If your business sends Commercial Electronic Messages (“CEMs”) including emails, SMS and social media messages to clients or potential clients, then you need to be aware of a recent compliance and enforcement decision regarding Canada’s Anti-Spam Legislation (CASL).
CASL regulates the sending of CEMs. Amongst it’s many provisions are the requirements that the sender obtain consent before sending a CEM and that the message contain a simple and functioning unsubscribe mechanism.
The penalties for breaching CASL are high. Up to $1 million for individuals and $10 million for businesses.
In October 2017, the CRTC issued its decision on the case of Compu.Finder, a company that sent CEMs to residents of Quebec (and other Canadians) to advertise its educational and training services. The CEMs included an outline of the course content, available dates and locations. They were sent from different email addresses, or had links to different websites, and they could all be traced back to Compu.Finder.
With the potential for fines up to $1 million dollars this case provides insight and lessons for best practices on how this law is applied and how to avoid running afoul of its provisions.
Obtaining Implied Consent
Section 10(9)(b) of CASL states that consent is implied if:
(b) the person to whom the message is sent has conspicuously published, or has caused to be conspicuously published, the electronic address to which the message is sent, the publication is not accompanied by a statement that the person does not wish to receive unsolicited commercial electronic messages at the electronic address and the message is relevant to the person’s business, role, functions or duties in a business or official capacity;
Citing an earlier decision, the CRTC confirmed that 10(9)(b) of CASL does “not create a broad licence for the senders of CEMs to contact any electronic address found online, but rather provide limited circumstances in which consent can be reasonably inferred, to be evaluated on a case-by-case basis.”
Implied Consent Tips:
– For there to be implied consent, the recipient has to “publish, or cause to be published” the email address. If a third person posts a person’s contact information online, this is unlikely to mean that there’s implied consent.
– If the website where the email address is listed contains a disclaimer stating that the email address is not to be used to send unsolicited CEMs, then implied consent cannot be established.
– The CEM must be relevant to the recipient’s business. The sender should be able to provide evidence to establish relevance.
o Sending CEMs to generic email addresses (email@example.com) is not sufficient to establish relevance.
Lack of an Unsubscribe Mechanism
CASL requires that the unsubscribe mechanism included in electronic messages “be set out clearly and prominently” and that it can “be readily performed”.
87 of the emails Compu.Finder sent contained 2 unsubscribe links. One of the links appeared to function, but the other did not.
The CRTC found that the inclusion of 2 links, one of which did not function, created confusion for those who wanted to unsubscribe and were unable to do so because they had clicked the non-functioning bottom.
The business-to-business exemption of CASL provides that section 6 does not apply (the section requiring consent and an unsubscribe mechanism) if the CEM is sent from an employee of one organization to an employee of the other organization, and the “… organizations have a relationship and the message concerns the activities of the organization to which the message is sent.”
In this case, Compu.Finder argued that because it had provided a single training session to an employee of the recipient organization, a contractual relationship existed and Compu.Finder could then send emails to all employees of the recipient organization.
The CRTC found while it might be acceptable to assume that a business to business relationship existed with the individual who took the course, the mere fact that an organization paid for training on behalf of one of its employees is not sufficient to demonstrate that the organization had, or intended to create, a relationship that would permit the company providing the training to directly solicit every other employee.
Finally, the CRTC stated that contrary to the arguments of Compu.Finder, the fact that it had a history of sending CEMs to a particular individual does not in itself prove that the CEMs are relevant to the recipient organization’s activities as a whole.
Business-to-Business Exception Tips:
– Don’t assume that because one of your previous clients engaged your services you can email other employees of your client’s organization.
– Don’t assume that the fact that you were sending commercial electronic messages in the past to potential/actual clients means that there’s a business-to-business relationship.
Compu.Finder argued that even if it violated CASL, it should not be found liable because it had exercised due diligence. Some of the due diligence activities Compu.Finder engaged in included:
I. calling the CRTC to obtain guidance;
II. hiring a consulting firm to manage their compliance with CASL; and
III. achieving a compliance rate of 100% in responding to unsubscribe requests.
The CRTC found that these attempts were insufficient in light of the facts and fined the company $200,000.
Each case is different, however, the lessons from this case provide a good starting point when considering the compliance of your company with this legislation. Working with a specialist in the area is recommended to ensure your company stays on the right side of the CRTC.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Jillian M. Siskind & Associates professionals will be pleased to discuss resolutions to specific legal concerns you may have.