Ensure your Compliance Program, Contracts and Monitoring Practices Shine a Light on CASL
On July 11, 2018, the Canadian Radio-Television and Telecommunications Commission (CRTC) released its first notice of violation based on the installation of computer program provisions of Canada’s anti-spam law (CASL), resulting in a combined fine of $250,000 against an ad network (Sunlight Media) and a related software company that facilitates the distribution of targeted online advertisements (Datablocks). CLICK HERE for a CRTC summary of the investigation.
Sunlight Media’s customers include malicious actors who are in violation of s. 8 of CASL, which prohibits the installation of a computer program on any person’s computer system without express consent of the owner or an authorized user of the computer system. These customers essentially use the ad serving technology to serve ads that are embedded with malicious computer programs. By clicking on a seemingly benign ad, the exploit program abuses vulnerabilities of the user’s computer system. For example, once installed, the exploit program permits the installation of second stage malware which can lock the user’s system unless a ransom is paid (ransomware), or steal a user’s sensitive data, such as account login information. Sunlight Media and Datablocks were found to be in violation of section 9 of CASL, which prohibits aiding in the commission of a section 8 violation.
Given that online advertising is one of the main vectors to deliver malware (“maladvertising”), the CRTC investigation led to the conclusion that Sunlight Media did not take steps that would be considered industry best practice for avoiding associations with non-CASL compliant clientele. Similarly, Datablocks demonstrated complete disregard for Sunlight Media’s non-compliant practices. The CRTC decision specifically points to the following:
- Sunlight Media and Datablocks did not have written contracts in place with their clients which would bind them to comply with CASL;
- They had no monitoring in place governing how their clients use their services; and
- They did not have any written corporate compliance policies or procedures in place to ensure compliance with CASL.
In light of the fact that Sunlight Media and Datablocks financially benefited from the commission of acts prohibited under section 8 of CASL, the CRTC issued administrative monetary penalties of $100,000 to Datablocks and $150,000 to Sunlight Media.
For assistance with your CASL policies, contractual language and other documentation, contact PRIVATECH.1