1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


The Canadian Radio-television and Telecommunications Commission (CRTC) issued an enforcement advisory to both businesses and individuals that send commercial electronic messages (CEMs) to keep records of consent. The CRTC reminded senders of CEMs that section 13 of Canada’s anti-spam legislation (CASL) places the onus on the sender to prove they have consent to send every single CEM.

The advisory made a point to note the CRTC has observed businesses and individuals unable to demonstrate they have obtained consent before sending CEMs. Failure to meet record keeping requirements has been alleged in recent CRTC enforcement decisions against organizations. However, today’s enforcement advisory may suggest the CRTC is finding record keeping to be a widespread concern, warranting this advisory.

Record keeping is one of the most contested provisions under CASL as the financial, organizational and technical burden weighs on senders to meet the high record-keeping standards set by the CRTC. Having the record keeping requirements on the CRTC’s radar adds further urgency to ensure a sender’s compliance program is sufficient.

The CRTC emphasized in its advisory that good record-keeping practices can assist senders establish a due diligence defense in the case of a violation under CASL. Violations of CASL may result penalties of up to CAD $1,000,000 for individuals, and up to CAD $10,000,000 for organizations.

The CRTC reiterated its guidance that record-keeping should document:

  • All evidence of express or implied consent from consumers who agree to receive CEMs. Evidence can be in various forms such as audio, electronic or paper.
  • The procedures and methods through which senders obtain consent
  • The sender’s CASL policies and procedures
  • All unsubscribe requests and subsequent actions taken

Click here to read the full CRTC Enforcement Advisory. For more guidance on record keeping, read the CRTC’s guidelines to help develop a corporate compliance program.




Office of the Privacy Commissioner announces first investigation under the address harvesting provisions

Today, the Office of the Privacy Commissioner (OPC) announced its report of findings against Compu-Finder, a Quebec-based company that offers face-to-face professional training courses.

The OPC alleges Compu-Finder used address harvesting programs to search and collect e-mails on the internet. This marks the first investigation by the OPC involving its address harvesting provisions under the Personal Information and Electronic Documents Act (PIPEDA). The OPC concluded that Compu-Finder did use e-mail addresses of individuals to send e-mails promoting its business activities, without the consent of the individuals concerned. Compu-Finder was unable to demonstrate it had the appropriate consent for the collection and use for many of the e-mail addresses. Further, the OPC found Compu-Finder lacked basic privacy knowledge of its obligations and failed in demonstrating accountability and openness of its privacy practices.

This investigation also debuts the OPC’s compliance agreement power since the tool was added by the Digital Privacy Act on June 18, 2015. The compliance agreement between the Privacy Commissioner of Canada and Compu-Finder lists over ten remedial measures imposed on Compu-Finder. Some of the following measures that Compu-Finder has agreed to implement, include:

  • collect and use only e-mail addresses with proper consent;
  • destroy all e-mail addresses in its possessions which were collected without obtaining consent;
  • refrain from collecting any electronic addresses of individuals through the use of a harvesting computer program;
  • develop and implement a privacy program; and
  • obtain a third-party audit of its privacy program.

Compu-Finder is also under investigation by the Canadian Radio-television and Telecommunications Commission (CRTC). The CRTC issued a Notice of Violation against Compu-Finder pursuant to Canada’s Anti-Spam Legislation (CASL) on March 5, 2016.  The OPC acknowledged the CRTC shared investigative information with the OPC pursuant to CASL and a Memorandum of Understanding between the two agencies.

The CRTC’s proceedings against Compu-Finder are still on going.

You can read the full report of findings and compliance agreement online  here.

Office of the Privacy Commissioner announces first investigation under the address harvesting provisions

Global Privacy Sweep Finds Privacy Issues in Children’s Apps

Last week, the Global Privacy Enforcement Network (GPEN) released the results from their third annual Privacy Sweep. Twenty-nine privacy enforcement authorities spread across 21 countries reviewed 1,494 websites and mobile applications (apps) either targeted to or popular among children – the theme of this year’s sweep.

Canadian regulators participating in the international sweep included the Office of the Privacy Commissioner of Canada (OPC), the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner of British Columbia, who focussed their review on websites and apps based in Canada.

Among the overall findings by GPEN, 67% of the websites and apps examined collected personal information from children, such as names, photos, videos, audio, addresses and phone numbers.

“Too many developers are collecting particularly sensitive personal information such as photos, videos and the location of children, and often allowing it to be posted publicly, when there are clearly ways to avoid it,” said Privacy Commissioner Daniel Therrien in a statement. The OPC has repeatedly recommended in its publications and report of investigations that the best practice is to never collect personal information from children.

The OPC noted that many companies are developing innovative, creative and dynamic technological tools that balance the purpose of the website or app while respecting privacy protection.

The Privacy Sweep also found that 51% of websites and apps reviewed indicated they may disclose the children’s personal information to third parties. The Privacy Sweep found that 58% of websites and apps reviewed, while purporting not to collect personal information, redirected children to sites and apps that did collect personal information. The redirection was via an advertisement or a contest that sometimes appeared to be part of the website or app.

In considering parental or some form of adult supervision or control, only 31% of websites and apps reviewed had any protective control in place that would limit the collection of personal information; even less (24%) had some form of parental involvement.

The focus of privacy protection of vulnerable groups, such as youth and children, is one of Commissioner Therrien’s current privacy priorities.

The OPC also provided recommendations for companies to consider when collecting, using or disclosing personal information that may involve children, including:

  1. Avoid collecting any personal information from children.
  2. Instead of requiring children to disclose their name or photo or other personal information – for example to register with a website or app – companies should use protective controls such as preprogrammed avatars and usernames that children can select instead.

The goals of the GPEN Privacy Sweep include creating awareness and encouraging compliance with privacy legislation; however, GPEN and the OPC note that the results of the Privacy Sweep could lead to follow-up action being taken, including outreach and investigations.


Global Privacy Sweep Finds Privacy Issues in Children’s Apps

Legislative Alert: Bill S-4, an Act to amend Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) passed in House of Commons.

Today, June 18, 2015, Bill S-4, the Digital Privacy Act was passed by Canada’s House of Commons vote. Bill S-4 was previously passed by Canada’s Senate.

The Digital Privacy Act includes important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). These include:

Mandatory Breach Notification

When the amendments come into force (on a date yet to be determined), Canada will have a new federal data breach reporting law. An organization will be required to notify the Office of the Privacy Commissioner of Canada following a breach of security safeguards involving personal information under its control when there is a real risk of significant harm to individuals from the breach. Organizations will also be required to notify affected individuals in these circumstances.

Record Keeping

An organization will also be required to keep records of each and every breach of security safeguards involving personal information under its control and, upon request, provide the Office of the Privacy Commissioner, with access to that record.

We will continue to report on Bill S-4 and compliance strategies over the coming months.


Legislative Alert: Bill S-4, an Act to amend Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) passed in House of Commons.

Consent to Disclose Information in Response to a Consumer Complaint – Guidance from Canada

Not infrequently, customers may resort to consumer affairs columnists and other third parties, such as consumer advocacy groups, in order to resolve issues that they are having. In these circumstances, is there implied consent for the vendor of the goods or services to disclose personal information to the third party advocate?

This was the issue in an October 31, 2014 Report of Findings by the Office of the Privacy Commissioner of Canada (OPC) regarding an investigation into the allegations that an Internet Service Provider (ISP) improperly disclosed personal information to a newspaper columnist. The OPC agreed with the ISP that there was reason to believe implied consent existed, and that the ISP’s response was appropriate, in the circumstances.

Background on the case

After failing to resolve a longstanding internet service dispute with his ISP, a consumer e-mailed a newspaper columnist with instructions to resolve the dispute with the ISP. The newspaper columnist is known by the consumer and public as a consumer advocate who intervenes and tries to resolve problems consumers face with organizations.

The columnist forwarded the consumer’s e-mail to the CEO of the ISP seeking a response to the complaint. The ISP responded to the columnist, who then forwarded the response to the consumer. The consumer objected to the ISP sharing his personal information to the columnist without his consent. The ISP argued they believed they had the consumer’s implied consent, the information they disclosed to the columnist was not sensitive and it was relevant to defending itself against the consumer’s allegations. The OPC agreed with the ISP.

Key points for organizations

1. Does an organization require express or implied consent?

Two types of consent exist under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) – express and implied. In general, express consent should be sought, especially when the personal information is considered sensitive. When information is not sensitive, implied consent is generally considered appropriate.

In this case, the OPC found the ISP disclosed non-sensitive information about the history of the consumer’s dispute with the ISP.

2. In some circumstances, organizations can reasonably assume implied consent from the
individual’s actions or inactions.

An organization should consider the reasonable expectations of the individual when obtaining consent. Consider whether the individual has certain knowledge or understanding of the information and context to assist in determining their expectations, and subsequently consent.Implied consent is appropriate in situations where the intended use or disclosure of personal information is clear from the context.

Given that the consumer sought assistance in resolving his dispute with the ISP when he contacted the newspaper columnist, it was a reasonable expectation that his information would be disclosed in order to address the very information he put into question.

3. An organization should limit its disclosure when it relies on implied consent.

An organization does not have carte blanche under implied consent and the OPC scrutinizes the information being collected or disclosed. The ISP limited its disclosure to information only related to the consumer’s allegations, in order to properly defend itself against said allegations, and to properly respond to the columnist’s inquiries during a dispute resolution situation.

The information that was disclosed was entirely related to the issue that the consumer initiated.


In this case, the OPC found the ISP had a reasonable belief to rely on implied consent, and that the ISP properly limited the disclosure to personal information that was relevant to the complaint against them.

Organizations should continue to be mindful of the before, during and after around implied consent; the sensitivity of the information, the individuals reasonable expectations and actions/inactions, and limiting the collection or disclosure of information to the particular context.

Consent to Disclose Information in Response to a Consumer Complaint – Guidance from Canada