CASL’s first compliance and enforcement decision: lessons learned

Author(s): Jeremy Lin, Roland Hung

Nov 2, 2016

The first Compliance and Enforcement Decision under Canada’s Anti-Spam Law (“CASL”) was issued on October 27, 2016 by the Canadian Radio-television and Telecommunications Commission (“CRTC”) against Blackstone Learning Corp. (“Blackstone”). 

By way of background, between July 4, 2014 and December 3, 2014 the CRTC Spam Reporting Center received numerous complaints that Blackstone had been sending unsolicited emails. These emails, primarily directed at government employees, advertised educational and training services offered by Blackstone.

Following an investigation, Blackstone was issued a notice of violation notice pursuant to section 22 of Canada’s Anti-Spam Legislation (“CASL”) which identified nine messaging campaigns, totalling 385,668 emails sent by Blackstone to recipients without consent.  The CRTC found that the emails violated section 6(1)(a) of CASL and originally imposed an administrative monetary penalty (“AMP”)  of $640,000 (which was subsequently lowered to $50,000).

CRTC’s Decision

Did Blackstone have implied consent?

Blackstone submitted that it the emails were sent with the implied consent of the recipients as the addresses were “conspicuously published”. Blackstone’s submissions did not raise any argument or deny the allegations that the emails were sent. It was also clear to the CRTC based on the content and language of the messages that they were sent for the purpose of advertising and promoting services commercially available from Blackstone. Five complainants offered witness statements in which they attested to having received the emails in question from Blackstone and that they had no previous relationship with the company and had never consented to receive such messages. Blackstone did not deny these allegations but rather argued in its submissions that it had implied consent.

Blackstone argued that it had implied consent because the email addresses to which it sent messages were publicly available. CRTC in its decision explained that in order for there to be implied consent the address of the person to whom the message is sent must be conspicuously published. This standard is higher than the simple public availability of an email address. The address also must not be accompanied by a statement indicating that the person does not want to receive unsolicited commercial electronic messages and the messages being sent must be relevant to the recipient’s role or functions in a business or official capacity.

CASL does not allow businesses to send commercial electronic messages to any email addresses they can find online. Consent is evaluated on a case-by-case basis and the onus of proving consent (including implied consent) falls on the party relying on it. The notice to produce issued to Blackstone required it to produce information with respect to how it obtained consent, Blackstone did not respond to this notice. Therefore, Blackstone did not demonstrate that it had the required consent to send the emails at issue.

Determining an appropriate AMP

The purpose of penalties under CASL are to promote compliance not to punish. Compliance can be encouraged through general deterrence; and in that regard, the CRTC did not find the amount of the AMP to be unreasonable. However, if an AMP is so large as to effectively cripple a person so that person can no longer continue to operate on a commercial basis, it would also preclude that person’s compliant participation in the regulated activity going forward. In the CRTC’s view, this principle dictates that the AMP in Blackstone’s case should be lowered.

The CRTC also stated that, while a large number of emails were sent, the relative short time frame in which they were sent indicated that the scope of the violation was not as egregious as to warrant the size of the initial AMP.

Two additional factors that the CRTC considered were Blackstone’s lack of cooperation and the lack of any indicators of self-correction. The CRTC did concede that Blackstone had made some preliminary inquiries to the Department of Industry before CASL came into force which showed to some extent that the company was aware of and concerned with compliance with the regime.

Taking into account all prescribed factors and circumstances the CRTC concluded that a reduced penalty of $50,000 was proportionate to the violation and imposed this new AMP on Blackstone.

So what can businesses learn from the CRTC’s first enforcement decision?

1. While addressed that have been “conspicuously published” may qualify as implied consent, this does not necessarily provide businesses sending CEMs with a broad license to contact any electronic address that can be found online. The CASL conditions attached to “conspicuous publication” requires businesses to meet a higher standard.  The CRTC did not clearly set out all the conditions attached to the “conspicuous publication” higher standard referenced in the decision.  However, the CRTC did state that businesses will need to ensure that: (i) the publication of the email address is not accompanied by a statement that the person does not wish to receive unsolicited CEMs at the electronic address; and (ii) the CEM is relevant to the person’s business, role, functions, or duties in a business or official capacity.
2. The onus is on the party relying on consent to prove that consent was obtained. Businesses should keep detailed records of the consent obtained whether implied or express.
3. Cooperation and self-correction early on in the process as well as positive engagement with the CRTC can aid non-compliant companies in reducing or eliminating an AMP.