November 5, 2018

Hot off the press! A CASL compliance update announced.

Today, November 5, 2018, the Canadian Radio-Television and Telecommunications Commission (CRTC) released a new round of guidance documentation for businesses sending Commercial Electronic Messages (CEMs) to Canadian subscribers. This document (CRTC 2018-415) deals exclusively with Section 9 of the legislation, a part of the law mostly forgotten by businesses until the recent enforcement action taken in July 2018 against Datablocks and Sunlight Media, who allegedly knowingly allowed malware to be shared through their respective ad networks and failed to take action after being notified of the issue by security researchers.

As a reminder, Section 9 of CASL reads:

“It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of Sections 6 to 8.”

Sections 6 through 8 deal with sending, causing, or permitting to be sent CEMs without express or implied consent; altering transmission data in electronic messages; and installing a computer program (e.g., malware, viruses, and botnets) without the express consent of the user.

The new guidance from the CRTC seems to be focused on businesses or agencies providing services around one of the activities in sections 6 through 8, and how much control over each of these activities these providers have on the potential violation. Example companies listed in the guidance include advertising brokers, electronic marketers, software and application developers, and payment processing system operators, to name only a few. This likely brings into scope any email service provider (ESP) or agency engaging in the sending of a CEM to Canadian subscribers.

The logic provided by the CRTC indicates that as a vendor of services, you have a responsibility to understand your marketplace and the potential vectors of abuse in relation to CASL, and to pledge that you will take action to mitigate these risks. To this end, the CRTC will assess three areas to determine the potential responsibility of organizations falling under Section 9, covering items such as the level of control they had over a potential violation, the degree of control over the activities of the one committing the violation, and whether reasonable steps were taken to try to prevent the violation from occurring.

As part of the enforcement bulletin, the CRTC provided three examples of potential violations of Section 9. Here is one that describes a common scenario under many agency/ESP models:

Company A specializes in online marketing and sells a bundle of services to Company B, which includes a messaging template and a collection of email addresses and mobile phone numbers for the purpose of mass marketing. The messaging template does not include sender identification information or an unsubscribe mechanism, and no attempt has been made to ensure the express or implied consent of the persons whose contact information appears on the list, all of which are required under section 6 of CASL. In this scenario, Company B may be in violation of section 6 of CASL if it uses the messaging template and contact lists provided by Company A to send commercial electronic messages (e.g., email or SMS). Even though Company A is not the sender of the messages, it could be violating section 9 of CASL by providing the tools that were used to violate section 6 of CASL.

This puts a significant onus on some agencies to proactively monitor their client base to ensure compliance with the legislation. There is clear shared responsibility for violations from a client not properly managed or caused in part by the agency/vendor.

Building a proper vetting practice for new businesses, documenting their activities, and looking for abnormalities in how a prospective client may want to interact with your brand (e.g., pay via cryptocurrency) should be added to your processes and your client risk assessment process. Also, ensure you have built similar periodic checks into your ongoing client reviews and documentation processes. For more guidance from the CRTC, be sure to read the full compliance and enforcement information bulletin CRTC 2018-415.

Author: Matthew Vernhout

Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (CIPP) with more than a decade of experience in email marketing. Matt is 250ok’s Director of Privacy, and he is currently the Vice Chair of the eec, after serving for several years as the Chair of their Advocacy Subcommittee.
