ve met, they are in fact, not compliant, simply because they aren’t aware of the complexities and details of this law. Unfortunately, this ignorance is already costing companies and employees, heavily.

Of the approximately 100 compliance rules and items we validate for our clients, we’ve identified the 6 most common mistakes and how to resolve them. Check and see if your company’s compliance level is what you believe it to be.

N.B.: This is not a substitute for a compliance program as required by the CRTC, but is an easy way to assess whether your business is as compliant as you think it is. A full compliance program, which meets the CRTC’s eight required categories, is the only way to truly protect yourself from costly penalties and prosecution. Section 33 (1) of the Act states that “No person shall be held liable for a violation if they prove that they have taken all reasonable precautions to prevent its commission”.

Mistake #1: No unsubscribe mechanism in individual emails

While most companies ensure that they have an unsubscribe link in their newsletters, there is very little compliance with this requirement for their individual emails.

Simply put, CASL makes no distinction between a promotional newsletter sent to thousands of people and an email sent from one employee to another person. In both cases, these are “commercial electronic messages”, and the Act requires that each message includes mandatory information and a mechanism for unsubscribing.

Solution:

Make sure that your business email signatures and all of your employees’ email signatures include a statement indicating how one can withdrawal from your business’ communications.

For example:

If you receive an email from an employee at Deloitte Canada, you’ll note that their signatures always include the following statement: “If you do not wish to receive future Deloitte business emails, please send this email to ‘[email protected]‘. Similarly, at Certimail, my colleagues and I consistently include in our email signatures the following sentence, “If you no longer wish to receive commercial messages from Certimail, please indicate this by replying to this message”. Voilà. It’s as simple as that.

Mistake #2: Misworded newsletter sign-up forms

As per Canada’s Anti-Spam Legislation, the concept of consent is not equivocal; it is explicit. That is to say, the wording of consent given determines what one has the right to send and receive.

This means then if your subscription form refers to newsletters, consent, therefore, applies to newsletters and no other type of commercial email or communication. For example, this means that one or a series of emails from sales (news about promos, blog articles, “I think you might find this useful”, etc.) are in violation of the law, and risk fines.

Solution:
Check the wording on ALL your consent forms, so that they don’t limit your electronic communications, by using broader text, as illustrated in the example below.

For example:

On the left, taken from our website, consent is requested for advice and promotions for all electronic communications (see the form for yourself, and don’t be shy to sign up to stay informed of the law). On the right, consent is limited to newsletters, forcing a company to request permission again for other types of electronic messages.

Good and bad newsletter sign-ups

Good and bad newsletter sign-ups

Mistake #3: Records of ALL email communications are not kept

Many SMBs typically erase emails from their inboxes as soon as the content is no longer needed, useful, or relevant. People typically do this to free their attention span, and consequently, disk space.

Such a practice is dangerous under the Canada’s Anti-Spam Legislation. The CRTC requires that businesses retain the text of all their commercial emails should an investigation arise. Without these records, you have no way of defending yourself.

Solution:
Implement an email protocol to automatically archive messages on a server (IMAP or Exchange) or manually archive messages to folders instead of deleting them.

Mistake #4: Proof and records of consent are not kept

When under investigation by the CRTC, many SMBs justify themselves with the following: “We only send our newsletters to those who have registered on our website“.

In a notice published in July 2016, the CRTC states that a company claiming to have obtained consent for the sending of a commercial electronic message must provide proof of that consent and must retain all evidence of such consent (such as, but not limited to, completed forms, audio recordings, etc.).

Most US platforms such as MailChimp, Campaign Monitor, SalesForce, etc. don’t keep records of consent.

When a person, who once gave you consent in the past, makes changes to his or her profile, that new information replaces the original data. In the event of an investigation, you will not be able to provide proof that you once had that individual’s consent.

Solution 1:

Consider using a Canadian ESP, such as Cyberimpact or Cakemail. They are optimised for CASL and automatically archive and keep records of consent.

Solution 2:

Archive all your data by implementing an automatic or manual daily export of all the information and activity regarding your sendout lists. 

Mistake #5: Copies of forms and their version histories are not kept

Some SMBs do their due diligence and retain consent data provided through form submissions, such as the date, time and IP address of the user. Unfortunately, this information is not enough to prove consent.

Remember, consent must be explicit and not equivocal. You must, therefore, be able to provide proof that the information displayed on the form, that the user completed, was explicit. Considering the investigation process, if and when the CRTC contacts you, the chances are strong that your website has undergone a redesign or changes, and a form from a year ago is not the same as it is today.

Solution 1:

Consider using a Canadian ESP, one that automatically archives copies of forms.

Solution 2:
Take a screen shot with a time stamp of each of your consent forms every time you change or update your website or forms.

Mistake #6: No written compliance policy

While you may take all necessary measures to comply, you are never entirely immune to the error of an employee, subcontractor or technical problem that may put you in a violation of the law.

Fortunately, section 33.1 of Canada’s Anti-Spam Law provides some support and “defence” for businesses that have demonstrated good governance; though only if you have taken all the necessary measures to be compliant. The CRTC has stated that these measures must include a formal compliance program that meets eight specific requirements. One of these requirements is to have a written compliance policy that employees know and respect. Failure to do so will result in disciplinary action.

Solution:
Write your CASL policy following a full risk audit and analysis, and make sure your employees understand and apply it.

Running a business without having a written CASL policy like riding a motorcycle without a helmet: “It’s safe as long as there’s no accident”

What’s your score?

If you’re already aware of and make none of these mistakes, then bravo! You are one of the very few companies that do their due diligence. But there are over 100 rules to respect, so formalising your compliance program should be quick and inexpensive if you haven’t already done so. It would be a shame to be so savvy, yet fined for one of the 100 rules and regulations.

If you’ve found that some of these 6 mistakes apply to your business, it’s proof that you’re not compliant. July 1st has passed, and fines and class actions are multiplying. There are over 100 rules to respect, so now is the time to set up your compliance program to protect yourself, your employees, and your business.

We’re here to assess your situation, and to provide you with an inexpensive yet highly effective way, to set up a compliance program, which meets the CRTC’s requirements.

We know and understand that businesses don’t always have the cash or want to make the time to set up a program immediately, but our solutions are specially adapted to the reality of independent workers, small businesses to medium ones.

 

IMPORTANT: CASL is NOT just an anti-spam law!

Combining the term “CASL” along with “Anti-Spam” when talking about email marketing, has created significant confusion affecting many businesses and organisations.

In practice, true anti-spam legislation would only affect activities considered spam (i.e., mass mailings of promotional content). CASL regulates, not just mass mailings but ANY electronic message sent in a commercial context, regardless of the number of recipients and the presence, or absence, of promotional content.

CASL’s official definition

“CASL” is not another term to represent “anti-spam. The Canadian Anti-Spam Legislation is defined as follows: “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act” (S.C. 2010, c. 23).

This definition explains that the purpose of the Act is to promote the development of e-businesses in a context of consumer confidence.

The act as defined automatically amends and modifies four important pieces of legislation − 1) the Canadian Radio-television and Telecommunications Commission Act, 2) the Competition Act, 3) the Personal Information Protection and Electronic Documents Act and 4) the Telecommunications Act.

CASL governs ALL your business emails

Since the act’s passing, studies have shown that Canadians are receiving less spam. In addition, because of renewed consumer confidence, open and click-through rates are on the rise again.

Unfortunately, though, too many companies have, wrongly, reduced their email marketing activities to avoid fines and prosecution. Even if you don’t send any newsletters or email promotions, you are still at risk of violating the Act and can face fines or even a lawsuit. This is because CASL applies to, and is in place to regulate, ALL electronic messages sent in a commercial context, not just promotional emails. This includes single emails that employees send throughout the day to potential clients, partners, and associates. As well as, newsletters, text messages, social media messages, etc.

Often when we discuss CASL with business owners or marketers, they’ll spontaneously list the steps they’ve taken to make their newsletters compliant. One has set up a subscription form; another uses an email platform to have an automatic “unsubscribe” link at the bottom of their newsletters. But when we ask them what they’ve done, so that the commercial emails that their employees send throughout the day are also compliant, they are confused and have no answers. Unless you are an NGO or political party, you can assume that 99% of all the messages that are sent by your business and employees are regulated by CASL.

One hundred rules that each message must respect

There are in fact 100 rules that ALL electronic messages (email, newsletters, text and social media messages, etc.) must comply with. Items include prior consent, the message’s content, sender identification, withdrawal mechanism rather than its presentation, etc.

For example, some companies are aware that their individual emails must also comply with CASL. However, they only think about consent requirements and completely forget, or are simply not aware, that these emails also require a withdrawal mechanism (ex.: “If you do not want to receive commercial messages from our company, please let us know by replying to this message“). If such a withdrawal mechanism is not indicated and included, then your emails violate the act.

Canada’s Anti-Spam Legislation is so complicated, and at times vague, that it’s almost impossible to be totally compliant. However, if you follow rigorous steps to be compliant and set-up a program, you will most likely avoid fines and prosecution. Consider it like a protection program or a license to communicate electronically.

How to protect yourself against fines and trials

Given the complexity of the Act, Parliament has provided a defence to protect honest businesses if they’ve done their due diligence.

Section 33 (1) of the Act states that No person shall be held liable for a violation if they prove that they have taken all reasonable precautions to prevent its commission”.

This implies that if a company can demonstrate that it has taken the appropriate actions to comply with the Act, they can not receive a fine or be convicted in a trial if the company or employees accidentally violate the Act.

ATTENTION THOUGH: The CRTC has defined that “proper precautions” means putting in place a documented compliance program that meets eight required categories.

Such a compliance program involves verifying the company’s practices and then implementing a written policy and ensuring that all employees respect it on a daily basis in their electronic communications.

The advantage is that as long as the company is in good faith and enforces its policy and compliance mechanisms, this program becomes a license that protects it from fines and lawsuits if ever it accidentally violates the Act.

Now that July 1st, 2017 has passed, the only way to protect yourself from CASL is to quickly implement a compliance program that meets the CRTC’s eight required categories.

 

 

 

 

Amazon complies but is still fined $1,1M!

Amazon’s emails complied with three essential principles of the Anti-Spam Act:

  1. Amazon sent messages only to those with whom it had consent,
  2. Each email contained a straightforward and efficient unsubscribe mechanism,
  3. Information to identify and contact the business (company name, mailing address and phone) was indicated.

So, why did Amazon agreed to pay a penalty of $1 million and the sum of $100,000 for certain investigative expenses incurred by a government regulator?

The devil is in the details

Although Amazon complied with the three top items of Canada’s Anti-Spam Law, there are still 53 pages of details and guidelines in the Act. In fact, after analysing the Act with marketing communications specialists and researchers at Université de Montréal’s Faculty of Law over the course of several months, we’ve identified more than 150 compliance risks for businesses.

For example, 99% of emails sent by a business are commercial, so they must comply with the Anti-Spam Act. This includes individual business emails. Do your emails have an unsubscribe mechanism? Your newsletters I’m sure do, but probably not your individual ones. Yet, it’s mandatory.

Canada’s Anti-Spam Law applies to four pieces of Legislation

The act is defined as follows: “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the 1) Canadian Radio-television and Telecommunications Commission Act, 2) the Competition Act, 3) the Personal Information Protection and Electronic Documents Act and 4) the Telecommunications Act” (S.C. 2010, c. 23).

Many SMBs are simply not aware of the reach of this legislation. It’s not just an anti-spam act; it’s a true code of “electronic” conduct for businesses. Additionally, journalists and commentators, regularly talk about the CRTC’s role in enforcing this act, but often omit the Competition Bureau’s (and other regulatory bodies’) involvement.

For example, if you violate one of the Competition Bureau’s articles through an email communication, you will be fined, and heavily. Note carefully; fines can reach up to $10 million when a violation is done via email.

The case of Amazon

Canada’s Competition Bureau stated, “With the adoption of Canada’s Anti‑Spam Legislation, provisions were added to the Competition Act to provide additional tools for addressing false or misleading representations in all forms of electronic messages. The Bureau’s investigation into Amazon’s price advertising was made per these provisions.”

So, because Amazon was promoting prices, by referring to savings in relationship to list prices, they were fined.

Amazon complies but is still fined $1,1 MIL!

Amazon complies but is still fined $1,1M for misleading pricing.

As indicated by the Competition Bureau, “Amazon often compared its prices to a regular price—or “List Price”— signaling attractive savings to consumers. The Bureau’s investigation concluded that these claims created the impression that prices for items offered on www.amazon.ca were lower than prevailing market prices. The Bureau determined that Amazon relied on its suppliers to provide list prices without verifying that those prices were accurate.

Although it’s primarily on Amazon.ca that these type of promotions are found, the Competition Bureau was able to convict Amazon because the company had communicated these promotions by email.

Not a first for the Competition Bureau

The case of Amazon is not the Competition Bureau’s first fine under CASL. They’ve already gone after car rental companies Avis and Budget for hiding certain mandatory fees in posted promotional pricing.

Additionally, the Competition Bureau said that it’s been documenting these situations since 2009 and fighting for years to prevent these types of practices. But it was only with the arrival of CASL that it finally had the means to do so.

The case of Avis and Budget pending before the Competition Tribunal was settled by the companies’ consent to pay $3M in fines and $250,000 in compensation to the Bureau. 

The mandatory compliance program is your only real protection

As these examples here illustrate, it’s almost impossible to be confident that you’ll never violate CASL, especially since many details of the Act are very vague and will only be clarified by actual cases in years to come.

It’s for this particularity that Parliament has provided in the Act a means to protect ones-self: if a business (or individual) can demonstrate that it has acted diligently to comply with the Act, it will be immune from sanctions. To “act diligently” means to have a compliance program that meets the CRTC’s eight requirements.

 

 

 

William Rapanos receives $15,000 in fines for emails sent in 2014!

In early 2017, the CRTC, for the first time, issued a fine to a single individual, and not a company.

William Rapanos (a.k.a. Bill Rapanos) a businessman and marketer from Toronto now living in B.C., was fined $15,000 for sending 58 emails contravening Canada’s Anti-Spam Law between July and October 2014.

This case is a huge lesson regarding the severity with which the CRTC enforces this law. Consider yourself warned.

Quite simply, CASL applies to non-business owners

One of the many elements of the Canadian Anti-Spam Legislation but that is little known to the public, is the fact that this act applies to individuals. The legislator clearly indicated this by specifying in the Act that the maximum penalties under this law are $10M for corporations and $1M for individuals.

It wasn’t Rapanos’ company that received the fine, but he himself, making him the first Canadian to be fined as an individual for a violation of Canada’s Anti-Spam Law.

This is important because it confirms that you don’t have to be a business owner, to be subject to Canada’s Anti-Spam Law.

For example, take the situation of a person who sends an email to their contact list to announce the sale of their used car on Craiglist; this type of email is considered a commercial email. The person sending this email can face a fine and prosecution if they don’t meet the many requirements of the law. Yikes!

Your older messages can still come to haunt you

Rapanos’ offences were committed during July and October 2014. During this time CASL had just come into force, but it wasn’t until April 22, 2016, nearly two years later, that the CRTC sent him a “notice of violation”.

In fact, the anti-spam legislation stipulates that you can file a complaint, or initiate a lawsuit for damages, up to three years after receiving a non-compliant message.

However, the CRTC can go as far back as they want to (up to July 1st, 2014) to investigate you. They can go three, four, five, ten years in the past to inquire about a company’s practices, or you.

This means that if you don’t have a compliance program in place or have committed to a “voluntary disclosure”, you can be subjected to fines or lawsuits, even if you stop sending emails and other electronic messages.

Investigations are not decided on the number of emails sent or complaints received

The $15,000 fine Rapanos received concerned only 58 emails sent over a period of four months, not 58,000, not 580 but 58. That’s less than 15 per month!

So imagine the several hundreds of thousands of complaints among the thousands of companies reported to the CRTC.

Everyone is in the CRTC radar. For example, Vancouver start-up Pof Media (PM) had to pay a fine of $48,000, even if the CRTC only received 70 complaints amongst the millions of weekly emails sent to PM members.

This confirms what the CRTC has always said, “the number of complaints it receives is not an essential factor for initiating an investigation”.

No one is safe, and presumably, the CRTC is taking stern action to make sure everyone implements a compliance program.

If you try to hide, you will eventually be found

In its decision, the CRTC emphasised that it requested and obtained the following information during their investigation:

  • Log files of the registrar who managed the addresses (DNS) of the website (firstunitedpartners.com) to which the emails pointed to
  • IP addresses of the ISP used to register and administer the site, provided by Bell
  • Telephone numbers used to register the domain name, provided by WIND and 7eleven Canada

Clearly, they are savvy in identifying and tracking offenders.

There is no presumption of innocence

It gets even more intense… The CRTC has confirmed that under the Administrative Monetary Penalties (AMP / SAP), the official name of its fines, the right to the presumption of innocence does not apply because its investigations are not “criminal proceedings”. Another little-known fact of Canada’s Anti-Spam Law amongst the majority of Canadians.

So remember, if you are the victim of an investigation, and challenge the decision before the Court of Appeal, you must provide proof of your innocence (and also bear the cost of an appeal).

The only defence that can be used is that of due diligence, which means that A) you have a compliance program that meets the CRTC’s eight requirements or B) you’ve submitted a “voluntary disclosure” along with the required comprehensive audit.