Posts

15 Recommendations to Strengthen and Simplify CASL

Following our testimony before the Standing Committee on Industry, Science and Technology of the House of Commons, and the rich and numerous exchanges we had with members of Parliament during the question period, we published a brief containing a series of recommendations to be taken into account in their review process of the Canadian Anti-Spam Law.

Here are the 15  recommendations that you can also download in its original PDF format:

—–

This brief presents a series of recommendations to supplement the presentation given by our president, Philippe Le Roux, at the Committee’s 79th meeting. The following recommendations support two main objectives:

  • Enhance the benefits of Canada’s anti-spam legislation (CASL) for consumers and businesses
  • Facilitate CASL compliance for businesses

1) Educate consumers about CASL

Consumers are aware of CASL’s existence, but they are not aware of the primary rules regarding consent. As a result, many complaints are being filed about messages that are fully compliant with the regulatory requirements but perceived by certain recipients as unsolicited. This places an unnecessary burden on enforcement agencies and creates needless friction between businesses and consumers.

R1: We recommend that a CASL education and outreach campaign be launched across the country to educate consumers about the kinds of messages and situations that are regulated as well as the defence mechanisms available, such as the Spam Reporting Centre (SRC) and the private right of action.

2) Educate businesses about CASL compliance

The main obstacle to CASL compliance is total or partial ignorance of the regulatory requirements. The latest studies show that less than 20% of Canadian businesses know that a compliance program is needed to make use of the due diligence defence. For small and medium enterprises, which account for 97% of Canadian businesses, this falls to less than 5%.

R2: We recommend that a campaign be launched to educate small businesses about the many regulatory requirements and the importance of compliance programs. This campaign should be carried out in cooperation with agencies that deal with small businesses, such as chambers of commerce, industry associations, and advocacy organizations such as the Canadian Federation of Independent Business (CFIB).

R3: We also recommend that the CRTC produce CASL awareness webinars based on the conferences given by the investigations and compliance team during the awareness campaign last spring in Toronto, and that these webinars be posted on its fightspam.gc.ca site.

3) Improve the fightspam.gc.ca website

The authoritative website for information about CASL is only updated a few times a year, leaving the perception that it is not really a topic of concern for businesses. As well, the site does not provide an objective-based user experience, but instead presents categories of information, making it very difficult for an inexperienced user to find what they are looking for. Lastly, the site hides the regulatory requirements for recordkeeping, the basis for most fines.

R4: We recommend that the fightspam.gc.ca website be redesigned based on a dual architecture: one section educating consumers about how CASL protects them, how to determine whether or not a message is compliant, and the various courses of action available if they receive a non-compliant message; and another section educating businesses about the requirements and the CRTC’s interpretations with respect to compliance.

4) Remove uncertainty surrounding the most common issues

During its two appearances before the Committee, the CRTC referred to some of the directives it has released over the past three years. We have identified about 100 common compliance issues affecting small businesses. The CRTC is clearly too slow to release information, adding stress and a needless burden on companies that wish to comply.

As well, the CRTC’s published decisions show that in each case, it has taken a narrow interpretation of CASL, each time creating an unreasonable requirement for small businesses that wish to comply. This way of dealing with businesses that make honest mistakes discourages small businesses from investing in compliance.

R5: We recommend that the CRTC establish an advisory committee made up of key stakeholders (consumer advocates, legal experts, email marketing experts, compliance experts) to identify and analyze the most common compliance issues and quickly release its compliance requirements and guides on these issues, in line with the advisory committee’s recommendations.

5) Oversee compliance services

CASL compliance service providers such as Certimail, Newport Thomson, AAM, Deloitte and KPMG are strategic allies for the CRTC in encouraging Canadian businesses to develop documented compliance programs. Despite our very limited resources, this year Certimail has educated more small businesses in Quebec than the CRTC has across Canada.

Companies would be more motivated to invest in a compliance program if they were assured that these programs are effective, which is not currently the case.

R6: We recommend that the CRTC publish codes of conduct that oversee, recognize and endorse industry-developed compliance programs, as is the case with the GDPR in Europe.

6) Range of fines

It is surprising that Canada’s biggest spammer, Compu-Finder, which generated up to 25% of the complaints filed with the CRTC at the time of investigation and consistently refused to cooperate throughout the process, was fined the same amount as Rogers Media, which acted in good faith and fully cooperated during the investigation.

As well, threatening a small business of 10–30 employees with $10 million in fines appears to be so disconnected from the reality of these businesses that they do not take CASL and its enforcement seriously and are not motivated to comply.

Although the $10 million cap needs to stay in place so that fines continue to serve as a deterrent and prevent multinationals from seeing fines as simply a cost of doing business, a graduated range of fines depending on the business, the offence and the context would make the threat more real and therefore more effective.

R7: We recommend that the CRTC set a range of fines taking into account the size of the business, its annual revenues, the number of complaints received, the seriousness of the offence, the intent and past history of the business. A minimum and maximum fine for each offence category could be set.

7) Private right of action (PRA)

As long as the number of fines remains negligible compared to the number of complaints (6 vs. 1.1 million), consumers and businesses need another avenue to protect their rights.

The PRA has a deterrence power that the CRTC has not been able to obtain in three years. We received 10 times the number of requests for information on compliance in spring 2017 than in spring 2014. This number plunged immediately following the government’s June 7 announcement that the measure was being postponed.

R8: We recommend that implementation of the private right of action be announced quickly with a deadline of July 1, 2018, so that businesses can be educated about the above recommended compliance requirements.

8) Limit withdrawals to the reference entity

The CRTC is currently interpreting “withdrawal of consent” more broadly than the consent itself. The following is an example given by the CRTC during a recent presentation in Toronto. If a consumer signs up for newsletters from Dove (a Johnson & Johnson brand), Johnson & Johnson cannot send that consumer commercial email messages (CEMs) about its other brands. However, if the consumer withdraws consent, by default this withdrawal must be applied to all CEMs sent by Johnson & Johnson, including those pertaining to brands for which there may be implicit or explicit consent, even though the consumer may not be aware that both brands belong to the same company.

R9: We recommend that withdrawal be limited to the brand in question, not the parent company’s entire line of brands, whose existence and breadth may be unknown to consumers

9) Transactional and service messages

Under section 6.6, transactional and service messages that do not require consent must now include withdrawal mechanisms, which imposes a burden on companies and creates confusion and frustration for consumers who receive them.

R10: We recommend that section 6.6 be simply repealed so that only identification information is required in such messages.

10) Differentiating the various types of commercial electronic messages

Currently, virtually all CEMs fit into three categories:

  • batch messages
  • automated marketing messages sent individually, but without human intervention
  • individual messages written and sent explicitly by someone for each mail out

However, CASL provides that, by default, withdrawal of consent in response to any of these messages must be interpreted as a withdrawal of consent for all commercial electronic messages of all types.

R11: We recommend that CASL be amended to reflect these different message categories and that the regulatory requirements take them into account, such as by limiting the scope of withdrawals to the category of message that initiated the withdrawal request by default.

11) Expand complaint forms and make them public

The current complaint form does not allow complainants to provide additional context when filing a complaint. This is extremely frustrating for some consumers, and it deprives investigators of information that could help validate and process complaints.

Furthermore, the SRC is a black box, and this lack of transparency is very frustrating to consumers who want to know if they are the only ones complaining about a company, and to companies interested in finding out how many complaints have been filed against them.

R12: We recommend that the complaint form be expanded to include fields that allow complainants to provide context about the offending messages, and that the complaints index be made accessible through an open data file as well as a web interface allowing searches on multiple criteria, including company names and brands. Of course, this information would be accompanied by a notice indicating the basis of the complaint has not been validated.

12) Speed up investigations to keep up with complaints

With just under 500 investigations and six fines issued in three years over more than 1.1 million complaints, the CRTC is leaving the impression that there is practically zero chance of getting caught. In fact, small businesses see CASL as little more than a game of Russian roulette with six bullets in a revolver with 1 million blanks, rather than a set of regulations that apply to everyone.

R13: We recommend that the CRTC develop mechanisms to automate complaint analysis and processing combined with a graduated range of fines to reduce the investigation workload required for each case.

R 14: We also recommend that companies subject to a first validated complaint receive a warning letter to raise awareness and to inform them that they could face investigations or fines.

13) Promote the benefits of CASL

Not only has CASL resulted in a sharp drop in spam in Canada, but it has also had a positive impact on the effectiveness of email marketing. The email marketing performance of Canadian companies has increased over 20% since CASL came into force. Promoting the competitive advantage of CASL compliance will help the government motivate businesses.

R15: We recommend that the government launch an education campaign about the effectiveness of email marketing when it complies with CASL best practices. This will allow companies to see the cost of compliance as an investment in marketing.

Those are our main recommendations based on four years working with dozens of small businesses of all sizes and in all fields to ensure they are compliant, as well as on over 20 years of expertise in effective email marketing. We are available to the Committee and its members to discuss these recommendations in greater detail.