CASL’s first sanction against a foreign company

Sanction for the Irish site

On April 24th, the CRTC announced an undertaking with Ancestry Ireland Unlimited Company (“Ancestry”), which hosts the website. The latter uses emails to communicate with people registered on its online service, which allows the search for genealogical documents (family history, family trees, historical records, information based on genetic analysis, etc.).

The extraterritorial nature of CASL

This is the first time that a foreign company has been subject to a CRTC sanction in connection with the Canadian Anti-Spam Law (hereinafter CASL). Ancestry is an Irish company with no offices or employees in Canada. The provisions of CASL, however, indicate that it applies to any company that sends messages to Canadian subjects, regardless of the source of the messages.

Similarly, contrary to what many people believe, Canadian companies have to comply with CASL both in their sendouts to Canada and for commercial electronic messages, they send to the rest of the world.

A sanction even if the consents were legal

The CRTC was able to find that Ancestry had obtained valid consents to communicate with its contacts, that its messages contained the mandatory identification information as well as an unsubscribe link.

However, the company was still in the wrong according to the CRTC because their different databases did not synchronize the withdrawal of consents. A customer who unsubscribed from one list continued to receive messages from the other list.

The requirement to synchronize withdrawals of consent

CASL provides that a person must be able to unsubscribe from all commercial electronic messages from the company. In the absence of other choices in the unsubscribe process (ex.: to receive certain types of communications only), the person must by default be excluded from the receipt of all commercial communications.

This requirement of the law can become a concern for many. Indeed, in the majority of companies, there is no synchronization between the mailing lists and the sending of emails themselves, the email sending platforms being separated from CRM or databases. Many companies also often have no way of updating their consent for sending emails via Outlook if someone unsubscribes from their newsletter. Thus, a person could continue to receive communications, despite the fact that in principle, they have unsubscribed from all sendouts.

The compliance program is a must

Ancestry is, by this undertaking, obliged to comply with the Act with respect to the synchronization of its consents. It must therefore unsubscribe and remove from all its commercial communications any person who has indicated this desire, either directly or indirectly, within 10 working days of the request.

The company must also implement a compliance program under CASL which includes: “reviewing and revising current compliance practices […], as well as various other monitoring and auditing measures, including reporting mechanisms to CRTC staff regarding the implementation of the program.”1

Do not be the next company to be sanctioned

If you use an email sendout platform that does not synchronize consent withdrawals with other lists or with your internal email system, you’re in violation of CASL and you may be fined up to several hundreds of thousands of dollars.

If your company is not yet under investigation by one of the CASL enforcement authorities, there is still time to put your compliance program in place and protect yourself before it’s too late.

CASL Fines: Rogers Media Pays $200K

The CRTC announced that Rogers Media, a subsidiary of the Rogers Communications group, has been fined $200,000 for violating the Canada’s Anti-Spam Law.

Sloppy unsubscribe mechanisms

The allegations against Rogers Media are related to non-compliant (i.e.: mismanaged) unsubscribe mechanisms in their commercial electronic messages.

Rogers Media agreed that its unsubscribe links did not always work, were not always easy to activate, and sometimes did not remain active for the required 60-days after the commercial message was sent. Rogers Media also acknowledged that unsubscribes were not always completed within the 10-day grace period.

It should be noted that Rogers Media was not fined for sending commercial messages to people who had not provided consent, like many other companies that were penalised by the CRTC, but only for the mismanagement of their unsubscribe mechanisms.

Total fines rise to nearly $31.5M

This file brings the total amount of fines issued by the CRTC to $1,498,000 plus the $30M in fines imposed by the Competition Bureau for a total of $31,498,000 in penalties under CASL.

SMBs represent 60% of the CRTC’s cases investigated under the Canadian Anti-Spam Act.

The fines released today include:

  • Compu-Finder, a Quebec SMB from Morin Heights, Quebec, fined $ 1.1M
  • Plentyoffish Media, a Vancouver-British Columbia SMB, fined $48,000
  • Avis, Budget, and AvisBudget Group, Toronto, Ontario received $10 million in fines each
  • Porter Airlines, Toronto to Ontario fined $150,000
  • Rogers Media, Toronto, Ontario, fined $200,000

Since the CRTC is not required to disclose all the details of its cases and/or investigations, other companies may have also have been fined for unknown amounts. (Are you one of them? We want to hear from you.)

Your only defence…

The only defence that the Act offers businesses is that of due diligence through the implementation of a compliance program that meets the CRTC’s eight requirements.