November 5, 2018

Hot off the press! A CASL compliance update announced.


Today, November 5, 2018, the Canadian Radio-Television and Telecommunications Commission (CRTC) released a new round of guidance documentation for businesses sending Commercial Electronic Messages (CEMs) to Canadian subscribers. This document (CRTC 2018-415) deals exclusively with Section 9 of the legislation, a part of the law mostly forgotten by businesses until the recent enforcement action taken in July 2018 against Datablocks and Sunlight Media, who allegedly knowingly allowed malware to be shared through their respective ad networks and failed to take action after being notified of the issue by security researchers.

As a reminder, Section 9 of CASL reads:

“It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of Sections 6 to 8.”

Sections 6 through 8 deal with sending, causing, or permitting to be sent CEMs without express or implied consent; altering transmission data in electronic messages; and installing a computer program (e.g., malware, viruses, and botnets) without the express consent of the user.

The new guidance from the CRTC seems to be focused on businesses or agencies providing services around one of the activities in sections 6 through 8, and how much control over each of these activities these providers have on the potential violation. Example companies listed in the guidance include advertising brokers, electronic marketers, software and application developers, and payment processing system operators, to name only a few. This likely brings into scope any email service provider (ESP) or agency engaging in the sending of a CEM to Canadian subscribers.

The logic provided by the CRTC indicates that as a vendor of services, you have a responsibility to understand your marketplace, the potential vectors of abuse in relation to CASL, and pledge you will take action to mitigate these risks. To this end, the CRTC will assess three areas to determine the potential responsibility of organizations falling under Section 9, covering items such as the level of control they had over a potential violation, the degree of control over the activities of the one committing the violation, and if reasonable steps were taken to try to prevent the violation from occurring.

As part of the enforcement bulletin, the CRTC provided three examples of potential violations of Section 9. Here is one describing a scenario common to many agency/ESP models:

Company A specializes in online marketing and sells a bundle of services to Company B, which includes a messaging template and a collection of email addresses and mobile phone numbers for the purpose of mass marketing. The messaging template does not include sender identification information or an unsubscribe mechanism, and no attempt has been made to ensure the express or implied consent of the persons whose contact information appears on the list, all of which are required under section 6 of CASL. In this scenario, Company B may be in violation of section 6 of CASL if it uses the messaging template and contact lists provided by Company A to send commercial electronic messages (e.g., email or SMS). Even though Company A is not the sender of the messages, it could be violating section 9 of CASL by providing the tools that were used to violate section 6 of CASL.

This puts a significant onus on some agencies to proactively monitor their client base to ensure compliance with the legislation. There is clear shared responsibility for violations by a client that was not properly managed, or that were caused in part by the agency/vendor.

Building a proper vetting practice for new businesses, documenting their activities, and looking for abnormalities in how a prospective client may want to interact with your brand (e.g., pay via cryptocurrency) should be added to your processes and your client risk assessment process. Also, ensure you have built similar periodic checks into your ongoing client reviews and documentation processes. For more guidance from the CRTC, be sure to read the full compliance and enforcement information bulletin CRTC 2018-415.

Author: Matt Vernhout

Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (CIPP) with more than a decade of experience in email marketing. Matt is 250ok’s Director of Privacy, and he is currently the Vice Chair of the eec, after serving for several years as the Chair of their Advocacy Subcommittee.
