On November 5, 2018, the Canadian Radio-television and Telecommunications Commission (CRTC) issued Compliance and Enforcement Information Bulletin CRTC 2018-415, providing some guidance concerning the CRTC's approach to Section 9 of Canada's anti-spam legislation (CASL).
Section 9 of CASL provides that it is "prohibited to aid, induce, procure or cause to be procured the doing of any act contrary" to Sections 6 to 8 of the legislation. These sections prohibit sending commercial electronic messages (CEMs) without express or implied consent (Section 6), altering transmission data in electronic messages in the course of commercial activity without express consent (Section 7), and installing a computer program on another person's computer in the course of commercial activity without express consent (Section 8).
This bulletin should be of particular concern to organizations in a variety of digital industries, as the CRTC specifically mentioned that advertising brokers, electronic marketers, software and application developers and distributors, telecommunications and internet service providers, and payment processing system operators are all examples of intermediaries that, by the nature of their businesses, are at risk of non-compliance with Section 9 of CASL.
The risk became a reality earlier this year when the CRTC issued its first ever Notices of Violation (NOVs) under Section 9 to two online advertising companies (''Key Enforcement of Software Installation and Extended Liability Provisions Under CASL'') In these NOVs, the CRTC contended that the companies contravened Section 9 by enabling their clients to use their online platforms to install computer programs on individuals' computers without these individuals' consent (thus in violation of Section 8 of CASL). Although the NOVs provided some commentary on how to avoid violations under Section 9, the CRTC stated that it had issued the NOVs as a result of the companies' "actions and their omissions". This generated concern from organizations seeking to stay compliant with CASL, particularly in terms of knowing the full ambit of omissions that would constitute a violation.
Key Factors for Assessing Potential Violations of Section 9
While the NOVs lacked commentary on how the CRTC determined violations of Section 9, this new bulletin somewhat elaborated on this process. The bulletin listed three key factors that the CRTC considers in assessing a suspected Section 9 violation:
• the level of control that a party has over the actual activity that violates any of Section 6 to 8 of CASL, including the extent to which said party is able to prevent or stop that activity;
• the degree of connection between the actions which could contravene Section 9 and those which do contravene any of Sections 6 to 8; and
• the reasonable steps that a party took, including precautions and safeguards, to prevent or stop violations of any of Sections 6 to 8 from occurring.
However, the CRTC simultaneously cautioned that it looks at a "variety" of factors not limited to the three above; this has produced further uncertainty in this area.
Although the CRTC emphasized the above three factors as important in its assessment of Section 9 violations, it went on to provide examples of potential Section 9 violations without elaborating on how these factors (or any others) come into play.
An example of particular concern was that of an individual visiting an online app store and downloading a video game that came bundled with a custom browser toolbar. In the example, the game's installation process did not describe all of the toolbar functions (such as the pushing of advertisements), and proper consent was not obtained for the toolbar's installation. The CRTC suggested that the video game's developer may thus be responsible for violating Section 8, while the app store may be responsible for violating Section 9 as it "aided" in the Section 8 violation. The only additional commentary that the CRTC provided on this specific point is that "[w]hile awareness of violations may be a factor when assessing Section 9 violations, it is not necessary to be found liable".
This goes back to the principle that both actions and omissions can constitute a contravention of Section 9. This notion has engendered concern about the far reaching implications of the Section 9, and can be particularly troubling for businesses that may not have complete control over their clients' actions.
Suggestions for Ensuring Compliance
On the topic of compliance programs, the CRTC did provide a reminder that, under Section 33 of CASL, an individual or organization will not be found liable for a violation of CASL if they "establish that they exercised due diligence" to prevent said violation. The CRTC then listed a range of strategies for actions that could constitute "due diligence", including:
• incorporating regular threat/risk assessments into compliance or information technology security programs;
• validating the identities of clients through key information (name and address, previous or current aliases, length of time in operation, key directors or other relevant stakeholders) and documentation (incorporation records, tax records, government-issued identification);
• being cognizant of location discrepancies (for example, if clients do business in one region but have other financial activities in another, unrelated region);
• avoiding doing business with entities seeking total anonymity through the use of aliases, post office boxes as mailing addresses, or cryptocurrency for transactions;
• researching the reputation of potential clients and their products or services (including any malicious activity or legal compliance issues associated with them);
• auditing how existing clients are making use of services, detecting possible violations, and reporting them to relevant authorities;
• implementing written agreements that bind clients and their downstream clients to comply with CASL;
• ensuring regular monitoring to detect threats and notifying stakeholders accordingly;
• providing assistance to users whose devices and accounts have been compromised; and
• documenting any measures taken to prevent the occurrence of CASL violations.
Lastly, in addition to the above suggestions, the CRTC recommended that electronic commerce organizations "should seek legal and other expert advice to ensure they fully understand their rights, responsibilities, risks, and liabilities under CASL".