Posts

CASL: First Fine To A Corporate Executive

The CRTC announced that Ghassan Halazon has paid, as an individual, a fine of $10,000 to relieve himself of his responsibilities as CEO, in violations of the Canadian Anti-Spam Law (CASL) committed by the company he ran at the time. This is the first time a corporate executive has been fined, and there are several lessons to be learned.

Enforcement of CASL is toughening up

Several observers misinterpreted the government’s decision to postpone the right to civil and collective redress at the end of 2017, as a sign of easing of the application of CASL. This is not the situation and Halazon’s case demonstrates this.

The CRTC has always stated that the three transitory years that companies had to implement their compliance program was sufficient and that those who have not yet done so have no excuse. In fact, Steven Harroun, the CRTC’s Chief Compliance & Enforcement Officer, said at a recent conference:

Commercial electronic messages are the primary source of what prompts Canadians to report cases that require follow-up investigation — commercial email messages that you or your organisation may be responsible for sending. Email messages account for more than three-quarters of incidents reported to us.

(…) 

Every business should have a compliance program in place to help ensure each commercial message or telemarketing call is compliant. If your practices are ever called into question, a thorough compliance program can help you in a due diligence defence.

(…)

But let me be clear, CASL and Unsolicited Telemarketing Rules are not new. And ignorance is not a defence.

Look at it this way—if I do a U-turn on the 401 and my defence to the police officer who pulls me over is that I did not know I couldn’t make a U-turn, I’m still getting the ticket.

The same applies if violations under these laws have been determined. There will be consequences, which could include administrative monetary penalties and the obligation to implement compliance programs. At best. And, at worst, public shaming that will keep your public relations department busy for a long time.

The message is clear, very quickly, several penalties a year will jump to several fines per month, as was the case with the National DNCL, another organisation regulated by the CRTC.

Why was Mr. Halazon fined?

In 2009, Mr. Halazon founded Cough Commerce, the company that launched TeamBuy.ca in 2010 and bought Dealfind.ca in 2013. Unfortunately, the merger wasn’t successful, and the company had to file for bankruptcy protection on August 29, 2014. Halazon’s business was then bought on September 24, 2014, by nCrowd, an American company specialising in bundle purchases.

Nevertheless, according to the CRTC, between July 2 and September 9, 2014, TeamBuy violated CASL, by sending several emails with a withdrawal mechanism that was not functioning well or was too complicated. Ghassan Halazon being at the time CEO of the company was found personally responsible under section 31 of the Act, which states that:

Directors, officers, etc., of corporations

31 An officer, director, agent or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorised, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against.

C-level, directors, managers, administrators are all personally liable

Section 31, on which Halazon’s fine is based, is one of the many provisions of CASL that few people know about nor is it discussed by the media. It’s unfortunate, because corporate protection under this section is removed, and thus makes individuals such as directors, managers, administrators, etc. personally responsible for CASL violations.

The CRTC’s Chief Compliance and Enforcement Officer has made this clear in a recent statement:

Receipt of commercial emails is the primary source of complaints from Canadians who report cases requiring follow-up investigations, and you or your organisation may be held responsible for sending these commercial emails. 

The CRTC’s adamant actions…

Canada’s Anti-Spam Legislation came into force on July 1, 2014, and TeamBuy went bankrupt two months later. Yet, the CRTC investigated this case, for almost three years, for emails sent over a very short period. This unyielding behaviour runs counter to much of the CRTC’s reassuring PR speeches. What their actions do seem to mean is that:

  • That the notion of transition period is not taken into consideration and that the CRTC expects companies to have been compliant since July 2, 2014,
  • Their enforcement is not solely for the goal of compliance, but for punishment,
  • Everyone, at any time, past or present, is at risk of being fined.

Another surprising move by the CRTC

It is also surprising to note that while the case file was concluded on June 12, 2017, the CRTC waited until Friday afternoon to publish this news on its website, and this without issuing a press release − an approach often used in politics to make sure journalists don’t talk about it. 

Are you insured?

More and more organisations are now taking out liability insurances, commonly referred to as an Errors & Omissions insurance (E&O) to protect their employees. A common practice with NGOs to protect volunteers, but that is now becoming more standard practice for private businesses, in light of CASL.

N.B.: Savvy insurance companies are starting to exclude CASL from their policies if the company can not demonstrate that it has implemented a complete compliance program.

In conclusion

Each decision made and conference given by the CRTC sheds a little more light on their approach regarding investigations and fines. Regardless, the words of the CRTC’s Chief Compliance and Enforcement Officer must be taken seriously:

Each company should have a compliance program to help ensure that every commercial or telemarketing message is compliant. If your practices are challenged one day, a comprehensive compliance program can help you establish a due diligence defence.

Now then, considering that the emails you, your company and your employees sent, or send today can haunt you in the future, it’s more important than ever to protect yourself and to implement a compliance program. Speak with one of our experts for free.

 

CASL: The 6 most common mistakes you weren’t aware of

Most companies believe that they already comply with CASL. But, of the majority of businesses we’ve met, they are in fact, not compliant, simply because they aren’t aware of the complexities and details of this law. Unfortunately, this ignorance is already costing companies and employees, heavily.

Of the approximately 100 compliance rules and items we validate for our clients, we’ve identified the 6 most common mistakes and how to resolve them. Check and see if your company’s compliance level is what you believe it to be.

N.B.: This is not a substitute for a compliance program as required by the CRTC, but is an easy way to assess whether your business is as compliant as you think it is. A full compliance program, which meets the CRTC’s eight required categories, is the only way to truly protect yourself from costly penalties and prosecution. Section 33 (1) of the Act states that “No person shall be held liable for a violation if they prove that they have taken all reasonable precautions to prevent its commission”.

Mistake #1: No unsubscribe mechanism in individual emails

While most companies ensure that they have an unsubscribe link in their newsletters, there is very little compliance with this requirement for their individual emails.

Simply put, CASL makes no distinction between a promotional newsletter sent to thousands of people and an email sent from one employee to another person. In both cases, these are “commercial electronic messages”, and the Act requires that each message includes mandatory information and a mechanism for unsubscribing.

Solution:

Make sure that your business email signatures and all of your employees’ email signatures include a statement indicating how one can withdrawal from your business’ communications.

For example:

If you receive an email from an employee at Deloitte Canada, you’ll note that their signatures always include the following statement: “If you do not wish to receive future Deloitte business emails, please send this email to ‘[email protected]‘. Similarly, at Certimail, my colleagues and I consistently include in our email signatures the following sentence, “If you no longer wish to receive commercial messages from Certimail, please indicate this by replying to this message”. Voilà. It’s as simple as that.

Mistake #2: Misworded newsletter sign-up forms

As per Canada’s Anti-Spam Legislation, the concept of consent is not equivocal; it is explicit. That is to say, the wording of consent given determines what one has the right to send and receive.

This means then if your subscription form refers to newsletters, consent, therefore, applies to newsletters and no other type of commercial email or communication. For example, this means that one or a series of emails from sales (news about promos, blog articles, “I think you might find this useful”, etc.) are in violation of the law, and risk fines.

Solution:
Check the wording on ALL your consent forms, so that they don’t limit your electronic communications, by using broader text, as illustrated in the example below.

For example:

On the left, taken from our website, consent is requested for advice and promotions for all electronic communications (see the form for yourself, and don’t be shy to sign up to stay informed of the law). On the right, consent is limited to newsletters, forcing a company to request permission again for other types of electronic messages.

Good and bad newsletter sign-ups

Good and bad newsletter sign-ups

Mistake #3: Records of ALL email communications are not kept

Many SMBs typically erase emails from their inboxes as soon as the content is no longer needed, useful, or relevant. People typically do this to free their attention span, and consequently, disk space.

Such a practice is dangerous under the Canada’s Anti-Spam Legislation. The CRTC requires that businesses retain the text of all their commercial emails should an investigation arise. Without these records, you have no way of defending yourself.

Solution:
Implement an email protocol to automatically archive messages on a server (IMAP or Exchange) or manually archive messages to folders instead of deleting them.

Mistake #4: Proof and records of consent are not kept

When under investigation by the CRTC, many SMBs justify themselves with the following: “We only send our newsletters to those who have registered on our website“.

In a notice published in July 2016, the CRTC states that a company claiming to have obtained consent for the sending of a commercial electronic message must provide proof of that consent and must retain all evidence of such consent (such as, but not limited to, completed forms, audio recordings, etc.).

Most US platforms such as MailChimp, Campaign Monitor, SalesForce, etc. don’t keep records of consent.

When a person, who once gave you consent in the past, makes changes to his or her profile, that new information replaces the original data. In the event of an investigation, you will not be able to provide proof that you once had that individual’s consent.

Solution 1:

Consider using a Canadian ESP, such as Cyberimpact or Cakemail. They are optimised for CASL and automatically archive and keep records of consent.

Solution 2:

Archive all your data by implementing an automatic or manual daily export of all the information and activity regarding your sendout lists. 

Mistake #5: Copies of forms and their version histories are not kept

Some SMBs do their due diligence and retain consent data provided through form submissions, such as the date, time and IP address of the user. Unfortunately, this information is not enough to prove consent.

Remember, consent must be explicit and not equivocal. You must, therefore, be able to provide proof that the information displayed on the form, that the user completed, was explicit. Considering the investigation process, if and when the CRTC contacts you, the chances are strong that your website has undergone a redesign or changes, and a form from a year ago is not the same as it is today.

Solution 1:

Consider using a Canadian ESP, one that automatically archives copies of forms.

Solution 2:
Take a screen shot with a time stamp of each of your consent forms every time you change or update your website or forms.

Mistake #6: No written compliance policy

While you may take all necessary measures to comply, you are never entirely immune to the error of an employee, subcontractor or technical problem that may put you in a violation of the law.

Fortunately, section 33.1 of Canada’s Anti-Spam Law provides some support and “defence” for businesses that have demonstrated good governance; though only if you have taken all the necessary measures to be compliant. The CRTC has stated that these measures must include a formal compliance program that meets eight specific requirements. One of these requirements is to have a written compliance policy that employees know and respect. Failure to do so will result in disciplinary action.

Solution:
Write your CASL policy following a full risk audit and analysis, and make sure your employees understand and apply it.

Running a business without having a written CASL policy like riding a motorcycle without a helmet: “It’s safe as long as there’s no accident”

What’s your score?

If you’re already aware of and make none of these mistakes, then bravo! You are one of the very few companies that do their due diligence. But there are over 100 rules to respect, so formalising your compliance program should be quick and inexpensive if you haven’t already done so. It would be a shame to be so savvy, yet fined for one of the 100 rules and regulations.

If you’ve found that some of these 6 mistakes apply to your business, it’s proof that you’re not compliant. July 1st has passed, and fines and class actions are multiplying. There are over 100 rules to respect, so now is the time to set up your compliance program to protect yourself, your employees, and your business.

We’re here to assess your situation, and to provide you with an inexpensive yet highly effective way, to set up a compliance program, which meets the CRTC’s requirements.

We know and understand that businesses don’t always have the cash or want to make the time to set up a program immediately, but our solutions are specially adapted to the reality of independent workers, small businesses to medium ones.

 

William Rapanos receives $15,000 in fines for emails sent in 2014!

In early 2017, the CRTC, for the first time, issued a fine to a single individual, and not a company.

William Rapanos (a.k.a. Bill Rapanos) a businessman and marketer from Toronto now living in B.C., was fined $15,000 for sending 58 emails contravening Canada’s Anti-Spam Law between July and October 2014.

This case is a huge lesson regarding the severity with which the CRTC enforces this law. Consider yourself warned.

Quite simply, CASL applies to non-business owners

One of the many elements of the Canadian Anti-Spam Legislation but that is little known to the public, is the fact that this act applies to individuals. The legislator clearly indicated this by specifying in the Act that the maximum penalties under this law are $10M for corporations and $1M for individuals.

It wasn’t Rapanos’ company that received the fine, but he himself, making him the first Canadian to be fined as an individual for a violation of Canada’s Anti-Spam Law.

This is important because it confirms that you don’t have to be a business owner, to be subject to Canada’s Anti-Spam Law.

For example, take the situation of a person who sends an email to their contact list to announce the sale of their used car on Craiglist; this type of email is considered a commercial email. The person sending this email can face a fine and prosecution if they don’t meet the many requirements of the law. Yikes!

Your older messages can still come to haunt you

Rapanos’ offences were committed during July and October 2014. During this time CASL had just come into force, but it wasn’t until April 22, 2016, nearly two years later, that the CRTC sent him a “notice of violation”.

In fact, the anti-spam legislation stipulates that you can file a complaint, or initiate a lawsuit for damages, up to three years after receiving a non-compliant message.

However, the CRTC can go as far back as they want to (up to July 1st, 2014) to investigate you. They can go three, four, five, ten years in the past to inquire about a company’s practices, or you.

This means that if you don’t have a compliance program in place or have committed to a “voluntary disclosure”, you can be subjected to fines or lawsuits, even if you stop sending emails and other electronic messages.

Investigations are not decided on the number of emails sent or complaints received

The $15,000 fine Rapanos received concerned only 58 emails sent over a period of four months, not 58,000, not 580 but 58. That’s less than 15 per month!

So imagine the several hundreds of thousands of complaints among the thousands of companies reported to the CRTC.

Everyone is in the CRTC radar. For example, Vancouver start-up Pof Media (PM) had to pay a fine of $48,000, even if the CRTC only received 70 complaints amongst the millions of weekly emails sent to PM members.

This confirms what the CRTC has always said, “the number of complaints it receives is not an essential factor for initiating an investigation”.

No one is safe, and presumably, the CRTC is taking stern action to make sure everyone implements a compliance program.

If you try to hide, you will eventually be found

In its decision, the CRTC emphasised that it requested and obtained the following information during their investigation:

  • Log files of the registrar who managed the addresses (DNS) of the website (firstunitedpartners.com) to which the emails pointed to
  • IP addresses of the ISP used to register and administer the site, provided by Bell
  • Telephone numbers used to register the domain name, provided by WIND and 7eleven Canada

Clearly, they are savvy in identifying and tracking offenders.

There is no presumption of innocence

It gets even more intense… The CRTC has confirmed that under the Administrative Monetary Penalties (AMP / SAP), the official name of its fines, the right to the presumption of innocence does not apply because its investigations are not “criminal proceedings”. Another little-known fact of Canada’s Anti-Spam Law amongst the majority of Canadians.

So remember, if you are the victim of an investigation, and challenge the decision before the Court of Appeal, you must provide proof of your innocence (and also bear the cost of an appeal).

The only defence that can be used is that of due diligence, which means that A) you have a compliance program that meets the CRTC’s eight requirements or B) you’ve submitted a “voluntary disclosure” along with the required comprehensive audit.