The Dangers of Implied Consent: Blackstone fined $50K

The Dangers of Implied Consent: Blackstone fined $50K

October 26, 2016, after close to two years of back and forth, the CRTC issued a Compliance and Enforcement Decision finding that Blackstone Learning Corp. violated Canada’s Anti-Spam Law (CASL) by sending commercial electronic messages (CEM) without consent. The initial penalty was calculated at $640,000 but was later adjusted to $50,000.

The notice of violation related to nine email campaigns, totally 385,668 messages, sent between July 9th and September 18th, 2014, to employees at twenty-five Canadian federal and provincial government organisations. The email campaigns resulted in at least 60 complaints to the CRTC’s Spam Reporting Centre.

When the CRTC began their investigation, Blackstone refused to cooperate, and when they received their notice of violation, on January 30, 2015, Blackstone appealed.

Blackstone argued that it had not violated CASL’s because it had implied consent to send the emails and that the penalty of $640,000 was unreasonably high.

Publically available email addresses

This is where it gets tricky. Blackstone’s defence was that the recipients’ email addresses were “conspicuously published” (i.e.: publically available email addresses).

However, the CRTC stated:

“the conspicuous publication exemption and the requirements thereof set out in paragraph 10(9)(b) of the Act set a higher standard than the simple public availability of electronic addresses”.

To meet the conspicuous publication exemption:

  • The electronic address must not be accompanied by a message specifically outlining that the individual does not want to receive unsolicited commercial messages.
  • The message must be relevant to the person’s business, role, functions, or duties in a business or official capacity.

The CRTC further clarified,

“the way that the email address is published, such as on the company’s website or through a third party, must lead to a reasonable understanding of consent to receive the type of commercial electronic message being sent“.

This is a significant argument of one of the few CASL exemptions. While public addresses may qualify for implied consent this “does not provide persons sending commercial electronic messages [CEMs] with a broad licence to contact any electronic address they find online”.

Why was the fine reduced

In considering an appropriate Penalty, the CRTC took into account the following considerations:

  • Purpose of the penalty: The Commission stated that the amount must be high enough to promote changes in behaviour, in effect a second chance, but not too high to put a person out of business (as this would negate any second chance).
  • Nature and scope of the violations: While almost 400,000 non-compliant messages were sent that disrupted the recipients and prompted at least 60 complaints to the Spam Reporting Centre; the violations took place only over a period of two months. The CRTC concluded that a penalty of $640,000 would be too high.
  • Ability to pay: After finally receiving Blackstone financial statements, it was evident that a penalty of $640,000 would significantly exceed Blackstone’s ability to pay.
  • Other factors – cooperation and self-correction: Blackstone’s failure to cooperate with the investigation increased the need for a penalty to ensure future compliance. However, the Commission saw some possibility of “self-correction” going forward and felt that a lower fine would be appropriate.

Based on these factors, the CRTC determined that a Penalty of $50,000 was a reasonable amount to encourage Blackstone to comply with CASL.

Lessons learned

Be careful if your email messages rely on an exception. Implied consent is evaluated on a case-by-case basis.  Under CASL, the sender must prove consent.  The CRTC “stress[es] the importance of detailed and adequate record-keeping for this reason.

Lastly, this case is an excellent example, as to why having a risk analysis (audit) as required by the CRTC is so important. A properly implemented compliance program will validate the way consents are collected and managed. This ensures that you are protected in case of an accidental violation.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published.