Hot on the heels of the Compu-Finder case reported earlier here, the CRTC announced yesterday that PlentyOfFish Media Inc., a Canadian online dating website, had agreed to pay $48,000 in administrative monetary penalties (AMPs) as part of a settlement with the CRTC in respect of an alleged violation of Canada’s anti-spam legislation or CASL. Under the settlement, PlentyOfFish will be required to develop and implement a compliance program to ensure that its activities are compliant with CASL.

While the Compu-Finder case centered around the issue of whether recipients of commercial electronic messages (CEMs) had provided the requisite consent, this latest case deals with the form and functionality of the unsubscribe mechanism required in non-exempt CEMs.

Requirement Under CASL

CASL has specific requirements regarding the unsubscribe mechanism. According to Section 11(1)(a) of CASL, the unsubscribe mechanism must:

“enable the person to whom the commercial electronic message is sent to indicate, at no cost to them, the wish to no longer receive any commercial electronic messages, or any specified class of such messages, from the person who sent the message or the person - if different - on whose behalf the message is sent, using

(i) the same electronic means by which the message was sent, or

(ii) if using those means is not practicable, any other electronic means that will enable the person to indicate the wish; and\

(b) specify an electronic address, or link to a page on the World Wide Web that can be accessed through a web browser, to which the indication may be sent.”

The unsubscribe mechanism must be “valid” for 60 days after the date the message is sent. Unsubscribe requests must be processed without delay and in any event within 10 business days of receipt of the request. In addition, pursuant to the Electronic Commerce Protection Regulations (CRTC), there is an additional requirement that the unsubscribe mechanism be set out “clearly and prominently” in the message and that it is “able to be readily performed.”

Analysis

Why is this latest CRTC enforcement action significant? In our view, it clearly shows that the CRTC is focused not only with the fundamental issue of whether recipients of CEMs have provided the necessary consents, but also the actual form of the CEM itself. In the PlentyOfFish case, emails were supposedly sent to users of the site, however, the CEM did not have a clearly labelled or easy-to-use unsubscribe mechanism.

Given that registered site users would either have provided some form of express consent or that “implied consent” (was obtained under the existing business relationship concept), we believe the CRTC is signalling that, even if express or implied consents are in place,  the form of the CEM still matters and that it is important that CEMs meet all of the very specific and detailed requirements of CASL.

We also remind readers that, as of July 1, 2017, a private right of action for violations of CASL comes into effect.  Entering into an undertaking with the CRTC in respect of an alleged CASL infraction will serve to limit the remedies available to private litigants arising from the same matter, so we can expect to see an increase in these undertakings in the months and years to come.

Key Takeaways

This case is noteworthy for several reasons. First, it clearly signals that the CRTC is stepping up its enforcement action and will not hesitate to use the tools available to it under CASL. Second, in addition to verifying that businesses obtain the requisite consents, the CRTC is closely looking at whether businesses sending CEMs are complying with the specific requirements of CASL (e.g., how unsubscribe mechanisms are presented to recipients). Lastly, businesses should consider implementing a CASL compliance policy (coupled with training and education for staff) as a risk mitigation strategy.