Posts

CASL’s first sanction against a foreign company

/0 Comments/in , , , /by

Sanction for the Irish site Ancestry.com

On April 24th, the CRTC announced an undertaking with Ancestry Ireland Unlimited Company (“Ancestry”), which hosts the Ancestry.com website. The latter uses emails to communicate with people registered on its online service, which allows the search for genealogical documents (family history, family trees, historical records, information based on genetic analysis, etc.).

The extraterritorial nature of CASL

This is the first time that a foreign company has been subject to a CRTC sanction in connection with the Canadian Anti-Spam Law (hereinafter CASL). Ancestry is an Irish company with no offices or employees in Canada. The provisions of CASL, however, indicate that it applies to any company that sends messages to Canadian subjects, regardless of the source of the messages.

Similarly, contrary to what many people believe, Canadian companies have to comply with CASL both in their sendouts to Canada and for commercial electronic messages, they send to the rest of the world.

A sanction even if the consents were legal

The CRTC was able to find that Ancestry had obtained valid consents to communicate with its contacts, that its messages contained the mandatory identification information as well as an unsubscribe link.

However, the company was still in the wrong according to the CRTC because their different databases did not synchronize the withdrawal of consents. A customer who unsubscribed from one list continued to receive messages from the other list.

The requirement to synchronize withdrawals of consent

CASL provides that a person must be able to unsubscribe from all commercial electronic messages from the company. In the absence of other choices in the unsubscribe process (ex.: to receive certain types of communications only), the person must by default be excluded from the receipt of all commercial communications.

This requirement of the law can become a concern for many. Indeed, in the majority of companies, there is no synchronization between the mailing lists and the sending of emails themselves, the email sending platforms being separated from CRM or databases. Many companies also often have no way of updating their consent for sending emails via Outlook if someone unsubscribes from their newsletter. Thus, a person could continue to receive communications, despite the fact that in principle, they have unsubscribed from all sendouts.

The compliance program is a must

Ancestry is, by this undertaking, obliged to comply with the Act with respect to the synchronization of its consents. It must therefore unsubscribe and remove from all its commercial communications any person who has indicated this desire, either directly or indirectly, within 10 working days of the request.

The company must also implement a compliance program under CASL which includes: “reviewing and revising current compliance practices […], as well as various other monitoring and auditing measures, including reporting mechanisms to CRTC staff regarding the implementation of the program.”1

Do not be the next company to be sanctioned

If you use an email sendout platform that does not synchronize consent withdrawals with other lists or with your internal email system, you’re in violation of CASL and you may be fined up to several hundreds of thousands of dollars.

If your company is not yet under investigation by one of the CASL enforcement authorities, there is still time to put your compliance program in place and protect yourself before it’s too late.

$1,25M fine for Enterprise, National, and Alamo

/0 Comments/in , , /by

A negotiated fine

Enterprise Rent-A-Car Canada Company, which manages the Enterprise, National, and Alamo car rental companies, has recently agreed to pay, to the Competition Bureau, a $1,25 million fine for sending emails containing misleading promotions, a practice covered by the Canadian Anti-Spam Law (CASL).

The entire industry is targeted

In its press release, the Bureau states as a reminder to companies, that already $5.25 million has been fined to and paid by three other major companies in this industry: $3M paid by Avis Budget following an investigation concluded in March 2015; and Hertz Canada, which also manages Thrifty, was fined $1,25 million in the spring of 2017.

This reminder clearly shows that the Competition Bureau will continue investigating car rental companies, as misleading promotions seems to be a systemic practice. This targeting, of a specific industry, is reminiscent of the CRTC’s investigation with vocational training companies.

Again, consent is not enough

While most companies continue to believe that having consent with regards to their promotional messages is enough be compliant with the Canadian Anti-Spam Law, this fine, once again demonstrates that CASL is much more complex and demanding. In fact, there are around one hundred risks that must be analyzed to ensure that a company is in compliance with CASL. Not only because this law has many articles, but also because CASL touches upon certain articles of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Competition Act.

Moreover, while the fines imposed by the CRTC for issues of “consent” or “unsubscribe” are of the order of a few tens or hundreds of thousands of dollars per company, the fines given by the Competition Bureau due to “message content” is consistently greater than $ 1 million.

The importance of a compliance program

In the Tribunal agreement, Enterprise was required to implement a compliance program under the supervision of the Competition Bureau. While waiting to be investigated to implement its compliance program, Enterprise not only had to pay a hefty fine, but it also had to incur significant legal fees in collaboration with the investigation and to negotiate a settlement, satisfactory to the CRTC.

If your company is not the subject of such an investigation, there is still time to set up your compliance program and protect your business before it’s too late.

CASL: First Fine To A Corporate Executive

/0 Comments/in , , /by

The CRTC announced that Ghassan Halazon has paid, as an individual, a fine of $10,000 to relieve himself of his responsibilities as CEO, in violations of the Canadian Anti-Spam Law (CASL) committed by the company he ran at the time. This is the first time a corporate executive has been fined, and there are several lessons to be learned.

Enforcement of CASL is toughening up

Several observers misinterpreted the government’s decision to postpone the right to civil and collective redress at the end of 2017, as a sign of easing of the application of CASL. This is not the situation and Halazon’s case demonstrates this.

The CRTC has always stated that the three transitory years that companies had to implement their compliance program was sufficient and that those who have not yet done so have no excuse. In fact, Steven Harroun, the CRTC’s Chief Compliance & Enforcement Officer, said at a recent conference:

Commercial electronic messages are the primary source of what prompts Canadians to report cases that require follow-up investigation — commercial email messages that you or your organisation may be responsible for sending. Email messages account for more than three-quarters of incidents reported to us.

(…) 

Every business should have a compliance program in place to help ensure each commercial message or telemarketing call is compliant. If your practices are ever called into question, a thorough compliance program can help you in a due diligence defence.

(…)

But let me be clear, CASL and Unsolicited Telemarketing Rules are not new. And ignorance is not a defence.

Look at it this way—if I do a U-turn on the 401 and my defence to the police officer who pulls me over is that I did not know I couldn’t make a U-turn, I’m still getting the ticket.

The same applies if violations under these laws have been determined. There will be consequences, which could include administrative monetary penalties and the obligation to implement compliance programs. At best. And, at worst, public shaming that will keep your public relations department busy for a long time.

The message is clear, very quickly, several penalties a year will jump to several fines per month, as was the case with the National DNCL, another organisation regulated by the CRTC.

Why was Mr. Halazon fined?

In 2009, Mr. Halazon founded Cough Commerce, the company that launched TeamBuy.ca in 2010 and bought Dealfind.ca in 2013. Unfortunately, the merger wasn’t successful, and the company had to file for bankruptcy protection on August 29, 2014. Halazon’s business was then bought on September 24, 2014, by nCrowd, an American company specialising in bundle purchases.

Nevertheless, according to the CRTC, between July 2 and September 9, 2014, TeamBuy violated CASL, by sending several emails with a withdrawal mechanism that was not functioning well or was too complicated. Ghassan Halazon being at the time CEO of the company was found personally responsible under section 31 of the Act, which states that:

Directors, officers, etc., of corporations

31 An officer, director, agent or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorised, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against.

C-level, directors, managers, administrators are all personally liable

Section 31, on which Halazon’s fine is based, is one of the many provisions of CASL that few people know about nor is it discussed by the media. It’s unfortunate, because corporate protection under this section is removed, and thus makes individuals such as directors, managers, administrators, etc. personally responsible for CASL violations.

The CRTC’s Chief Compliance and Enforcement Officer has made this clear in a recent statement:

Receipt of commercial emails is the primary source of complaints from Canadians who report cases requiring follow-up investigations, and you or your organisation may be held responsible for sending these commercial emails. 

The CRTC’s adamant actions…

Canada’s Anti-Spam Legislation came into force on July 1, 2014, and TeamBuy went bankrupt two months later. Yet, the CRTC investigated this case, for almost three years, for emails sent over a very short period. This unyielding behaviour runs counter to much of the CRTC’s reassuring PR speeches. What their actions do seem to mean is that:

  • That the notion of transition period is not taken into consideration and that the CRTC expects companies to have been compliant since July 2, 2014,
  • Their enforcement is not solely for the goal of compliance, but for punishment,
  • Everyone, at any time, past or present, is at risk of being fined.

Another surprising move by the CRTC

It is also surprising to note that while the case file was concluded on June 12, 2017, the CRTC waited until Friday afternoon to publish this news on its website, and this without issuing a press release − an approach often used in politics to make sure journalists don’t talk about it. 

Are you insured?

More and more organisations are now taking out liability insurances, commonly referred to as an Errors & Omissions insurance (E&O) to protect their employees. A common practice with NGOs to protect volunteers, but that is now becoming more standard practice for private businesses, in light of CASL.

N.B.: Savvy insurance companies are starting to exclude CASL from their policies if the company can not demonstrate that it has implemented a complete compliance program.

In conclusion

Each decision made and conference given by the CRTC sheds a little more light on their approach regarding investigations and fines. Regardless, the words of the CRTC’s Chief Compliance and Enforcement Officer must be taken seriously:

Each company should have a compliance program to help ensure that every commercial or telemarketing message is compliant. If your practices are challenged one day, a comprehensive compliance program can help you establish a due diligence defence.

Now then, considering that the emails you, your company and your employees sent, or send today can haunt you in the future, it’s more important than ever to protect yourself and to implement a compliance program. Speak with one of our experts for free.

 

Hertz & Thrifty to Pay Over One Million in Fines

/0 Comments/in , , /by

$1,25 Million Fine

The Competition Bureau of Canada recently announced that car rental companies, Hertz Canada Limited (Hertz) and Dollar Thrifty Automotive Group Canada Inc. (Thrifty), have agreed to pay a $250,000 fine plus additional fees for sending emails with deceptive promotions—advertised prices in said emails did not include certain mandatory service fees.

Mea Culpa

Upon hearing that the Competition Bureau of Canada was investigating similar practices from their competitors Avis and Budget, Hertz and Thrifty executives voluntarily approached the Bureau to address their own situation. This is probably why the fine of $1.25M is well below the $3M fine plus $250,000 of fees paid by Avis and Budget.

Once Again, Consent & An Unsubscribe Link Are Not Enough

This fine, once again, confirms that simply having the consent of recipients and including an unsubscribe link in one’s newsletters are not enough to be in good standing and to protect one’s self.

In fact, there are nearly a hundred risks that must be analyzed to ensure that a company complies with the Canadian Anti-Spam Law (CASL). CASL amends certain articles of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Competition Act. Thus one has to take these laws into consideration when sending commercial electronic messages.

The Importance of a Compliance Program

Hertz and Thrifty, in their agreement with the Competition Tribunal and in addition to their fines, had to commit to implementing a compliance program under the supervision of the Competition Bureau.

There’s no doubt that, had they been proactive in the implementation of a compliance program before being found at fault, they would have avoided paying such hefty fines (plus all the legal costs associated with their case).

If your business is not yet under investigation, there’s still time to set up your compliance program and protect yourself before it’s too late.

 

 

IMPORTANT: CASL is NOT just an anti-spam law!

/0 Comments/in /by

Combining the term “CASL” along with “Anti-Spam” when talking about email marketing, has created significant confusion affecting many businesses and organisations.

In practice, true anti-spam legislation would only affect activities considered spam (i.e., mass mailings of promotional content). CASL regulates, not just mass mailings but ANY electronic message sent in a commercial context, regardless of the number of recipients and the presence, or absence, of promotional content.

CASL’s official definition

“CASL” is not another term to represent “anti-spam. The Canadian Anti-Spam Legislation is defined as follows: “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act” (S.C. 2010, c. 23).

This definition explains that the purpose of the Act is to promote the development of e-businesses in a context of consumer confidence.

The act as defined automatically amends and modifies four important pieces of legislation − 1) the Canadian Radio-television and Telecommunications Commission Act, 2) the Competition Act, 3) the Personal Information Protection and Electronic Documents Act and 4) the Telecommunications Act.

CASL governs ALL your business emails

Since the act’s passing, studies have shown that Canadians are receiving less spam. In addition, because of renewed consumer confidence, open and click-through rates are on the rise again.

Unfortunately, though, too many companies have, wrongly, reduced their email marketing activities to avoid fines and prosecution. Even if you don’t send any newsletters or email promotions, you are still at risk of violating the Act and can face fines or even a lawsuit. This is because CASL applies to, and is in place to regulate, ALL electronic messages sent in a commercial context, not just promotional emails. This includes single emails that employees send throughout the day to potential clients, partners, and associates. As well as, newsletters, text messages, social media messages, etc.

Often when we discuss CASL with business owners or marketers, they’ll spontaneously list the steps they’ve taken to make their newsletters compliant. One has set up a subscription form; another uses an email platform to have an automatic “unsubscribe” link at the bottom of their newsletters. But when we ask them what they’ve done, so that the commercial emails that their employees send throughout the day are also compliant, they are confused and have no answers. Unless you are an NGO or political party, you can assume that 99% of all the messages that are sent by your business and employees are regulated by CASL.

One hundred rules that each message must respect

There are in fact 100 rules that ALL electronic messages (email, newsletters, text and social media messages, etc.) must comply with. Items include prior consent, the message’s content, sender identification, withdrawal mechanism rather than its presentation, etc.

For example, some companies are aware that their individual emails must also comply with CASL. However, they only think about consent requirements and completely forget, or are simply not aware, that these emails also require a withdrawal mechanism (ex.: “If you do not want to receive commercial messages from our company, please let us know by replying to this message“). If such a withdrawal mechanism is not indicated and included, then your emails violate the act.

Canada’s Anti-Spam Legislation is so complicated, and at times vague, that it’s almost impossible to be totally compliant. However, if you follow rigorous steps to be compliant and set-up a program, you will most likely avoid fines and prosecution. Consider it like a protection program or a license to communicate electronically.

How to protect yourself against fines and trials

Given the complexity of the Act, Parliament has provided a defence to protect honest businesses if they’ve done their due diligence.

Section 33 (1) of the Act states that No person shall be held liable for a violation if they prove that they have taken all reasonable precautions to prevent its commission”.

This implies that if a company can demonstrate that it has taken the appropriate actions to comply with the Act, they can not receive a fine or be convicted in a trial if the company or employees accidentally violate the Act.

ATTENTION THOUGH: The CRTC has defined that “proper precautions” means putting in place a documented compliance program that meets eight required categories.

Such a compliance program involves verifying the company’s practices and then implementing a written policy and ensuring that all employees respect it on a daily basis in their electronic communications.

The advantage is that as long as the company is in good faith and enforces its policy and compliance mechanisms, this program becomes a license that protects it from fines and lawsuits if ever it accidentally violates the Act.

Now that July 1st, 2017 has passed, the only way to protect yourself from CASL is to quickly implement a compliance program that meets the CRTC’s eight required categories.

 

 

 

 

Amazon complies but is still fined $1,1M!

/0 Comments/in , , , /by

Amazon’s emails complied with three essential principles of the Anti-Spam Act:

  1. Amazon sent messages only to those with whom it had consent,
  2. Each email contained a straightforward and efficient unsubscribe mechanism,
  3. Information to identify and contact the business (company name, mailing address and phone) was indicated.

So, why did Amazon agreed to pay a penalty of $1 million and the sum of $100,000 for certain investigative expenses incurred by a government regulator?

The devil is in the details

Although Amazon complied with the three top items of Canada’s Anti-Spam Law, there are still 53 pages of details and guidelines in the Act. In fact, after analysing the Act with marketing communications specialists and researchers at Université de Montréal’s Faculty of Law over the course of several months, we’ve identified more than 150 compliance risks for businesses.

For example, 99% of emails sent by a business are commercial, so they must comply with the Anti-Spam Act. This includes individual business emails. Do your emails have an unsubscribe mechanism? Your newsletters I’m sure do, but probably not your individual ones. Yet, it’s mandatory.

Canada’s Anti-Spam Law applies to four pieces of Legislation

The act is defined as follows: “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the 1) Canadian Radio-television and Telecommunications Commission Act, 2) the Competition Act, 3) the Personal Information Protection and Electronic Documents Act and 4) the Telecommunications Act” (S.C. 2010, c. 23).

Many SMBs are simply not aware of the reach of this legislation. It’s not just an anti-spam act; it’s a true code of “electronic” conduct for businesses. Additionally, journalists and commentators, regularly talk about the CRTC’s role in enforcing this act, but often omit the Competition Bureau’s (and other regulatory bodies’) involvement.

For example, if you violate one of the Competition Bureau’s articles through an email communication, you will be fined, and heavily. Note carefully; fines can reach up to $10 million when a violation is done via email.

The case of Amazon

Canada’s Competition Bureau stated, “With the adoption of Canada’s Anti‑Spam Legislation, provisions were added to the Competition Act to provide additional tools for addressing false or misleading representations in all forms of electronic messages. The Bureau’s investigation into Amazon’s price advertising was made per these provisions.”

So, because Amazon was promoting prices, by referring to savings in relationship to list prices, they were fined.

Amazon complies but is still fined $1,1 MIL!

Amazon complies but is still fined $1,1M for misleading pricing.

As indicated by the Competition Bureau, “Amazon often compared its prices to a regular price—or “List Price”— signaling attractive savings to consumers. The Bureau’s investigation concluded that these claims created the impression that prices for items offered on www.amazon.ca were lower than prevailing market prices. The Bureau determined that Amazon relied on its suppliers to provide list prices without verifying that those prices were accurate.

Although it’s primarily on Amazon.ca that these type of promotions are found, the Competition Bureau was able to convict Amazon because the company had communicated these promotions by email.

Not a first for the Competition Bureau

The case of Amazon is not the Competition Bureau’s first fine under CASL. They’ve already gone after car rental companies Avis and Budget for hiding certain mandatory fees in posted promotional pricing.

Additionally, the Competition Bureau said that it’s been documenting these situations since 2009 and fighting for years to prevent these types of practices. But it was only with the arrival of CASL that it finally had the means to do so.

The case of Avis and Budget pending before the Competition Tribunal was settled by the companies’ consent to pay $3M in fines and $250,000 in compensation to the Bureau. 

The mandatory compliance program is your only real protection

As these examples here illustrate, it’s almost impossible to be confident that you’ll never violate CASL, especially since many details of the Act are very vague and will only be clarified by actual cases in years to come.

It’s for this particularity that Parliament has provided in the Act a means to protect ones-self: if a business (or individual) can demonstrate that it has acted diligently to comply with the Act, it will be immune from sanctions. To “act diligently” means to have a compliance program that meets the CRTC’s eight requirements.

 

 

 

William Rapanos receives $15,000 in fines for emails sent in 2014!

/0 Comments/in , /by

In early 2017, the CRTC, for the first time, issued a fine to a single individual, and not a company.

William Rapanos (a.k.a. Bill Rapanos) a businessman and marketer from Toronto now living in B.C., was fined $15,000 for sending 58 emails contravening Canada’s Anti-Spam Law between July and October 2014.

This case is a huge lesson regarding the severity with which the CRTC enforces this law. Consider yourself warned.

Quite simply, CASL applies to non-business owners

One of the many elements of the Canadian Anti-Spam Legislation but that is little known to the public, is the fact that this act applies to individuals. The legislator clearly indicated this by specifying in the Act that the maximum penalties under this law are $10M for corporations and $1M for individuals.

It wasn’t Rapanos’ company that received the fine, but he himself, making him the first Canadian to be fined as an individual for a violation of Canada’s Anti-Spam Law.

This is important because it confirms that you don’t have to be a business owner, to be subject to Canada’s Anti-Spam Law.

For example, take the situation of a person who sends an email to their contact list to announce the sale of their used car on Craiglist; this type of email is considered a commercial email. The person sending this email can face a fine and prosecution if they don’t meet the many requirements of the law. Yikes!

Your older messages can still come to haunt you

Rapanos’ offences were committed during July and October 2014. During this time CASL had just come into force, but it wasn’t until April 22, 2016, nearly two years later, that the CRTC sent him a “notice of violation”.

In fact, the anti-spam legislation stipulates that you can file a complaint, or initiate a lawsuit for damages, up to three years after receiving a non-compliant message.

However, the CRTC can go as far back as they want to (up to July 1st, 2014) to investigate you. They can go three, four, five, ten years in the past to inquire about a company’s practices, or you.

This means that if you don’t have a compliance program in place or have committed to a “voluntary disclosure”, you can be subjected to fines or lawsuits, even if you stop sending emails and other electronic messages.

Investigations are not decided on the number of emails sent or complaints received

The $15,000 fine Rapanos received concerned only 58 emails sent over a period of four months, not 58,000, not 580 but 58. That’s less than 15 per month!

So imagine the several hundreds of thousands of complaints among the thousands of companies reported to the CRTC.

Everyone is in the CRTC radar. For example, Vancouver start-up Pof Media (PM) had to pay a fine of $48,000, even if the CRTC only received 70 complaints amongst the millions of weekly emails sent to PM members.

This confirms what the CRTC has always said, “the number of complaints it receives is not an essential factor for initiating an investigation”.

No one is safe, and presumably, the CRTC is taking stern action to make sure everyone implements a compliance program.

If you try to hide, you will eventually be found

In its decision, the CRTC emphasised that it requested and obtained the following information during their investigation:

  • Log files of the registrar who managed the addresses (DNS) of the website (firstunitedpartners.com) to which the emails pointed to
  • IP addresses of the ISP used to register and administer the site, provided by Bell
  • Telephone numbers used to register the domain name, provided by WIND and 7eleven Canada

Clearly, they are savvy in identifying and tracking offenders.

There is no presumption of innocence

It gets even more intense… The CRTC has confirmed that under the Administrative Monetary Penalties (AMP / SAP), the official name of its fines, the right to the presumption of innocence does not apply because its investigations are not “criminal proceedings”. Another little-known fact of Canada’s Anti-Spam Law amongst the majority of Canadians.

So remember, if you are the victim of an investigation, and challenge the decision before the Court of Appeal, you must provide proof of your innocence (and also bear the cost of an appeal).

The only defence that can be used is that of due diligence, which means that A) you have a compliance program that meets the CRTC’s eight requirements or B) you’ve submitted a “voluntary disclosure” along with the required comprehensive audit.

 

 

The Dangers of Implied Consent: Blackstone fined $50K

/0 Comments/in , /by

October 26, 2016, after close to two years of back and forth, the CRTC issued a Compliance and Enforcement Decision finding that Blackstone Learning Corp. violated Canada’s Anti-Spam Law (CASL) by sending commercial electronic messages (CEM) without consent. The initial penalty was calculated at $640,000 but was later adjusted to $50,000.

The notice of violation related to nine email campaigns, totally 385,668 messages, sent between July 9th and September 18th, 2014, to employees at twenty-five Canadian federal and provincial government organisations. The email campaigns resulted in at least 60 complaints to the CRTC’s Spam Reporting Centre.

When the CRTC began their investigation, Blackstone refused to cooperate, and when they received their notice of violation, on January 30, 2015, Blackstone appealed.

Blackstone argued that it had not violated CASL’s because it had implied consent to send the emails and that the penalty of $640,000 was unreasonably high.

Publically available email addresses

This is where it gets tricky. Blackstone’s defence was that the recipients’ email addresses were “conspicuously published” (i.e.: publically available email addresses).

However, the CRTC stated:

“the conspicuous publication exemption and the requirements thereof set out in paragraph 10(9)(b) of the Act set a higher standard than the simple public availability of electronic addresses”.

To meet the conspicuous publication exemption:

  • The electronic address must not be accompanied by a message specifically outlining that the individual does not want to receive unsolicited commercial messages.
  • The message must be relevant to the person’s business, role, functions, or duties in a business or official capacity.

The CRTC further clarified,

“the way that the email address is published, such as on the company’s website or through a third party, must lead to a reasonable understanding of consent to receive the type of commercial electronic message being sent“.

This is a significant argument of one of the few CASL exemptions. While public addresses may qualify for implied consent this “does not provide persons sending commercial electronic messages [CEMs] with a broad licence to contact any electronic address they find online”.

Why was the fine reduced

In considering an appropriate Penalty, the CRTC took into account the following considerations:

  • Purpose of the penalty: The Commission stated that the amount must be high enough to promote changes in behaviour, in effect a second chance, but not too high to put a person out of business (as this would negate any second chance).
  • Nature and scope of the violations: While almost 400,000 non-compliant messages were sent that disrupted the recipients and prompted at least 60 complaints to the Spam Reporting Centre; the violations took place only over a period of two months. The CRTC concluded that a penalty of $640,000 would be too high.
  • Ability to pay: After finally receiving Blackstone financial statements, it was evident that a penalty of $640,000 would significantly exceed Blackstone’s ability to pay.
  • Other factors – cooperation and self-correction: Blackstone’s failure to cooperate with the investigation increased the need for a penalty to ensure future compliance. However, the Commission saw some possibility of “self-correction” going forward and felt that a lower fine would be appropriate.

Based on these factors, the CRTC determined that a Penalty of $50,000 was a reasonable amount to encourage Blackstone to comply with CASL.

Lessons learned

Be careful if your email messages rely on an exception. Implied consent is evaluated on a case-by-case basis.  Under CASL, the sender must prove consent.  The CRTC “stress[es] the importance of detailed and adequate record-keeping for this reason.

Lastly, this case is an excellent example, as to why having a risk analysis (audit) as required by the CRTC is so important. A properly implemented compliance program will validate the way consents are collected and managed. This ensures that you are protected in case of an accidental violation.

Kellogg to Pay $60,000 for Mishandlings by a Third-Party & Lack of Records

/0 Comments/in , , /by

Last week the CRTC published an undertaking made by Kellogg Canada Inc. to pay a $60,000 fine after violating Canada’s Anti-Spam Law (CASL). A third party sent promotional email messages to recipients on behalf of Kellogg’s from October 1 to December 16, 2014. Apparently, Kellogg did have consent but was unable to provide records and proof. Without the proper documentation, the CRTC determined that these messages were sent without express or implied consent.

This case is a caution that companies need to ensure that their service providers comply fully with CASL. This judgement also stresses the importance of a company to have a compliance program in place, that meets the CRTC’s eight requirements, including proper record-keeping.

This means you must be able to, at all times, provide to the authorities a list of all the persons to whom you have sent electronic communications to during the last three years. You must supply proof of consent, that includes the date of consent for each one of your contacts, as well as transcripts of all the messages you sent to each contact.

Through the implementation of a proper compliance program, Kellogg has committed to review and revise its written policies and procedures, update its training programs to address CASL obligations, track CASL complaints and their resolution, and update its auditing mechanisms to assess compliance.

In a statement to ITBusiness.ca, Kellogg said, “We are aware and disappointed in our company’s alleged violation of Canada’s anti-spam legislation as it relates to commercial electronic messages sent by our third-party suppliers on behalf of Kellogg Canada in late 2014. … At Kellogg, consumers are at the heart of all we do, and we will continue to earn their trust and demonstrate a commitment to integrity and ethics each and every day.”

Note that service providers can be held accountable. Although it was not the case with Kellogg’s, the third party in this situation could have been fined for not respecting CASL, and/or Kellogg’s could have sued their third party supplier.

Update May 16th, 2017: This morning, IAB Canada invited two CRTC enforcement officers to Toronto, Kelly-Anne Smith, Legal Counsel, and Dana-Lynn Wood, Senior Enforcement Officer, to present the status of CASL enforcement. 

The CRTC has explained, in reference to the responsibility of agencies and technology platforms, that if the providers are involved in the content of the message, they may be held jointly liable for violations of Canada’s Anti-Spam Legislation. Learn more about what changes July 1st, 2017 here.

Violations of CASL can result in penalties up to $1 million per violation for individuals and up to $10 million per violation for organisations. Businesses, representatives, employees, officers, directors, and administrators can all be held personally liable and forced to pay a fine. A compliance program is your only defence. Click here to learn more about all the requirements.

 

CASL Fines: Rogers Media Pays $200K

/in , /by

The CRTC announced that Rogers Media, a subsidiary of the Rogers Communications group, has been fined $200,000 for violating the Canada’s Anti-Spam Law.

Sloppy unsubscribe mechanisms

The allegations against Rogers Media are related to non-compliant (i.e.: mismanaged) unsubscribe mechanisms in their commercial electronic messages.

Rogers Media agreed that its unsubscribe links did not always work, were not always easy to activate, and sometimes did not remain active for the required 60-days after the commercial message was sent. Rogers Media also acknowledged that unsubscribes were not always completed within the 10-day grace period.

It should be noted that Rogers Media was not fined for sending commercial messages to people who had not provided consent, like many other companies that were penalised by the CRTC, but only for the mismanagement of their unsubscribe mechanisms.

Total fines rise to nearly $31.5M

This file brings the total amount of fines issued by the CRTC to $1,498,000 plus the $30M in fines imposed by the Competition Bureau for a total of $31,498,000 in penalties under CASL.

SMBs represent 60% of the CRTC’s cases investigated under the Canadian Anti-Spam Act.

The fines released today include:

  • Compu-Finder, a Quebec SMB from Morin Heights, Quebec, fined $ 1.1M
  • Plentyoffish Media, a Vancouver-British Columbia SMB, fined $48,000
  • Avis, Budget, and AvisBudget Group, Toronto, Ontario received $10 million in fines each
  • Porter Airlines, Toronto to Ontario fined $150,000
  • Rogers Media, Toronto, Ontario, fined $200,000

Since the CRTC is not required to disclose all the details of its cases and/or investigations, other companies may have also have been fined for unknown amounts. (Are you one of them? We want to hear from you.)

Your only defence…

The only defence that the Act offers businesses is that of due diligence through the implementation of a compliance program that meets the CRTC’s eight requirements.