Canada’s Anti-Spam Legislation (“CASL”) came into force on July 1, 2014, creating new requirements for sending commercial electronic messages (“CEM”). A non-compliant business risks having “administrative monetary penalties” (or “AMPs,”, which are essentially fines) levied against it by the CRTC. However, until recently, there has been no guidance on how aggressively CASL would be enforced, the scope of Notices of Violations, or how AMPs would be determined, and the scope of such. Businesses were stuck in a murky regulatory regime.
With the recent $48,000 AMP imposed on PlentyOfFish, as part of an undertaking entered into between the company and the CRTC, the water is becoming clearer.
After receiving a number of complaints, the CRTC launched an investigation of PlentyOfFish.com, ultimately finding that the dating website was sending CEMs to its users without a proper unsubscribe mechanism, in violation of the legislation. The unsubscribe mechanism was not clearly or prominently set out, and could not be readily performed, as required by the legislation; accordingly, PlentyOfFish’s CEMs were found to be in violation of the legislation.
So what can businesses learn from the CRTC’s recent CASL activities?
- Once made aware of the investigation, PlentyOfFish updated its unsubscribe mechanism to comply with the provisions of the CASL regulation. While businesses should ensure compliance with CASL from the outset, the PlentyOfFish cases suggests that prompt review and remediation upon receipt of a notice of an investigation may assist in keeping penalties on the low end of the scale.
Businesses should ensure that all CEMs contain a clear and prominent unsubscribe mechanism, and further ensure that the steps to unsubscribe are not unduly difficult or otherwise not able to be performed. This can include:
- a link to a web page where the user can unsubscribe from receiving all or some types of CEMs; or
- in the case of SMS messages, the ability to click on a similar link or text back the word “stop” or “unsubscribe.”
The $48,000 fine was paid by PlentyofFish as part of an undertaking entered into between the company and the CRTC. Undertakings are essentially binding promises and may be entered into before or after a Notice of Violation are issued; contravention of a term of the undertaking is itself a violation. Once again, the lesson appears to be that moving quickly to respond and address alleged deficiencies can keep penalties lower. However, this is a trade-off, as a business which enters into an undertaking will incur costs related to creation of a compliance program, which is almost certainly going to be a required term of any undertaking.
The federal government has provided an information bulletin containing guidelines to help businesses develop corporate compliance programs in light of CASL. Businesses should consider taking the following steps:
- involving senior management in fostering a culture of compliance in the organization;
- conducting a risk assessment for which business activities run the greatest risk of violating CASL;
- development of a written corporate compliance policy, which should be updated regularly and easily accessible by all employees;
- keeping accurate and thorough records;
- create and implement an effective training program for employees;
- create and implement auditing and monitoring mechanisms for the compliance program;
- put a complaint-handling system in place to ensure customers can submit complaints that are addressed in a reasonable period of time;
- create and enforce an organizational disciplinary code to address contraventions.
- The CRTC has further conducted a number of information sessions, and has a number of guides available on its website to aid in businesses’ efforts to comply with CASL. Businesses developing a corporate compliance program should review the available government guidelines for practical tips.
Businesses are beginning to see CASL’s teeth, as CRTC investigators start to reel in violators of the legislation. Administrative monetary penalties under the legislative regime may be up to $1,000,000 per violation for individuals, and $10,000,000 for organizations. The CRTC may require undertakings which can include fines and corrective measures, such as in this case, or may also issue warning letters, preservation demands, notices to produce, restraining orders, and notices of violation. The PlentyofFish fine is only the second major penalty imposed under CASL, but businesses should be ready to weather unfriendly seas if they intend to send CEMs without ensuring compliance with Canada’s anti-spam legislation.