TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Bar Section | Risky business-to-business communications: CASL lessons from the CompuFinder case Related reading: Kentucky General Assembly approves comprehensive privacy bill

rss_feed

""

""

Canada’s Anti-Spam Legislation is under review by Canada’s Parliamentary Standing Committee on Industry, Science and Technology. The INDU Committee, as it is known, has been inundated with submissions arguing that CASL is overly broad, unclear, and not proportionate to the harms that the legislation seeks to curb. The committee hearings began on Oct. 26 and are ongoing.

Amid these hearings, the Canadian Radio-television Telecommunications Commission released its much-anticipated response to CompuFinder’s challenge to the Notice of Violation and $1.1 million administrative monetary penalty that the CRTC Staff had issued against it in March 2015. The CRTC issued two decisions — one relating to a constitutional challenge to the legislation, and one relating to CompuFinder’s violations of the statute. The decision on the constitutionality of CASL is a fascinating read; however, the decision with respect to the violations is the more pressing for organizations sending business-to-business electronic messages. As an aside, the commissioners reduced the administrative monetary penalty to $200,000, which is consistent with the trend of the commissioners to reduce the headline-grabbing penalties issued by CRTC staff.

The CompuFinder decisions are worth the read. In particular, organizations relying on the “business-to-business” exemption in the Governor in Council Regulations or the “conspicuous publication” basis for implied consent should urgently reconsider whether they can meet the requirements set out by the commissioners. Like their earlier decision in the Blackstone Learning case, this latest review of provisions commonly used by businesses emphasizes that organizations have a high burden under CASL to prove that they are acting in compliance with the legislation even when sending business-to-business communications.

What did the CRTC staff argue that CompuFinder did wrong?

The CRTC staff alleged that CompuFinder violated CASL in respect of three email marketing campaigns. These campaigns involved emails advertising educational and training services to individuals primarily working the province of Quebec. In addition, CRTC staff alleged that the unsubscribe mechanism in some of these messages failed to work.

Leaving aside the constitutional issues, CompuFinder argued that it should not be found liable for three main reasons. First, CompuFinder was permitted to send emails to the recipients without complying with CASL because CompuFinder fit within the business-to-business exemption. Second, even if CompuFinder did not fit within that exemption, it was permitted to send emails to the recipients because they had provided their implied consent by conspicuously publishing their email addresses. Third, CompuFinder argued that it was shielded from liability based on the application of the due diligence defense in section 33(1) of CASL. CompuFinder failed on all three arguments.

What is the “business-to-business" exemption?

Section 3(a)(ii) of the GIC Regulations created an exemption for business-to-business communications. If a commercial electronic message falls within this exemption, then the sender does not need to comply with CASL at all. To fall within the exemption, three conditions must be met:

  1. The CEM must be sent by an employee, representative, consultant or franchisee of one organization to an employee, representative, consultant or franchisee of another organization;
  1. The two organizations must have a “relationship”; and 
  1. The CEM must concern the “activities” of the recipient organization.

Although this exemption was probably intended only to exempt one-to-one ordinary course of business communications from the application of CASL, organizations have been using it as a basis for their mass-marketing messages. As we’ll see, the CompuFinder decision demonstrates why this is a risky use case.

What constitutes a “relationship”?

Section 3(a)(ii) of the GIC Regulations refers to the organizations having a “relationship.” The GIC Regulations provide no guidance on what criteria should be used to establish that the organizations have a relationship. Section 10(9) of CASL already permits the sender of a message to rely on implied consent if there is an “existing business relationship” between either the sender of a message or the person who causes or permits the message to be sent and the recipient of the message. Section 10(10) of CASL lists the types of EBRs, which include business relationships through the purchase of goods or services and written contracts, among other things.

A key question is whether the term “relationship” encompasses a broader set of relationships than the fixed categories of EBRs. In CompuFinder, the question was whether the fact that an organization paid for an employee to take a training course offered by CompuFinder was sufficient. Would that payment establish a “relationship” between CompuFinder and the organization so that CompuFinder could send CEMs to other employees at the organization? The commissioners tell us that the answer is no. Just because the organization paid for a course was not enough to establish a “relationship” for the purposes of this exemption. The CRTC stated at paragraph 45 of its decision that:

"CompuFinder did not provide any further evidence to support its view that the employee who had previously taken the company’s course or the employee who approved payment for it created, or had authority to create, a relationship on behalf of the university, or intended to do so. In the Commission’s view, the mere fact that an organization paid for training on behalf of one of its employees is not sufficient to demonstrate that the organization had, or intended to create, a relationship that would allow for a complete exemption from section 6 of the Act that would permit the company providing the training to directly solicit every other employee."

The onus to establish that a relationship between CompuFinder and the recipient organization existed rested on CompuFinder. Invoices, payment confirmations and checks were all inadequate to demonstrate the intention by the recipient organization to create a relationship with CompuFinder. Although the commissioners accepted that it was theoretically possible to establish a relationship through correspondence, the content of those communications would need to be examined. CompuFinder was unable to adduce evidence of communications that would meet the test.

What constitutes the “activities” of the recipient organization?

The exemption in s. 3(a)(ii) of the GIC Regulations also required CompuFinder to establish that the content of the CEM was relevant to the “activities of the organization to which the message is sent.” Once again, the GIC Regulations provide no instruction on how to interpret what would constitute the “activities” of the organization or relevance. However, the commissioners rejected the argument that one employee’s participation in one of CompuFinder’s courses would make further CEMs to other employees relevant to the activities of the recipient organization.

The commissioners dealt with this aspect of the test briefly. However, the decision is still instructive. The activities of the organization must relate to the organization’s activities rather than the individual career interests of a single employee. The commissioners did not expressly say so, but it seems reasonable to conclude that the “activities” of the organization must relate to the execution of the organization’s business, which could include not only the core business functions relating to the organization’s products and services but also to the management of the organization’s finances, human resources and other matters.

What is the “conspicuous publication” basis for implied consent?

The “conspicuous publication” provision is found in s. 10(9)(b) of CASL. This provision permits a sender to rely on implied consent if three criteria are met:

  1. The recipient has conspicuously published the electronic address, or has caused that publication;
  1. The publication is not accompanied by a statement that the recipient does not wish to receive unsolicited CEMs at that electronic address; and 
  1. The message is relevant to the person’s business, role, functions or duties in a business or official capacity

Section 13 of CASL states that the sender has the onus of proving that the sender has met the requirements for consent, including under this section of CASL.

It is important to note that the “conspicuous publication” basis for implied consent is an exception from the requirement for express consent. It does not eliminate the requirement to comply with the requirements for identification information and an unsubscribe mechanism. This is different from the business-to-business exemption, which takes the CEM outside of the application of CASL altogether.

How do you prove publication?

The “conspicuous publication” provision requires more than mere publication of the email address. The email address must have either been published by the individual or caused by the individual to be published.

In its previous decision in Blackstone Learning, the commissioners suggested that the publication of email addresses by the employer of an employee could satisfy this requirement:

For example, if a business conspicuously publishes on its website contact information for an employee at an address held by that business, this publication could create implied consent to send messages relevant to that person’s role. If that business chooses to advertise through a third party and provides that employee’s contact information for the purposes of that advertisement, this could also create implied consent to contact that person in relation to that advertisement, or their role, because the account holder caused the publication.

While this is a great outcome, it is difficult to follow the logic in that analysis. CASL provides that the publication must be by the individual or caused by the individual. What if the employee had no choice in the matter?

In any event, what is clear is that using third-party directories is risky. The user of the third-party directory must be able to establish that there is evidence that the email addresses in the third-party directory were user-submitted. CompuFinder failed in at least one instance to be able to demonstrate that the submissions in the directory were user-generated.

Watch the terms of use

The second requirement under the “conspicuous publication” basis for implied consent requires the sender to establish that the publication was not accompanied by a statement that the recipient does not want to receive CEMs. The commissioners cited the example of a third-party directory that stated that “users of the directory were not to send unsolicited CEMs to the addresses found in the directory.” The commissioners concluded that this meant that the requirements under the “conspicuous publication” provision were not met. Presumably, the argument underpinning this conclusion was that the user-submissions were premised on this restriction and, therefore, the recipient’s statement that the recipient did not want to receive CEMs could be inferred.

Relevance is in the eyes of the recipient

Relying on its earlier decision in the Blackstone Learning case, the commisisoners concluded that CompuFinder was unable to establish that the CEMs were relevant to the business, role, functions or duties of the recipient. In the Blackstone Learning case, the commissioners stated that the “conspicuous publication” provision “does not provide persons sending commercial electronic messages with a broad license to contact any electronic address they find online; rather, it provides for circumstances in which consent can be implied by such publication, to be evaluated on a case-by-case basis.” In the CompuFinder case, the commissioners concluded that CompuFinder had failed to consider the relevance of its CEMs to the specific recipients but instead had speculated as to the recipient’s role or function.

Due diligence requires effort to mitigate the alleged violations

When all else fails, demonstrate due diligence! CompuFinder sought to shield itself from liability using the due diligence defence in s. 33(1) of CASL. This provision states that a “person must not be found liable for a violation if they establish that they exercised due diligence to prevent the commission of the violation.”

CompuFinder relied on the fact that it hired six employees in April 2014 to conduct targeted outreach to clients to obtain consent, sent express consent requests by email in April and May of 2014, sought guidance from the CRTC staff in June and Sept. 2014, had a compliance rate of virtually 100 percent with unsubscribe requests, and hired a consulting firm in May 2015 to help develop a formal compliance program.

The commissioners rejected the due diligence defense. First, remedial activities that occurred after the violation were not relevant. Second, the activities that pre-dated the violations would only be relevant if they were directed at avoiding the specific violations. For example, the fact that CompuFinder was processing virtually 100 percent of unsubscribe requests was not persuasive. It had been sending messages without a functioning unsubscribe link, which could have led recipients believe they could not unsubscribe. More damaging, the issue was corrected only because of complaints rather than as a result of auditing and monitoring. Had CompuFinder had a program of auditing and monitoring for these types of issues, that fact might have been relevant to the due diligence defense.

Key Take-Aways

The business-to-business exemption was arguably never meant to be used for marketing. When the previous Conservative government published the Regulatory Impact Analysis Statement for the GIC Regulations, the government stated that the exception was meant to address “concerns raised in the consultations about the unintended application of CASL to ordinary, transactional business communications.” The use of the exception for mass marketing was likely not contemplated. Although the exception could be used for that purpose in proper circumstances, the CRTC is sending a clear message that there is a high compliance burden on the organization to ensure that there is, in fact, a bona fide documented relationship between the organizations and that the message relates to the activities of the recipient organization.

Similarly, the “conspicuous publication” provision was probably meant to facilitate “cold emails” on a one-to-one basis rather than to provide a basis for mass marketing. Again, it may be possible to use this exception to add to mass marketing lists, but the compliance burden will be steep. The organization must document the provenance of the email address – where it came from, the fact that the email was published or caused to be published by the individual, and that there is no provision buried in the terms of use or otherwise that prohibit the use of the email for marketing. Furthermore, the organization will need to consider whether the content of each CEM actually relates to the recipient’s business, role, functions or duties in a business or official capacity. As the CRTC has now stated twice – this is a case-by-case analysis, which makes it difficult to apply to mass marketing communications. It can be done, however, it will require strict controls and documentation.

Let’s hope the INDU Committee recommends changes to create a more flexible law that is more aligned with the activities of legitimate Canadian businesses. In the meantime, if you are going to rely on due diligence, you’d better have a comprehensive program in place prior to the alleged violations. This program should include audit and monitoring.

photo credit: Ian Muttoo Happy Canada Day! via photopin (license)

Comments

If you want to comment on this post, you need to login.