CASL Enforcement: Recent Trends
It can be relatively difficult to read the tea leaves in the CRTC’s approach to CASL enforcement, because there is little public record of those enforcement activities. This was noted by the Standing Committee on Industry, Science and Technology, in its statutory review of the Act.[1] However, what signs do exist suggest that enforcement activities are accelerating.
In each of 2016 and 2017, the CRTC announced only one undertaking in a CASL proceeding. By contrast, in the first quarter of 2018, there have already been two.
The first involved Ancestry Ireland Unlimited Company, the international corporate headquarters for Ancestry.com. The alleged breach appears to have been that Ancestry operated two separate unsubscribe mechanisms, one for messages relating to products and services to which individuals had subscribed and another for other promotional offers. This was said to breach the CRTC Regulations:
Since each message category had its own unsubscribe or preference management system, it was alleged that it was not possible to unsubscribe from all messages with just one operation, which does not comply with the CRTC Regulations.[2]
This statement is slightly puzzling, since the CRTC Regulations prescribe no such requirement. The only explicit requirement of the CRTC Regulations for the unsubscribe mechanism is that it “must be able to be readily performed”.[3] The CRTC may be referring to an accompanying “Information Bulletin”, although that non-binding guidance document only purports to give some examples of approaches the CRTC considers to meet its requirements, not to state any positive obligations.[4]
Ancestry’s undertaking apparently did not include any monetary payment. Instead, it has agreed to implement a compliance program, and to report to the CRTC on its implementation.
The second and more recent undertaking is notable for two reasons. For one, it is the first publicly reported enforcement activity involving SMS messages. Two Quebec corporations operating under the common name “514-BILLETS” allegedly sent requests for consent via SMS to receive offers (presumably also via SMS) without including the required formalities set out in s. 4 of the CRTC Regulations.[5]
This undertaking is also noteworthy for its novel remedy. In addition to a compliance program, the two corporations in this matter agreed to be jointly and severally liable for compensation in the amount of $100,000. One quarter of this amount is to be paid to the Receiver General, as usual. However, the remaining $75,000 will be provided in the form of 7,500 discount coupons, in the amount of $10 each, to be provided to the companies’ existing customers. This is the first time an undertaking has involved any form of compensation other than a direct payment to the government.
Despite the summary nature of these releases, there are at least a few lessons that can be drawn from them.
- First, the CRTC is certainly not slowing, and may in fact be ramping up, its CASL enforcement efforts.
- Second, the CRTC is clearly now prepared to expand beyond email enforcement, into the other kinds of messages covered by CASL.
- Third, despite the Standing Committee’s call for increased transparency, the CRTC continues to provide little detail about its reasoning in relation to CASL compliance undertakings. In particular, the triggers and scale for monetary compensation remains somewhat mysterious.
- Finally, it appears to be open to a company negotiating a CASL compliance undertaking to propose alternative structures for compensation, other than a cash payment to the government.
Visit our Technology page and contact us with any questions or for assistance.
[1] Recommendation 12 calls for increased transparency “in the methods, investigations, and determinations of penalties, as well as on the collection and dissemination of data on consumer complaints and spamming trends”. See House of Commons, Standing Committee on Industry, Science and Technology, Canada’s Anti-Spam Legislation: Clarifications Are In Order (December 2017) (Chair: Dan Ruimy).
[2] See Undertaking: ANCESTRY IRELAND UNLIMITED COMPANY (Ancestry) (24 January 2018).
[3] Electronic Commerce Protection Regulations (CRTC), s. 3(2).
[4] See Compliance and Enforcement Information Bulletin CRTC 2012-548, para. 12, referring to “a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender”. The relevant statutory language is in s. 11(1)(a), which refers to “the wish to no longer receive any commercial electronic messages, or any specified class of such messages”. However the summary of the Ancestry undertaking expressly refers to the regulation, not the Act, and does not refer to or analyse this provision.
[5] These include the name, mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person seeking consent or, if different, the person on whose behalf consent is sought, as well as a statement indicating that the person whose consent is sought can withdraw their consent.