1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Lessons Learned: E-Learning Company Faces $50,000 Spam Fine

The Canadian Radio-television and Telecommunications Commission (CRTC) has issued its first Compliance and Enforcement Decision* under Canada’s Anti-Spam Law (CASL).  The Commission confirmed the staff finding that Blackstone Learning Corp. had committed 9 violations of CASL by sending almost 400,000 emails in 2014 without proper consent.  However, the Commission reduced the administrative monetary penalty originally set in the notice of violation from $640,000 to $50,000.  While it is open to Blackstone to appeal the decision, meaning that we may not have heard the last of this case, the Commission’s decision provides useful commentary on its approach to CASL compliance and enforcement.  The following are lessons learned under two headings: implied consent, and what we will refer to as “sender conduct”.

Email addresses posted online – ripe for the picking as “implied consent”?

Not so fast, cautions the CRTC.  While addresses that have been “conspicuously published” online or otherwise may qualify for implied consent, this “does not provide persons sending commercial electronic messages [CEMs] with a broad licence to contact any electronic address they find online”.  The CASL conditions attached to “conspicuous publication” set a higher standard than that.  As a starting point, the person who receives the email message must have posted his address himself, or authorized it to be posted.  Often, an employer will post contact information including an employee’s email address, which for the purposes of CASL implies that CEMs can be sent IF there is no indication otherwise, and IF the messages are relevant to the person’s business role or function.

As the CRTC points out, if a business chooses to advertise through a third party (our example: an online service provider listing) and includes an employee’s contact information along with the ad, this can be the basis for implied consent to contact the employee in relation either to the ad or to the employee’s role, because the account holder (the employer) caused the publication.  Implied consent stops there:  if the listing service goes on to copy or sell the list of addresses on its own, new senders can no longer count on the “conspicuous publication” implied consent, because the account holder did not authorize any further publication.

Lesson learned:  Implied consent is evaluated on a case-by-case basis.  Under CASL, the onus is on the sender to prove consent.  The CRTC “stress[es] the importance of detailed and effective record-keeping for this reason.”

What is a “reasonable” monetary penalty under the CASL regime?  How important are the sender’s conduct and circumstances?

CRTC staff set out an administrative monetary penalty (AMP) of $640,000 in the notice of violation issued to Blackstone.  Having determined that Blackstone did commit the CASL violations, the Commission considered whether the AMP was reasonable.  CASL sets out a number of factors to be taken into consideration.

  • purpose of the penalty: the Commission stated that the amount must be representative of the violations, and have enough of an impact on a person to promote changes in behavior, in effect a second chance. An amount high enough to put a person out of business would mean he would no longer have that second chance.  An AMP of $640,000 would be too high.
  • nature and scope of the violations:  while almost 400,000 non-compliant messages were sent, were disruptive to the recipients, and prompted at least 60 complaints to the Spam Reporting Centre, the violations took place over only 2 months, and suggests that an AMP of $640,000 would be too high.
  • ability to pay:  based on the evidence, an AMP of $640,000 would significantly exceed Blackstone’s ability to pay.
  • other factors – cooperation and self-correction:  Blackstone’s failure to cooperate with the investigation increased the need for a penalty to ensure future compliance. However, the Commission saw some possibility of “self-correction” going forward, which suggested that a lower AMP would be appropriate.

The Commission decided on the amount of $50,000.  The Commission noted that Blackstone did not have the benefit of more recent CASL guidance which is now available to everyone online.  This should be read as a thinly-veiled direction to others:  the decision cites The Commission’s Guidance on Implied Consent for CASL and also the Department of Industry’s Fightspam information website for businesses and individuals.

Lesson learned:  the Commission expects organizations to do their homework, to cooperate with investigations, and to self-correct when they discover mistakes.

We have been assisting many organizations in Canada and other countries to adapt their practices to comply with CASL.  Let us know if we can help you.

*A number of organizations have been subject to CASL enforcement since the Act came into force in July 2014; some of these cases have not been made public, and others have been publicly available only through brief settlement summaries.  This is the first Commission decision reviewing a Compliance and Enforcement Sector notice of violation.

,

Lessons Learned: E-Learning Company Faces $50,000 Spam Fine

CRTC enters into MOU with FTC on spam and unlawful telemarketing

As we have noted in previous posts (here and here), the Canadian Radio-television and Telecommunications Commission (CRTC) has repeatedly highlighted its work with its international counterparts to combat spam and unlawful telemarketing, among other communications “threats”.

On March 24, CRTC Chairman Jean-Pierre Blais and US FTC Chairwoman Edith Ramirez signed a Memorandum of Understanding addressing these threats:  the MOU between the US Federal Trade Commission and the CRTC on mutual assistance in the Enforcement of Laws on commercial email and telemarketing.  The MOU states that the two organizations have already “worked closely in connection with numerous investigations and enforcement actions relating to unsolicited commercial email (spam) and automated telephone calls (robocalls); and have collaborated on promoting technological solutions to robocalls”.

The laws administered by the agencies – the FTC Act and CASL, respectively – both  contemplate sharing information with foreign enforcement agencies under certain conditions.  The new MOU recognizes that it is in the FTC’s and the CRTC’s “common public interest” to extend support across the border where this will assist investigation and enforcement efforts, including:

  1. cooperate with respect to the enforcement against Covered Violations, including sharing complaints and other relevant information and providing investigative assistance;
  2. facilitate research and education related to unauthorized telemarketing and unauthorized telephone calls;
  3. facilitate mutual exchange of knowledge and expertise through training programs and staff exchanges;
  4. promote a better understanding by each Participant of economic and legal conditions and theories relevant to the enforcement of the Applicable Laws; and
  5. inform each other of developments in their respective countries that relate to this Memorandum in a timely fashion.

Accordingly, the FTC and CRTC will share information, provide investigative assistance, and coordinate enforcement against cross-border violations that both sides agree are priority cases.

The announcement is timely in at least one sense.  Industry stakeholders in Canada have complained that the CRTC’s publicized enforcement activity to date has focused largely on Canadian companies that have made mistakes in implementing CASL’s complex compliance requirements.  There has been comparatively little visibility around the CRTC’s efforts to “drive spammers out of Canada” – one of CASL’s primary objectives.

, ,

CRTC enters into MOU with FTC on spam and unlawful telemarketing

Canada’s role in international botnet takedown

The Canadian Radio-television and Telecommunications Commission (CRTC) has served its first warrant under Canada’s Anti-Spam Law (CASL) to take down a Toronto-based command and control server.  The malware family Win32/Dorkbot had reportedly infected more than a million personal computers in 190 countries.

The CRTC has repeatedly stated that it is working together in close collaboration with other countries to address spam, malware and other “online threats”.  In this case, the CRTC collaborated with the FBI, Europol, Interpol, Microsoft, and the RCMP, among others.  The CRTC Chief Compliance and Enforcement Officer, Manon Bombardier, has said that “partnerships between domestic and international law enforcement agencies are key in the fight against transnational cyber threats”.  CASL expressly provides for sharing information among the Government of Canada, various Canadian enforcement agencies, and the government of a foreign state or international organization, for the purpose of administering and enforcing CASL’s anti-spam and malware provisions.

For more information on CASL’s application to malware, see CASL – Software, Apps and other Computer Programs.

, ,

Canada’s role in international botnet takedown

Canada’s Anti-Spam Law (CASL) applies to Software January 15

Earlier this year we told you that Canada’s Anti-Spam Law (CASL) is not just for Canadians.

CASL is also not just about spam.  Effective January 15, 2015, CASL applies to the installation of “computer programs” – software, apps and other programs – on the computer or device of another person.  This affects software vendors, app developers, gaming and entertainment companies, and others that are in the business of providing software to businesses and individuals in Canada.

Like CASL’s spam provisions:

  • the software provisions apply where a Canadian is the recipient – in this case, the recipient of the software, app, or other program;
  • the regime is based on “express consent”, as defined by the legislation; and
  • significant administrative monetary penalties (maximum $10 million) can be levied for non-compliance.

Our overview presentation walks through CASL’s application to computer programs.

Other resources published by the Canadian Radio-television and Telecommunications Commission (CRTC):

, , , , , , ,

Canada’s Anti-Spam Law (CASL) applies to Software January 15

How Canada’s Anti-Spam Enforcers will Cooperate, Coordinate, Share Information

Canada’s Anti-Spam Legislation (CASL) brings with it new legal violations and penalties, some of which become effective as of July 1, 2014.   The Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada will have new enforcement roles with respect to these violations and penalties, in the following areas:

CRTC: spamming, traffic rerouting (altering transmission data without authorization);  malware (installation of “computer programs” without consent)

Competition Bureau: fraud (false and misleading representations online, e.g. websites and addresses)

Office of the Privacy Commissioner: harvesting (using computer system to collect addresses without consent); invasion of privacy (unauthorized access to computer system to collect personal information without consent).

On January 23, 2014, the Competition Bureau announced that it had entered into a memorandum of understanding (MOU) with the Office of the Privacy Commissioner of Canada and the CRTC the regarding the implementation of their mandates under CASL.  The MOU is dated October 22, 2013.

Nature of the MOU

The MOU fleshes out the already detailed CASL provisions on “consultation and disclosure of information” among the agencies, and with foreign states.  The provisions of CASL itself, and the requirements of the MOU, suggest that all concerned are aware that coordination will not be an easy task.  For example, CASL requires the agencies to provide the Minister of Industry with “any reports that he or she requests” on how they are co-ordinating efforts on their mandated areas.  The MOU requires agency officials to meet “at least quarterly” to discuss enforcement activities and any other matters “of mutual interest” relating to CASL.

While the MOU is not intended to be legally binding or enforceable by the courts, it does represent these three agencies’ agreement on how they intend to co-ordinate their responsibilities.  Among other things, that will affect how each agency’s staff will approach their enforcement activities on the ground.

Notification

Each agency will notify the others with respect to enforcement activities – including the conduct under investigation and CASL provisions at issue – that “may potentially affect” the others’ interests under CASL.

Enforcement Cooperation, Coordination and Information Sharing

The agencies will consult with each other, and may share information related to their enforcement activities.  Where those activities potentially overlap, they will “seek to coordinate their efforts”, whether jointly or alongside one another.  The agencies will also coordinate involvement in information requests and arrangements with foreign agencies.  Once the Private Right of Action (PRA) becomes effective as of July 1, 2017, when an agency is informed of a PRA initiated by a third party, that agency will notify the others.

Criminal Law Enforcement by the Commissioner of Competition

The Commissioner of Competition has authority under CASL to pursue enforcement activities under CASL’s criminal provisions.  Under the MOU, the Commissioner is to notify the other agencies where a decision has been made on that front.  That will in turn halt any cooperation and information sharing among the agencies on that enforcement activity.

Competing interests and Confidentiality

The MOU is not intended to override an agency’s obligations under existing laws, including the Access to Information Act.  This extends to sharing information.  Agencies will make “best efforts to share what information they can, consistent with their interests and legal obligations”.  The agencies commit to maintaining confidentiality of information received from another agency “to the fullest extent allowed by law”, and will use that information only for enforcement activities under the MOU – unless the agency that provided the information agrees to the use of the information for other purposes.

Conclusion

The MOU is another indication, in a long line of communications, guidelines, and statements, that the implementation process for CASL will be very new territory, not only for stakeholders, but for the enforcement agencies themselves.

, ,

How Canada’s Anti-Spam Enforcers will Cooperate, Coordinate, Share Information