On June 26, 2015, the Canadian Radio-television and Telecommunications Commission (CRTC) announced that Porter Airlines had agreed to enter an undertaking regarding alleged CASL violations. The undertaking required Porter to pay $150,000 and to make important changes to its practices going forward.
The Porter case is the latest in a series of enforcement actions, discussed below, which demonstrate that organizations must take seriously the requirements of CASL. The consequences of a CASL violation can include not only a substantial penalty and a requirement to change practices, but also unwelcome publicity, including a CRTC press release, a listing in the undertaking and notice of violation sections of the CRTC's website, and mainstream media coverage. This bulletin reviews Porter, two previous noteworthy enforcement actions and the lessons learned from each.
Porter Airlines
The CRTC investigation of Porter focused on allegations that: (a) some commercial electronic messages (CEMs) from Porter did not contain an unsubscribe mechanism or contact information as required by CASL; (b) some CEMs did not clearly or prominently set out the unsubscribe mechanism; and (c) Porter failed to honour, within 10 business days, unsubscribe requests which had been submitted to it. The CRTC announcement also stated that Porter had been unable to provide proof that it had obtained consent in respect of each of the CEMs it had sent.
Following the commencement of the investigation, Porter was cooperative and immediately took steps to change its practices. Ultimately, Porter agreed to enter into an undertaking to resolve the matter. Undertakings are a limited form of voluntary 'safe harbour' available for organizations pursuant to section 21 of CASL. Although the CRTC may publish information regarding an undertaking, where an undertaking is entered into, the CRTC may not issue a notice of violation, and a court may not hear an application for statutory damages (which will be available in 2017 with the private right of action), regarding matters that are covered by the undertaking.
Pursuant to the undertaking, in addition to the payment of $150,000, Porter agreed to make amendments to its compliance program and policies, including training and education, monitoring, auditing and reporting mechanisms, and consistent disciplinary procedures. These requirements are consistent with the CRTC's emphasis on the need for organizations to develop a CASL compliance program. The CRTC has previously provided guidance about such programs: Guidelines to help businesses develop corporate compliance programs: Information Bulletin CRTC 2014-326.
With respect to the Porter case, the CRTC stated:
This case is an important reminder that …, proof of consent is required for each electronic address. Some businesses are under the mistaken impression that they are compliant with the law by relying on general business practices or policies as proof of consent for the majority of the electronic addresses to which they send their commercial emails. This is simply not the case.
Although the CRTC announcement did not include details regarding the basis for the above statement, it reinforces that that organizations should carefully consider how they will meet their onus of proving all express and implied consents under CASL. Organizations should consider the CRTC's guidance regarding how consents may be proven: Compliance and Enforcement Information Bulletin CRTC 2012-548. For example: (a) oral consents may be proven where it can be verified by an independent third party or by using a complete and unedited audio recording of the consent (bearing in mind privacy law considerations when making audio recordings); and (b) electronic consents may be proven using checkboxes on a web page where "a record of the date, time, purpose, and manner of that consent is stored in a database."
Previous enforcement actions under CASL
Compu-Finder
On March 5, 2015, the CRTC announced that it had issued a notice of violation with a $1.1 million penalty against Compu-Finder, a company which promoted training courses. Compu-Finder was alleged to have sent CEMs without consent, CEMs containing a unsubscribe mechanism that did not function properly, and CEMs containing an unsubscribe mechanism that was not valid for 60 days, in addition to failing to give effect to unsubscribe requests within 10 business days.
The CRTC provided little information regarding the factors it considered in assessing the $1.1 million penalty. However, it is notable that complaints against Compu-Finder accounted for 26% of all CASL complaints submitted against its industry sector. The CRTC clearly was not pleased that Compu-Finder allegedly had not followed the CRTC's guidance:
Despite the CRTC's efforts, Compu-Finder flagrantly violated the basic principles of the law by continuing to send [CEMs] after the law came into force to email addresses it found by scouring websites […and] consumers didn't find Compu-Finder's offerings relevant to them.
The above statement may have been made with reference to section 10(9)(b) of CASL, which provides that organizations have implied consent to send CEMs to recipients where: (a) the recipient has conspicuously published their address; (b) the publication is not accompanied by a statement that the person does not wish to receive CEMs; and (c) the CEMs are relevant to the person's business, role, functions or duties in a business or official capacity. For many organizations, this is one of the most important exemptions in CASL, particularly in the business to business context.
Compu-Finder had 30 days to submit representations or pay the penalty. It also could have requested an undertaking. No update has been provided.
PlentyOfFish
On March 25, 2015, the CRTC announced that PlentyOfFish Media Inc. had agreed to an undertaking which required it to pay a penalty of $48,000 and to make changes to its practices. The company was alleged to have sent CEMs to registered users of its online dating service that contained an unsubscribe mechanism that was not set out "clearly and prominently" and was not able to be "readily performed". Complaints were received and the CRTC investigated.
Contrasted against the above statement in respect of CompuFinder, the CRTC statement regarding PlentyOfFish was considerably softer, no doubt in part because PlentyOfFish changed its practices when it learned of the investigation: "Plentyoffish Media erred by sending commercial electronic messages to its registered users with unsubscribe mechanisms that were not in compliance with the law. […] We appreciate that Plentyoffish Media changed its …."
Conclusions and lessons learned
The above cases reinforce the importance of compliance with some of the fundamental requirements of CASL: consent, proof of consent, unsubscribe mechanisms, and contact information. The need for compliance program is also a common theme. CASL violations can have material adverse consequences, including in relation to the time and costs of addressing an investigation, monetary penalties, corrective measures for compliance, and high-profile publicity.
Organizations subject to CASL have also gained a deeper understanding of the potential advantages of entering into an undertaking with the CRTC (where the penalties have been lower and publicity has come only after the undertaking has been agreed to), as well as the types of undertaking terms which may be expected by, and acceptable to, the CRTC.
The CRTC noted that Porter and PlentyOfFish changed their practices when they learned of the investigation, which may suggest that the CRTC will look favourably on such conduct in future cases where appropriate.
More than 330,000 complaints have been submitted under CASL. Although there have been only three noteworthy CASL enforcement actions to date, many investigations remain ongoing and it is expected that we will soon see additional announcements, including in respect of some of the more frequently relied-upon exemptions. These will be watched closely as they may have an impact across a wide range of organizations and activities.
