We previously wrote about the significant administrative monetary penalty (AMP) of $1.1 million issued by the Canadian Radio-television and Telecommunications Commission (CRTC) for alleged violations of Canada’s Anti-Spam Legislation (CASL) by a Quebec-based training company called Compu.Finder (CompuFinder).
Now, more than two years later, the CRTC has issued further decisions in this matter that provide helpful guidance to organizations who are sending commercial electronic messages (CEMs).
On March 5, 2015, a notice of violation was issued against CompuFinder for failing to meet CASL requirements. CompuFinder responded with representations in May 2015. Last month, the CRTC issued two further decisions to respond to CompuFinder’s challenges regarding the constitutionality and application of CASL.
The decisions provide guidance on how the CRTC will interpret and apply CASL, including with respect to when certain exemptions can be relied on, what documentation and due diligence the CRTC expects from organizations, and what constitutes an “appropriate” AMP.
The First Decision (CRTC 2017-367)
CompuFinder challenged the constitutionality of CASL, claiming that the federal Government did not have the power to enact CASL and that CASL violated various rights granted by the Canadian Charter of Rights and Freedoms – including the right to freedom of expression. The CRTC dismissed these challenges and confirmed that, in its view, CASL is constitutional.
The Second Decision (CRTC 2017-368)
The CRTC considered CompuFinder’s other arguments in a separate decision, concluding that CompuFinder did commit the violations alleged by CRTC in the original notice of violation. In doing so, the CRTC provided the following guidance on CASL:
a) Business-to-Business (B2B) Exemption
The B2B exemption provides that CASL does not apply to messages sent between representatives of different organizations that do business with each other – if the organizations have an existing “relationship” and the message “concerns the activities” of the receiving organization.
The decision provides the following welcome guidance on this exemption:
- the “relationship” must be with the receiving organization, not just its representatives;
- for messages to qualify for the exemption, they must specifically discuss or make reference to the activities of the receiving organization; and
- evidence must be produced to support the application of the exemption, including records that demonstrate the period or frequency of organizations’ communications, including whether such communications were reciprocated and the content of the communications.
b) Unsubscribe Mechanism
If CEMs are subject to CASL, they must contain an appropriate unsubscribe mechanism. The decision emphasizes that this unsubscribe mechanism must be completely functional.
In the case of CompuFinder, the mechanism contained more than one unsubscribe link, only one of which was fully functional. The CRTC found that this created “confusion and frustration” among customers who wanted to unsubscribe but thought they could not. As such, the unsubscribe mechanism did not satisfy the requirements of CASL.
c) Implied Consent to Send CEMs
In the right circumstances, organizations can rely on implied consent. For example, the conspicuous publication exemption permits organizations to imply consent if a recipient’s electronic address is conspicuously published, provided it is not accompanied by a statement that the person does not wish to receive unsolicited CEMs and the message is relevant to the person’s business or official role, functions, or duties.
As in CRTC 2016-428, the decision emphasizes that organizations must: (i) undertake a case-by-case evaluation of whether electronic addresses meet this exemption; and (ii) maintain appropriate supporting evidence.
d) Due Diligence Defence
CASL sets out a due diligence defence on which organizations may be able to rely. In order for organizations to increase the likelihood that this defence will be available, the decision suggests that organizations must:
- adopt CASL compliance measures early on (i.e. before complaints are investigated);
- maintain complete and current records to support consent;
- be cautious and reasonable in applying implied consent exemptions;
- seek external advise where appropriate; and
- appropriately document CASL compliance measures and make records easily accessible.
e) Appropriateness of the AMP
Finally, the CRTC reduced the proposed AMP from $1.1 million to $200,000, emphasizing that the AMP was not proportional to the amount necessary to promote compliance, that the scope of violations was reduced, that CompuFinder had made efforts to comply and co-operate, and that the proposed AMP would place CompuFinder’s ability to continue doing business at risk. This last factor (ability to pay) was likely particularly important, as CompuFinder initiated proceedings pursuant to the Bankruptcy and Insolvency Act last year.
What the decisions mean for organizations
Although they may be appealed by CompuFinder, the decisions demonstrate the significant costs and difficulties that can ensue for organizations whose practices are not compliant with CASL – including when relatively few CEMs are at issue.
To minimize the non-compliance risks associated with CASL, organizations are well advised to:
- implement written CASL policies and procedures, ongoing auditing and monitoring mechanisms, and regular and adequate training for representative sending CEMs;
- promptly respond to and address inquiries or complaints regarding the organization’s CEMs and document the action(s) undertaken;
- regularly assess the appropriateness of, and maintain complete and current records regarding, the consent relied on to send CEMs;
- ideally, work toward obtaining formal, documented express consent where possible;
- periodically review and test the unsubscribe mechanisms included in CEMs; and
- seek experienced legal counsel prior to relying on exemptions provided for in CASL and/or when incidents or investigations relating to the application of CASL arise.