Posts

Case study: Newsletters mistakenly flagged as spam… What to do?

If you send out a newsletter, chances are good that at least one recipient has unsubscribed, and in doing so, cited “spam” as their reason for unsubscribing. If you have Hotmail, Yahoo, or Google email addresses in your lists or CRM database, flagging an email as “spam” is even easier for them.

Even if your newsletter or communication is not “spam”, people nowadays get easily irritated and take out their anger on email by hitting that spam button. Sad story, but true.

Now without having to get into the details of email deliverability, each time an email you or your company sends is tagged as spam, there are checks and balances that go on in the background, affecting your email deliverability score. If your score reaches a certain level, or if the email platform you use to send emails receives a certain amount of “spam” hits, you could receive a warning or worse, be banned from sending emails.

This is unfortunately what happened to one of our clients.

Situation:

Our client’s email address acquisition process was not optimised, and although their communications were definitely not spam, their newsletters were flagged by some. They received warnings and were only a couple of emails away from being blacklisted and, undoubtedly, equally close to receiving a notice from the CRTC.

This was a huge concern for our client as email was crucial to their business model. Without it, they would not have been able to serve their users.

Solution:

They were in a precarious situation and they needed to act quickly. Our solution for them was simple: set them up with a CASL Compliance Program.

As per CASL:

“A person must not be found to be liable for a violation if they establish that they exercised due diligence to prevent the commission of the violation.”1

And as per the CRTC:

“The development and proper implementation of a documented and effective corporate compliance program is a useful risk-management strategy: it may (i) reduce the likelihood of businesses violating the rules and/or CASL, and (ii) help businesses establish a due diligence defence in the case of a violation of the rules or CASL.”2

In our dealings with the CRTC, we know that they are not looking for companies and organizations to be perfect, but they do want them to be responsible.

Process:

As part of the process of establishing a Compliance Program, one of the first things we did, and one that is required by the CRTC, was to perform a risk analysis.

We assessed our client’s situation according to one hundred items in our compliance grid, while at the same time searching for operational and marketing optimizations regarding electronic communications.

We then supplied them with a report of our audit, complete with recommendations for each issue, as well as optimisation tips and practical advice. Our client also operates in Europe so we provided GDPR recommendations as well.

They then fixed their issues, appointed a Compliance Officer, began documenting in the appropriate CASL registries, implemented a CASL Compliance Policy, and updated their Privacy Policy.

They are now CASL certified and can send electronic communications with peace of mind. They are no longer at risk of being blacklisted or of receiving a hefty fine.

If you’re wondering if any of your emails or newsletters may have been flagged as “spam”, give us a call and we’ll help you out. 514-867-1230

Parliamentary Review of CASL: A Festival of Asinine Discourses

If you believe, like many do, that you still receive a lot of unsolicited messages (i.e., spam) in your inbox, you’re all hallucinating.

At least this is what the Canadian Chamber of Commerce seemed to imply when it told members today, during the second revision session of CASL by the Standing Committee on Industry, Science and Technology, that spam is no longer a problem.

Today’s session consisted of a long series of approximations and erroneous or exaggerated assertions. The discourses, whose similarity might suggest that they are secretly coordinated, all revolved around the same central idea:

Overseeing commercial electronic messages sent from businesses prevents the authorities from dealing with the “bad guys” who threaten IT security. So let’s give companies the opportunity to send all the messages they want to whomever they want because the real problem that the CRTC should be concentrating on is fraudsters.

This type of assertion is asinine: imagine the CAA calling for the abolition of the driving rules so that the police can devote themselves to fighting terrorism.

Let’s look at and analyze the central pearls of this type of reasoning.

Spam is no longer a problem (???)

According to Scott Smith, Director, Intellectual Property and Innovation Policy at The Canadian Chamber of Commerce, spam is no longer a problem for Canadians. This hyperbolic assertion is taken from a report, supplied by anti-spam software vendor Trustwave, which Smith relies upon and which states that anti-spam software blocks 99% of spam.

Even if this statement were objective and credible, how then does one explain the over 5,000 complaints that the CRTC continues to receive on a weekly basis, and the 1 million+ complaints it registered in the last three years?

Technological illiteracy or misinformation?

The complexity of CASL has been rightly pointed out by speakers, especially when it comes to the various types of “implied consent”.

But to argue, as Mr. Smith did, that there is no technology that exists for businesses to manage consents, or that you have to invest a lot of money to do so, is to misinform and mock the intelligence of the members of the committee.

While not all marketing technology suppliers are up to regulatory compliance standards (a consequence of inadequate educational work on behalf of the CRTC regarding CASL), there are already several solutions available to manage and document different types of consent.

Providers, such as Dialogue Insight, iTracMarketer and Cyberimpact for mass mailings or emailChecker and CASL Cure for individual emails, all offer practical solutions tailored to all sizes of businesses, with costs that go from ten dollars to a few hundred a month.

A plethora of alternative facts

At a time when everyone is concerned about the phenomenon of “fake news” and its impact on society, it is impressive to see the number of “alternative facts” that the lobbyists delivered to the members of Parliament.

For example, Ms. Aïsha Fournier Diallo, Senior Legal Advisor at Desjardins General Insurance Group, daftly stated that CASL prevents her from sending SMSs to VISA Desjardins clients, informing them of their credit limit, or from sending password reset emails to customers.

Even Barry Sookman, senior partner of McCarthy Tétrault and considered a top figure in the field, gave testimony that could cast doubt on his credibility. He stated that CASL had no impact on fraudsters. In fact, because of CASL, the CRTC was able to dismantle an international network of cyber-pirates who sent out malware affecting millions of computers around the world.

He went on to illustrate the excessive nature of CASL by explaining that it prohibits a teenager from offering babysitting services to neighbors or prohibits a person from recommending their dentist to a friend. When deputy Eva Nassif challenged him, he acknowledged the exaggerated nature of his examples.

Mr. Sookman went on to talk about the perils that CASL causes to Canadians by referring to a National Post article, whereby American television game show Jeopardy had banned Canadian candidates specifically because of CASL. The producers of the show have since denied this fake news and indicated that Canadian candidates were never banned from the show, but that applications were simply suspended to take the time necessary to adapt its form to Canadian regulations.

Mr. Sookman even attempted to persuade the Honourable Maxime Bernier (who addressed the fact that politicians should be held accountable under CASL) that if CASL applied to politicians, Mr. Bernier would not have been legally allowed to send messages to his list of 65,000 supporters during the Conservative Party’s leadership race. This is a false assertion because those 65,000 people subscribed to Maxime Bernier’s list to receive those messages.

Ignoring the real problems

What is most damaging in these testimonies and discourses, intended to represent the interests of businesses, is that the real issues and problems are ignored.

CASL and its enforcement by the CRTC pose real problems for SMBs, but at the same time, it’s an opportunity for businesses to improve their digital communications. Among these problems are:

  • The restrictive interpretation of rules by the CRTC
  • The numerous common situations still lacking guidance from the CRTC
  • The lack of clarity in the definition of commercial electronic messages
  • The challenge of documenting verbal consents
  • The lack of data on the volume of spam and its evolution
  • The lack of collaboration with Internet service providers
  • Etc.

We need a marketer in the room!

Having listened to the testimonies and debates of this session many times over, I’ve come to two conclusions:

1) Speakers, unfortunately, spent most of their time showing bad faith by demonizing CASL instead of using it to expose the real issues that affect businesses, so that members of Parliament can put in place solutions.

2) Entrusting the defense of digital and email marketing to lobbyists and lawyers who have no expertise in the field of email marketing is not the best way to improve CASL’s areas of contention, nor does it benefit companies, in particular, SMEs.

It’s time to start thinking about this law in terms of clear rules that make sense from a variety of angles and perspectives.

CASL’s first Parliamentary Review Session

The House of Commons Standing Committee on Industry, Science and Technology began its review of the Canadian Anti-Spam Law yesterday. The CRTC launched the presentation by addressing those key areas that are of concern to Parliamentary deputies. Little news has been made available to the public, but we’ve been on the watch and below you’ll find highlights from the review.

A questionable discretion

Considering that this law is the one that generates the most complaints from consumers, and that it has been decried and actively challenged by lobbyists for years since its adoption seven years ago, it’s surprising that this review process was not publicly announced.

In fact, the only place where information has been disclosed is on the Committee’s agenda, which is generally followed only by professional lobbyists. However, given the importance of this legislation, and how much it affects ALL Canadian businesses, it was expected that this process would have been publicly announced, at least to those organizations concerned, to allow them to prepare for the Committee’s reflection.

One has to wonder what’s with all the discretion.

Department officials’ and the CRTC’s opening remarks

The first session was devoted to the hearing of department officials:

  • Mark Schaan, Director General, Marketplace Framework Policy Branch, Innovation, Science, and Economic Development Canada
  • Charles Taillefer, Director of Digital Transformation Service Sector in the Privacy and Data Protection Policy Branch, for Innovation, Science, and Economic Development Canada

Followed by CRTC officials:

In his address, Mr. Schaan gave a brief history of the law. He affirmed the law’s effectiveness and went on to say that spam has been reduced by more than one-third in Canada, explaining the importance of this legislation for the development of e-business in Canada.

The floor was then given to the CRTC. In his speech, Mr. Harroun cited the various enforcement mechanisms used to apply CASL, ranging from warning letters to administrative monetary penalties, to notices of violation and commitments.

He then highlighted the CRTC’s public education and awareness efforts, in particular for businesses, indicating that a total of 6 conferences were held in Toronto last May that reached 1,200 companies. One deputy member reminded him that Canada was not limited to Toronto. Finally, he explained the work done by the CRTC at the international level to develop collaborative agreements with the authorities of several other countries.

Requests for information are evolving

In response to the Committee’s first question, Mr. Harroun argued that requests for information received by the CRTC from businesses are increasingly about the development of compliance programs, whereas in 2014 the questions were more about the concept of consent and unsubscribe links. He then went on to stress the effectiveness of the various penalties that the CRTC can impose on companies.

The Private Right of Action

On June 7th, Minister Bains announced that he was temporarily suspending the private right of action (PRA), which was to begin on July 1, 2017, pending parliamentary scrutiny of CASL. It was therefore normal that the implementation of this right of appeal was the subject of several questions by members of the Committee.

These questions allowed Mr. Schaan to explain why the department had decided to suspend the PRA.

In particular, he explained that the main reasons are the risk of multiplying costly class action suits and the fact that there are still many gray areas concerning CASL compliance.

The CRTC, for its part, insisted that the PRA is an important enforcement tool and that similar measures are already present in the legislation of several countries, in particular, the United States, Australia, and the United Kingdom.

Already more than 1.1 million registered complaints

Mr. Barrat indicated that the CRTC has already registered more than 1.1 million complaints in its spam reporting center, which is the primary source used for investigations, and that complaints continue to come in at a rate of 5,000 per week. He also noted that complaints result from the activities of all industrial sectors and all sizes of businesses, including the not-for-profit sector.

CASL is effective

As the committee continued, Mr. Schaan demonstrated the effectiveness of CASL by citing various independent reports. He referred to a US report showing that one year after the Act came into force, the number of emails received by Canadians decreased by 29%, and the volume of spam from Canada fell by 37%. He also cited a study done by Ipsos on behalf of CIRA showing that by October 2014, 62% of Canadians were aware of CASL and believed in its effectiveness. In fact, 84% of them had already taken advantage of it to reduce the volume of commercial messages they received. For their part, 49% of companies felt that the Canadian Anti-Spam Law had no impact on their marketing, 23% felt that the impact was minimal and 27% said it had a significant impact.

Mr. Schaan pointed out that Canada was one of the top 5 countries for generating spam. But since the passing of the bill, Canada is not even in the top 10.

The RCMP called in for collaboration

In a question on the means used to manage the international dimension of spam arriving in Canada, the CRTC explained that cooperation and agreements with authorities in other countries were increasing and that there was no particular difficulty at this level. However, he stressed that he doesn’t receive similar collaboration locally, particularly with the RCMP. He indicated help from them would be beneficial in enforcing CASL.

More than 30 completed investigations

The CRTC indicated that during the grace period it completed more than 30 investigations, of which only six have been made public to date. All other investigations are still in the process of negotiating commitments with collaborating companies. Some of the complaints received at the spam notification center are shared with the RCMP for criminal investigations to be conducted.

CASL as a benchmark

Witnesses indicated that the notion of consent as defined in the Canadian Anti-Spam Law is the benchmark for the ongoing revision of the Personal Information Protection and Electronic Documents Act currently being conducted by the Privacy Commissioner.

Meanwhile, MPs have drawn many parallels between the rules of CASL and those of the National Do Not Call List, which is enforced by the same CRTC team and generates more than one hundred investigations per year for half the number of complaints received under CASL.

The CRTC is unable to provide numbers

A curious fact to note is that with each question relating to numbers and complaints or investigations, the CRTC was unable to answer. This was also the case when asked about the industrial sectors that generated the most complaints, the number of investigations and fines, and the types of complaints received.

When the Honourable Maxime Bernier inquired about the financial impact on businesses of becoming compliant, the CRTC was still unable to provide even estimates.

—–

You can listen to the full recording of the exchanges on the committee’s website until the transcription is published. Until then, we are currently taking steps to obtain the dates and participants of the next sessions, as well as to take part in the debates to present the point of view based on the dozens of SMBs in Quebec that we have already helped to implement CASL compliance programs.

 

The Dangers of Implied Consent: Blackstone fined $50K

On October 26, 2016, after close to two years of back and forth, the CRTC issued a Compliance and Enforcement Decision finding that Blackstone Learning Corp. violated Canada’s Anti-Spam Law (CASL) by sending commercial electronic messages (CEM) without consent. The initial penalty was calculated at $640,000 but was later adjusted to $50,000.

The notice of violation related to nine email campaigns, totalling 385,668 messages, sent between July 9th and September 18th, 2014, to employees at twenty-five Canadian federal and provincial government organisations. The email campaigns resulted in at least 60 complaints to the CRTC’s Spam Reporting Centre.

When the CRTC began their investigation, Blackstone refused to cooperate, and when they received their notice of violation, on January 30, 2015, Blackstone appealed.

Blackstone argued that it had not violated CASL because it had implied consent to send the emails and that the penalty of $640,000 was unreasonably high.

Publicly available email addresses

This is where it gets tricky. Blackstone’s defence was that the recipients’ email addresses were “conspicuously published” (i.e., publicly available email addresses).

However, the CRTC stated:

“the conspicuous publication exemption and the requirements thereof set out in paragraph 10(9)(b) of the Act set a higher standard than the simple public availability of electronic addresses”.

To meet the conspicuous publication exemption:

  • The electronic address must not be accompanied by a message specifically outlining that the individual does not want to receive unsolicited commercial messages.
  • The message must be relevant to the person’s business, role, functions, or duties in a business or official capacity.

The CRTC further clarified,

“the way that the email address is published, such as on the company’s website or through a third party, must lead to a reasonable understanding of consent to receive the type of commercial electronic message being sent”.

This is a significant point regarding one of the few CASL exemptions. While public addresses may qualify for implied consent, this “does not provide persons sending commercial electronic messages [CEMs] with a broad licence to contact any electronic address they find online”.

Why was the fine reduced?

In considering an appropriate penalty, the CRTC took into account the following considerations:

  • Purpose of the penalty: The Commission stated that the amount must be high enough to promote changes in behaviour, in effect a second chance, but not too high to put a person out of business (as this would negate any second chance).
  • Nature and scope of the violations: While almost 400,000 non-compliant messages were sent that disrupted the recipients and prompted at least 60 complaints to the Spam Reporting Centre, the violations took place only over a period of two months. The CRTC concluded that a penalty of $640,000 would be too high.
  • Ability to pay: After finally receiving Blackstone’s financial statements, it was evident that a penalty of $640,000 would significantly exceed Blackstone’s ability to pay.
  • Other factors – cooperation and self-correction: Blackstone’s failure to cooperate with the investigation increased the need for a penalty to ensure future compliance. However, the Commission saw some possibility of “self-correction” going forward and felt that a lower fine would be appropriate.

Based on these factors, the CRTC determined that a Penalty of $50,000 was a reasonable amount to encourage Blackstone to comply with CASL.

Lessons learned

Be careful if your email messages rely on an exception. Implied consent is evaluated on a case-by-case basis. Under CASL, the sender must prove consent. The CRTC “stress[es] the importance of detailed and adequate record-keeping for this reason.”

Lastly, this case is an excellent example of why having a risk analysis (audit), as required by the CRTC, is so important. A properly implemented compliance program will validate the way consents are collected and managed. This ensures that you are protected in case of an accidental violation.

CASL Fines: Rogers Media Pays $200K

The CRTC announced that Rogers Media, a subsidiary of the Rogers Communications group, has been fined $200,000 for violating Canada’s Anti-Spam Law.

Sloppy unsubscribe mechanisms

The allegations against Rogers Media are related to non-compliant (i.e., mismanaged) unsubscribe mechanisms in their commercial electronic messages.

Rogers Media agreed that its unsubscribe links did not always work, were not always easy to activate, and sometimes did not remain active for the required 60 days after the commercial message was sent. Rogers Media also acknowledged that unsubscribes were not always completed within the 10-day grace period.

It should be noted that Rogers Media was not fined for sending commercial messages to people who had not provided consent, like many other companies that were penalised by the CRTC, but only for the mismanagement of their unsubscribe mechanisms.

Total fines rise to nearly $31.5M

This file brings the total amount of fines issued by the CRTC to $1,498,000 plus the $30M in fines imposed by the Competition Bureau for a total of $31,498,000 in penalties under CASL.

SMBs represent 60% of the CRTC’s cases investigated under the Canadian Anti-Spam Act.

The fines released today include:

  • Compu-Finder, a Quebec SMB from Morin Heights, Quebec, fined $1.1M
  • Plentyoffish Media, a Vancouver, British Columbia SMB, fined $48,000
  • Avis, Budget, and AvisBudget Group, Toronto, Ontario, received $10 million in fines each
  • Porter Airlines, Toronto, Ontario, fined $150,000
  • Rogers Media, Toronto, Ontario, fined $200,000

Since the CRTC is not required to disclose all the details of its cases and/or investigations, other companies may also have been fined for unknown amounts. (Are you one of them? We want to hear from you.)

Your only defence…

The only defence that the Act offers businesses is that of due diligence through the implementation of a compliance program that meets the CRTC’s eight requirements.