Posts

CASL’s first sanction against a foreign company

Sanction for the Irish site Ancestry.com

On April 24th, the CRTC announced an undertaking with Ancestry Ireland Unlimited Company (“Ancestry”), which hosts the Ancestry.com website. The latter uses emails to communicate with people registered on its online service, which allows the search for genealogical documents (family history, family trees, historical records, information based on genetic analysis, etc.).

The extraterritorial nature of CASL

This is the first time that a foreign company has been subject to a CRTC sanction in connection with the Canadian Anti-Spam Law (hereinafter CASL). Ancestry is an Irish company with no offices or employees in Canada. The provisions of CASL, however, indicate that it applies to any company that sends messages to Canadian subjects, regardless of the source of the messages.

Similarly, contrary to what many people believe, Canadian companies have to comply with CASL both in their sendouts to Canada and for commercial electronic messages, they send to the rest of the world.

A sanction even if the consents were legal

The CRTC was able to find that Ancestry had obtained valid consents to communicate with its contacts, that its messages contained the mandatory identification information as well as an unsubscribe link.

However, the company was still in the wrong according to the CRTC because their different databases did not synchronize the withdrawal of consents. A customer who unsubscribed from one list continued to receive messages from the other list.

The requirement to synchronize withdrawals of consent

CASL provides that a person must be able to unsubscribe from all commercial electronic messages from the company. In the absence of other choices in the unsubscribe process (ex.: to receive certain types of communications only), the person must by default be excluded from the receipt of all commercial communications.

This requirement of the law can become a concern for many. Indeed, in the majority of companies, there is no synchronization between the mailing lists and the sending of emails themselves, the email sending platforms being separated from CRM or databases. Many companies also often have no way of updating their consent for sending emails via Outlook if someone unsubscribes from their newsletter. Thus, a person could continue to receive communications, despite the fact that in principle, they have unsubscribed from all sendouts.

The compliance program is a must

Ancestry is, by this undertaking, obliged to comply with the Act with respect to the synchronization of its consents. It must therefore unsubscribe and remove from all its commercial communications any person who has indicated this desire, either directly or indirectly, within 10 working days of the request.

The company must also implement a compliance program under CASL which includes: “reviewing and revising current compliance practices […], as well as various other monitoring and auditing measures, including reporting mechanisms to CRTC staff regarding the implementation of the program.”1

Do not be the next company to be sanctioned

If you use an email sendout platform that does not synchronize consent withdrawals with other lists or with your internal email system, you’re in violation of CASL and you may be fined up to several hundreds of thousands of dollars.

If your company is not yet under investigation by one of the CASL enforcement authorities, there is still time to put your compliance program in place and protect yourself before it’s too late.

[Study] Marketing Professionals’ knowledge of CASL – Spoiler: It’s not good…

Today, the AMR (Quebec’s Association of Relationship Marketing) unveiled its first study asking Quebec marketing professional how well they know (or think they know) CASL (Canada’s Anti-Spam Law) and its compliance requirements. While the Canadian ministry, responsible for CASL, will soon respond to recommendations made by Parliament in the law’s first review and amendments, it was important to measure the understanding and application by Quebec professionals that are most impacted by it.

This study was conducted in collaboration with LJT, a law firm renowned for its expertise in marketing law, and Certimail, the Canadian leader in CASL compliance for SMBs.

Companies are not familiar with CASL

While 96% of respondents send commercial electronic messages (emails specifically), less than 6% correctly answered 7 simple questions about CASL and its application. Of the respondents (71%) who said they were familiar with CASL, 85% failed this basic test.

One in two believes that the Canadian Anti-Spam Legislation only regulates promotional items (i.e. newsletters), however, governs ALL commercial electronic communications (individual, group, batch, sales, transactional, regardless of whether there is promotional content or not).

10% of respondents are unaware that CASL applies to their organization and business practices.

It’s been three years since CASL has come into full enforcement, and yet professionals still don’t know its constraints and scope,” says Marc Roussin, president of the AMR. “Our association is, therefore, launching a series of activities to demystify the requirements of this law, that governs all commercial electronic messages.

A big misunderstanding of compliance

60% of respondents said their businesses are fully compliant with CASL. Yet, less than 10% have incorporated a withdrawal mechanism into employee email signatures, a CASL obligation. Barely 11% completed an audit, as recommended by the CRTC. Only 40% have a written compliance policy and 75% of companies have not yet trained their employees with regards to this law.

If one doesn’t know the real dangers to which they are exposed, a company can’t properly execute good risk management and governance,” says Sophie Deschênes-Hébert, a lawyer specializing in advertising and technology at LJT. “The results of the study show that in digital marketing, many make strategic decisions based on incomplete or inaccurate information and expose themselves to costly and easily avoidable consequences.

A misunderstanding of CASL directly affects one’s marketing effectiveness

Since the launch of CASL, approximately 9% of respondents stopped using email marketing altogether, while 11% reduced their use of this marketing channel.

This sort of practice is flawed because CASL and all its regulations equally applies to emails sent by employees. Several fines issued by the CRTC (ex.: William Rapanos and POF Media cases) show that sometimes only a few complaints are required for a company to be investigated.

Eliminating or reducing email marketing is also a bad business decision because, with a return on investment of 44 to 1, email still remains the most profitable digital marketing tool for companies and organizations.

Too many companies are afraid of this legislation, and it’s too bad because it’s an excellent opportunity to improve one’s marketing,” says Philippe Le Roux, president of Certimail. “Implementing a CASL compliance program not only protects you against fines but it improves marketing and operational effectiveness.

Since the introduction of CASL, email marketing indicators have improved significantly in Canada, according to a recent IBM global study.

AMR launches an outreach program

In light of the results of the study, AMR will be launching a program of activities to help marketers learn about CASL’s regulatory requirements and provide guidance to help them achieve business compliance. This program will launch on May 3rd, 2018 during a conference dedicated to email and compliance. During the event, the CRTC will present its CASL enforcement methods. Several experts will also share their knowledge and experiences regarding compliant and effective email marketing. Additionally, a series of webinars will allow professionals to deepen their knowledge and to benefit from tried and true advice.

Consult the complete study (in French only).

$1,25M fine for Enterprise, National, and Alamo

A negotiated fine

Enterprise Rent-A-Car Canada Company, which manages the Enterprise, National, and Alamo car rental companies, has recently agreed to pay, to the Competition Bureau, a $1,25 million fine for sending emails containing misleading promotions, a practice covered by the Canadian Anti-Spam Law (CASL).

The entire industry is targeted

In its press release, the Bureau states as a reminder to companies, that already $5.25 million has been fined to and paid by three other major companies in this industry: $3M paid by Avis Budget following an investigation concluded in March 2015; and Hertz Canada, which also manages Thrifty, was fined $1,25 million in the spring of 2017.

This reminder clearly shows that the Competition Bureau will continue investigating car rental companies, as misleading promotions seems to be a systemic practice. This targeting, of a specific industry, is reminiscent of the CRTC’s investigation with vocational training companies.

Again, consent is not enough

While most companies continue to believe that having consent with regards to their promotional messages is enough be compliant with the Canadian Anti-Spam Law, this fine, once again demonstrates that CASL is much more complex and demanding. In fact, there are around one hundred risks that must be analyzed to ensure that a company is in compliance with CASL. Not only because this law has many articles, but also because CASL touches upon certain articles of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Competition Act.

Moreover, while the fines imposed by the CRTC for issues of “consent” or “unsubscribe” are of the order of a few tens or hundreds of thousands of dollars per company, the fines given by the Competition Bureau due to “message content” is consistently greater than $ 1 million.

The importance of a compliance program

In the Tribunal agreement, Enterprise was required to implement a compliance program under the supervision of the Competition Bureau. While waiting to be investigated to implement its compliance program, Enterprise not only had to pay a hefty fine, but it also had to incur significant legal fees in collaboration with the investigation and to negotiate a settlement, satisfactory to the CRTC.

If your company is not the subject of such an investigation, there is still time to set up your compliance program and protect your business before it’s too late.

Parliamentary Report: The Canadian Anti-Spam Law Is Here to Stay

The government must maintain and reinforce the application of the Canadian Anti-Spam Law (CASL), but it must also clarify vague notions of the Act and its regulations, as ascertained by the thirteen recommendations in the CANADA’S ANTI-SPAM LEGISLATION: CLARIFICATIONS ARE IN ORDER.

The report, recently published by the House of Commons Standing Committee on Industry, Science, and Technology cites forty-one expert testimonies with analyses from approximately thirty memoirs over the course of ten weeks.

CASL is effective

Despite highly polarized interventions between lobbyists and business lawyers, who described CASL as a catastrophic situation, and consumer representatives, who believe that the fines are insufficient, parliamentary members relied on information provided by Certimail to conclude that, despite the constraints, CASL offers a good balance between consumer protection and business competitiveness, but that aspects of the law require clarification.

CASL must change its name

The first and last recommendations of the Committee are to change the short name “Canadian Anti-Spam Law (CASL)” to “Electronic Commerce Protection Act (ECPA)”. Members noticed that many companies do not feel concerned by the Law because they are not aware that CASL governs all commercial electronic communications, and not just spam or email marketing.

CASL must be clarified

Recommendations 2 to 8 call on the government to clarify and detail certain elements of CASL and its regulations to ensure that non-profit businesses and organisations better understand what is allowed or not.

The elements that the Committee recommends to clarify are:

  • the definition of “commercial electronic messages
  • the status of administrative and transactional messages
  • the status of messages between companies
  • notions of implied and express consent
  • the definition “email address”
  • messages that are exempt to section 6.6 of the Act
  • management of referral messages
  • the application of the Law as it applies to charities and non-profits organisations

These clarifications of the Law and its regulations will address some of the vague regulations, but it does not or will not change the CRTC’s compliance requirements.

The CRTC must take care of small businesses

In its ninth recommendation, the Committee wants the CRTC to make a significant effort to raise awareness, particularly among small businesses. This recommendation is based on a thorough evaluation of the CRTC’s work. The Committee emphasized in the report that all stakeholders were unanimous in saying that the CRTC must review its awareness activities and guidance documents to ensure that they are sufficient and effective—(very happy to see that part of my intervention was even quoted directly in the report, page 14) —indicating that the compliance requirements are hidden on the CRTC’s website and are not even listed on the fightspam.gc.ca website. The CRTC is therefore invited to redouble its awareness-raising efforts, particularly with small businesses.

Postponement of Civil and Class Actions

The Committee considers that the Private Right of Action (PRA), which allows civil or class actions to be launched after receiving a non-compliant message, must be maintained but suspended pending clarification and awareness-raising efforts. The Committee’s tenth recommendation also suggests that the Government assess whether the damages that may be claimed in this regard should be demonstrated.

The CRTC’s cooperation with the RCMP

During their testimony before the Committee, the CRTC indicated that it is currently less limited in its dealings with authorities in other countries than with the RCMP and other Canadian security agencies. The Committee heard the message and dedicates its eleventh recommendation to fostering cooperation between the CRTC and police authorities across the country.

Transparency in complaints, investigations, and fines

The CRTC and government are encouraged to find ways to make the investigation and fine-setting process more transparent while promoting access to data on complaints received and trends in problems.

I was happy to read that Certimail’s contribution was quoted a dozen times in the report. This not only made me proud of my first lobbying experience but glad to have helped our MPs to understand SMBs’ reality in regard to email marketing and CASL compliance. Upon reading the recommendations, it’s clear that Certimail’s pragmatic approach has served the interests of our clients much better than the dogmatism of the official lobbies like CFIB and Canadian Chamber of Commerce, that don’t really seem to know and understand the undertakings of being compliant or even email marketing at all.

 

Parliamentary Review of CASL: A Festival of Asinine Discourses

If you believe, like many do, that you still receive a lot of unsolicited messages (i.e., spam) in your inbox, you’re all hallucinating.

At least this is what the Canadian Chamber of Commerce seemed to imply when it told members today, during the second revision session of CASL by the Standing Committee on Industry, Science and Technology, that spam is no longer a problem.

Today’s session consisted of a long series of approximations and erroneous or exaggerated assertions. The discourses, whose similarity might suggest that they are secretly coordinated, all revolved around the same central idea:

Overseeing commercial electronic messages sent from businesses prevents the authorities from dealing with the “bad guys” who threaten IT security. So let’s give companies the opportunity to send all the messages they want to whomever they want because the real problem that the CRTC should be concentrating on are fraudsters.

This type of assertion is asinine: Imagine the CAA calling for the abolition of the driving rules so that the police can devote themselves to the fighting against terrorism.

Let’s look at and analyze the central pearls of this type of reasoning.

Spam is no longer a problem (???)

According to Scott Smith, Director, Intellectual Property and Innovation Policy at The Canadian Chamber of Commerce, spam is no longer a problem for Canadians. This hyperbolic assertion is taken from a report, supplied by anti-spam software vendor Trustwave, which Smith relies upon and states that anti-spam software blocks 99% of spam.

Even if this statement was objective and credible, how then does one explain the over 5,000 complaints that the CRTC continues to receive on a weekly basis, and the 1 million + complaints its registered in the last three years?

Technological illiteracy or misinformation?

The complexity of CASL has been rightly pointed out by speakers, especially when it comes to the various types of “implied consent”.

But to argue, as Mr. Smith did, that there is no technology that exists for businesses to manage consents, or that you have to invest a lot of money to do so, is to misinform and mock the intelligence of the members of the committee.

While not all marketing technology suppliers are up to regulatory compliance standards (a consequence of inadequate educational work on behalf of the CRTC regarding CASL), there are already several solutions available to manage and document different types of consent.

Providers, such as Dialogue Insight, iTracMarketer and Cyberimpact for mass mailings or emailChecker and CASL Cure for individual emails, all offer practical solutions tailored to all sizes of businesses, with costs that go from ten dollars to a few hundred a month.

A plethora of alternative facts

At a time when everyone is concerned about the phenomenon of “fake news” and its impact on society, it is impressive to see the number of “alternative facts” than the lobbyists delivered to the members of Parliament.

For example, Ms. Aïsha Fournier Diallo, Senior Legal Advisor at Desjardins General Insurance Group, daftly stated that CASL prevents her from sending SMSs to VISA Desjardins clients, informing them of their credit limit, or from sending password reset emails to customers.

Even Barry Sookman, senior partner of McCarthy Tétrault and considered a top figure in the field, gave testimony that could cast doubt on his credibility. He stated that CASL had no impact on fraudsters. In fact, because of CASL, the CRTC was able to dismantle an international network of cyber-pirates who sent out malware affecting millions of computers around the world.

He went on to illustrate the excessive nature CASL, by explaining that it prohibits a teenager from offering babysitting services to neighbors or prohibits a person from recommending their dentist to a friend. When deputy Eva Nassif challenged him, he acknowledged the exaggerated nature of his examples.

Me Sookman went on to talk about the perils that CASL causes to Canadians by referring to a National Post article, whereby American television game show Jeopardy had banned Canadian candidates specifically because of CASL. The producers of the show have since denied this fake news and indicated that Canadian candidates were never banned from the show, but that applications were simply suspended to take the time necessary to adapt its form to Canadian regulations.

Mr. Sookman even attempted to persuade the Honourable Maxime Bernier, (who addressed the fact that politicians should be held accountable under CASL) that if CASL applied to politicians, Mr. Bernier would not have been legally allowed to send messages to his list of 65,000 supporters during the Conservative Party’s leadership race. A false assertion because those 65,000 people subscribed to Maxime Bernier’s list to receive those messages.

Ignoring the real problems

What is most damaging in these testimonies and discourses, intended to represent the interests of businesses, is that the real issues and problems are ignored.

CASL and its enforcement by the CRTC pose real problems for SMBs, but at the same time, it’s an opportunity for businesses to improve their digital communications. Among these problems are:

  • The restrictive interpretation of rules by the CRTC
  • The numerous frequent situations still missing guidance from CRTC
  • The lack of clarity in the definition of commercial electronic messages
  • The challenge of documenting verbal consents
  • The lack of data on the volume of spam and its evolution
  • The lack of collaboration with Internet service providers
  • Etc.

We need a marketer in the room!

Having listened to the testimonies and debates of this session many times over, I’ve come to two conclusions:

1) Speakers, unfortunately, spent most of their time showing bad faith by demonizing CASL instead of using it to expose the real issues that affect businesses, so that members of Parliament can put in place solutions.

2) Entrusting the defense of digital and email marketing to lobbyists and lawyers who have no expertise in the field of email marketing is not the best way to improve CASL’s areas of contention, nor does it benefit companies, in particular, SMEs.

It’s time to start thinking about this law in terms of clear rules that make sense from a variety of angles and perspectives.

CASL’s first Parliamentary Review Session

The House of Commons Standing Committee on Industry, Science and Technology began yesterday their review of the Canadian Anti-Spam Law. The CRTC launched the presentation by addressing those key areas that are of concern to Parliamentary deputies. Little news has been made available to the public, but we’ve been on the watch and below you’ll find highlights from the review.

A questionable discretion

Considering that this law is the one that generates the most complaints from consumers, that it has been decried and actively challenged for years by lobbyists since its adoption seven years ago, it’s surprising that this review process was not publicly announced.

In fact, the only place where information has been disclosed is on the Committee’s agenda, which is generally followed only by professional lobbyists. However, given the importance of this legislation, and how much it affects ALL Canadian businesses, it was expected that this process would have been publicly announced, at least to those organizations concerned, to allow them to prepare for the Committee’s reflection.

One has to wonder what’s with all the discretion.

Department officials’ and the CRTC’s opening remarks

The first session was devoted to the hearing of department officials:

  • Mark Schaan, Director General, Marketplace Framework Policy Branch, Innovation, Science, and Economic Development Canada
  • Charles Taillefer, Director of Digital Transformation Service Sector in the Privacy and Data Protection Policy Branch, for Innovation, Science, and Economic Development Canada

Followed by CRTC officials:

In his address, Mr. Schaan gave a brief history of the law. He affirmed the law’s effectiveness and went on to say that spam has been reduced by more than one-third in Canada, explaining the importance of this legislation for the development of e-business in Canada.

The floor was then given to the CRTC. In his speech, Mr. Harroun cited the various enforcement mechanisms used to apply CASL, ranging from warning letters to administrative monetary penalties, to notices of violation and commitments.

He then highlighted the CRTC’s public education and awareness efforts, in particular for businesses, indicating that a total of 6 conferences were held in Toronto last May that reached 1,200 companies. One deputy member reminded him that Canada was not limited to Toronto. Finally, he explained the work done by the CRTC at the international level to develop collaborative agreements with the authorities of several other countries.

Requests for information are evolving

In response to the Committee’s first question, Mr. Harroun argued that requests for information received by the CRTC from businesses are increasingly about the development of compliance programs. While in 2014, the questions were more about the concept of consent and unsubscribe links. He then went on to stress the effectiveness of the various penalties that the CRTC can impose on companies.

The Private Right of Action

On June 7th, Minister Bains announced that he was temporarily suspending the private right of action (PRA), which was to begin on July 1, 2017, pending parliamentary scrutiny of CASL. It was therefore normal that the implementation of this right of appeal was the subject of several questions by members of the Committee.

These questions allowed Mr. Schaan to explain why the department had decided to suspend the PRA.

In particular, he explained that the main reasons are the risk of multiplying costly class action suits and the fact that there are still many gray areas concerning CASL compliance.

The CRTC, for its part, insisted that the PRA is an important enforcement tool and that similar measures are already present in the legislation of several countries, in particular, the United States, Australia, and the United Kingdom.

Already more than 1.1 million registered complaints

Mr. Barrat indicated that the CRTC has already registered more than 1.1 million complaints in its spam reporting center, which is the primary source used for investigations. And that complaints continue to enter at a rate of 5,000 per week. He also noted that complaints result from the activities of all industrial sectors and all sizes of businesses including the not-for-profit sector.

CASL is effective

As the committee continued, Mr. Schaan demonstrated the effectiveness of CASL by citing various independent reports. He referred to a US report showing that one year after the Act came into force, the number of emails received by Canadians decreased by 29%, and the volume of spam from Canada fell by 37%. He also cited a study done by Ipsos on behalf of CIRA showing that by October 2014, 62% of Canadians were aware of CASL and believe in its effectiveness. In fact, 84% of them had already taken advantage of it to reduce the volume of commercial messages they received. For their part, 49% of companies felt that the Canadian Anti-Spam Act Law had no impact on their marketing, 23% felt that the impact was minimal and 27% said they had a significant impact.

Mr. Schaan pointed out that Canada was one of the top 5 countries for generating spam. But since the passing of the bill, Canada is not even in the top 10.

The RCMP called in for collaboration

In a question on the means used to manage the international dimension of spam arriving in Canada, the CRTC explained that cooperation and agreements with authorities in other countries were increasing and that there was no particular difficulty at this level. However, he stressed that he doesn’t receive similar collaboration locally, particularly with the RCMP. He indicated help from them would be beneficial in enforcing CASL.

More than 30 completed investigations

The CRTC indicated that during the grace period it completed more than 30 investigations, of which only six have been made public to date. All other investigations are still in the process of negotiating commitments with collaborating companies. Some of the complaints received at the spam notification center are shared with the RCMP for criminal investigations to be conducted.

CASL as a benchmark

Witnesses indicated that the notion of consent as defined in the Canadian Anti-Spam Law is the benchmark for the ongoing revision of the Personal Information Protection and Electronic Documents Act currently being conducted by the Privacy Commissioner.

Meanwhile, MPs have made many parallels between the rules of CASL and that of the National Do Not Call List’s Rules, which is enforced by the same CRTC’s team and generates more than one hundred investigations per year for half the number of complaints received under CASL.

The CRTC is unable to provide numbers

A curious fact to note is that with each question relating to numbers and complaints or investigations, the CRTC was unable to answer. This was also the case when asked about the industrial sectors that generated the most complaints, the number of investigations and fines, and the types of complaints received.

When the Honourable Maxime Bernier inquired about the financial impact on businesses of becoming compliant, the CRTC was still unable to provide even estimates.

—–

You can listen to the full recording of the exchanges on the committee’s website until the transcription is published. Until then, we are currently taking steps to obtain the dates and participants of the next sessions, as well as to take part in the debates to present the point of view based on the dozens of SMBs in Quebec that we have already helped to implement CASL compliance programs.

 

CASL: First Fine To A Corporate Executive

The CRTC announced that Ghassan Halazon has paid, as an individual, a fine of $10,000 to relieve himself of his responsibilities as CEO, in violations of the Canadian Anti-Spam Law (CASL) committed by the company he ran at the time. This is the first time a corporate executive has been fined, and there are several lessons to be learned.

Enforcement of CASL is toughening up

Several observers misinterpreted the government’s decision to postpone the right to civil and collective redress at the end of 2017, as a sign of easing of the application of CASL. This is not the situation and Halazon’s case demonstrates this.

The CRTC has always stated that the three transitory years that companies had to implement their compliance program was sufficient and that those who have not yet done so have no excuse. In fact, Steven Harroun, the CRTC’s Chief Compliance & Enforcement Officer, said at a recent conference:

Commercial electronic messages are the primary source of what prompts Canadians to report cases that require follow-up investigation — commercial email messages that you or your organisation may be responsible for sending. Email messages account for more than three-quarters of incidents reported to us.

(…) 

Every business should have a compliance program in place to help ensure each commercial message or telemarketing call is compliant. If your practices are ever called into question, a thorough compliance program can help you in a due diligence defence.

(…)

But let me be clear, CASL and Unsolicited Telemarketing Rules are not new. And ignorance is not a defence.

Look at it this way—if I do a U-turn on the 401 and my defence to the police officer who pulls me over is that I did not know I couldn’t make a U-turn, I’m still getting the ticket.

The same applies if violations under these laws have been determined. There will be consequences, which could include administrative monetary penalties and the obligation to implement compliance programs. At best. And, at worst, public shaming that will keep your public relations department busy for a long time.

The message is clear, very quickly, several penalties a year will jump to several fines per month, as was the case with the National DNCL, another organisation regulated by the CRTC.

Why was Mr. Halazon fined?

In 2009, Mr. Halazon founded Cough Commerce, the company that launched TeamBuy.ca in 2010 and bought Dealfind.ca in 2013. Unfortunately, the merger wasn’t successful, and the company had to file for bankruptcy protection on August 29, 2014. Halazon’s business was then bought on September 24, 2014, by nCrowd, an American company specialising in bundle purchases.

Nevertheless, according to the CRTC, between July 2 and September 9, 2014, TeamBuy violated CASL, by sending several emails with a withdrawal mechanism that was not functioning well or was too complicated. Ghassan Halazon being at the time CEO of the company was found personally responsible under section 31 of the Act, which states that:

Directors, officers, etc., of corporations

31 An officer, director, agent or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorised, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against.

C-level, directors, managers, administrators are all personally liable

Section 31, on which Halazon’s fine is based, is one of the many provisions of CASL that few people know about nor is it discussed by the media. It’s unfortunate, because corporate protection under this section is removed, and thus makes individuals such as directors, managers, administrators, etc. personally responsible for CASL violations.

The CRTC’s Chief Compliance and Enforcement Officer has made this clear in a recent statement:

Receipt of commercial emails is the primary source of complaints from Canadians who report cases requiring follow-up investigations, and you or your organisation may be held responsible for sending these commercial emails. 

The CRTC’s adamant actions…

Canada’s Anti-Spam Legislation came into force on July 1, 2014, and TeamBuy went bankrupt two months later. Yet, the CRTC investigated this case, for almost three years, for emails sent over a very short period. This unyielding behaviour runs counter to much of the CRTC’s reassuring PR speeches. What their actions do seem to mean is that:

  • That the notion of transition period is not taken into consideration and that the CRTC expects companies to have been compliant since July 2, 2014,
  • Their enforcement is not solely for the goal of compliance, but for punishment,
  • Everyone, at any time, past or present, is at risk of being fined.

Another surprising move by the CRTC

It is also surprising to note that while the case file was concluded on June 12, 2017, the CRTC waited until Friday afternoon to publish this news on its website, and this without issuing a press release − an approach often used in politics to make sure journalists don’t talk about it. 

Are you insured?

More and more organisations are now taking out liability insurances, commonly referred to as an Errors & Omissions insurance (E&O) to protect their employees. A common practice with NGOs to protect volunteers, but that is now becoming more standard practice for private businesses, in light of CASL.

N.B.: Savvy insurance companies are starting to exclude CASL from their policies if the company can not demonstrate that it has implemented a complete compliance program.

In conclusion

Each decision made and conference given by the CRTC sheds a little more light on their approach regarding investigations and fines. Regardless, the words of the CRTC’s Chief Compliance and Enforcement Officer must be taken seriously:

Each company should have a compliance program to help ensure that every commercial or telemarketing message is compliant. If your practices are challenged one day, a comprehensive compliance program can help you establish a due diligence defence.

Now then, considering that the emails you, your company and your employees sent, or send today can haunt you in the future, it’s more important than ever to protect yourself and to implement a compliance program. Speak with one of our experts for free.

 

CASL Compliance: How badly informed are Canadian and QC firms?

Seven years after its approval by Parliament and three years after it came into force, a Canada-wide survey shows that businesses, small and large, are still confused about CASL compliance, the types of messages it regulates, and the means to protect oneself from fines and lawsuits.

Canadian companies

The study, which was conducted recently by the Direct Marketing Association of Canada (DMAC) and law firm Fasken Martineau DuMoulin LLP, surveyed over 200 individuals directly responsible for CASL compliance of their organisation. Here are some of the highlights from the study:

  • 64% didn’t understand how to make their message CASL compliant beyond consent and an unsubscribe link
  • 46% were unaware that an organisation could be ordered to pay damages
  • 40% of them didn’t know that they can be held personally liable
  • 64% stated that their organisation did not (or didn’t know if their organisation had) a formal compliance policy
  • 63% believed that employees and staff don’t require CASL compliance training
  • 60% indicated that their company never performed a compliance audit

This is quite disconcerting, especially considering that the last 3 points are items required by the CRTC, to be able to defend oneself, should you face an investigation or prosecution.

No better for Quebec SMBs

Although this study was conducted amongst medium to large business in English Canada, a similar study was just recently published surveying Quebec SMBs.

  • Less than 5% of Quebec SMBs comply with CASL
  • More than 75% were unaware that companies could be fined, even if they have explicit consent
  • Only 35% knew that from July 1st, 2017 onwards, companies will be subject to civil or collective redress
  • 40% were surprised to learn that SMBs, as well as individuals, can face the same charges as large companies
  • 38% didn’t know that many QC companies have already been investigated and received fines
  • 1 out of 4 were unaware that CASL regulates individual emails, as well as text and social media messages

The CRTC’s shortcomings

Although the CRTC enforces CASL, informing and educating businesses is their greatest shortcoming. An article exists to help companies defend themselves, but it must meet the CRTC’s eight required categories. However, finding these requirements on an official website is very difficult.

The regulatory body does give presentations, but for the moment, it is almost exclusively to large law firms in Toronto. Unfortunately, 97% of Canadian companies are small businesses that can’t afford to do business with these big firms.

What can you do for yourself?

Canadian law states that “no one is supposed to ignore the law“.

A compliance program is also the only way to protect you and your business, and your employees, from tens or even hundreds of thousands of dollars in fines and legal fees.

So what do you do? You don’t want to stop your email marketing activities because it’s the top digital performer when it comes to ROI. We’ve done the calculations and penny for penny, all things considered, even a small investment in a compliance program is better than no investment at all.

 

 

1M Complaints: Insights into the CRTC’s investigation process

In the last 36 months, the CRTC received just over 922 262 complaints under CASL, representing more than 300,000 complaints a year! Demonstrating, that many Canadians support this legislation, and increasing continue to do so.

 

Près d'un million de plaintes pour la Loi Canadienne anti-pourriel

 

As the chart above shows, the daily volume of complaints has been growing steadily for over a year, exceeding 1,000 complaints per day since October 2016.

Mainly email, but text and instant message complaints are fast on the rise

According to the CRTC, email accounts for roughly two-thirds of complaints and SMS a good third. On the other hand, while the number of accusations about non-compliant emails has decreased by almost 10% in the past year, SMS denunciations have more than doubled. Additionally, although they represent only a tiny fraction of the total, instant message complaints are also growing.

Consent issues represent approximately two-thirds of the complaints received, but their growth is lower than for content or misleading subject claims that have increased by 60% over the past year. This suggests that the Competition Bureau, which handles these types of complaints, will continue to distribute heavy fines like it’s it’s done so with Budget, Avis and Amazon.

How cases are selected

In a presentation to IAB Canada in Spring 2017, the CRTC has stated that considering the international scope of spam, it has already entered into collaborative arrangements with the authorities of a dozen countries, including the United States, the United Kingdom, Australia, and the Netherlands.

These agreements are bilateral, meaning that the authorities exchange information with each other to initiate investigations, to investigate them further, or to prosecute and punish the perpetrators.

 

 

Although the CRTC didn’t share the criteria on which it relied to prompt past cases, they did explain that their investigations are triggered, not only by the data provided by their international and industry partners but also by the messages and information they receive at specific addresses on different websites. Commonly referred to as “Honeypots”.

What happens next?

When the CRTC conducts an inquiry, one of the first things it does, more often than not, is to send the company a request for information to be supported by the appropriate documentation. For example, in the context of “consent”, the CRTC will require the company to provide proof of consent of all persons to whom the company has sent emails to, for a particular period. This includes:

  • The type of consent (explicit or implied)
  • The date of consent
  • The information held on the person
  • A CSV file with the justificatory pieces for each consent
  • The company’s privacy policy
  • Database management guidelines for contacts
  • Electronic communication policies
  • Screenshots of subscription forms
  • etc.

Incontestably, documentation is crucial, yet it’s one of the least known aspects of Canada’s Anti-Spam Law. Without it, you are quite sure to be found guilty.

When you get a notice of violation…

When the CRTC has completed its investigation, it sends a notice of violation. The company then has 30 days to negotiate a voluntary commitment agreement.

A voluntary undertaking is not an admission of guilt, but rather is a negotiated settlement that includes an immediate payment as well as a commitment to take a series of steps to correct the alleged violations.  This includes establishing a comprehensive compliance program and implementing it.

To negotiate the terms of the voluntary agreement, you will need to document the steps you took to comply with CASL and to demonstrate your financial limitations. (It goes without saying that it is dangerous to conduct such negotiations without the support of an—expensive—lawyer specialised and experienced in negotiations with the CRTC.)

If you refuse to sign a voluntary agreement, you’ll receive a much bigger penalty, one that can be contested in the Court of Appeal, if you have the financial means to do so. That’s why, so far, all but one offender, CompuFinder, have committed to settlements and immediately paid the amounts negotiated with the CRTC.

The CRTC revealed that they don’t have a grid to determine penalty amounts. Primarily because of 1) the complexity of CASL, 2) the criteria relevant to each case, and 3) the need to be flexible enough to ensure that the fines are sufficiently dissuasive to be effective without putting companies into bankruptcy.

Les amendes infligées par le CRTC en vertu de la Loi Canadienne anti-pourrielSome of the  fines imposed by the CRTC under CASL

The compliance program is a requirement

The compliance program imposed in the voluntary commitment agreement is, according to the CRTC, the centrepiece of ensuring that a company no longer violates the Canada’s Anti-Spam Law.

In fact, for the CRTC, fines and voluntary commitments are in essence a means of encouraging ALL BUSINESSES to develop a compliance program that complies with its requirements.

(By the way, you’ll have greater peace of mind and save money if you implement a compliance program with Certimail, before any possible investigation than under the direct supervision of the CRTC.)

Worried about being investigated?

For people who have hidden a part of their wealth in a tax haven, but confess it to the tax authorities before the situation gets discovered, their chances of paying a fine or being penalised are minimal. The CRTC offers a similar opportunity under Canada’s Anti-Spam Legislation.

If you suddenly realise that your business has violated Canada’s Anti-Spam Legislation, you can contact the CRTC as part of its “voluntary disclosure” process.

Although the CRTC doesn’t guarantee that you won’t have a penalty to pay, it promises to be gentle in the handling your file. It will advise you on the best ways to permanently correct your situation with the mandatory compliance program.

The only requirement imposed by the CRTC is that you identify ALL the violations in your original statement. This implies that you must conduct a thorough audit to determine all breaches of compliance.

**Any violation discovered during the voluntary disclosure that was not reported in the original statement will be excluded from the declaration and sanctioned as if it had been found during a typical investigation.**

July 1st has come and gone, an audit and voluntary disclosure are the very minimums of protection. Ultimately though, a compliance program is mandatory and is your best protection.

 

IMPORTANT: CASL is NOT just an anti-spam law!

Combining the term “CASL” along with “Anti-Spam” when talking about email marketing, has created significant confusion affecting many businesses and organisations.

In practice, true anti-spam legislation would only affect activities considered spam (i.e., mass mailings of promotional content). CASL regulates, not just mass mailings but ANY electronic message sent in a commercial context, regardless of the number of recipients and the presence, or absence, of promotional content.

CASL’s official definition

“CASL” is not another term to represent “anti-spam. The Canadian Anti-Spam Legislation is defined as follows: “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act” (S.C. 2010, c. 23).

This definition explains that the purpose of the Act is to promote the development of e-businesses in a context of consumer confidence.

The act as defined automatically amends and modifies four important pieces of legislation − 1) the Canadian Radio-television and Telecommunications Commission Act, 2) the Competition Act, 3) the Personal Information Protection and Electronic Documents Act and 4) the Telecommunications Act.

CASL governs ALL your business emails

Since the act’s passing, studies have shown that Canadians are receiving less spam. In addition, because of renewed consumer confidence, open and click-through rates are on the rise again.

Unfortunately, though, too many companies have, wrongly, reduced their email marketing activities to avoid fines and prosecution. Even if you don’t send any newsletters or email promotions, you are still at risk of violating the Act and can face fines or even a lawsuit. This is because CASL applies to, and is in place to regulate, ALL electronic messages sent in a commercial context, not just promotional emails. This includes single emails that employees send throughout the day to potential clients, partners, and associates. As well as, newsletters, text messages, social media messages, etc.

Often when we discuss CASL with business owners or marketers, they’ll spontaneously list the steps they’ve taken to make their newsletters compliant. One has set up a subscription form; another uses an email platform to have an automatic “unsubscribe” link at the bottom of their newsletters. But when we ask them what they’ve done, so that the commercial emails that their employees send throughout the day are also compliant, they are confused and have no answers. Unless you are an NGO or political party, you can assume that 99% of all the messages that are sent by your business and employees are regulated by CASL.

One hundred rules that each message must respect

There are in fact 100 rules that ALL electronic messages (email, newsletters, text and social media messages, etc.) must comply with. Items include prior consent, the message’s content, sender identification, withdrawal mechanism rather than its presentation, etc.

For example, some companies are aware that their individual emails must also comply with CASL. However, they only think about consent requirements and completely forget, or are simply not aware, that these emails also require a withdrawal mechanism (ex.: “If you do not want to receive commercial messages from our company, please let us know by replying to this message“). If such a withdrawal mechanism is not indicated and included, then your emails violate the act.

Canada’s Anti-Spam Legislation is so complicated, and at times vague, that it’s almost impossible to be totally compliant. However, if you follow rigorous steps to be compliant and set-up a program, you will most likely avoid fines and prosecution. Consider it like a protection program or a license to communicate electronically.

How to protect yourself against fines and trials

Given the complexity of the Act, Parliament has provided a defence to protect honest businesses if they’ve done their due diligence.

Section 33 (1) of the Act states that No person shall be held liable for a violation if they prove that they have taken all reasonable precautions to prevent its commission”.

This implies that if a company can demonstrate that it has taken the appropriate actions to comply with the Act, they can not receive a fine or be convicted in a trial if the company or employees accidentally violate the Act.

ATTENTION THOUGH: The CRTC has defined that “proper precautions” means putting in place a documented compliance program that meets eight required categories.

Such a compliance program involves verifying the company’s practices and then implementing a written policy and ensuring that all employees respect it on a daily basis in their electronic communications.

The advantage is that as long as the company is in good faith and enforces its policy and compliance mechanisms, this program becomes a license that protects it from fines and lawsuits if ever it accidentally violates the Act.

Now that July 1st, 2017 has passed, the only way to protect yourself from CASL is to quickly implement a compliance program that meets the CRTC’s eight required categories.