Posts

CASL: First Fine To A Corporate Executive

The CRTC announced that Ghassan Halazon has paid, as an individual, a fine of $10,000 to relieve himself of his responsibilities as CEO, in violations of the Canadian Anti-Spam Law (CASL) committed by the company he ran at the time. This is the first time a corporate executive has been fined, and there are several lessons to be learned.

Enforcement of CASL is toughening up

Several observers misinterpreted the government’s decision to postpone the right to civil and collective redress at the end of 2017, as a sign of easing of the application of CASL. This is not the situation and Halazon’s case demonstrates this.

The CRTC has always stated that the three transitory years that companies had to implement their compliance program was sufficient and that those who have not yet done so have no excuse. In fact, Steven Harroun, the CRTC’s Chief Compliance & Enforcement Officer, said at a recent conference:

Commercial electronic messages are the primary source of what prompts Canadians to report cases that require follow-up investigation — commercial email messages that you or your organisation may be responsible for sending. Email messages account for more than three-quarters of incidents reported to us.

(…) 

Every business should have a compliance program in place to help ensure each commercial message or telemarketing call is compliant. If your practices are ever called into question, a thorough compliance program can help you in a due diligence defence.

(…)

But let me be clear, CASL and Unsolicited Telemarketing Rules are not new. And ignorance is not a defence.

Look at it this way—if I do a U-turn on the 401 and my defence to the police officer who pulls me over is that I did not know I couldn’t make a U-turn, I’m still getting the ticket.

The same applies if violations under these laws have been determined. There will be consequences, which could include administrative monetary penalties and the obligation to implement compliance programs. At best. And, at worst, public shaming that will keep your public relations department busy for a long time.

The message is clear, very quickly, several penalties a year will jump to several fines per month, as was the case with the National DNCL, another organisation regulated by the CRTC.

Why was Mr. Halazon fined?

In 2009, Mr. Halazon founded Cough Commerce, the company that launched TeamBuy.ca in 2010 and bought Dealfind.ca in 2013. Unfortunately, the merger wasn’t successful, and the company had to file for bankruptcy protection on August 29, 2014. Halazon’s business was then bought on September 24, 2014, by nCrowd, an American company specialising in bundle purchases.

Nevertheless, according to the CRTC, between July 2 and September 9, 2014, TeamBuy violated CASL, by sending several emails with a withdrawal mechanism that was not functioning well or was too complicated. Ghassan Halazon being at the time CEO of the company was found personally responsible under section 31 of the Act, which states that:

Directors, officers, etc., of corporations

31 An officer, director, agent or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorised, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against.

C-level, directors, managers, administrators are all personally liable

Section 31, on which Halazon’s fine is based, is one of the many provisions of CASL that few people know about nor is it discussed by the media. It’s unfortunate, because corporate protection under this section is removed, and thus makes individuals such as directors, managers, administrators, etc. personally responsible for CASL violations.

The CRTC’s Chief Compliance and Enforcement Officer has made this clear in a recent statement:

Receipt of commercial emails is the primary source of complaints from Canadians who report cases requiring follow-up investigations, and you or your organisation may be held responsible for sending these commercial emails. 

The CRTC’s adamant actions…

Canada’s Anti-Spam Legislation came into force on July 1, 2014, and TeamBuy went bankrupt two months later. Yet, the CRTC investigated this case, for almost three years, for emails sent over a very short period. This unyielding behaviour runs counter to much of the CRTC’s reassuring PR speeches. What their actions do seem to mean is that:

  • That the notion of transition period is not taken into consideration and that the CRTC expects companies to have been compliant since July 2, 2014,
  • Their enforcement is not solely for the goal of compliance, but for punishment,
  • Everyone, at any time, past or present, is at risk of being fined.

Another surprising move by the CRTC

It is also surprising to note that while the case file was concluded on June 12, 2017, the CRTC waited until Friday afternoon to publish this news on its website, and this without issuing a press release − an approach often used in politics to make sure journalists don’t talk about it. 

Are you insured?

More and more organisations are now taking out liability insurances, commonly referred to as an Errors & Omissions insurance (E&O) to protect their employees. A common practice with NGOs to protect volunteers, but that is now becoming more standard practice for private businesses, in light of CASL.

N.B.: Savvy insurance companies are starting to exclude CASL from their policies if the company can not demonstrate that it has implemented a complete compliance program.

In conclusion

Each decision made and conference given by the CRTC sheds a little more light on their approach regarding investigations and fines. Regardless, the words of the CRTC’s Chief Compliance and Enforcement Officer must be taken seriously:

Each company should have a compliance program to help ensure that every commercial or telemarketing message is compliant. If your practices are challenged one day, a comprehensive compliance program can help you establish a due diligence defence.

Now then, considering that the emails you, your company and your employees sent, or send today can haunt you in the future, it’s more important than ever to protect yourself and to implement a compliance program. Speak with one of our experts for free.

 

1M Complaints: Insights into the CRTC’s investigation process

In the last 36 months, the CRTC received just over 922 262 complaints under CASL, representing more than 300,000 complaints a year! Demonstrating, that many Canadians support this legislation, and increasing continue to do so.

 

Près d'un million de plaintes pour la Loi Canadienne anti-pourriel

 

As the chart above shows, the daily volume of complaints has been growing steadily for over a year, exceeding 1,000 complaints per day since October 2016.

Mainly email, but text and instant message complaints are fast on the rise

According to the CRTC, email accounts for roughly two-thirds of complaints and SMS a good third. On the other hand, while the number of accusations about non-compliant emails has decreased by almost 10% in the past year, SMS denunciations have more than doubled. Additionally, although they represent only a tiny fraction of the total, instant message complaints are also growing.

Consent issues represent approximately two-thirds of the complaints received, but their growth is lower than for content or misleading subject claims that have increased by 60% over the past year. This suggests that the Competition Bureau, which handles these types of complaints, will continue to distribute heavy fines like it’s it’s done so with Budget, Avis and Amazon.

How cases are selected

In a presentation to IAB Canada in Spring 2017, the CRTC has stated that considering the international scope of spam, it has already entered into collaborative arrangements with the authorities of a dozen countries, including the United States, the United Kingdom, Australia, and the Netherlands.

These agreements are bilateral, meaning that the authorities exchange information with each other to initiate investigations, to investigate them further, or to prosecute and punish the perpetrators.

 

 

Although the CRTC didn’t share the criteria on which it relied to prompt past cases, they did explain that their investigations are triggered, not only by the data provided by their international and industry partners but also by the messages and information they receive at specific addresses on different websites. Commonly referred to as “Honeypots”.

What happens next?

When the CRTC conducts an inquiry, one of the first things it does, more often than not, is to send the company a request for information to be supported by the appropriate documentation. For example, in the context of “consent”, the CRTC will require the company to provide proof of consent of all persons to whom the company has sent emails to, for a particular period. This includes:

  • The type of consent (explicit or implied)
  • The date of consent
  • The information held on the person
  • A CSV file with the justificatory pieces for each consent
  • The company’s privacy policy
  • Database management guidelines for contacts
  • Electronic communication policies
  • Screenshots of subscription forms
  • etc.

Incontestably, documentation is crucial, yet it’s one of the least known aspects of Canada’s Anti-Spam Law. Without it, you are quite sure to be found guilty.

When you get a notice of violation…

When the CRTC has completed its investigation, it sends a notice of violation. The company then has 30 days to negotiate a voluntary commitment agreement.

A voluntary undertaking is not an admission of guilt, but rather is a negotiated settlement that includes an immediate payment as well as a commitment to take a series of steps to correct the alleged violations.  This includes establishing a comprehensive compliance program and implementing it.

To negotiate the terms of the voluntary agreement, you will need to document the steps you took to comply with CASL and to demonstrate your financial limitations. (It goes without saying that it is dangerous to conduct such negotiations without the support of an—expensive—lawyer specialised and experienced in negotiations with the CRTC.)

If you refuse to sign a voluntary agreement, you’ll receive a much bigger penalty, one that can be contested in the Court of Appeal, if you have the financial means to do so. That’s why, so far, all but one offender, CompuFinder, have committed to settlements and immediately paid the amounts negotiated with the CRTC.

The CRTC revealed that they don’t have a grid to determine penalty amounts. Primarily because of 1) the complexity of CASL, 2) the criteria relevant to each case, and 3) the need to be flexible enough to ensure that the fines are sufficiently dissuasive to be effective without putting companies into bankruptcy.

Les amendes infligées par le CRTC en vertu de la Loi Canadienne anti-pourrielSome of the  fines imposed by the CRTC under CASL

The compliance program is a requirement

The compliance program imposed in the voluntary commitment agreement is, according to the CRTC, the centrepiece of ensuring that a company no longer violates the Canada’s Anti-Spam Law.

In fact, for the CRTC, fines and voluntary commitments are in essence a means of encouraging ALL BUSINESSES to develop a compliance program that complies with its requirements.

(By the way, you’ll have greater peace of mind and save money if you implement a compliance program with Certimail, before any possible investigation than under the direct supervision of the CRTC.)

Worried about being investigated?

For people who have hidden a part of their wealth in a tax haven, but confess it to the tax authorities before the situation gets discovered, their chances of paying a fine or being penalised are minimal. The CRTC offers a similar opportunity under Canada’s Anti-Spam Legislation.

If you suddenly realise that your business has violated Canada’s Anti-Spam Legislation, you can contact the CRTC as part of its “voluntary disclosure” process.

Although the CRTC doesn’t guarantee that you won’t have a penalty to pay, it promises to be gentle in the handling your file. It will advise you on the best ways to permanently correct your situation with the mandatory compliance program.

The only requirement imposed by the CRTC is that you identify ALL the violations in your original statement. This implies that you must conduct a thorough audit to determine all breaches of compliance.

**Any violation discovered during the voluntary disclosure that was not reported in the original statement will be excluded from the declaration and sanctioned as if it had been found during a typical investigation.**

July 1st has come and gone, an audit and voluntary disclosure are the very minimums of protection. Ultimately though, a compliance program is mandatory and is your best protection.