Attention! Privacy Law: New Obligations for ALL Businesses

According to the Canadian Chamber of Commerce, in 2016, 53% of Canadian businesses were victims of sensitive data loss. In recent years, millions of Canadians discovered that their personal data had been stolen from Bell Canada, Equifax, Uber, CIBC, Winners, and others.

These breaches have led the government to oblige companies to systematically disclose any incidents that may have affected the personal information they hold on their customers.

On November 1, 2018, the Digital Privacy Act will come into force, adding provisions to the Personal Information Protection and Electronic Documents Act, better known by its acronym “PIPEDA”.

Keeping and maintaining a “register”

The Act requires organizations to keep a record of all “breaches of security measures” for 24 months after the date of the breach, which must be available to the Privacy Commissioner at all times.

“Breach of security measures” means any loss, unauthorized access or unauthorized disclosure of personal information. This could be the loss or theft of a USB key, a hard drive or a computer that had personal information1. Or, the discovery of an attempt to hack a server or a virus that affected a computer or network on which such data was located. It may also be the discovery that an employee accessed such data without following proper procedures.

Companies must, therefore, document every security problem affecting personal information, whether it is computerized, material or human and whether or not there has been any damage.

Informing the authorities

In addition, an organization must notify the Privacy Commissioner as soon as a breach of security measures could result in “serious harm”.

The definition of “serious harm” is much broader than we might think. This includes “bodily injury, humiliation, damage to reputation or relationships, financial loss, identity theft, adverse effect on the credit file, property damage or loss, and loss of employment opportunities or business opportunities or professional activities “2.

Your company must, therefore, perform a risk assessment for each incident to determine the harm by considering, in particular, the sensitivity of the personal information in question and the likelihood that the information will be misused.

For example, if you are an SMB, you will have to proceed with notifications, if any or all of the following situations occurs:

  • you have discovered a virus affecting the server or computer where your database is located;
  • your website has been the victim of a hacking attempt;
  • an employee did not follow a procedure;
  • a former employee took personal data with them

Of course, there are many situations that could lead to “security breaches” in organizations collecting personal information, and a complete enumeration of such information is impossible.

Notifying those affected

When you discover that an incident may have resulted in the disclosure of personal data, you must inform everyone whose data has been compromised. Even if you are not sure if their data has been disclosed.

It is never pleasant to tell customers that one has mismanaged their information and that it may have been compromised. But if it’s done the right way and, most importantly, quickly, your customers will appreciate your diligence in sparing them the consequences.

The content of the notifications

Notices informing the data subject and the Privacy Commissioner of the infringement must contain specific information allowing them to be informed about the measures to be taken to reduce the risk of harm. The notice to your customers must include the following, at the very minimum:

  • the circumstances of the incident;
  • the date or period of the incident;
  • the nature of the personal information affected by the incident;
  • what steps the organization has taken to reduce the risk of harm;
  • measures that any interested party can take to reduce the risk of harm;
  • contact information allowing the individual to inquire further about the incident.

The notice to the Commissioner must have the same content except that it must include the number of individuals affected by the infringement.

Aligning with Europe’s GDPR

These latest amendments are binding on businesses, but by adopting them, Canada is moving closer to the obligations imposed in Europe since May 25 by the GDPR, which will facilitate the transfer of information between European organizations and Canadian ones.

For all things security, prevention has always been the best form of protection. Conducting an audit of your personal information management policies and practices as part of implementing a Canadian Anti-Spam Act compliance program, is both, a practical and cost-effective way to get you up to speed quickly, protected from lawsuits, fines and other obligations that could greatly affect the trust of your clients towards you and your business.


Canadian Companies Face California’s New Privacy Law

Until recently, the United States was lagging behind in the protection of personal information. So it was great surprise that on June 28, California adopted the California Consumer Privacy Act (CCPA), which will come into force in January 2020.

And like all new laws of this type, its application goes beyond borders and therefore concerns Canadian companies that have customers in California. The good news is that companies that do not meet any of the criteria below are not affected at this time.

The CCPA applies to any organization, that has personal information of California residents, and that such organisation:

  • Has gross annual revenues greater than $25 million USD;


  • Buys, receives, sells or shares the personal information of more than 50,000 California residents;


  • Earns 50% or more of its annual revenue by selling information of California residents.


The California law is similar in many respects to Canadian law, the Personal Information Protection and Electronic Documents Act (PIPEDA), but it also distances itself from many others. Compliance with PIPEDA is therefore not sufficient to comply with the CCPA.

Here are the main differences:

Right of access: Both statutes contain the right for consumers to be informed of the existence and use of their personal information and to have access to it. However, unlike Canadian law, California law does not provide an exception to this right that would allow a business to deny access to a consumer.

Right to erasure: Under Canadian law, organizations may retain personal information as long as it is necessary for the purpose for which it was collected, which implies the right of the consumer to request the deletion of the information once the goals are fulfilled. At first glance, the California law offers a broader right to request that information be removed, period. However, it provides for several rather vague exceptions which diminish the scope of the right and thus makes it similar to that of PIPEDA.

Right to portability: unlike the Canadian law, the California law provides for the right to data portability, that is, consumers have the right to receive their information in a structured format, commonly used to transmit data to another entity without interference from the original entity.

Consent: The California law does not place much importance on consent, unlike the Canadian law that bases the lawfulness of consent collection on either implicit (opt-out) or opt-in (consumer) consent. The CCPA, however, gives Californians the right to opt-out of the sale of their personal information. This right, therefore, requires organizations to include on their website a clear link to a form for such an opt-out.

Anti-Discrimination: Both Acts contain provisions prohibiting organizations from requiring consumers to consent to the collection of their information for the purpose of obtaining goods or services or having them at a given price. The California law is more flexible because it allows organizations to offer discounts to individuals consenting to the collection or use of their information.

Applications: While the Canadian law requires organizations to have accessible and easy-to-use complaints procedures, the California law requires at least two forms of communication; a toll-free telephone number and a website.


In Canada, the Privacy Commissioner does not have the power to impose fines for contraventions of PIPEDA and consumers do not have a private right of action.

California, on the other hand, has been much stricter in enforcing its law: Consumers have a private right of action, that is to say, the right to pursue an enterprise for civil or collective liability for breaches of security obligations, without any prejudice.

The CCPA also provides for penalties of up to $7,500 USD per violation.


If your company collects or has personal information of California residents, you may be subject to the CCPA, which puts you at great risk of civil actions by consumers, as they do not have to prove damages to claim compensation. Even if you comply with Canadian law.

As the Internet allows you to trade with consumers and businesses around the world, it’s becoming increasingly important to verify that your data management and e-marketing practices meet regulatory requirements.

Do not hesitate to speak with a Certimail advisor to see if you are affected by this new legislation.

Case study: Newsletters mistakenly flagged as spam… What to do?

If you send out a newsletter, chances are good that at least one recipient has unsubscribed, and in doing so, cited “spam” as their reason for unsubscribing. If you have Hotmail, Yahoo, or Google email addresses in your lists or CRM database, flagging an email as “spam” is even easier for them.

Even if your newsletter or communication is not “spam”, people nowadays get easily irritated and take out their anger on email by hitting that spam button. Sad story, but true.

Now without having to get into the details of email deliverability, each time an email you or your company sends is tagged as spam, there are checks and balances that go on in the background, affecting your email deliverability score. If you score reaches a certain level, or if the email platform you use to send emails receives a certain amount of “spam” hits, you could receive a warning or worse, be banned from sending emails.

This is unfortunately what happened to one of our clients.


Our client’s email address acquisition process was not optimised, and although their communications were definitely not spam, their newsletters were flagged by some. They received warnings and were only a couple of emails away from being blacklisted. And undoubtedly, equally close to receiving a notice from the CRTC.

This was a huge concern for our client as email was crucial to their business model. Without it, they would not have been able to serve their users.


They were in a precarious situation and they needed to act quickly. Our solution for them was simple, set them up with a CASL Compliance Program.

As per CASL:

“A person must not be found to be liable for a violation if they establish that they exercised due diligence to prevent the commission of the violation.”1

And as per the CRTC:

“The development and proper implementation of a documented and effective corporate compliance program is a useful risk-management strategy: it may (i) reduce the likelihood of businesses violating the rules and/or CASL, and (ii) help businesses establish a due diligence defence in the case of a violation of the rules or CASL.2

In our dealings with the CRTC, we know that they are not looking for companies and organizations to be perfect, but they do want them to be responsible.


As part of the process of establishing a Compliance Program, one of the first things that we did and that is required by the CRTC, is to perform a risk analysis.

We assessed our client’s situation according to one hundred items in our compliance grid, while at the same time searched for operational and marketing optimizations regarding electronic communications.

We then supplied them with a report of our audit, complete with recommendations for each issue, as well as optimisation tips and practical advice. Our client also operates in Europe so we provided GDPR recommendations as well.

They then fixed their issues, appointed a Compliance Officer, began documenting in the appropriate CASL registries, implemented a CASL Compliance Policy, and updated their Privacy Policy.

They are now CASL certified and can send electronic communications with peace of mind. They are no longer at risk of being blacklisted or of receiving a hefty fine.

If you’re wondering if any of your emails or newsletters may have been flagged as “spam”, give us a call and we’ll help you out. 514-867-1230

B2B Sales: Simple Email Trick to Quick-Start New Lead Relationships (and be CASL & GDPR Compliant Too)

For those of us that work in B2B, networking is a great opportunity to meet potential clients. Talking with as many targeted individuals as possible and exchanging business cards at these conferences or events are our priorities.

But what’s next? Often we’ll add these cards to our sales pipeline sheets or CRM applications, waiting for the “right moment/opportunity/situation” to contact them. And regularly, these contacts get added to a “newsletter” list.

I often compare B2B sales to dating. You’re not going to move to “first base” with someone before you go on a date. Receiving a newsletter from someone you met at a conference, without sending them a follow-up email first, is kind of like this.

And when the person receives the newsletter, often the first thing that comes to mind is, “I never signed up to receive this” accompanied with feelings of infringement. And now, the chances of that potential client becoming a client have been greatly reduced. Or worse, your newsletter or communications are reported as spam.

But what if there were a way to go about things just slightly differently…

Imagine a simple email that could nurture that lead, and move them forward towards becoming a client instead of deterring them. An email that is also 100% compliant in the eyes of Canada’s Anti-Spam Law (CASL) and the European General Data Protection Regulation (GDPR)?

So let’s start over again…

You’re at a business conference or event and you exchange business cards with a potential client, partner, supplier, etc. You both agree to stay in touch. You add that contact to your sales pipeline sheet or CRM application.

The very next thing you’ll want to do is to send the following email:

Here’s why this email is so effective:

First off, we’re making them feel good by being nice (it was a pleasure meeting you”), giving (“I’d like to learn more about your…”), respectful (“would it be okay with you…?”), and reassuring (“whatever we send your way will be of value”) —All qualities the majority of humans appreciate and act positively towards.

We’re also meeting the legal requirements by being clear in what can be expected by the contact replying to the email (receiving future communications).

Lastly, the email is not a dead-end, as indicated by the anticipation of a future conversation.

Oh and regarding the subject line “Hi First Name…”; in B2B, the words “hi” with the person’s name followed by “…” is opened by over 95% of recipients. That’s a great open rate!

If the contact doesn’t reply back. It’s ok, you still made a good impression.

The next thing you’ll want to do is to add “implied consent – B2B exception” as your CASL consent status to that contact, along with a photo of the business card and the date and name of the event where you met. Add “legitimate interest” as your GDPR Lawful Base.

If the contact replies back positively, great! The contact’s CASL consent status is now “express”.

So there you have it, a simple email that makes all the difference. Be sure to make it your own by using your own words and expressions.

Every single email is an opportunity. Imagine all the possibilities.


Did you like this article? Sign up to receive our communications and receive a 1-hour FREE consultation plus a surprise bonus.


How to Segment Email Contacts for Performance and Compliance

With the arrival of the GDPR and with CASL in full force, we are legally obliged to document and classify our contacts —either by implied/express consent for CASL and/or by citing one of the six lawful bases for GDPR.

This legal obligation is actually a great opportunity to update and revise those existing relationships.

When was the last time you UPDATED and CLEANED UP your CRM or contact lists?

Like the majority of most professionals and companies, it has probably been some time since your contacts were last updated or cleaned up. It’s a time-consuming task, and often other priorities take precedence. Once a contact has been entered into our address book, our profile tables, our CRM, our databases, it just kind of sits there.

But imagine what it would be like if you took the time to consider how those contacts, how those business relationships could evolve. Suddenly, opportunities come to mind.

Imagine what it would be like if that cold lead became a client for one of your new products or services. Imagine what it might be like if those one-time buyers transformed into frequent shoppers.

If we are more pertinent in our offerings to our contacts, clients, customers, leads, etc., through proper segmentation, these opportunities can become realities.

Here’s how to go about it…

#1 – Classify contacts according to “Legal” status

Because of our legal obligations to CASL and GDPR, you’ll want to attribute either an “implied/express consent” status or a “lawful base” to each of your contacts. It may sound time-consuming but this process is quite easy if you know the law or if you work with a professional (wink, wink).

#2 – Attribute business variable tags

Next up, you’re going to want to add tags or group your contacts based on business variables.  For B2B, this can include company type, size, industry, relationship to your business, etc. For B2C, you can use an RFM matrix model, or add items such as “high spender”, “frequent shopper”, etc.

When you segment emails on these variables, your best opportunities suddenly come into focus, and the time spent on marketing efforts is used more effectively.

For example, instead of sending a general promo to your entire list, you’ll send a more specific incentive to just your high-spenders. Resulting in more overall direct sales at a higher cart value.

# 3 – Attribute personal interests

Lastly, you’ll want to attribute personal interests and preferences to your contacts, so that you can personalize content. This can include language, gender, activities, etc.

For example, perhaps you run a tourism company and offer different excursions. Certain customers are going to be more interested in one type of activity than others. By asking them what activities interest them on sign up forms, or based on past purchases, or links clicked in emails, you can determine which activities interest a contact most.

By doing this, email conversations and communications suddenly become more relevant, pertinent and meaningful to your audience.

Your contacts will reward your efforts with increased open and click-through rates and increased sales and revenue.

Remember, every single email is an opportunity. Imagine all the possibilities.


Did you like this article? Sign up to receive our communications and receive a 1-hour FREE consultation plus a surprise bonus.


GDPR Compliance & Emails: What Canadian SMBs Need to Know

The European Union’s General Data Protection Regulation (GDPR) comes into effect May 25th, and although details of the law are still being worked out, when it comes into effect, in the eyes of European law, an organization must demonstrate they are being lawful and must be able to prove compliance.

Who is subject to GDPR?

For those of us here in North America who do business with European countries, we are subject to GDPR because of international collaboration between authorities. Specifically, though, GDPR applies to:

  • Any organization that collects, changes, transmits, erases, or otherwise uses or stores the personal data of EU citizens. (Personal data is any piece of data that, used alone or with other data, could identify a person).
  • Any person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data, known as the “Controller”, is accountable under GDPR.
  • Any organization sending emails to individuals in the European Union is subject to GDPR, regardless of the originating country of the emails.

What are the two main DIFFERENCES between CASL and GDPR?

  1. Commercial Electronic Message vs. Data Protection

The biggest differentiator between CASL and GDPR is that CASL governs Commercial Electronic Messages (CEMs) while GDPR governs data security and protection.

  1. Compliance Program vs. Lawful Bases

When proving compliance, a CASL Compliance Program that meets the CRTC’s eight requirements is one’s only defense in Canada. For GDPR, an individual or organization may reference one of the six lawful bases, as long as one can prove and demonstrate that they respected all the details and took all the action required of the lawful base cited.

About Consent

Some lawful bases don’t apply to all businesses and marketers, but if you send emails, you’ll want to know about Consent as a Lawful Base.

Remember, a company must be able to fully justify why they are collecting the information of an individual or organization, to what means they are using it, and how that information is being protected.

Consent is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR. However, there are strict requirements and you will need to obtain explicit consent moving forward from all your subscribers or from anyone that fills out forms on your web pages to receive communications from you, if you use Consent as a lawful base.

Important: unlike CASL there is no implied consent in the eyes of GDPR nor are there B2B exceptions. There is only explicit consent. Note that:

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message that is used has to state all the ways you could possibly use the personal data you collect and how you are protecting that data. (ex.: state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time.)
  • Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

Access, Rectify, and Erase

Additionally, as you collect an individual’s data through your online forms (ex.: first name, last name, email, etc.) under GDPR an individual must able be to access, rectify and erase their data at any given time. Thus, we suggest that you include a section in your Privacy Policy as to how an individual may go about this (ex.: by sending an email with the request to [email protected]).

Record keeping and a centralized database

Within the rules and regulations of both CASL and GDPR, good record-keeping practices is not only necessary to establish a due diligence defense in the event of complaints against your business, but good recording keeping helps businesses (i) identify potential non-compliance issues, (ii) investigate and respond to consumer complaints, (iii) respond to questions about the business’s practices and procedures, (iv) monitor their corporate compliance program, (v) and identify the need for corrective actions and demonstrate that these actions were implemented.

Additionally, in order to meet the requirements of GDPR regarding Data Privacy and Consent, a centralized database for contact management, processing and documentation are helpful, not only for client relationships, smooth and efficient operations, but also for proving lawfulness and compliance.

As an individual or organization that sends emails, for marketing or business purposes, what’s your best bet?

A CASL compliance program is considered the gold-standard and best in breed where it comes to protecting yourself against hefty fines. Remember CASL applies to individual emails as much as group emails and newsletters regardless of whether there is promotion content or not.

Implementing a CASL compliance program, that meets all the requirements of the CRTC, is not only required by the law in Canada, but by doing so, you’ll increase your protection with regards to GDPR.



CASL: What’s changed since July 1st?

After three long years, the grace period has ended, and companies must have established and implemented a compliance program. Businesses can no longer defend themselves by explaining that they weren’t aware of all the criteria necessary to be compliant.

From now on, to whom can you send messages to?


From now on, you may only send electronic business messages to:

  • persons who have given explicit consent,
  • clients who have made at least one transaction in the last two years,
  • individuals who have requested, within the last six months, to receive business information.

ATT: For all other contacts, you can no longer send them communications. This includes sending a consent request. The CRTC was very clear on this subject: an email requesting consent is a commercial electronic message and can not be sent without prior consent! 

What to do about leased or purchased lists?

The CRTC argued that when you obtain lists from a third party, you must verify that your supplier has obtained the appropriate consent for each contact. This includes consent for the type of communication (medium & content) one can send to an individual.

The CRTC clarified that in order to discharge your liability you must demonstrate that you’ve taken action to verify the legality of the consents obtained by your supplier. Otherwise, or if the CRTC deems that your actions are insufficient, you will be held responsible.

This practice also applies to directories. Before using the information from a repertory, you must verify that you have the right to do so and that the publisher of the directory obtained the proper consents. Otherwise, you will be held responsible.

Can agencies, ESPs and CRM suppliers be held responsible?

The CRTC has explained, in reference to the responsibility of agencies and technology platforms, that if the suppliers are involved in the content of the message, they may be held jointly liable for violations of Canada’s Anti-Spam Legislation.

For example, this applies to agencies that write copy and design emails (and other electronic messages) for their clients, as well as ESPs and CRMs that offer dynamic content customization or dynamic segmentation.

We’ll be consulting with our partner lawyers shortly for more information. Stay tuned for a detailed article on this subject.

Polls & Surveys

With regards to emails inviting individuals to participate in a poll, if the survey is just a study, it does not fall within the definition of a commercial electronic message and therefore does not require prior consent.

However, if the poll or survey refers to a product or promotes it, even subtly, it must meet all the requirements of CASL.

A good rule of thumb is to ask yourself if the individual who completes the survey can guess the name of the company or brand. If so, your survey is likely to be in violation of the law.

SMS and MMS messages

Although there are less commercial text messages sent in Canada than in other countries, consumer complaints about them are on the rise and these messages are in the CRTC’s viewfinder.

The CRTC explained that if companies send text messages for commercial (not necessarily promotional) purposes, or plan to do so, they must ensure that their compliance program covers these types of messages.

ATT: If a person is not on the National Do Not Call List (NDNCL), this does not mean you have consent to send them text messages.

Whereas the NDNCL uses an opt-out procedure (a person has to contact them to be removed from their list), Canada’s Anti-Spam Law uses an opt-in principle (individuals must give you permission to be contacted).

Transactional messages

The CRTC has clarified that transactional messages such as the confirmation of a transaction, change of password, scheduled alert, etc.) are not considered a commercial electronic message, as long as it does not contain a commercial offer. Also, transactional messages can be sent even if the person has withdrawn their consent.

However, the CRTC has made it clear that these transactional messages must comply with all the provisions of CASL, including those articles referring to “mandatory information” and “unsubscribe mechanisms”.

Brands and parent companies

When the CRTC discussed this point during an IAB presentation, the crowd told them they were crazy. Take note: Any withdrawal of consent applies to the whole company by default (affiliates and parent companies included), and not the just the brand or business indicated in the unsubscribe form.

Let’s take Loblaws and Shopper’s Drug Mart as an example: if a consumer unsubscribes from the Loblaws supermarket newsletter, consent is automatically withdrawn from the entire company and not just from supermarket communications. If the consumer was subscribed to the Shopper’s Drug Mart newsletter at the time when they withdrew their consent to Loblaws, under the law, they should no longer receive Shopper’s Drug Mart newsletters.

The only way to manage this situation legally is to propose an unsubscribe form in which the consumer can choose the brands from which he or she wishes to remain subscribed to.

When the CRTC was told that this was a bit crazy, their response was “We don’t know how you operate, guys! So come and talk to us so that we can understand you better”.

In conclusion, the law is tricky. For those not who are not vigilant or proactive, they will eventually be heavily fined and required to complete their compliance program.

The solutions and compliance programs offered by Certimail, built in collaboration with researchers from the Faculty of Law at Université de Montréal, meet the new requirements of the CRTC.

If you already have a program set up by us, you have nothing to change. You’re covered.

If you don’t have a compliance program, our experts are at your disposal to assess your situation and can offer you an efficient and inexpensive program that meets the CRTC’s requirements.


CASL: First Fine To A Corporate Executive

The CRTC announced that Ghassan Halazon has paid, as an individual, a fine of $10,000 to relieve himself of his responsibilities as CEO, in violations of the Canadian Anti-Spam Law (CASL) committed by the company he ran at the time. This is the first time a corporate executive has been fined, and there are several lessons to be learned.

Enforcement of CASL is toughening up

Several observers misinterpreted the government’s decision to postpone the right to civil and collective redress at the end of 2017, as a sign of easing of the application of CASL. This is not the situation and Halazon’s case demonstrates this.

The CRTC has always stated that the three transitory years that companies had to implement their compliance program was sufficient and that those who have not yet done so have no excuse. In fact, Steven Harroun, the CRTC’s Chief Compliance & Enforcement Officer, said at a recent conference:

Commercial electronic messages are the primary source of what prompts Canadians to report cases that require follow-up investigation — commercial email messages that you or your organisation may be responsible for sending. Email messages account for more than three-quarters of incidents reported to us.


Every business should have a compliance program in place to help ensure each commercial message or telemarketing call is compliant. If your practices are ever called into question, a thorough compliance program can help you in a due diligence defence.


But let me be clear, CASL and Unsolicited Telemarketing Rules are not new. And ignorance is not a defence.

Look at it this way—if I do a U-turn on the 401 and my defence to the police officer who pulls me over is that I did not know I couldn’t make a U-turn, I’m still getting the ticket.

The same applies if violations under these laws have been determined. There will be consequences, which could include administrative monetary penalties and the obligation to implement compliance programs. At best. And, at worst, public shaming that will keep your public relations department busy for a long time.

The message is clear, very quickly, several penalties a year will jump to several fines per month, as was the case with the National DNCL, another organisation regulated by the CRTC.

Why was Mr. Halazon fined?

In 2009, Mr. Halazon founded Cough Commerce, the company that launched in 2010 and bought in 2013. Unfortunately, the merger wasn’t successful, and the company had to file for bankruptcy protection on August 29, 2014. Halazon’s business was then bought on September 24, 2014, by nCrowd, an American company specialising in bundle purchases.

Nevertheless, according to the CRTC, between July 2 and September 9, 2014, TeamBuy violated CASL, by sending several emails with a withdrawal mechanism that was not functioning well or was too complicated. Ghassan Halazon being at the time CEO of the company was found personally responsible under section 31 of the Act, which states that:

Directors, officers, etc., of corporations

31 An officer, director, agent or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorised, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against.

C-level, directors, managers, administrators are all personally liable

Section 31, on which Halazon’s fine is based, is one of the many provisions of CASL that few people know about nor is it discussed by the media. It’s unfortunate, because corporate protection under this section is removed, and thus makes individuals such as directors, managers, administrators, etc. personally responsible for CASL violations.

The CRTC’s Chief Compliance and Enforcement Officer has made this clear in a recent statement:

Receipt of commercial emails is the primary source of complaints from Canadians who report cases requiring follow-up investigations, and you or your organisation may be held responsible for sending these commercial emails. 

The CRTC’s adamant actions…

Canada’s Anti-Spam Legislation came into force on July 1, 2014, and TeamBuy went bankrupt two months later. Yet, the CRTC investigated this case, for almost three years, for emails sent over a very short period. This unyielding behaviour runs counter to much of the CRTC’s reassuring PR speeches. What their actions do seem to mean is that:

  • That the notion of transition period is not taken into consideration and that the CRTC expects companies to have been compliant since July 2, 2014,
  • Their enforcement is not solely for the goal of compliance, but for punishment,
  • Everyone, at any time, past or present, is at risk of being fined.

Another surprising move by the CRTC

It is also surprising to note that while the case file was concluded on June 12, 2017, the CRTC waited until Friday afternoon to publish this news on its website, and this without issuing a press release − an approach often used in politics to make sure journalists don’t talk about it. 

Are you insured?

More and more organisations are now taking out liability insurances, commonly referred to as an Errors & Omissions insurance (E&O) to protect their employees. A common practice with NGOs to protect volunteers, but that is now becoming more standard practice for private businesses, in light of CASL.

N.B.: Savvy insurance companies are starting to exclude CASL from their policies if the company can not demonstrate that it has implemented a complete compliance program.

In conclusion

Each decision made and conference given by the CRTC sheds a little more light on their approach regarding investigations and fines. Regardless, the words of the CRTC’s Chief Compliance and Enforcement Officer must be taken seriously:

Each company should have a compliance program to help ensure that every commercial or telemarketing message is compliant. If your practices are challenged one day, a comprehensive compliance program can help you establish a due diligence defence.

Now then, considering that the emails you, your company and your employees sent, or send today can haunt you in the future, it’s more important than ever to protect yourself and to implement a compliance program. Speak with one of our experts for free.


CASL Compliance: How badly informed are Canadian and QC firms?

Seven years after its approval by Parliament and three years after it came into force, a Canada-wide survey shows that businesses, small and large, are still confused about CASL compliance, the types of messages it regulates, and the means to protect oneself from fines and lawsuits.

Canadian companies

The study, which was conducted recently by the Direct Marketing Association of Canada (DMAC) and law firm Fasken Martineau DuMoulin LLP, surveyed over 200 individuals directly responsible for CASL compliance of their organisation. Here are some of the highlights from the study:

  • 64% didn’t understand how to make their message CASL compliant beyond consent and an unsubscribe link
  • 46% were unaware that an organisation could be ordered to pay damages
  • 40% of them didn’t know that they can be held personally liable
  • 64% stated that their organisation did not (or didn’t know if their organisation had) a formal compliance policy
  • 63% believed that employees and staff don’t require CASL compliance training
  • 60% indicated that their company never performed a compliance audit

This is quite disconcerting, especially considering that the last 3 points are items required by the CRTC, to be able to defend oneself, should you face an investigation or prosecution.

No better for Quebec SMBs

Although this study was conducted amongst medium to large business in English Canada, a similar study was just recently published surveying Quebec SMBs.

  • Less than 5% of Quebec SMBs comply with CASL
  • More than 75% were unaware that companies could be fined, even if they have explicit consent
  • Only 35% knew that from July 1st, 2017 onwards, companies will be subject to civil or collective redress
  • 40% were surprised to learn that SMBs, as well as individuals, can face the same charges as large companies
  • 38% didn’t know that many QC companies have already been investigated and received fines
  • 1 out of 4 were unaware that CASL regulates individual emails, as well as text and social media messages

The CRTC’s shortcomings

Although the CRTC enforces CASL, informing and educating businesses is their greatest shortcoming. An article exists to help companies defend themselves, but it must meet the CRTC’s eight required categories. However, finding these requirements on an official website is very difficult.

The regulatory body does give presentations, but for the moment, it is almost exclusively to large law firms in Toronto. Unfortunately, 97% of Canadian companies are small businesses that can’t afford to do business with these big firms.

What can you do for yourself?

Canadian law states that “no one is supposed to ignore the law“.

A compliance program is also the only way to protect you and your business, and your employees, from tens or even hundreds of thousands of dollars in fines and legal fees.

So what do you do? You don’t want to stop your email marketing activities because it’s the top digital performer when it comes to ROI. We’ve done the calculations and penny for penny, all things considered, even a small investment in a compliance program is better than no investment at all.



CASL: A challenge for museums and cultural organisations

This summer, we were mandated by Montreal’s Museum of Contemporary Art to implement a compliance program.

In addition to the pleasure of working with such a prestigious institution and collaborating with Espace Courbe, the team in charge of the museum’s technology changes, we witnessed first-hand just how much more complex Canada’s Anti-Spam Law is for museums and most cultural institutions than it is for businesses.

Below are some of our findings that, hopefully, can help your organisation improve the effectiveness of your electronic communications, all the while respecting the Canadian Anti-Spam Act.

A law that applies to all

First, let’s demystify a common myth:

Non-profit organisations and charities are NOT exempt from CASL. Compliance applies to all types of organisations.

Many believe that their status as an NPO, or even as a charity exempts them from CASL. This is false! The law applies to all natural and legal individuals and companies who send commercial electronic messages to or from Canada.

Additionally, non-profit organisations, charities and foundations that engage in commercial transactions (such as the sale of tickets, objects or production contracts) are subject to the CASL. Only some of their commercial messages are exempt.

Even municipal governments and Crown corporations such as Hydro-Québec, VIA Rail or Place des Arts must comply. In fact, only the federal and provincial governments are exempt from CASL.

A complexity specific to cultural institutions

The Canadian Anti-Spam Act imposes precise rules regarding the people that we can communicate with electronically. Most companies need to consider two types of relationships: customers and potential customers.

In the case of museums and many other cultural institutions, patrons, members, donors, guests of premieres, as well as volunteers and individuals providing support (past, present, and future) are all potential people with whom we can communicate to.

All these sub-types of customers and potential customers create a complexity, that causes many cultural institutions to limit their communications to only those who have given their explicit consent by completing a website form. This solution may appear simple but it’s costly in the end.

Savvy marketers and organisations know that it takes much less time and money to convince a former patron to return than to attract a new one. Your past invitees, patrons, members, donors, etc. are a gold mine. The good news is that you can profit from this gold mine as the Canadian Anti-Spam Act and its regulations have specific clauses for cultural organisations.

The two-year rule for patrons and members

Paragraphs 10, 13 and 14 of section 10 of CASL allows you to send unrestricted commercial electronic messages to all your customers, that have completed a transaction within the last two years. For patrons or members of a service, this two-year period begins on the end-date of a membership or programming period. This right, of course, becomes null and void if the person has indicated to you in the meantime their refusal to receive such communications from you.

This means that you can contact most of your donors, patrons, and members of the past two years to persuade them to rediscover your exhibitions or programs, even if they have never filled out an explicit consent form. Our experience with several cultural organisations has taught us that former patrons are often the easiest ones to reconquer if approached in the right way. You might be surprised to discover how many of them you can easily reconvert with a series of gradual re-engagement emails.

An exception for soliciting donations

As austerity becomes a dogma to which most of our politicians seem to prostrate, the development and sustainability of cultural organisations increasingly depends on donations made to them directly or through a foundation.

It should be noted that any message whose primary purpose is to raise funds for charity is exempt from Canada’s Anti-Spam Law. So you can send these messages to all your contacts as long as it’s the primary purpose of your message, not a backdoor way of putting your business activities forward.

N.B.: A message inviting the recipient to contribute to the fundraising campaign, may include a reference to your other activities as long as this reference remains marginal. However, if these activities contribute to the organisation’s profits, your message suddenly becomes a commercial message and no longer benefit from the exemption.

Always try to get explicit consent

While the Canadian Anti-Spam Act offers many opportunities to send messages based on implicit consent, every message you send should be seen as an opportunity to seek explicit consent, by inviting people to complete a form (donation, subscription, profile update, etc.) in which the request for explicit consent is present.

Whatever you do, do not send a message asking for explicit consent. Because 1), in certain situations it is illegal to do so, and 2) most of the time these messages get consent rates below 20%. Also, a lack of response or consent could be interpreted as a unsubscribe request and prevent you from continuing to send messages to these people.

Make sure you consent request is well worded

CASL states that consent must be clear, that is to say, the right to send electronic communications is limited to the type of communications to which the recipient has consented to. Many cultural organisations continue to ask for consent concerning their “newsletters”. Worded this way, you are not allowed to send any other type of electronic communication. An easy solution is to change “newsletters” to “electronic communications”.

Transforming threat into opportunity

For many organisations, CASL is perceived as a threat. Nobody wants to be investigated, receive a heavy fine, or be publically shamed by the media. Unfortunately, too many organisations decide to reduce or even worse, stop their email marketing activities altogether. A move that can hurt an organisation financially in the long-run.

Instead, transform this threat into an opportunity. Implementing a compliance program is an excellent opportunity to revise and update your organisation’s electronic communication practices. For most of our customers, this review has allowed them to maintain or increase the number of people they can send commercial messages to, and increase the effectiveness of their communications.

If you want to discuss your specific situation and see what would be the most economical, simple and effective way to make your organisation CASL compliant all the while improving your marketing effectiveness, speak with one of our experts.