The undertaking resulted from an alleged failure to obtain
consent from recipients prior to sending commercial electronic
messages. The alleged violations apparently occurred over an
11-week period in late 2014.
As with previous undertakings announced by the CRTC, the summary
produced by the CRTC includes few details about the alleged
non-compliance, such as whether the company sent messages without
obtaining consent, failed to meet form requirements in collecting
consent, or was unable to prove the existence of an existing
business relationship that would give rise to implied consent.
Interestingly, the CRTC summary does note that the messages in
question were allegedly sent by "Kellogg and/or its third
party service providers", and that Kellogg undertook to comply
with CASL and its Regulations, and to "ensure that any third
party authorized to send a commercial electronic message on its
behalf" did the same – suggesting that the alleged
violations may have stemmed, at least in part, from the activities
of a third party service provider. This, in turn, raises
important – but unfortunately, unanswered -- questions about
how penalties are assessed in such circumstances, and the extent to
which due diligence in vendor selection and procurement
arrangements might impact liability for non-compliance under
The central prohibition in CASL relating to commercial
electronic messages does refer explicitly to those sending such
messages, as well as to those causing or permitting such messages
to be sent; accordingly, the law appears to apply to both marketers
and the service providers that may be retained to send marketing
messages on their behalf. Organizations would be well advised
to choose third party vendors carefully, and to impose clear
contractual and process requirements on such vendors to help avoid
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The Office of the Privacy Commissioner of Canada has ruled that the collection and use of a plaintiff's personal information for the purpose of defending against a civil lawsuit is not a "commercial activity" and, ...
While corporate executives are increasingly becoming aware of their obligation to be informed of cybersecurity threats and the steps being taken by their company to prevent data breaches, it is equally important for executives to ensure that the employees are educated with respect to cyber threats.
A recent privacy decision regarding pre-installed software on laptops may have implications for companies operating not only in the traditional hardware space, but for those companies venturing into the burgeoning "Internet of Things" ecosystem.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).