On March 5, 2015, the Canadian Radio-television and Telecommunications Commission (CRTC) issued its first Notice of Violation under Canada’s Anti-Spam Legislation (CASL), which included a C$1.1-million administrative monetary penalty (AMP).
The Notice of Violation was issued against Compu-Finder, a Quebec-based corporate training services provider. The CRTC alleged that between July 2, 2014 (the day after CASL came into force) and September 16, 2014, Compu-Finder sent commercial electronic messages without the consent of the recipient and without a properly functioning unsubscribe mechanism, resulting in four separate violations of the Act.
Compu-Finder has 30 days to pay the penalty or submit written representations to the CRTC with respect to the amount of the penalty or the acts or omissions alleged to be violations of CASL. It may also pursue entering into an undertaking with the CRTC in respect of this matter (which would be similar to a settlement and would have the effect of ending the proceeding commenced by the Notice of Violation).
Although the actual Notice of Violation is not yet publicly available, the CRTC’s press release does provide insight into the CRTC’s enforcement approach as well as its interpretation of certain provisions of CASL.
It is clear that the number of complaints received through the Spam Reporting Centre in respect of Compu-Finder was a factor in the CRTC’s decision to investigate. Complaints regarding Compu-Finder accounted for 26 per cent of all complaints submitted to the Spam Reporting Centre in the professional training industry.
APPROACH TO COMPLIANCE
The CRTC’s enforcement approach was clearly influenced by Compu-Finder’s allegedly “flagrant” disregard for the requirements of CASL. The CRTC’s Chief Compliance and Enforcement Officer Manon Bombardier stated that “[d]espite the CRTC’s efforts, Compu-Finder flagrantly violated the basic principles of the law by continuing to send unsolicited commercial electronic messages after the law came into force to email addresses it found by scouring websites.” We note that the CRTC’s approach in this case is in stark contrast to its approach in an investigation last fall into Access Communications (an ISP) and a small Saskatchewan-based company, whose server became infected with malware and caused it to join a botnet resulting in the company unknowingly sending millions of spam messages. In the latter case, the CRTC emphasized the cooperation of the company investigated and no penalty was issued.
AMOUNT OF AMP
A C$1.1-million AMP for four violations of CASL averages out to C$275,000 per violation. While this amount is much lower than the C$10-million AMP per violation that is possible under the Act, it is likely large enough to have an impact on Compu-Finder. In determining the amount of an AMP, CASL requires that the CRTC consider a non-exhaustive list of factors including the ability of the offending person to pay as well as the purpose of AMPs under the Act, which is to promote compliance and not to punish. In the CRTC’s press release, Ms. Bombardier indicates that her goal in issuing the Notice of Violation is “to encourage a change of behaviour on the part of Compu-Finder such that it adapts its business practices to the modern reality of electronic commerce and the requirements of the anti-spam law.”
REQUIREMENTS FOR IMPLIED CONSENT
The CRTC alleged that Compu-Finder collected email addresses by “scouring websites.” Interestingly, under CASL, consent to send a commercial electronic message is implied if the recipient conspicuously published (or caused to be conspicuously published) his or her email address, provided he or she has not indicated a desire not to receive commercial electronic messages at that address and the message is relevant to his or her role, duties or functions in a business or official capacity. Since Compu-Finder provides corporate training services, it is possible that its email messages could relate to a recipient’s role, duties or functions in a business or official capacity, and therefore consent to send commercial electronic messages to a recipient who has published his or her email address online could be implied. However, the CRTC made it clear that the recipients involved in this investigation did not find the messages to be relevant to them at all. Further, even if Compu-Finder relied on implied consent, the CRTC is alleging that the messages sent did not comply with CASL’s form and content requirements as they did not have a functioning CASL-compliant unsubscribe mechanism.
The CRTC indicated that Compu-Finder was sending commercial electronic messages to businesses (as opposed to consumers). Regulations enacted under CASL offer an exemption to businesses sending messages to other businesses with which the sender has a “relationship” and where the message concerns the activities of the organization to which the message is sent. Many businesses were expecting this exemption to be wide in scope and that both the definition of a “business relationship” and what would “concern the activities of an organization” would be interpreted largely. However, it is clear that the CRTC is examining the relationships that exist or not between businesses as well as whether the recipient businesses find the messages relevant to them. In light of this interpretation, businesses may need to more carefully examine the electronic messages they send in reliance on this exemption.
In the absence of any significant public enforcement activity in the months immediately after CASL came into force, some were beginning to wonder if we would ever see any penalties issued under CASL. This case has made clear that the CRTC is indeed actively investigating and will take enforcement action where it sees fit.