The list of published enforcement activities under CASL just got a little longer. The first and only administrative monetary penalty levied so far, $1.1 million against CompuFinder, was a lot, but the facts that were published suggest that it was an ideal case for a penalty. Then Plenty of Fish paid $48,000 as part of an undertaking for what was apparently a cumbersome unsubscribe process.
A lot of senders might react by concluding that their practices have nothing in common with what either of these companies were doing. However, even if this is true, the announcement that Porter airlines agreed to pay $150k as part of an undertaking should hit closer to home for anyone sending email in Canada. The CRTC alleges that
- some messages did not contain an unsubscribe mechanism;
- in some messages the unsubscribe was not clearly or prominently set out (apparently some messages contained two unsubscribe links, one of which did not function properly. Thus, according to the CRTC, the unsubscribe mechanism was not clearly set out because it was not apparent which mechanism was functional);
- some messages did not provide all necessary contact information;
- in at least one confirmed instance Porter did not honour an unsubscribe request within the maximum of 10 business days; and
- Porter was unable to provide sufficient proof of consent for some email addresses.
On this last point, the CRTC took the opportunity to underscore their position that senders need to provide specific records of how consent was obtained for each email address, as it is not sufficient to rely on “general business practices or policies as proof of consent for the majority of…electronic addresses”.
Few details are provided. For example, beyond the single confirmed instance of failing to honour an unsubscribe request, there’s no indication of idea how many subscribers were affected by these alleged violations, or how many complaints the CRTC received. According to Porter, the errors resulted from a change in email platforms, and affected a “very small percentage” of their email database. This is a plausible explanation. Mistakes happen.
Being in Ottawa, I use Porter a lot (mostly between here and Toronto), and have received hundreds of emails from them over the years. From my perspective as a consumer, Porter is a great company with fantastic customer service, and although they send a lot of email, I would never consider the company to be a spammer (FYI, Porter is not a client). Looking at Porter through that lens, $150k is huge, especially in an industry with pretty thin profit margins. Furthermore, the CRTC stated that “once made aware of the investigation by the CRTC, Porter Airlines was cooperative and immediately took corrective actions to comply with the legislation.” So it’s not like Porter had ignored previous warnings about their practices.
Maybe there are thousands of Canadians who have been bombarded with Porter emails, even after repeatedly asking to be removed. Maybe this is the result of a rogue marketer at Porter, or one of its agencies, who has been spamming away like it’s still June, 2014. What it looks like though is that Porter is mostly compliant, but they made a few mistakes. And, unfortunately, it seems that the company felt that it was unable to show that it exercised due diligence to prevent these mistakes (otherwise they could not be found liable under CASL).
It’s hard to draw any conclusions without more facts, but it appears that the margin for error is getting smaller. Among other things, it underscores the importance of making sure that proper systems are in place to keep track of consent and populate email footers with the right information. For most applications, just about any email service provider (ESP) can easily take care of this. For more complex systems – for example, if you are relying on implied consent – then the average ESP may not be enough, because you also need to be able to track things like customer purchases. Fortunately, though, there are a growing number of providers who can handle these requirements.