CASL | Page 3 of 3

Posts

William Rapanos receives $15,000 in fines for emails sent in 2014!

10 March 2017/0 Comments/in CASL, Fines /by Philippe Le Roux

In early 2017, the CRTC, for the first time, issued a fine to a single individual, and not a company.

William Rapanos (a.k.a. Bill Rapanos) a businessman and marketer from Toronto now living in B.C., was fined $15,000 for sending 58 emails contravening Canada’s Anti-Spam Law between July and October 2014.

This case is a huge lesson regarding the severity with which the CRTC enforces this law. Consider yourself warned.

Quite simply, CASL applies to non-business owners

One of the many elements of the Canadian Anti-Spam Legislation but that is little known to the public, is the fact that this act applies to individuals. The legislator clearly indicated this by specifying in the Act that the maximum penalties under this law are $10M for corporations and $1M for individuals.

It wasn’t Rapanos’ company that received the fine, but he himself, making him the first Canadian to be fined as an individual for a violation of Canada’s Anti-Spam Law.

This is important because it confirms that you don’t have to be a business owner, to be subject to Canada’s Anti-Spam Law.

For example, take the situation of a person who sends an email to their contact list to announce the sale of their used car on Craiglist; this type of email is considered a commercial email. The person sending this email can face a fine and prosecution if they don’t meet the many requirements of the law. Yikes!

Your older messages can still come to haunt you

Rapanos’ offences were committed during July and October 2014. During this time CASL had just come into force, but it wasn’t until April 22, 2016, nearly two years later, that the CRTC sent him a “notice of violation”.

In fact, the anti-spam legislation stipulates that you can file a complaint, or initiate a lawsuit for damages, up to three years after receiving a non-compliant message.

However, the CRTC can go as far back as they want to (up to July 1^st, 2014) to investigate you. They can go three, four, five, ten years in the past to inquire about a company’s practices, or you.

This means that if you don’t have a compliance program in place or have committed to a “voluntary disclosure”, you can be subjected to fines or lawsuits, even if you stop sending emails and other electronic messages.

Investigations are not decided on the number of emails sent or complaints received

The $15,000 fine Rapanos received concerned only 58 emails sent over a period of four months, not 58,000, not 580 but 58. That’s less than 15 per month!

So imagine the several hundreds of thousands of complaints among the thousands of companies reported to the CRTC.

Everyone is in the CRTC radar. For example, Vancouver start-up Pof Media (PM) had to pay a fine of $48,000, even if the CRTC only received 70 complaints amongst the millions of weekly emails sent to PM members.

This confirms what the CRTC has always said, “the number of complaints it receives is not an essential factor for initiating an investigation”.

No one is safe, and presumably, the CRTC is taking stern action to make sure everyone implements a compliance program.

If you try to hide, you will eventually be found

In its decision, the CRTC emphasised that it requested and obtained the following information during their investigation:

Log files of the registrar who managed the addresses (DNS) of the website (firstunitedpartners.com) to which the emails pointed to
IP addresses of the ISP used to register and administer the site, provided by Bell
Telephone numbers used to register the domain name, provided by WIND and 7eleven Canada

Clearly, they are savvy in identifying and tracking offenders.

There is no presumption of innocence

It gets even more intense… The CRTC has confirmed that under the Administrative Monetary Penalties (AMP / SAP), the official name of its fines, the right to the presumption of innocence does not apply because its investigations are not “criminal proceedings”. Another little-known fact of Canada’s Anti-Spam Law amongst the majority of Canadians.

So remember, if you are the victim of an investigation, and challenge the decision before the Court of Appeal, you must provide proof of your innocence (and also bear the cost of an appeal).

The only defence that can be used is that of due diligence, which means that A) you have a compliance program that meets the CRTC’s eight requirements or B) you’ve submitted a “voluntary disclosure” along with the required comprehensive audit.

The Dangers of Implied Consent: Blackstone fined $50K

26 October 2016/0 Comments/in CASL, Fines /by Rebecca Coggan

October 26, 2016, after close to two years of back and forth, the CRTC issued a Compliance and Enforcement Decision finding that Blackstone Learning Corp. violated Canada’s Anti-Spam Law (CASL) by sending commercial electronic messages (CEM) without consent. The initial penalty was calculated at $640,000 but was later adjusted to $50,000.

The notice of violation related to nine email campaigns, totally 385,668 messages, sent between July 9^th and September 18^th, 2014, to employees at twenty-five Canadian federal and provincial government organisations. The email campaigns resulted in at least 60 complaints to the CRTC’s Spam Reporting Centre.

When the CRTC began their investigation, Blackstone refused to cooperate, and when they received their notice of violation, on January 30, 2015, Blackstone appealed.

Blackstone argued that it had not violated CASL’s because it had implied consent to send the emails and that the penalty of $640,000 was unreasonably high.

Publically available email addresses

This is where it gets tricky. Blackstone’s defence was that the recipients’ email addresses were “conspicuously published” (i.e.: publically available email addresses).

However, the CRTC stated:

“the conspicuous publication exemption and the requirements thereof set out in paragraph 10(9)(b) of the Act set a higher standard than the simple public availability of electronic addresses”.

To meet the conspicuous publication exemption:

The electronic address must not be accompanied by a message specifically outlining that the individual does not want to receive unsolicited commercial messages.
The message must be relevant to the person’s business, role, functions, or duties in a business or official capacity.

The CRTC further clarified,

“the way that the email address is published, such as on the company’s website or through a third party, must lead to a reasonable understanding of consent to receive the type of commercial electronic message being sent“.

This is a significant argument of one of the few CASL exemptions. While public addresses may qualify for implied consent this “does not provide persons sending commercial electronic messages [CEMs] with a broad licence to contact any electronic address they find online”.

Why was the fine reduced

In considering an appropriate Penalty, the CRTC took into account the following considerations:

Purpose of the penalty: The Commission stated that the amount must be high enough to promote changes in behaviour, in effect a second chance, but not too high to put a person out of business (as this would negate any second chance).
Nature and scope of the violations: While almost 400,000 non-compliant messages were sent that disrupted the recipients and prompted at least 60 complaints to the Spam Reporting Centre; the violations took place only over a period of two months. The CRTC concluded that a penalty of $640,000 would be too high.
Ability to pay: After finally receiving Blackstone financial statements, it was evident that a penalty of $640,000 would significantly exceed Blackstone’s ability to pay.
Other factors – cooperation and self-correction: Blackstone’s failure to cooperate with the investigation increased the need for a penalty to ensure future compliance. However, the Commission saw some possibility of “self-correction” going forward and felt that a lower fine would be appropriate.

Based on these factors, the CRTC determined that a Penalty of $50,000 was a reasonable amount to encourage Blackstone to comply with CASL.

Lessons learned

Be careful if your email messages rely on an exception. Implied consent is evaluated on a case-by-case basis. Under CASL, the sender must prove consent. The CRTC “stress[es] the importance of detailed and adequate record-keeping for this reason.”

Lastly, this case is an excellent example, as to why having a risk analysis (audit) as required by the CRTC is so important. A properly implemented compliance program will validate the way consents are collected and managed. This ensures that you are protected in case of an accidental violation.

Kellogg to Pay $60,000 for Mishandlings by a Third-Party & Lack of Records

1 September 2016/0 Comments/in CASL, Compliance, Fines /by Rebecca Coggan

Last week the CRTC published an undertaking made by Kellogg Canada Inc. to pay a $60,000 fine after violating Canada’s Anti-Spam Law (CASL). A third party sent promotional email messages to recipients on behalf of Kellogg’s from October 1 to December 16, 2014. Apparently, Kellogg did have consent but was unable to provide records and proof. Without the proper documentation, the CRTC determined that these messages were sent without express or implied consent.

This case is a caution that companies need to ensure that their service providers comply fully with CASL. This judgement also stresses the importance of a company to have a compliance program in place, that meets the CRTC’s eight requirements, including proper record-keeping.

This means you must be able to, at all times, provide to the authorities a list of all the persons to whom you have sent electronic communications to during the last three years. You must supply proof of consent, that includes the date of consent for each one of your contacts, as well as transcripts of all the messages you sent to each contact.

Through the implementation of a proper compliance program, Kellogg has committed to review and revise its written policies and procedures, update its training programs to address CASL obligations, track CASL complaints and their resolution, and update its auditing mechanisms to assess compliance.

In a statement to ITBusiness.ca, Kellogg said, “We are aware and disappointed in our company’s alleged violation of Canada’s anti-spam legislation as it relates to commercial electronic messages sent by our third-party suppliers on behalf of Kellogg Canada in late 2014. … At Kellogg, consumers are at the heart of all we do, and we will continue to earn their trust and demonstrate a commitment to integrity and ethics each and every day.”

Note that service providers can be held accountable. Although it was not the case with Kellogg’s, the third party in this situation could have been fined for not respecting CASL, and/or Kellogg’s could have sued their third party supplier.

Update May 16th, 2017: This morning, IAB Canada invited two CRTC enforcement officers to Toronto, Kelly-Anne Smith, Legal Counsel, and Dana-Lynn Wood, Senior Enforcement Officer, to present the status of CASL enforcement.

The CRTC has explained, in reference to the responsibility of agencies and technology platforms, that if the providers are involved in the content of the message, they may be held jointly liable for violations of Canada’s Anti-Spam Legislation. Learn more about what changes July 1st, 2017 here.

Violations of CASL can result in penalties up to $1 million per violation for individuals and up to $10 million per violation for organisations. Businesses, representatives, employees, officers, directors, and administrators can all be held personally liable and forced to pay a fine. A compliance program is your only defence. Click here to learn more about all the requirements.

CASL Fines: Rogers Media Pays $200K

20 November 2015/in CASL, Fines /by Philippe Le Roux

The CRTC announced that Rogers Media, a subsidiary of the Rogers Communications group, has been fined $200,000 for violating the Canada’s Anti-Spam Law.

Sloppy unsubscribe mechanisms

The allegations against Rogers Media are related to non-compliant (i.e.: mismanaged) unsubscribe mechanisms in their commercial electronic messages.

Rogers Media agreed that its unsubscribe links did not always work, were not always easy to activate, and sometimes did not remain active for the required 60-days after the commercial message was sent. Rogers Media also acknowledged that unsubscribes were not always completed within the 10-day grace period.

It should be noted that Rogers Media was not fined for sending commercial messages to people who had not provided consent, like many other companies that were penalised by the CRTC, but only for the mismanagement of their unsubscribe mechanisms.

Total fines rise to nearly $31.5M

This file brings the total amount of fines issued by the CRTC to $1,498,000 plus the $30M in fines imposed by the Competition Bureau for a total of $31,498,000 in penalties under CASL.

SMBs represent 60% of the CRTC’s cases investigated under the Canadian Anti-Spam Act.

The fines released today include:

Compu-Finder, a Quebec SMB from Morin Heights, Quebec, fined $ 1.1M
Plentyoffish Media, a Vancouver-British Columbia SMB, fined $48,000
Avis, Budget, and AvisBudget Group, Toronto, Ontario received $10 million in fines each
Porter Airlines, Toronto to Ontario fined $150,000
Rogers Media, Toronto, Ontario, fined $200,000

Since the CRTC is not required to disclose all the details of its cases and/or investigations, other companies may have also have been fined for unknown amounts. (Are you one of them? We want to hear from you.)

Your only defence…

The only defence that the Act offers businesses is that of due diligence through the implementation of a compliance program that meets the CRTC’s eight requirements.

CASL: A challenge for museums and cultural organisations

21 October 2015/in CASL, Compliance /by Philippe Le Roux

This summer, we were mandated by Montreal’s Museum of Contemporary Art to implement a compliance program.

In addition to the pleasure of working with such a prestigious institution and collaborating with Espace Courbe, the team in charge of the museum’s technology changes, we witnessed first-hand just how much more complex Canada’s Anti-Spam Law is for museums and most cultural institutions than it is for businesses.

Below are some of our findings that, hopefully, can help your organisation improve the effectiveness of your electronic communications, all the while respecting the Canadian Anti-Spam Act.

A law that applies to all

First, let’s demystify a common myth:

Non-profit organisations and charities are NOT exempt from CASL. Compliance applies to all types of organisations.

Many believe that their status as an NPO, or even as a charity exempts them from CASL. This is false! The law applies to all natural and legal individuals and companies who send commercial electronic messages to or from Canada.

Additionally, non-profit organisations, charities and foundations that engage in commercial transactions (such as the sale of tickets, objects or production contracts) are subject to the CASL. Only some of their commercial messages are exempt.

Even municipal governments and Crown corporations such as Hydro-Québec, VIA Rail or Place des Arts must comply. In fact, only the federal and provincial governments are exempt from CASL.

A complexity specific to cultural institutions

The Canadian Anti-Spam Act imposes precise rules regarding the people that we can communicate with electronically. Most companies need to consider two types of relationships: customers and potential customers.

In the case of museums and many other cultural institutions, patrons, members, donors, guests of premieres, as well as volunteers and individuals providing support (past, present, and future) are all potential people with whom we can communicate to.

All these sub-types of customers and potential customers create a complexity, that causes many cultural institutions to limit their communications to only those who have given their explicit consent by completing a website form. This solution may appear simple but it’s costly in the end.

Savvy marketers and organisations know that it takes much less time and money to convince a former patron to return than to attract a new one. Your past invitees, patrons, members, donors, etc. are a gold mine. The good news is that you can profit from this gold mine as the Canadian Anti-Spam Act and its regulations have specific clauses for cultural organisations.

The two-year rule for patrons and members

Paragraphs 10, 13 and 14 of section 10 of CASL allows you to send unrestricted commercial electronic messages to all your customers, that have completed a transaction within the last two years. For patrons or members of a service, this two-year period begins on the end-date of a membership or programming period. This right, of course, becomes null and void if the person has indicated to you in the meantime their refusal to receive such communications from you.

This means that you can contact most of your donors, patrons, and members of the past two years to persuade them to rediscover your exhibitions or programs, even if they have never filled out an explicit consent form. Our experience with several cultural organisations has taught us that former patrons are often the easiest ones to reconquer if approached in the right way. You might be surprised to discover how many of them you can easily reconvert with a series of gradual re-engagement emails.

An exception for soliciting donations

As austerity becomes a dogma to which most of our politicians seem to prostrate, the development and sustainability of cultural organisations increasingly depends on donations made to them directly or through a foundation.

It should be noted that any message whose primary purpose is to raise funds for charity is exempt from Canada’s Anti-Spam Law. So you can send these messages to all your contacts as long as it’s the primary purpose of your message, not a backdoor way of putting your business activities forward.

N.B.: A message inviting the recipient to contribute to the fundraising campaign, may include a reference to your other activities as long as this reference remains marginal. However, if these activities contribute to the organisation’s profits, your message suddenly becomes a commercial message and no longer benefit from the exemption.

Always try to get explicit consent

While the Canadian Anti-Spam Act offers many opportunities to send messages based on implicit consent, every message you send should be seen as an opportunity to seek explicit consent, by inviting people to complete a form (donation, subscription, profile update, etc.) in which the request for explicit consent is present.

Whatever you do, do not send a message asking for explicit consent. Because 1), in certain situations it is illegal to do so, and 2) most of the time these messages get consent rates below 20%. Also, a lack of response or consent could be interpreted as a unsubscribe request and prevent you from continuing to send messages to these people.

Make sure you consent request is well worded

CASL states that consent must be clear, that is to say, the right to send electronic communications is limited to the type of communications to which the recipient has consented to. Many cultural organisations continue to ask for consent concerning their “newsletters”. Worded this way, you are not allowed to send any other type of electronic communication. An easy solution is to change “newsletters” to “electronic communications”.

Transforming threat into opportunity

For many organisations, CASL is perceived as a threat. Nobody wants to be investigated, receive a heavy fine, or be publically shamed by the media. Unfortunately, too many organisations decide to reduce or even worse, stop their email marketing activities altogether. A move that can hurt an organisation financially in the long-run.

Instead, transform this threat into an opportunity. Implementing a compliance program is an excellent opportunity to revise and update your organisation’s electronic communication practices. For most of our customers, this review has allowed them to maintain or increase the number of people they can send commercial messages to, and increase the effectiveness of their communications.

If you want to discuss your specific situation and see what would be the most economical, simple and effective way to make your organisation CASL compliant all the while improving your marketing effectiveness, speak with one of our experts.

SMB Plenty of Fish to pay $48K for a form!

25 March 2015/0 Comments/in CASL, CRTC, Fines /by Philippe Le Roux

In no less than three weeks after issuing its first fine, the CRTC announced that PlentyOfFish Media Inc., a Vancouver SMB, has also been fined under Canada’s Anti-Spam Act.

PlentyOfFish Media Inc. is a 75-employee Vancouver-based company that manages the popular free dating site Plenty of Fish, a destination with over 90M users.

Consent was not an issue

The facts compiled by the CRTC cover the period from July 1, 2014 (when CASL first came into effect) to October 8, 2014 (when the CRTC informed the company that it was subject to an investigation).

Over this period, the CRTC criticised Plentyoffish Media for not having a clear enough unsubscribe link and a form too complex to complete the process.

N.B.: The complaints received by the CRTC concerned emails sent to registered members of the site, and therefore to persons who had given their consent to receive them. So, consent was never an issue.

This fine is a case in point that even with consent as well as an unsubscribe link and form; businesses can still pay fines. One must be diligent. And PlentyOfFish showed their diligence by immediately paying their $48,000 fine and correcting the problem.

The CRTC makes its point clear

By giving a relatively small fine compared to the $1.1M one imposed at the beginning of the month to Compu-Finder, the CRTC is showing that it understands CASL, how to enforce it, and adjusts their fines based on the situation at hand.

It’s clear though, acting blindly in goodwill is not enough to avoid penalties.

In fact, as the CRTC stated in an Information Bulletin, that the only way to protect yourself against fines is to conduct a complete audit of your company and have a compliance policy which corrects those weaknesses identified by the audit.

If Plentyoffish had taken such action with Certimail or a consultant, they wouldn’t have had to pay this penalty and endure the bad-press that came with it.

And now what about you? Have you done an audit set up your program to avoid this kind of situation?

Even With Consent Avis & Budget To Pay $3M

11 March 2015/0 Comments/in CASL, Competition Bureau, Fines /by Philippe Le Roux

(Update March 23, 2017) In a joint agreement before the Competition Tribunal, the Avis Budget Group (ABG) agreed to pay a $3 million penalty along with a $250,000 fee. Let’s also add the lawyers’ expenses on top of this, which has probably been very costly for ABG considering how long these parties have been fighting it out in court.

—–

The Competition Bureau, issued a news release, stating that under the Canadian Anti-Spam Act (CASL), it is asking the Competition Tribunal to impose $10 million fines (each) to the Avis Budget Group, and its two subsidiaries Aviscar and Budgetcar, in addition to forcing them to reimburse consumers fines of up to $35 million. These fines are the first to be imposed by the Competition Bureau under CASL.

Consent was not an issue

While most journalists and observers have emphasised the importance of consent when referring to CASL, this exemplary penalty demonstrates the complexity and reach of Canada’s Anti-Spam Law. The Competition Bureau asked the Competition Tribunal to impose the maximum amount allowed by law to each of the three companies, not because of a problem of consent, but because of misleading promotional content in their emails.

It should be noted that the Canadian Anti-Spam Legislation goes much further than prohibiting spam. The Act contains 70 different rules for each commercial electronic message sent. Furthermore, it also amends the Competition Act by allowing the Competition Bureau to issue fines under CASL when a company violates Section 74.011 of the Competition Act.

And so this is the basis for the case of the Avis Budget Group violation. The Competition Bureau believes that the promotions advertised by the group were misleading because the listed prices were 35% lower than the actual price the consumer paid.

In its Notice of Application, the Competition Bureau examined the promotions in their various formats, from websites to mobile applications to radio and print advertisements. But it was because these promotions were also sent by email, that fines of $10M could be imposed plus $35M to consumers that had been wronged.

The importance of carrying out a complete compliance audit

Many companies and industry observers erroneously believe that Canada’s Anti-Spam Law only imposes obligations regarding consent. The CRTC itself contributes to this false perception through its Business FAQs (How can businesses ensure they are in full compliance with CASL?)

This false perception is what led to the flurry of emails around July 1^st, 2014 requesting consumers for their consent (an action that was completely unnecessary for businesses and in certain cases illegal).

CASL is complicated, there are many rules a commercial electronic message must adhere to, and some of the regulations can be unclear at times due to weak jurisprudence. The best way to protect your business is to conduct a comprehensive compliance audit (you are required to do so to be compliant according to the CRTC) and to implement a compliance policy that corrects any weaknesses identified during the audit.

This is what the CRTC recommends for all businesses that want to avoid penalties.