Canada’s Anti-Spam Legislation is relatively new, onerous and far from elegant. Organizations have been weighing the risks the best they can – and in doing so have puzzled over how to account for CASL’s provision for penalties of up to $10 million.
On October 26th, the CRTC issued a decision in which it held that a company breached the consent requirement in CASL by sending approximately 385,000 unsolicited e-mails to government employees. As a result, it ordered an administrative monetary penalty of $50,000. Most significantly, the CRTC’s decision includes following comment about the significance of CASL’s significant maximum penalty:
The potential for higher penalties provides the Commission and the designated person with a means to recognize and address more egregious non-compliance when it arises, but this does not mean that larger penalties are inherently more appropriate in comparison to regimes with lower maximum penalties. As provided for in the Act, the objective and effect of an AMP must always be to promote compliance, and must not be to punish.
The CRTC considered the size of the company (“small”) and the short duration of the violation (two months) to support a lower penalty. Conversely, it considered the company’s failure to respond to a production order and its failure to change its practices immediately when contacted by investigators as aggravating factors.
The company violated the Act because it could not demonstrate the basis for which it claimed implicit consent to message individuals whose e-mail addresses were “conspicuously published.” In finding a violation, the CRTC said:
The requirement that it be relevant to the recipient’s role or functions creates the condition that the address be published in such a manner that it is reasonable to infer consent to receive the type of message sent, in the circumstances… Paragraph 10(9)(b) of the Act does not provide persons sending commercial electronic messages with a broad licence to contact any electronic address they find online; rather, it provides for circumstances in which consent can be implied by such publication, to be evaluated on a case-by-case basis.
Harvesting addresses from the internet for the purpose of business-to-business marketing is permitted but, as this case shows, organizations need a protocol to demonstrate a duly diligent effort to send individuals messages that are relevant to their work.
None of this should come as a surprise, but this welcome decision does invite a long-desire feeling of normality.
Compliance and Enforcement Decision CRTC 2016-428.