The current release of Finance and Accounting PolicyPro updates the policy on Canada’s anti-spam legislation (commonly known as “CASL”). Test your knowledge of CASL with the following questions, then review the answers below to see how well you did.
Indicate whether each of the following is “True” or “False”:
- CASL is relatively new so the CRTC is unlikely to pursue violations of CASL, until businesses become more familiar with its provisions.
- The CRTC is only able to impose monetary penalties for CASL violations.
- If a business follows the guidance from CRTC publications like the “Canada’s Anti-Spam Legislation Requirements for Installing Computer Programs” (found at http://crtc.gc.ca/eng/internet/install.htm), this guarantees that the business has properly complied with CASL, and can avoid CRTC penalties and, in the event of a lawsuit, damages.
- CASL relates only to violations involving Canada or Canadians.
- If a business does not sell software and is not installing malware, CASL’s software installation rules do not apply.
- CASL imposes significant costs on businesses in the name of consumer protection and general business efficacy, but compliance with CASL does not yield any benefits for individual businesses.
- Once the provisions permitting a private right of action become effective on July 1, 2017, individuals can bring suit for any violations since CASL’s effective date.
1. Answer – False:
a) Although the legislation is complex and new (most of its provisions were effective July 1, 2014, and some have come into force January 15, 2015), the CRTC is very willing to pursue violations of CASL, even if the violators are reputable businesses and not traditional spammers. Some of the violations below occurred as early as 1 July 2014:
- In March 2015, the CRTC issued a Notice of Violation (NOV) to Compu.Finder, resulting in the company being slapped with an Administrative Monetary Payment (AMP) of $1.1M. The company promoted training courses, and the CRTC alleged that it:
- Sent or permitted to be sent, commercial electronic messages (CEMs) containing an unsubscribe mechanism that did not work properly.
- Did not ensure that the unsubscribe mechanism was valid for a minimum of 60 days after the CEM was sent.
- Did not effect unsubscribe requests with as little delay as possible, and within 10 business days, without the need for any further action by recipients.
b) Later in March, Plentyoffish Media Inc. (Plentyoffish) voluntarily entered into an Undertaking that included a monetary payment of $48,000. Among the allegations – the company’s unsubscribe mechanism was not set out “clearly and prominently” and could not be “readily performed”.
c) In June 2015, Porter Airlines Inc. (Porter) entered into an Undertaking which included a monetary payment of $150,000. Among the violations:
- The inability to prove that consent was received for each and every CEM.
- Some messages had no unsubscribe mechanism, while others had two unsubscribe links, one of which did not function properly. The unsubscribe mechanism was not set out “clearly and prominently” because it was not apparent which mechanism was functional. As with Plentyoffish, this underscores the fact that unsubscribe mechanisms must not only be included, they must be clearly set out and they must work.
Porter also undertook to update its compliance program. Addressing Porter’s case specifically, the CRTC emphasized that general business practices or policies do not provide adequate proof that the organization is compliant with CASL. The organization is required to demonstrate compliance with CASL for each individual CEM that it sends. As a result, proof of consent is critical.
The CRTC has provided guidance on proving consent in its Compliance and Enforcement Bulletin CRTC 2012 – 548 (See www.crtc.gc.ca/eng/archive/2012/2012-548.htm).
For example, oral consent may be proved by an unedited audio recording (note that privacy laws and the Criminal Code contain provisions that affect whether an audio recording was made legally or illegally) and may also be verified by an independent third party.
d) In November 2015, Rogers Media Inc. (Rogers) entered into an Undertaking that included a monetary payment of $200,000. Violations also related to its unsubscribe mechanisms, and failure to give effect to unsubscribe requests within the prescribed time limit. (Note: The CRTC may issue NOVs for alleged violations, but persons may enter into Undertakings at any time after identifying their CASL violations. Undertakings are subject to acceptance by the CRTC, and may contain any conditions that the CRTC considers appropriate – including a requirement to make monetary payments.)
2. Answer – False: The CRTC can also impose non-monetary penalties or conditions. For example, Plentyoffish was required to implement a compliance program that covered elements like training and education, monitoring, auditing and reporting mechanisms, and consistent disciplinary procedures. Rogers undertook to update its training, policies and procedures, including the development of mechanisms to track complaints and their resolution. Rogers also agreed to confirm to the CRTC, in writing, the implementation of the measures above, and to provide a written report of its annual reviews of its compliance programs, if requested by the CRTC.
3. Answer – False: Regulatory bodies will often provide guidance in publications, on their websites or in public education seminars or presentations. As is the case with guidance issued by CRTC staff, this information can be very useful, as it helps to clarify terms that are not defined in the legislation and may provide examples to help businesses comply with the legislation. For example, the publication referenced in the question above clarifies the meaning of “cause to install”, as this term is used in CASL’s software installation rules that are in effect since January 15, 2015. Guidance also provides insight into how the relevant tribunal or the courts might interpret the legislation. Businesses that apply the guidance provided may be viewed in a more favourable light during enforcement proceedings, as compliance with the guidance may be viewed as a good-faith effort to comply with the legislation. However, staff guidance is not the final word on compliance or what the legislation means, and is not a substitute for reading and interpreting the legislation. The CRTC’s tribunal or the courts may interpret the legislation and evaluate compliance, differently.
4. Answer – False: While it is true that there needs to be a Canadian nexus to find a violation of CASL’s provisions relating to the sending of CEMs, installing of software or the altering of transmission data, there are international co-operation provisions in CASL. Under section 19 of CASL, for example, warrants may be issued to authorize entry to physical places, if necessary to assist investigations or proceedings related to the contravention of a foreign law that is substantially similar to CASL.
As evidence of international cooperation, the CRTC announced, in December 2015, that it had obtained a warrant under CASL to take down a command-and-control server in Toronto. The CRTC worked closely with other Canadian agencies, as well as the Federal Bureau of Investigation (FBI), Europol, Interpol and Microsoft Inc. In its news release the CRTC reiterated its commitment to collaborating with domestic and international partners. (Read the CRTC news release here: http://news.gc.ca/web/article-en.do?nid=1023419)
The command-and-control server was associated with the widely distributed malware family – the Win32/Dorkbot, which has infected over one million computers in over 190 countries. Dorkbot is spread through USB drives, instant messages and social networks. Compromised computers form a botnet, under the control of the command-and-control server. The botnet may then be instructed to send spam, steal passwords, download and install malware, participate in distributed denial of service attacks (essentially bombarding a business’ server with requests until the overwhelmed server crashes) and execute other illicit activities.
5. Answer – False: CASL’s software installation provisions apply to the installation of any software on another person’s computer, in the course of a commercial activity, even if the software is not malware. Additionally, commercial activity includes activities that are not carried out for profit. As a result, even if a business does not sell the software and does not expect to profit from the installation (for example if it gives customers free software), CASL would still apply. The business would need to find an exception in CASL that allowed it to install the software without obtaining express consent, or obtain express consent after making the appropriate disclosures.
6. Answer – False: Although CASL does result in increased compliance costs for businesses, and although it is focused on consumer protection and general business efficacy, individual businesses can also benefit from compliance. Compliance can enhance the business’ image in the eyes of its customers. For example, customers will look favourably upon businesses that respect unsubscribe requests without delay, and on businesses that do not surreptitiously install software on their computers.
Businesses have also realized other unexpected benefits. The initial purge when CASL was first implemented, and the shedding of contacts when consents are withdrawn, resulted in some businesses complaining that they had lost as much as 30% of their databases. Additionally, CASL put an end to indiscriminate address harvesting and purchasing of electronic address listings. However, with the quantitative reduction in contacts, came a qualitative improvement in customer relationship databases. The remaining contacts were persons who were truly interested in hearing from the businesses. Businesses could then focus their marketing efforts on the pool of persons who were truly interested in their goods and services, resulting in better yields on marketing efforts.
7. Answer – Debateable, but likely “False: This is an example of some of the criticisms directed at CASL. CASL is sometimes criticised for being too vague, or for using terms that are not defined, leaving too much to interpretation. The provisions providing for a private right of action do not explicitly state whether individuals can bring lawsuits for violations that occurred before the provisions come into force, so there is some debate about this issue. Many experts think that lawsuits can only be brought for violations occurring after the provisions’ effective date, because it would be unfair to do otherwise. Additionally, they apply principles of statutory interpretation, and conclude that given the intent and purpose of CASL, it is unlikely that the provisions are meant to apply retroactively.