On October 19, 2017 the CRTC released two updates related to a 2015 AMP against Quebec-based company CompuFinder. Both reports are quite long, so I won’t go into a detailed review; please feel free to read them on your own (the links are below). Instead, I plan to highlight some of the key areas that I frequently see questions and concerns about from marketers.
The first report, Compliance and Enforcement Decision CRTC 2017-367 (44 pages), covers the Commission’s review of the ‘constitutional challenge’ launched against CASL in light of the AMP that was applied for violations under CASL. The summary of this report reads:
The Commission dismisses the challenge regarding the constitutionality of Canada’s Anti-Spam Legislation (CASL) raised by 3510395 Canada Inc., operating as Compu.Finder (CompuFinder), in the context of a review of a notice of violation issued against the company under CASL.
[…]
Accordingly, CompuFinder’s constitutional challenge of CASL has not succeeded.
This report outlines the process the Commission followed to determine whether it could rule on the challenge, how it determined that it had the power to make this decision, whether CASL infringes on the Charter of Rights in Canada and, if so, whether there is a valid reason for the infringement. Ultimately the Commission decided it was within its rights to make this determination and provided the full logic of its process for dismissing the challenge.
The second report, Compliance and Enforcement Decision CRTC 2017-368 (25 pages), covers the imposed AMP, originally set at $1.1 million (CAD), and how the Commission reviewed the evidence and the information provided by CompuFinder to arrive at a new AMP of $200,000 (CAD). The summary reads as follows:
The Commission finds that 3510395 Canada Inc., operating as Compu.Finder (CompuFinder), committed three violations of paragraph 6(1)(a) and one violation of paragraph 6(2)(c) of Canada’s Anti-Spam Legislation by sending commercial electronic messages without consent, some of which contained an unsubscribe mechanism that was not clearly and prominently set out and through which an unsubscribe request could not be readily performed. The Commission imposes an administrative monetary penalty of $200,000 on the company.
Here are a few of the more important parts of the finding that answer many of the questions I regularly receive regarding CASL compliance during client conversations:
The Business Relationship limitations:
Items 45 through 55 describe the limitations and restrictions on the B2B relationship, stating that a single participant from a company does not constitute a strong enough relationship between two companies to allow the sending of CEMs to additional employees within that same organization, even if the services were paid for by the company on behalf of the employee.
In the Commission’s view, the mere fact that an organization paid for training on behalf of one of its employees is not sufficient to demonstrate that the organization had, or intended to create, a relationship that would allow for a complete exemption from section 6 of the Act that would permit the company providing the training to directly solicit every other employee.
In this specific example, business skill development courses could not be relied upon to build a proper B2B relationship that would enable emailing employees beyond the one or two involved, unless both businesses understand that the agreement is intended to build this type of relationship and the individuals have the authority to make these types of agreements on behalf of the client organization.
Third party data providers:
Items 65 through 74 discuss the details of implied consent from addresses found on published websites and directory services. The Commission clarified that data aggregation sites that collect email addresses and contact information do not qualify under the legislation as valid public resources, as it is not clear that the information was voluntarily supplied with the consent of the individual. It also clarified that some voluntary directories have terms of service that prevent their use for commercial purposes, and that the relevance of the message to the person’s role, function or business is a factor when determining the proper implied consent from a public source. Such terms of service meet the requirement under CASL as a notice stating that emails included in the directory are not to be used for commercial purposes (similar to the notice I have at the bottom of this site).
(68) The reproduction of a person’s contact information by a third party on its own initiative does not satisfy this requirement, (69) the site’s terms of use contained a disclaimer to the effect that users of the directory were not to send unsolicited CEMs to the addresses found in the directory, (72) …also sent messages to generic or central addresses associated with some businesses (e.g. info@…).
The Conclusions:
Here is the important part… Based on its full review, the Commission removed a number of violations from the original AMP because some of the evidence was in a format that was not easily accessible; however, the violations still applied to 317 messages in the supplied evidence, 87 of which seemed to have non-functional unsubscribes, and the proposed due diligence defence was not properly met. The Commission also reduced the AMP from $1.1M (CAD) to $200,000 (CAD) based on the tests applied to determine the appropriate size of the penalty. These tests include things like the purpose of the violation, the scope of the violation, the financial benefits based on the infractions and the person’s ability to pay the AMPs. Based on my reading, this seems like a fair and proper adjustment on the original AMP amount and the following fines/undertakings that were all considerably smaller for similar offences.
Key takeaways:
- Be very cautious when using publicly sourced email addresses and understand the risks associated with them. Review the site’s collection practices and terms of use. Better yet, avoid them completely, as using them may violate your provider’s Terms and Conditions.
- Be sure you understand the scope of your B2B relationships and the levels of consent that your organization has with your client. Take a narrower view of the communication structure and limit the contacts to just the appropriate parties involved with the business transactions, unless there are provisions in your contracts that allow for a broader view of consent between the organizations.
- Documentation and training are a must when looking at your Due Diligence plans and any potential requests for information in the case of a potential violation.
- Validate that your processes are functioning properly and are being regularly tested, especially your unsubscribe processes.
Seeing this level of detail and logic applied to the review of the CompuFinder case has given me new insights and information that will allow better information sharing with you, my readers.