CRTC case offers guidance to advisors on CASL compliance

Canada’s anti-spam legislation (CASL) — one year old on July 1 — has resulted in just a handful of investigations, but some lawyers say there is much more to come.

Designed to restrict unsolicited commercial electronic communications, the law is one of the toughest of its kind. However, only a few investigations under the act have been publicized, despite 326,000 complaints to the Spam Reporting Centre as of June.

Although the CRTC has chosen to publicize only a few cases, it is actively enforcing others, says Molly Reynolds, a lawyer with Torys LLP in Toronto: “I wouldn’t be surprised if, over the next few months, we see many more violations [being announced]. The CRTC is quite active in the enforcement area.”

The CRTC is “engaging in triage,” says David Fraser, a lawyer with McInnes Cooper LLP in Halifax, and going after the companies that are spawning the most complaints. When the CRTC officials do come knocking, he adds, they present a “long list of information demands,” which are not necessarily highly focused. “What they seem to be doing is going after companies in a very broad way.”

The CRTC issued its first penalty under CASL on March 5, a hefty $1.1-million fine against Morin-Heights, Que.-based Compu-Finder Inc. That firm had been plugging business-training courses on topics such as social media and professional development, partly by scouring websites looking for email addresses.

The CRTC described the company’s actions as a “flagrant” violation of the act and cited four specific violations. In particular, the CRTC found that Compu-Finder sent commercial electronic messages without having obtained the consent of the recipients and that its “unsubscribe” function, required under the law, failed to work.

More recently, Toronto-based Porter Airlines has been fined $150,000 for violating CASL, the CRTC announced on Monday.

The Toronto-based airline agreed to pay the fine for sending emails that had no unsubscribe button or had one that was not clearly labeled, the regulator said.

The Compu-Finder case is of particular interest to businesses, given that the legislation provides an exemption from CASL in cases in which two criteria are met: communications between businesses relate to an existing relationship; and the messages “concern the activities” of the recipient. The massive penalty in the Compu-Finder case seems to suggest that there is no broad exemption for business-to-business communications and that the CRTC will be looking carefully at these two criteria before granting an exemption for inter-business communications.

On the other hand, Fraser says, the CRTC’s current focus seems to be firmly on spammers. Gone, he says, are the days of harvesting email addresses from the Internet and buying lists. As a result, financial advisors who use “spray and pray marketing are more likely to show up on the CRTC’s radar,” Fraser says.

The fines are simply not worth it, Fraser adds, noting that the $1.1-million ruling against Compu-Finder was “really, dramatically high given the scale of the business and was probably enough to shut that business down completely, which is troubling.” Administrative penalties are not supposed to be punitive, he says. “If somebody makes a mistake, I hope it’s not essentially a death penalty for the business.”

The CRTC appears to be tailoring its approach according to the circumstances. In late March, dating website operator Plentyoffish Media Inc. agreed to pay a $48,000 penalty for failing to comply with the legislation.

The company had emailed dating registrants using an unsubscribe function that was not “clearly and prominently” set out, according to the CRTC. Plentyoffish Media has updated its unsubscribe mechanism and agreed to develop and implement a compliance program.

“Plentyoffish Media erred by sending commercial electronic messages to its registered users with unsubscribe mechanisms that were not in compliance with the law,” says Manon Bombardier, chief compliance and enforcement officer with the CRTC, in a statement. “This case is an important reminder to businesses that they need to review their unsubscribe mechanisms to ensure they are clearly and prominently set out and can be readily performed.”

However, the CRTC has also taken less aggressive approaches in other cases. Co-operation with its investigations appears to be a factor that works in favour of the firms it is reviewing.

For example, the regulator traced a batch of spam back to Regina-based Internet service provider Access Communications Co-operative Ltd., which helped identify the servers of a Saskatchewan company that was unknowingly issuing multiple, offending messages. A third party had infected that company’s servers with malware that allowed others to send spam through that firm. Once the servers were cleaned up, the CRTC did not issue any penalties.

Nonetheless, it’s also clear that the CRTC will remain vigilant. As the regulator notes on its website, it continues to assess “all complaints submitted to the Spam Reporting Centre that are under its mandate and a number of investigations are currently underway.”

Reynolds warns that once the CRTC is in the door, it will likely investigate all aspects of an operation that could relate to a CASL complaint, not just the substance of the complaint. Reynolds adds that a quick response may be required.

“[The CRTC is] asking for information over a very short time period. If you do become subject to a complaint, you may be given less than a month to provide documentation. Such a short time line is going to be a challenge.”

January also saw the implementation of the section of CASL that makes it illegal to install a computer program on another person’s computer without that person’s express consent — also known as the “spyware” provision.

This may raise issues for advisors, or their firms, who allow employees to use their own devices for work. Fraser says companies that permit employees to use their own devices for work-related matters need to tread carefully when installing computer programs on their employees’ devices, as it will be important to ensure that corporate information is not compromised as a result. “If you don’t do it properly,” Fraser cautions, “you may violate the spyware provision.”

This is the first article in a three-part series on Canada’s anti-spam legislation, which came into force on July 1, 2014.

Thursday: What to look out for next regarding CASL.