On the eve of Canada Day, let's consider what has happened on the enforcement front in the one year since the Canadian anti-spam legislation (CASL) came into effect.
Remember May and June of 2014? Conscientious organizations both in Canada and abroad were sending email blasts to Canadian mailing lists pleading for readers to opt in. Those of us trying to interpret the legislation hoped that the seemingly draconian provisions of CASL would be tempered by common sense and a realistic approach to enforcement. Surely technical breaches of CASL would not lead to significant financial penalties. Or would they?
Since CASL came into force, the CRTC has reported on four enforcement actions. Here's a snapshot of the results:
- Case #1 – October 2014 – The CRTC reported that, by "working with" a small (unnamed) Saskatchewan business and its ISP, the CRTC stopped "millions" of spam messages unwittingly sent by the Saskatchewan business from its server infected with malware. From the available report, the CRTC indicated that the small business "fully cooperated" and removed all traces of the malware. No financial penalties were levied.
- Case #2 – March 2015 – The CRTC issued a "Notice of Violation" to a company called Compu-Finder for breaching CASL and levied a $1.1 million penalty. This was a business to business situation in which emails without consent were allegedly sent and in which the email unsubscribe mechanism apparently did not function properly. The CRTC seemed to place special emphasis on the fact that 26% of all complaints received by the CRTC's Spam Reporting Centre during the period of investigation were attributable to this one company.
- Case #3 – March 2015 – Plentyoffish Media Inc. paid $48,000 as part of an undertaking for an alleged violation of CASL. The particular infraction committed by this company was that the "unsubscribe mechanism was not clearly and prominently set out and which could not be readily performed." According to the CRTC's report, Plentyoffish updated its unsubscribe mechanism "once made aware of the investigation by the CRTC."
- Case #4 – June 2015 – Porter Airlines agreed to pay $150,000 as part of an undertaking entered into with the CRTC. The CRTC alleged five CASL infractions:
  - Sending commercial electronic messages without an unsubscribe mechanism
  - Sending commercial electronic messages with an unsubscribe mechanism that was not set out "clearly and prominently"
  - Sending commercial electronic messages that did not contain the required contact information disclosure
  - Failing to honour unsubscribe requests within the 10 business day time frame mandated by CASL
  - Failing to provide proof of consent for "each electronic address that received its commercial emails" for an approximate 8 month period
Notable in the Porter Airlines case was that Porter voluntarily entered into an undertaking with the CRTC, it apparently had no prior CASL infringement record and it "immediately" took steps to comply with the legislation once it was made aware of the CRTC's investigation. Yet, in spite of all of those mitigating factors, the CRTC still saw fit to require the payment of a $150,000 penalty.
What does all of this mean? Well, for starters, organizations need to remember that this is a statute that has specific, strict technical compliance requirements. The CRTC seems determined to enforce the letter of CASL and failure to comply with the minutiae of CASL's detailed requirements will not be tolerated. "Close enough" compliance is not good enough.
In addition, the CRTC does not seem to be willing to cut "first time offenders" any slack, even if they are willing to immediately do what is necessary to comply. While the first enforcement in October of 2014 seemed to indicate an inclination to work with business in a co-operative way to achieve compliance, subsequent reported enforcements indicate a more aggressive approach.
One of these subsequent cases (Compu-Finder) even involved a "business to business" situation. Given the policy behind CASL of protecting Canadian consumers against spam and malware, the fact that the CRTC issued a Notice of Violation in a business to business context was surprising. Regardless of whether the communication is "business to consumer" or "business to business," it seems that the volumes of spam messages and complaints received by the CRTC in any particular case are important factors to the CRTC in assessing prosecution strategies.
We have also learned that, in spite of the first reported case, cooperation with the regulator and prompt remediation will not necessarily save an organization from a CASL penalty. In the most recent Porter Airlines case, even a well regarded and co-operative company such as Porter was not immune from the reach of CASL, notwithstanding the company's willingness to work with the CRTC and to immediately rectify its perceived CASL deficiencies.
These cases highlight the importance of having a compliance policy, a robust CASL compliance program, training, and proper tracking of consents and applicable exemptions/implied consents, should the CRTC come calling. These elements go towards establishing a due diligence defence.
CASL enforcement is a new, unfolding saga. We will continue to monitor the evolution of CASL and keep our readers informed about significant events as they occur.