Although Canada's anti-spam legislation (CASL or the Act) has been in force since July 1, 2014 and a number of substantial penalties have been imposed under its terms, the Canadian Radio-Television and Telecommunications Commission (the CRTC) has so far produced little guidance on the manner in which allegations of non-compliance – and the penalties they attract when a breach is established – are properly assessed. Until the last week in October, the CRTC's Compliance and Enforcement Branch had publicly commented on only one Notice of Violation under CASL; for the most part, enforcement matters have taken the form of "undertakings" – essentially settlement agreements negotiated in private between the CRTC and the party allegedly in breach. This state of affairs has made it difficult for organizations operating in the digital sphere to fully understand the scope of the risk associated with the sending of commercial electronic messages (CEMs) in a manner that, for whatever reason, fails to comply with the CRTC's interpretation of CASL.

On October 26, 2016, the CRTC shed some light on this question and issued its first written decision: CRTC 2016-428. The decision, which reconsiders a notice of violation and administrative monetary penalty (AMP) previously issued to Blackstone Learning Corp., is significant for a number of reasons, but perhaps most significantly because it supplies useful comment on the implied consent provisions of CASL and on the manner in which the CRTC assesses the need for and calculates the amount of AMPs.

The original notice of violation against Blackstone related to nine email campaigns implemented by the company between July 9 and September 18, 2014. During the campaigns, a total of 385,668 promotional emails were sent to employees at 25 different federal and provincial government offices. The campaigns resulted in over 60 formal complaints issued to the CRTC's online Spam Reporting Centre. Following an investigation, which Blackstone refused to cooperate with, the CRTC issued a notice of violation finding there were reasonable grounds to believe Blackstone had sent CEMs without consent and imposing an AMP in the amount of $640,000. Blackstone chose to dispute the notice of violation, arguing that it had implied consent to send the CEMs in question and that the amount of the AMP was too high.

On the issue of implied consent, Blackstone relied on s. 10(9)(b), also known as the "conspicuous publication" rule. In effect, Blackstone asserted, it had implied consent to send its promotional emails because the electronic addresses they had been sent to were publicly available. The CRTC rejected this argument, and – helpfully – explained that the "conspicuous publication" exemption requires more than mere public availability. Rather, the electronic address must have been published in such a manner that it is reasonable to infer consent to receive the type of message sent, in the circumstances. Whether or not consent can be properly implied by "conspicuous publication" of an electronic address under s. 10(9)(b) is a matter to be evaluated on a case-by-case basis. The decision emphasizes that s. 10(9)(b) does not provide organizations with a broad license to contact any email address they find online. Furthermore, the burden of proving that implied consent exists in any given case falls upon the sender of the disputed CEMs. Since Blackstone failed to provide any, or any persuasive, evidence concerning how it arrived at the conclusion that the targets of its email campaigns had effectively granted implied consent, the CRTC upheld the finding in its original notice of violation that CEMs had been sent without consent, and a penalty of some kind was appropriate.

On the question of penalty, Blackstone's position was on firmer ground. Though it was clear that Blackstone had breached the Act and had, moreover, been generally uncooperative throughout, the CRTC ultimately found that while Blackstone had earned a penalty, the amount originally imposed - $640,000 – was too high. A number of factors supported this view, but most notably the fact that the purpose of the penalty is not to punish but rather to promote compliance with the Act. If an organization is functionally destroyed by the AMP, the CRTC reasoned, then the purpose of promoting compliance is defeated. In Blackstone's case, the CRTC accepted unaudited financial statements submitted by the company, which demonstrated that the business was a small one and the original amount of the AMP represented several years' worth of revenue. Other factors also militated in favour of a lesser penalty, including the relatively short time-period during which the offending CEMs had been sent, and the presence of indicators that Blackstone had intended to comply with CASL and would self-correct in the future. In the end, the CRTC reduced the penalty to $50,000, payable within 30 days of the date of the decision.

The decision contains good information for organizations across Canada, but there are key takeaways that senders of CEMs should keep in mind going forward:

  • In order to rely on the "conspicuous publication" rule, an organization must be able to show that it is reasonable in the circumstances to infer that any given recipient has impliedly consented to receipt of a CEM. The burden of proof falls upon the sender
  • Organizations should develop a practice of keeping detailed records of consent, whether express or implied
  • There can be great value in disputing a notice of violation in the proper circumstances – in this case, Blackstone's challenge reduced the AMP from $640,000 to $50,000
  • Cooperating with the CRTC during the investigation process, and demonstrating a desire to self-correct, can help to limit the scope of an AMP

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.