First Compliance Agreement under PIPEDA

Federal Privacy Commissioner Supports CRTC Decision

Compu-Finder Violation of CASL

Since Canada’s Anti-Spam Law (CASL) came into force on July 1, 2014, businesses have received a clear message from the CRTC to take CASL seriously. It all started with the first, and so far only, notice of violation, issued against Compu-Finder in March 2015 with a $1.1 million penalty. Since then we have seen a smattering of undertakings involving lesser penalties (undertakings are essentially settlements with the CRTC that allow a business to avoid a notice of violation).

Compu-Finder was sending e-mails to promote its training courses, and was obtaining the recipients’ addresses by scouring websites. The CRTC found “flagrant and continuous violations of CASL” and stressed that, where a commercial electronic message (CEM) is not relevant to the recipient’s business, role, functions or duties, an organization cannot claim implied consent on the basis that the e-mail address was conspicuously published on a website (see section 10(9)(b) of CASL). The CRTC followed up with an implied consent advisory for businesses. The violations under investigation occurred between July 2, 2014 and September 16, 2014.

PIPEDA Decision

In April of this year, the Office of the Privacy Commissioner of Canada (OPCC) released its own Compu-Finder decision for PIPEDA violations (PIPEDA Report of Findings #2016-003). Under the MOU between the CRTC and the OPCC, much of the evidence collected during the CRTC investigation could be shared with the OPCC for its PIPEDA investigation. The OPCC also took the opportunity to issue its first compliance agreement (which can be found at the end of the decision). Compliance agreements were introduced when PIPEDA was amended last year (section 17.1). They give the Federal Commissioner an additional enforcement tool: if Compu-Finder does not live up to the terms of the agreement, the Commissioner can apply to the Federal Court for an order enforcing it. The Commissioner’s office also published a blog piece on May 27, 2016 with useful guidance and a summary of the lessons that businesses can learn from the decision.

The investigation found that there was no designated individual responsible for privacy compliance and that Compu-Finder did not have a privacy policy in place. In addition, Compu-Finder’s e-mails were sent from multiple domains, which had the effect of masking the sender, and Compu-Finder made many inconsistent statements to the OPCC investigators. All of this further demonstrated that the company’s business practices did not take privacy compliance, or the critical principles of transparency and accountability, into account.

This article summarizes some of the important points that are made in the decision in response to Compu-Finder’s claims:

Business E-Mail Addresses

Compu-Finder claimed that most of its e-mails targeted business e-mail addresses, and that e-mails sent prior to the coming into force of the Digital Privacy Act on June 18, 2015 (which amended PIPEDA to carve out business contact information) should therefore not be considered. Keep in mind, however, that the application provisions of PIPEDA were amended to exclude business contact information only with a caveat: PIPEDA does not apply to business contact information provided it is collected, used and disclosed solely for the purpose of communicating with an individual in relation to their employment, business or profession. An organization that uses a business e-mail address for some other purpose cannot rely on the carve-out.

Compu-Finder sent the same promotional e-mails to individuals regardless of their organization’s business or their specific roles, functions and responsibilities. The same e-mails were also sent to many individuals’ personal e-mail addresses and to generic business e-mail addresses (where the recipient’s business, role and responsibilities could not be readily ascertained).

Publicly Available Information

Compu-Finder also attempted to argue that, since the e-mail addresses were published on the Internet, there was no problem with collecting and using them to send e-mail blasts. As stated in the OPCC’s blog piece, companies need to clearly understand the Regulations Specifying Publicly Available Information made under PIPEDA before deciding whether information is really “publicly available”. The exception in those regulations is not a blanket one: the collection, use or disclosure of published information must relate directly to the purpose for which the information was published in the first place.

Compu-Finder’s collection and use of e-mail addresses for the purpose of sending e-mails selling its services was not, at least in some cases, directly related to the purposes for which organizations had posted individuals’ e-mail addresses on their websites.

Lack of Consent

In considering Compu-Finder’s claim that it could rely on implied consent as defined in CASL, the OPCC interviewed some of the individuals who had made submissions to the Spam Reporting Centre and found that the messages they received were not at all relevant to their work. One of many examples was an individual who received e-mails promoting a course for financial directors when he was a computer science professor at a university.

Note that although the concept of ‘implied’ or assumed consent is not defined under PIPEDA, the concept exists and is based on the reasonable expectations of the individual: is it reasonable to conclude that the individual would consent if asked? Arguably, this is a stricter test than the one under CASL. Even where the CASL relevancy test could be met, the PIPEDA test for implied consent may not be.

This becomes even clearer when we look at the other contexts in which consent can be implied under CASL. For example, an organization that has an existing business relationship with a customer can, for a limited period, send that customer CEMs regardless of their subject matter, simply because of the relationship. Under privacy laws and best practice, however, informed consent requires that the individual be told the purposes for which their electronic address will be used.

Targeting Other Employees without a Business Relationship

The OPCC stressed that, under PIPEDA, Compu-Finder cannot rely on the mere fact that one individual in an organization may have attended one of its training courses in order to collect and use the e-mail addresses of other individuals in that organization for marketing purposes. Collecting and using the e-mail addresses of individuals who have had no dealings with Compu-Finder falls outside their reasonable expectations and therefore cannot form the basis for meaningful consent under principle 4.3. This is in line with the CRTC’s reasoning that the business-to-business exclusion for CEMs under section 3(a)(ii) of the Electronic Commerce Protection Regulations does not apply.

Address Harvesting

CASL amended PIPEDA by adding s.7.1(a) and (b), which make address harvesting (using software to automate the process of identifying and collecting e-mail addresses) a violation of the privacy rules. Compu-Finder had used such software before July 1, 2014, and therefore claimed that the OPCC was applying the new PIPEDA provisions retroactively. However, as the OPCC noted, of the 170,000 e-mail addresses collected using address-harvesting software, 28,000 were used after CASL (and thus these new PIPEDA provisions) came into force. The use of a harvested address is a violation in its own right, independent of when the address was collected.

Good Record Keeping

The need for detailed records has been stressed by the CRTC. A lack of adequate detail when responding to a CRTC Notice to Produce has been one of the key areas where businesses are falling short. Similarly, the OPCC, in support of the CRTC’s position, stressed the need for ‘robust records’ to demonstrate due diligence, stating in its recent blog piece: “Any company doing e-mail marketing should keep records indicating when and how consent from individuals was obtained to collect and use their e-mail address. They should also provide some indication as to the individual’s employment, business or profession and the e-mails sent to them to prove relevance where required.”

The record-keeping expectations may seem extremely onerous, but keep in mind that Compu-Finder’s actions demonstrated a complete lack of care for its compliance obligations. Perfection is not what the regulators expect; due diligence and best efforts with respect to compliance are what businesses should be focusing on.

This case is a good example of how the regulators will work together when applying the CASL and PIPEDA compliance rules to the same facts, and it also gives us a sense of the detailed provisions that the OPCC will put into a compliance agreement. The twin decisions against Compu-Finder highlight the importance of taking consent responsibilities seriously.

For assistance with CASL and privacy compliant marketing initiatives, or a review of your consent framework, contact PRIVATECH.