Over two years after the enactment of Canada’s anti-spam legislation, the Canadian Radio-Television and Telecommunications Commission (CRTC) has issued its first decision on the law, with a particular focus on the consent requirement for sending marketing emails.

Background on Canada’s Anti-Spam Legislation

Canada’s anti-spam law applies to unsolicited or misleading “commercial electronic messages,” which are broadly defined as any message in which one purpose is to encourage participation in a commercial activity. The law therefore applies specifically to marketing or promotional emails. It generally requires the sender to obtain express or implied consent from the recipient. The message itself must also satisfy certain requirements, such as disclosure of the sender’s contact information and an “unsubscribe” mechanism. The law provides for a penalty of up to $10 million per violation, civil liability by private right of action (effective July 1, 2017), and vicarious liability for employers, directors, and officers in certain circumstances.

CRTC’s Decision

The subject of CRTC’s decision[1] is Blackstone Learning Corporation, a company that provides educational and training services. In 2014, Blackstone sent over 385,000 unsolicited marketing emails to Canadian government employee email addresses. It appears that Blackstone obtained the email addresses through various government websites. The messages promoted Blackstone’s technical writing, grammar, and stress-management programs. The CRTC became aware of these messages after more than 60 of the government employees who received them complained to the CRTC’s Spam Reporting Centre. These complaints prompted the CRTC to launch an investigation into Blackstone. On January 30, 2015, CRTC issued a notice of violation finding that Blackstone’s marketing emails violated the anti-spam law and proposed a $640,000 penalty.

Blackstone challenged the notice of violation, arguing that (1) it had implied consent from the recipients to send the emails and (2) the penalty imposed was “unreasonably high.”

Relying on the anti-spam law’s “conspicuous publication exemption,” Blackstone argued that it had implied consent to send the emails because the recipients’ email addresses were publicly available online. The CRTC rejected this position because the anti-spam law only allows for unsolicited messages to “conspicuously published” email addresses where the message is relevant to the recipient’s employment or official role and where the recipient has not indicated that he or she does not wish to receive unsolicited emails. The CRTC reasoned that the law does not provide a “broad license to contact any electronic address” found online; rather, implied consent must be evaluated on a “case-by-case basis.” Presumably, had the message been one that related specifically to the government employees’ roles, that might have been acceptable. For example, if a government employee who received the Blackstone marketing email had a public website profile that stated that the employee is responsible for purchasing office supplies and that suggested (either directly or indirectly) that potential vendors send an email with information, that scenario would likely meet the criteria for “implied consent.”

With respect to Blackstone’s marketing emails, the CRTC found that Blackstone did not satisfy the exemption because it failed to provide any supporting information with respect to

  • where or how it discovered any of the recipient email addresses in question;
  • when it obtained them;
  • whether their publication was conspicuous;
  • whether they were accompanied by a statement indicating that the person does not want to receive unsolicited commercial electronic messages; or
  • how it determined that the emails it was sending were relevant to the roles or functions of the intended recipients.

The CRTC, therefore, affirmed that Blackstone violated the anti-spam law.

With respect to whether the $640,000 penalty against Blackstone was appropriate, the CRTC considered a number of factors. Chief among those were Blackstone’s ability to pay and its cooperation with the CRTC. The CRTC noted that it could not initially determine whether Blackstone was able to pay the penalty because Blackstone did not provide financial information requested by the CRTC. But based on some unaudited financial statements that Blackstone eventually produced, the CRTC determined that the original penalty would amount to several years’ worth of Blackstone’s revenues. As such, the CRTC concluded that a $50,000 penalty was more appropriate and proportionate to the specific facts of the case.

Implications

This decision shows that the CRTC is determined to vigorously investigate complaints and enforce Canada’s anti-spam law. US companies need to be aware of the requirements of this law when sending marketing messages to email addresses that they know or should know to be in Canada. Companies should understand that they cannot send marketing emails to Canadian email addresses solely because the email addresses are available online.

If a company does send emails because addresses are online, the company should be sure to

  • establish a link between the recipient’s role or responsibility and the email being sent; and
  • maintain copies of the information it obtained online to document that the email addresses were obtained online.

The decision also reveals that, under certain circumstances, there may be value in challenging a notice of violation by the CRTC, enabling companies to provide additional information to the CRTC and obtain a more favorable outcome.

In many other jurisdictions, including in Europe and many countries in Asia, there are specific prohibitions on sending marketing communications without consent. There are also requirements to give the recipients the right to “opt out” of future marketing communications. Many European data protection authorities, including in the United Kingdom, have increased their enforcement of these laws and issued fines to companies. In the United Kingdom, there is a proposed change in the law to make the directors of marketing companies personally liable for breaching direct marketing laws.

In the United States, the federal CAN-SPAM Act (15 U.S.C. § 7704) requires that marketing emails to promote a commercial product or service must meet certain requirements, including a non-deceptive subject line, identification as an advertisement, a physical address for the sender, an opt-out mechanism, and the timely honoring of opt-out requests. Obtaining the recipient’s prior affirmative consent only relieves companies of the requirement to identify the message as an advertisement; all other CAN-SPAM requirements otherwise apply. Violating CAN-SPAM is costly for companies as the Federal Trade Commission just recently increased the maximum penalty from $16,000 to $40,000 per email.