Case In Point
CRTC Decision Provides Important Guidance on Anti-Spam Legislation
Date: December 1, 2017
A recent compliance and enforcement decision of the Canada Radio-television and Communications Commission (Decision 2017-368) under Canada’s Anti-Spam legislation (Act) provides useful guidance for organizations seeking to rely on the Act’s “business-to-business” exclusion, or implied consent, to send commercial electronic messages (CEMs). It also has significant implications for any organization making representations to the Commission in response to a notice of violation.
The decision involved a notice of violation issued by the Commission for emails sent by an organization advertising educational and training services. The notice of violation stated that the organization had failed to obtain consent to send CEMs and failed to provide a proper unsubscribe mechanism. It carried an administrative penalty of $1.1 million. In response to the notice of violation, the organization represented that it had implied consent to send the impugned messages, or that the messages it sent were excluded from the consent requirements of the Act.
The Commission concluded that the organization had violated the Act’s consent requirement and the requirement to have a proper unsubscribe mechanism. In doing so, the Commission made several determinations that provide significant guidance:
- “Business-to-Business” Exclusion: the Commission held that the organization could not rely on the “business-to-business” exclusion to send CEMs. That exclusion applies to messages from a representative of one organization to a representative of another organization, if the organizations have a relationship and the messages concern the activities of the receiving organizations. In this case, the organization provided evidence that members of the same organization to which the CEMs were sent had, at some point in the past, engaged the organization, usually for single training sessions. Those prior users of the organization’s services were not the same as the recipients of the CEMs. The Commission held that “the mere fact that an organization paid for training on behalf of one employee is not sufficient to demonstrate that the organization had or intended to create a relationship” which could engage the “business-to-business” exclusion. Something more is required to establish a relationship between the organizations. Significantly, the Commission’s decision indicates that it may be difficult to rely on the “business-to-business” exclusion to send business promotion or advertisement messages in any circumstances. The Commission specifically found that a history of advertising services to another organization, without any “reciprocal communication from the organization in question,” does not establish a relationship which could engage the exclusion, and focused on the requirement that the message “concern the activities of the organization to which the message is sent.”
- Unsubscribe Mechanism: the Commission found that the organization had violated the requirement to clearly and prominently include an unsubscribe mechanism in the CEMs. Several of the CEMs reviewed by the Commission contained two unsubscribe links, one of which functioned properly and one of which created an error when used. The Commission found that this practice created confusion, and did not meet the requirements of a clear and prominent unsubscribe mechanism.
- Implied Consent: the organization relied on implied consent in many cases, based on email addresses that it argued were “conspicuously published” on the internet. The Commission found that in many cases, the organization had not established that the conditions for implied consent based on a conspicuous publication of an email address had been met. In particular, some CEMs were sent to addresses published on aggregating lists that did not indicate that they had been user submitted. Others were published along with a request not to send CEMs. Many were published without any indication of the function or role of the address holder, meaning that the organization could not possibly determine that its CEM was relevant to the owner of the address.
- Due Diligence: the organization argued that it should not be liable because it had demonstrated due diligence in attempting to comply with CASL. The Commission reviewed the steps that the organization had taken in preparation for the legislation, and in response to learning about the investigation, but found that they were not sufficient to establish due diligence. The Commission noted that the organization did not speak to “routine practices, written policies, auditing mechanisms, or compliance monitoring” during the period of the violation, which could have provided evidence of due diligence.
The Commission went on to review the amount of the administrative monetary penalty, and ultimately reduced it from $1.1 million to $200,000.
This review provides significant insight into the factors considered by the Commission in considering the penalty, particularly in light of the substantial reduction. The reduction took into account the Commission’s view that a penalty was required in the circumstances, but $1.1 million over-emphasized general deterrence and was out of proportion to the amount necessary to promote compliance. The Commission did not rely heavily on the organization’s submissions regarding ability to pay. It also noted that the penalty should not be increased because the organization had applied to review the notice to produce, but that recent efforts by the organization to improve compliance did not negate the need for a penalty.
Several important lessons for organizations that send CEMs arise from this decision, including:
- Organizations should take proactive steps to provide all necessary information to the Commission after receiving a notice to produce. Significantly, this should include any evidence that the organization relies on to establish consent, exemption, or other compliance, even if it is not specifically requested.
- Organizations should be very cautious in relying on the “business-to-business” exclusion to send business promotional or advertising messages to another organization. Based on the Commission’s decision, it is unclear whether that exclusion could apply to any business advertising messaging. Certainly, more than loose evidence of a history of services provided to one member of the other organization will be necessary to establish the relationship required by the exclusion, and the message must concern the business of the organization to which it is sent.
- Unsubscribe mechanisms must be clear and prominently displayed in CEMs. Confusion caused by multiple unsubscribe links, where one link is inoperative, risks non-compliance with the Act.
- Organizations that wish to rely on implied consent through conspicuous publication must ensure that all the requirements of s. 10(9)(b) of the Act are fulfilled. Close attention should be paid when collecting email addresses published on the internet to ensure that they properly fall within the scope of that section before CEMs are sent. Organizations should also be diligent in collecting and preserving the evidence that they are relying on to show compliance with the requirements of that section.
- Due diligence requires more than evidence that an organization took steps to self-educate and prepare for the coming into force of the Act. It requires that an organization make ongoing efforts to ensure compliance, which the Commission suggested include “routine practices, written policies, auditing mechanisms, or compliance monitoring.”