After quite a silent period since the CRTC’s last enforcement decision in March 2017, we have seen recent CASL activity that is worth noting.
On October 19, 2017, the CRTC issued a new decision that re-considered the 2015 $1.1 milion dollar fine with which CompuFinder was slapped. The company’s CASL violations were confirmed, however the administrative monetary penalty (AMP) was reduced to $200,000. There are some important learnings from the CRTC commentary on the use of the B-to-B exemption for business relationships found in s.3(a)(ii) of the Governor in Council regulations, and the use of implied consent due to conspicuous disclosure of an electronic address (section 10(9)(b) of CASL).
B-to-B CASL Exemption
Note that a “relationship” is not defined under CASL, but the CRTC has clearly taken a narrow interpretation. As stated in the decision: “In the Commission’s view, the mere fact that an organization paid for training on behalf of one of its employees is not sufficient to demonstrate that the organization had, or intended to create, a relationship that would allow for a complete exemption from section 6 of the Act that would permit the company providing the training to directly solicit every other employee [of that organization].”
The CRTC will be looking for actual reciprocating messages between the parties and records of significant detail in order to demonstrate a business relationship.
Implying Consent due to Conspicuous Publication
The CRTC has also confirmed that organizations claiming conspicuous publication of an e-mail address will be held to a higher standard than simply demonstrating public availability of an e-address. The ‘conspicuous publication’ rule does not create a “broad licence for the senders of CEMs to contact any electronic address found online, but rather provide limited circumstances in which consent can be reasonably inferred, to be evaluated on a case-by-case basis.”
Demonstration of Due Diligence
The CRTC provided some useful guidance to business on the regulator’s expectations with respect to due diligence. CompuFinder provided information with respect to the steps it took in preparation for the coming into force of CASL and the steps it took in response to learning about the CRTC’s investigation. It did not, however, identify or speak to “routine practices, written policies, auditing mechanisms, or monitoring of its compliance with CASL during the actual period of the violations, which would have served to prevent or mitigate the violations.” Thus, the CRTC found that “CompuFinder did not take all reasonable steps to avoid the violations in question and, therefore, has not established a defence of due diligence.”
Appropriateness of the AMP
The CRTC went on to focus on the fact that general deterrence is the purpose of an AMP, and that significant penalties will sometimes be necessary to deter non-compliance or to ensure that the risk of a penalty is not viewed as simply another cost of doing business. However, in light of other factors such as positive indicators of self-correction, the CRTC felt that the $1.1 million fine perhaps over-emphasized general deterrence. The reduction in penalty to $200,000 is welcoming to businesses as it suggests a more moderate approach to enforcement, however, the selection of the AMP amount appears somewhat arbitrary when you read the decision’s full analysis of all the AMP factors.
Certainly the negative reputational costs associated with the higher AMP, the legal costs incurred by CompuFinder, and the lengthy timeframe for the appeal highlight the importance of making appropriate representations on the AMP considerations to the CRTC during an initial finding of culpability.
CASL Statutory Review
A statutory review of CASL is currently underway where many organizations and trade associations have made submissions regarding the serious issues with CASL’s prescriptive and ambiguous provisions. As many businesses have experienced during their compliance efforts, CASL’s broad scope is capturing legitimate business activity when it should be targeting bad actors who are intending to spam.
However, a statement made by the Office of the Privacy Commissioner of Canada (OPCC) indicates that the OPCC feels CASL has, for the most part, been effective at reducing spam on Canadian networks and addressing harmful online threats. The OPCC has accessed and made use of the Spam Reporting Centre (SRC) at the CRTC to help identify and address harvesters or entities suspected of distributing spyware.
I think we can expect some clarification on CASL’s problematic provisions, and clearly the CompuFinder reconsideration demonstrates we can also expect adjustments to how the CRTC is enforcing the law, however, CASL is here to stay. Companies should have taken the necessary steps by now to ensure a strong CASL compliance framework is in place, and that staff are adequately trained on their CASL responsibilities.
For assistance with CASL compliance or to conduct a CASL audit for your organization, contact PRIVATECH.0