1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Lessons Learned: E-Learning Company Faces $50,000 Spam Fine

The Canadian Radio-television and Telecommunications Commission (CRTC) has issued its first Compliance and Enforcement Decision* under Canada’s Anti-Spam Law (CASL).  The Commission confirmed the staff finding that Blackstone Learning Corp. had committed 9 violations of CASL by sending almost 400,000 emails in 2014 without proper consent.  However, the Commission reduced the administrative monetary penalty originally set in the notice of violation from $640,000 to $50,000.  While it is open to Blackstone to appeal the decision, meaning that we may not have heard the last of this case, the Commission’s decision provides useful commentary on its approach to CASL compliance and enforcement.  The following are lessons learned under two headings: implied consent, and what we will refer to as “sender conduct”.

Email addresses posted online – ripe for the picking as “implied consent”?

Not so fast, cautions the CRTC.  While addresses that have been “conspicuously published” online or otherwise may qualify for implied consent, this “does not provide persons sending commercial electronic messages [CEMs] with a broad licence to contact any electronic address they find online”.  The CASL conditions attached to “conspicuous publication” set a higher standard than that.  As a starting point, the person who receives the email message must have posted his address himself, or authorized it to be posted.  Often, an employer will post contact information including an employee’s email address, which for the purposes of CASL implies that CEMs can be sent IF there is no indication otherwise, and IF the messages are relevant to the person’s business role or function.

As the CRTC points out, if a business chooses to advertise through a third party (our example: an online service provider listing) and includes an employee’s contact information along with the ad, this can be the basis for implied consent to contact the employee in relation either to the ad or to the employee’s role, because the account holder (the employer) caused the publication.  Implied consent stops there:  if the listing service goes on to copy or sell the list of addresses on its own, new senders can no longer count on the “conspicuous publication” implied consent, because the account holder did not authorize any further publication.

Lesson learned:  Implied consent is evaluated on a case-by-case basis.  Under CASL, the onus is on the sender to prove consent.  The CRTC “stress[es] the importance of detailed and effective record-keeping for this reason.”

What is a “reasonable” monetary penalty under the CASL regime?  How important are the sender’s conduct and circumstances?

CRTC staff set out an administrative monetary penalty (AMP) of $640,000 in the notice of violation issued to Blackstone.  Having determined that Blackstone did commit the CASL violations, the Commission considered whether the AMP was reasonable.  CASL sets out a number of factors to be taken into consideration.

  • purpose of the penalty: the Commission stated that the amount must be representative of the violations, and have enough of an impact on a person to promote changes in behavior, in effect a second chance. An amount high enough to put a person out of business would mean he would no longer have that second chance.  An AMP of $640,000 would be too high.
  • nature and scope of the violations:  while almost 400,000 non-compliant messages were sent, were disruptive to the recipients, and prompted at least 60 complaints to the Spam Reporting Centre, the violations took place over only 2 months, and suggests that an AMP of $640,000 would be too high.
  • ability to pay:  based on the evidence, an AMP of $640,000 would significantly exceed Blackstone’s ability to pay.
  • other factors – cooperation and self-correction:  Blackstone’s failure to cooperate with the investigation increased the need for a penalty to ensure future compliance. However, the Commission saw some possibility of “self-correction” going forward, which suggested that a lower AMP would be appropriate.

The Commission decided on the amount of $50,000.  The Commission noted that Blackstone did not have the benefit of more recent CASL guidance which is now available to everyone online.  This should be read as a thinly-veiled direction to others:  the decision cites The Commission’s Guidance on Implied Consent for CASL and also the Department of Industry’s Fightspam information website for businesses and individuals.

Lesson learned:  the Commission expects organizations to do their homework, to cooperate with investigations, and to self-correct when they discover mistakes.

We have been assisting many organizations in Canada and other countries to adapt their practices to comply with CASL.  Let us know if we can help you.

*A number of organizations have been subject to CASL enforcement since the Act came into force in July 2014; some of these cases have not been made public, and others have been publicly available only through brief settlement summaries.  This is the first Commission decision reviewing a Compliance and Enforcement Sector notice of violation.

,

Lessons Learned: E-Learning Company Faces $50,000 Spam Fine

CASL compliance undertakings continue to mount

Another company that is well-known to consumers has agreed to enter into a compliance undertaking with the CRTC for alleged CASL violations.  Kellogg Canada Inc. has paid a monetary penalty of $60,000 and undertaken to enter into a compliance program to better address elements such as:

  • written CASL compliance policies and procedures;
  • training programs for employees;
  • tracking CASL complaints and resolution; and
  • monitoring and auditing mechanisms to assess compliance.

Notably, the compliance issues arose from messages that were sent: not only by Kellogg, but also by its third party service providers, and not long after CASL entered into force in July 2014.  This was a time when many companies were early on in the process of familiarizing themselves with the many CASL requirements, and implementing programs to make sure that databases, third party agencies (marketing companies and other service providers) and internal procedures were all in line.

The CRTC’s Notice regarding Kellogg’s 2014 compliance issues comes only a month after the CRTC issued its Enforcement Advisory to businesses and individuals on how to keep records of consent (see our recent blog post here), and less than a year before the Private Right of Action becomes available in Canada under CASL legislation, meaning that the CRTC will not be the only one taking businesses to task for CASL compliance.

CASL compliance undertakings continue to mount

Canada’s role in international botnet takedown

The Canadian Radio-television and Telecommunications Commission (CRTC) has served its first warrant under Canada’s Anti-Spam Law (CASL) to take down a Toronto-based command and control server.  The malware family Win32/Dorkbot had reportedly infected more than a million personal computers in 190 countries.

The CRTC has repeatedly stated that it is working together in close collaboration with other countries to address spam, malware and other “online threats”.  In this case, the CRTC collaborated with the FBI, Europol, Interpol, Microsoft, and the RCMP, among others.  The CRTC Chief Compliance and Enforcement Officer, Manon Bombardier, has said that “partnerships between domestic and international law enforcement agencies are key in the fight against transnational cyber threats”.  CASL expressly provides for sharing information among the Government of Canada, various Canadian enforcement agencies, and the government of a foreign state or international organization, for the purpose of administering and enforcing CASL’s anti-spam and malware provisions.

For more information on CASL’s application to malware, see CASL – Software, Apps and other Computer Programs.

, ,

Canada’s role in international botnet takedown

Privacy law and anti-spam: Guidance from the Office of the Privacy Commissioner of Canada

Recent enforcement under Canada’s anti-spam legislation (CASL) by the Canadian Radio-Television and Telecommunications Commission (CRTC) is keeping the spotlight on this new legislation, which came into force just last year. While the CRTC is responsible for the bulk of enforcement under CASL, organizations should remember that CASL also brought in changes to Canada’s federal privacy law,  the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the collection, use and disclosure of personal information (including individuals’ email addresses).

The federal Office of the Privacy Commissioner of Canada (OPC) is responsible for investigating violations related to the new provisions under PIPEDA that target the practice of address harvesting. Address harvesting generally involves collecting electronic addresses through the use of a computer program, such as through web scraping, spyware, or automatic generation.

The OPC recently issued a guide and tip sheet for organizations on pratical steps to take to avoid contravening the PIPEDA requirements, including:

1. Obtain consent: Organizations must ensure that individuals are informed clearly and accurately at the point of collection about how their email addresses will be used. Just because an email address is posted online, it cannot be assumed that the individuals at the addresses posted have provided consent to receive email marketing. It is also useful to remember that there is no exception for address harvesting of business email addresses; PIPEDA’s definition of personal information includes business addresses.

2. Due Diligence with Service Providers: If an organization buys a list of email addresses from a vendor or employs service providers to conduct email marketing on their behalf, they should take due diligence steps by asking key questions, such as:

  • How was consent obtained? Appropriate consent at the time of collection must be obtained to use email addresses. Ensure that email marketing service providers utilize a clear consent process. If buying or using a list from a list vendor, were the email addresses collected through web scraping or automatic generation?
  • How is the email address list kept up to date? Unless otherwise permitted under the law, individuals should be permitted to withdraw consent to the use of their personal information at any time, such as by unsubscribing from an email list, and this functionality should be made available. Organizations that use a purchased list of email addresses should ensure that any unsubscribe requests will be communicated to them so that the email can be removed from the list that they use.

3. Maintain written records: An organization should document all email marketing compliance measures, including due diligence steps taken when contracting with a list vendor or email marketing company. Ensure that the service agreements with these organizations expressly require compliance with CASL and applicable privacy laws.

Conclusion

Organizations are responsible for ensuring that all individuals that receive email marketing from them have provided appropriate consent for the collection and use of their address for marketing . The OPC will review reports to the Spam Reporting Centre to identify email harvesters and spyware collecting personal information without consent. Organizations should take steps to comply with PIPEDA to avoid being caught by an OPC investigation, which could lead to being named in the OPC’s reports of its findings and recommendations.

, , ,

Privacy law and anti-spam: Guidance from the Office of the Privacy Commissioner of Canada

Canada’s Anti-Spam Law (CASL) applies to Software January 15

Earlier this year we told you that Canada’s Anti-Spam Law (CASL) is not just for Canadians.

CASL is also not just about spam.  Effective January 15, 2015, CASL applies to the installation of “computer programs” – software, apps and other programs – on the computer or device of another person.  This affects software vendors, app developers, gaming and entertainment companies, and others that are in the business of providing software to businesses and individuals in Canada.

Like CASL’s spam provisions:

  • the software provisions apply where a Canadian is the recipient – in this case, the recipient of the software, app, or other program;
  • the regime is based on “express consent”, as defined by the legislation; and
  • significant administrative monetary penalties (maximum $10 million) can be levied for non-compliance.

Our overview presentation walks through CASL’s application to computer programs.

Other resources published by the Canadian Radio-television and Telecommunications Commission (CRTC):

, , , , , , ,

Canada’s Anti-Spam Law (CASL) applies to Software January 15