CASL: $10k per complaint?

Kellogg has become the latest big brand to pay for alleged violations of CASL. The notice on the CRTC’s website says very little, other than that messages were sent by Kellogg and/or its providers over the course of a couple of months in 2014 to recipients who had not provided consent. Kellogg agreed to pay $60,000 and update its compliance program.

As with previous undertakings, there is no indication of how many alleged violations occurred. However, the actual undertaking does reveal that the CRTC received six complaints about the emails, which works out to $10,000 per complaint. For now, this is the closest thing to any sort of metric to gauge the cost of violations (yes, this is meaningless).

Clearly a mistake was made. As a large, conservative brand, it is inconceivable that Kellogg would knowingly choose to upset potential consumers of its products by sending email without consent. It appears that the company did have written policies and procedures in place (which they are required to update), though apparently no training programs.

More detailed information about these undertakings would be very helpful helpful. Senders are sufficiently concerned about CASL, and a lot of time and money has been invested in compliance. But it is never as simple as flipping a switch, and questions often arise about how much to invest in policies, procedures, and training, and how detailed they need to be. Mistakes will happen to even the most diligent senders.

Posted in CASL | Leave a comment

Avis: CASL-related amendments to Competition Act violate the Charter

Earlier this year the the Competition Bureau brought an application against Aviscar, Budgetcar, and their parent company, Avis Budget Group Inc. The Bureau alleges that the companies engaged in deceptive marketing practices by failing to disclose additional fees that can increase the price of a car rental by as much as 35 percent. The Bureau is seeking $30 million in administrative monetary penalties as well as consumer refunds. In response, Avis et al. argue that “Recovery Fees” are standard across the rental car industry and well-known to consumers.

As discussed in an previous post, one component of the Bureau’s case involves allegations that Avis sent emails that are false or misleading. According to the notice, one email sent in 2014 gave “the general impression that it is possible for a consumer to save up to 25% off his or her next weekend rental“, when in fact Avis does not apply the discount to the Recovery Fees. The Bureau therefore argues that it is not possible to save up to 25%.

The Bureau relies in part on s. 74.011(1) of the Competition Act, one of the sections added to the law when CASL was passed, which applies to sender and subject matter information of an electronic message. This section is unique because, unlike other sections that deal with false or misleading representations, there is no requirement that a representation be false or misleading in a “material” respect. This appears to be the first case involving the CASL-related amendments under the Competition Act.

The respondents claim that the emails are neither false nor misleading, in addition to arguing that s. 74.011(1) is an unreasonable restriction under s. 2(b) of the Charter because the section

places unjustified limits on freedom of expression in that it applies over-broadly to all false or misleading representations regardless of whether they are false or misleading in a material respect.

The respondent asks the Competition Tribunal to either strike s. 74.011(1) from the Act or read in a materiality condition.

This won’t be the first time the Tribunal considers s. 2(b) of the Charter: in 2005 the Tribunal found that while s. 74.01(3) (which deals with misrepresentations of a seller’s ordinary selling price) does infringe s. 2(b), the infringement is reasonable and demonstrably justified.

Whether or not the respondent succeeds on the constitutional arguments in this case may have little bearing on the overall outcome of the matter, given that the information in the subject line of the Avis email is just one small piece of the Bureau’s case. However, stakeholders have argued before that the lack of a materiality requirement could lead to problems, so it will be interesting to see how the Tribunal rules on this. And, more importantly, it is likely that we will see others arguing that CASL violates the right to freedom of expression under the Charter in the future.

Posted in CASL | Leave a comment

Is the private right of action under CASL retroactive?

When Industry Canada determined the coming-into-force date for Canada’s Anti-Spam Legislation (CASL), it wisely decided to delay the private right of action for a period of three years. This is supposed to give businesses some time to figure out the rules before worrying about lawsuits under the private right of action, which allows any person affected by a contravention of CASL (as well as related amendments to the Competition Act and PIPEDA) to sue for actual and/or statutory damages. The last thing the government wants is for a bunch of respected brands following normal business practices to be hit with class action lawsuits for alleged technical contraventions of the law.

A common question though is whether the private right of action could be applied to alleged contraventions that occur before it comes into force on July 1, 2017 (i.e., any time after July 1, 2014). In other words, is the private right of action retroactive? The short answer is that no one really knows for certain.

However, there are a few factors that would seem to weigh against a finding of retroactivity, beyond the fact that it would be unfair.

According to the “modern principle” of statutory interpretation, which has been referenced by the Supreme Court on numerous occasions, “the words of an Act are to be read in their entire context and in their grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act, and the intention of Parliament“.  Looking at the broader context and intention of the government, it is clear that the purpose in delaying the private right of action was so that it could not be applied to alleged contraventions occurring before July 1, 2017. A finding to the contrary would  defeat the purpose of delaying the private right of action in the first place.

There are also at least a couple of cases that seem to support the presumption against retroactivity for statutory rights of action. The Ontario Court of Appeal decided against the retrospective application of a right of action under the Combines Investigations Act (replaced by Competition Act). In City National Leasing v. General Motors of Canada, the Court noted: “We find nothing in the legislation…that would warrant us in concluding that it is capable of being given such operation” (thanks to Timothy Banks for pointing this out).

More recently, the BC Court of Appeal found in Round v. MacDonald, Dettwiler and Associates that a right of action under the Securities Act was not retroactive. The Court affirmed the finding of the trial judge, who stated that “retroactive operation of a statute is highly exceptional, whereas prospective operation is the rule“.

So, while we can’t be certain, it appears that statutory rights of action are presumed to apply prospectively, absent exceptional circumstances. With nothing in Act (or the broader context) indicating an intent for retroactive application, hopefully this means that businesses cannot be sued for alleged contraventions occurring before July 1, 2017. Of course, anything that happens after that date will be fair game.

Posted in CASL, Privacy litigation | Leave a comment

What the Digital Privacy Act means for digital marketers

Bill S-4, the Digital Privacy Act, received royal assent on June 18 (this was nine years in the making – the parliamentary review of PIPEDA that led to the bill began in 2006). The bill makes a number of changes to PIPEDA, not least of which is the creation of a breach reporting regime, which will come into effect on a date to be determined by Industry Canada. A comprehensive summary of these changes can be found here.

The change that is probably most relevant for marketers is the way that PIPEDA now deals with “business contact information”. It is well known that PIPEDA (and other private sector privacy laws) provide exceptions for business contact information. However, these exceptions are all a little different, and up until June 18, a business email address was not excluded from PIPEDA. Because the list of data elements excluded from PIPEDA was drafted as an exhaustive list (the name, title or business address or telephone number of an employee of an organization), the Privacy Commissioner of Canada concluded years ago that anything not on this list, like an email address, could not be excluded.

Business contact information is now defined broadly as “any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession such as the individual’s name, position name or title, work address, work telephone number, work fax number or work electronic address”.

According the new section 4.01, PIPEDA does not apply to the collection, use or disclosure of business contact information “solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession.” Thus, although business contact information is not excluded from PIPEDA altogether, the circumstances under which it can be collected, used and disclosed without consent are quite broad.

In reality, the fact that business email addresses were not excluded probably did not stop a lot of B2B marketers from acting is if they were. At least now they can be used without breaking the law.

Posted in PIPEDA | Leave a comment

Little margin for error under CASL

The list of published enforcement activities under CASL just got a little longer. The first and only administrative monetary penalty levied so far, $1.1 million against CompuFinder, was a lot, but the facts that were published suggest that it was an ideal case for a penalty. Then Plenty of Fish paid $48,000 as part of an undertaking for what was apparently a cumbersome unsubscribe process.

A lot of senders might react by concluding that their practices have nothing in common with what either of these companies were doing. However, even if this is true, the announcement that Porter airlines agreed to pay $150k as part of an undertaking should hit closer to home for anyone sending email in Canada. The CRTC alleges that

  • some messages did not contain an unsubscribe mechanism;
  • in some messages the unsubscribe was not clearly or prominently set out (apparently some messages contained two unsubscribe links, one of which did not function properly. Thus, according to the CRTC, the unsubscribe mechanism was not clearly set out because it was not apparent which mechanism was functional);
  • some messages did not provide all necessary contact information;
  • in at least one confirmed instance Porter did not honour an unsubscribe request within the maximum of 10 business days; and
  • Porter was unable to provide sufficient proof of consent for some email addresses.

On this last point, the CRTC took the opportunity to underscore their position that senders need to provide specific records of how consent was obtained for each email address, as it is not sufficient to rely on “general business practices or policies as proof of consent for the majority of…electronic addresses”.

Few details are provided. For example, beyond the single confirmed instance of failing to honour an unsubscribe request, there’s no indication of idea how many subscribers were affected by these alleged violations, or how many complaints the CRTC received. According to Porter, the errors resulted from a change in email platforms, and affected a “very small percentage” of their email database. This is a plausible explanation. Mistakes happen.

Being in Ottawa, I use Porter a lot (mostly between here and Toronto), and have received hundreds of emails from them over the years. From my perspective as a consumer, Porter is a great company with fantastic customer service, and although they send a lot of email, I would never consider the company to be a spammer (FYI, Porter is not a client). Looking at Porter through that lens, $150k is huge, especially in an industry with pretty thin profit margins. Furthermore, the CRTC stated that “once made aware of the investigation by the CRTC, Porter Airlines was cooperative and immediately took corrective actions to comply with the legislation.” So it’s not like Porter had ignored previous warnings about their practices.

Maybe there are thousands of Canadians who have been bombarded with Porter emails, even after repeatedly asking to be removed. Maybe this is the result of a rogue marketer at Porter, or one of its agencies, who has been spamming away like it’s still June, 2014. What it looks like though is that Porter is mostly compliant, but they made a few mistakes. And, unfortunately, it seems that the company felt that it was unable to show that it exercised due diligence to prevent these mistakes (otherwise they could not be found liable under CASL).

It’s hard to draw any conclusions without more facts, but it appears that the margin for error is getting smaller. Among other things, it underscores the importance of making sure that proper systems are in place to keep track of consent and populate email footers with the right information. For most applications, just about any email service provider (ESP) can easily take care of this. For more complex systems – for example, if you are relying on implied consent – then the average ESP may not be enough, because you also need to be able to track things like customer purchases. Fortunately, though, there are a growing number of providers who can handle these requirements.

Posted in CASL | Tagged , , , | Leave a comment

Bell moves to “opt-in” for Relevant Advertising Program

The Office of the Privacy Commissioner of Canada (OPC) just published the results of an 18-month investigation into Bell’s Relevant Ads Program (RAP), which involves advertising that is behaviourally targeted to wireless customers. Bell’s announcement of the Program back in August 2013 resulted in 170 complaints to the OPC.

Bell’s RAP uses wireless customer activities (such web pages visited from a mobile device), and account/demographic information (e.g., postal code, gender, age range, and payment patterns) to create user profiles. Advertisers then deliver ads to mobile devices on the Bell network that are targeted based on those user profiles. Although the Program is only for wireless customers, Bell indicated that it intends expand to residential customers in the future.

This is the most comprehensive finding yet involving online behavioural advertising (OBA), and is notable for a number of reasons. Most significantly, the OPC concluded that because the RAP involves the use of “sensitive” information, Bell cannot rely on opt-out consent, according to the OPC’s 2012 Policy Position on Online Behavioural Advertising. It appears that since the OPC finalized its report of finding Bell has agreed to move to an opt-in model, avoiding a potential Federal Court case.

The OPC considers the personal information used by Bell to be sensitive primarily because Bell collects and retains all URLs viewed by a user on their mobile device. That Bell only generates non-sensitive interest categories does not change the fact that the underlying URLs may be sensitive.

The breadth and volume of customer data available to Bell are also relevant factors. According to the OPC,

Bell is able to track every website its customers visit, every app they use – and in the future, potentially every TV show they watch and every call they make – using Bell’s network, whether at home or abroad. Under the RAP, Bell can use this information to infer a wide range of both general and specific interests. The combination of this information with the extensive account/demographic information (e.g., age range, gender, average revenue per user, preferred language and postal code) used by Bell for the RAP will result in highly detailed and rich multi-dimensional profiles that, in our view, individuals are likely to consider quite sensitive.

The OPC also highlighted the fact that Bell seeks to generate additional revenue by tracking and targeting ads to paying customers. The OPC believes users may expect to be tracked in return for a free service, but not so when the service is paid for. This could be the most important factor in distinguishing the RAP from targeting that occurs on sites such as Facebook, which can also involve a lot of detailed personal information (recall that Facebook relies on opt-out consent, and, for some ads, does not even provide an opt-out).

Also interesting is that Bell conducted a survey to support its position on opt out consent. The OPC was not swayed, having hired a professional to evaluate the survey who stated that “most of the conclusions drawn by Bell from the survey are not scientifically supported”. The OPC and Bell even disagreed on whether 170 constitutes a significant number of complaints; while Bell stated that the number represents a small proportion of affected customers, the OPC responded that “never before have so many Canadians taken the time to submit formal complaints to our Office on a specific issue.”

The findings in this case appear to build on rather than alter the framework laid out in the OPC’s 2012 Policy Position by adding to the list of factors that may require opt-in consent for OBA activities. This is in addition to the OPC’s finding last year that creating a profile based on a medical condition (sleep apnea) involves sensitive personal information.

Posted in OBA, PIPEDA | Leave a comment

Why the CASL-related amendments to the Competition Act will matter

The Competition Bureau filed a notice of application to the Competition Tribunal yesterday, brought against Aviscar, Budgetcar, and their parent company, Avis Budget Group Inc. The notice alleges that the companies engaged in deceptive marketing practices by failing to disclose additional fees that can increase the price of a car rental up to 35 percent. The Commissioner is seeking $30 million in administrative monetary penalties as well as consumer refunds.

The media release on the Competition Bureau’s website states that the action “marks the Bureau’s first proceedings under the new provisions of the Competition Act that came into force as part of Canada’s Anti-Spam Legislation (CASL) in July 2014, because Avis and Budget also use electronic messages to disseminate the alleged false or misleading representations.”

So what are these new provisions that came into force with CASL?

The Competition Act has always applied to false and misleading misrepresentations made in an electronic message. However, the bill that created CASL amended the Competition Act to more specifically address false and misleading representations arising in four components of an electronic message: 1) sender information 2) subject matter information (e.g., a subject line); 3) a “locator” (e.g., a URL); and 4) the content of a message.

Categories 1), 2) and 3) are somewhat new in that there is no “materiality” requirement. In other instances under the Competition Act, a representation must be false or misleading in a “material” respect, and a representation is considered material if it is likely to influence an “ordinary citizen” (e.g., to make a purchase). So the CASL-related amendments have made it easier for the Competition Bureau to prove that sender information, subject matter information, and URLs are false or misleading. Time will tell whether this makes a meaningful difference.

With respect to the content of a message, the materiality requirement remains. So the Competition Act applies to false and misleading representations made in the content of an electronic message in the exact same manner is it did before. However, there is an important  change outside of the Competition Act, in that the private right of action applies to these particular CASL-related provisions. As a result, consumers will be able to sue for actual damages and statutory damages of up to $200 per message containing a false or misleading representation, once the private right of action comes into force on July 1, 2017. This means that false and misleading representations made in electronic messages could become more costly to defend than representations made elsewhere.

In this case, the notice provides several examples of where Avis and Budget have allegedly made false or misleading representations, including print ads, websites, mobile apps, and an email.  The Bureau alleges that the subject line in the email sent by Avis is false or misleading, which is how the CASL-related amendments have been applied for the first time. With so many examples, if the Bureau can prove that the various representations are false or misleading, the fact that the subject line is not subject to the materiality condition will likely make little difference in the outcome of the case. So these changes may not matter very much right now, but they will in a few years.

Posted in Uncategorized | Leave a comment

$1.1 million penalty under CASL offers few surprises

The moment that so many people have been waiting for arrived this morning when the Canadian Radio-television and Telecommunications Commission (CRTC) announced publicly for the first time that it has issued a Notice of Violation under Canada’s Anti-Spam Legislation (CASL), which includes a $1.1 million penalty.

The company on the receiving end of the Notice is Compu-Finder, a Montreal-based company that, according to its website “offers executives and managers access to new fields of knowledge inspired by the evolution of the realities of geoeconomy and geopolitics stemming from the phenomenon of market globalization.”

Apparently Canadians have been less than enamored with the company’s offers to train executives and managers on new fields of knowledge. According to the CRTC, complaints against the company account for 26% of all training-related complaints received by the Spam Reporting Centre. The Notice alleges that Compu-Finder sent commercial electronic messages without consent, and that unsubscribe mechanisms in some messages did not work.

It may be a bit of a surprise that the first publicized penalty is over a million dollars. That is significant. However, there are a few things about this Notice that are as expected.

First, there appears to be substantial evidence of multiple violations of CASL affecting many Canadians. Although the penalty is based on four violations, it seems that there could be many more. This is consistent with the situations in which the CRTC has issued penalties under the Unsolicited Telecommunications Rules (i.e., multiple, clear violations). This also seems consistent with the CRTC’s messaging in terms of its intended approach to enforcement of CASL.

Second, the company is based in Canada. It makes sense that, in the early stages of enforcement, the CRTC would want to issue a penalty against a Canadian company so that it has a better chance of actually collecting the fine (or putting the company out of business).

Just because the Notice involves what appears to be a clear case of spam does not mean that it is irrelevant to other senders, however. For example, the CRTC may take the opportunity to offer its views on what it means for a message to be relevant to a person’s “business, role, functions or duties in a business or official capacity“, which is a key factor in determining whether consent can be implied based on the conspicuous publication of an electronic address (or where the recipient has provided their electronic address to the sender). This could therefore result in important guidance for business-to-business marketers.

Compu-Finder now has 30 days to pay the penalty, make written representations, or  request an “undertaking” with the CRTC. Can Compu-Finder talk its way out of a $1.1 million dollar penalty? Stay tuned.

Posted in CASL | Leave a comment

What the Privacy Commissioner is looking for with OBA sweep

The Globe and Mail reported a couple of weeks ago that the Office of the Privacy Commissioner of Canada (OPC) plans to study online behavioural advertising (OBA). The article followed a letter that the OPC sent to notify the Interactive Advertising Bureau (IAB) of the study.

This will likely resemble the mobile app sweep the OPC did last year, and the internet sweep (which examined privacy policies) the year before that. In both cases the OPC took the opportunity to call out good and bad practices among organizations. In what appears to now be an annual tradition, OBA is an obvious next issue: it is widespread and vital to the internet, yet, aside from the Policy Position on OBA published in June 2012, there has been minimal guidance on OBA so far.

So what exactly is the OPC looking for? The OPC stated that “the methodology used in the project would be similar to that used for the investigation of Google’s advertising for health related services” (for those who do not recall, the OPC found that Google violated PIPEDA by allowing advertisers to target internet users who suffer from sleep apnea).

The OPC also stated that the objective is to raise awareness about transparency and providing the ability to opt out of OBA, and that the study will look at “web sites popular in Canada and will not be focusing on particular publishers or advertising organizations.

Based on this, it would seem that the OPC will look at websites that display targeted ads in order to evaluate whether adequate notice and opt out are provided. This would include, for example, reviewing privacy policies for information about OBA-related activities, and making note of whether ads display the “Ad Choices” icon.

In addition, the OPC will likely look for ads that appear to be targeted based on “sensitive” categories of personal information, like health/medical conditions, race/ethnicity, and possibly financial information.

The study will take place over the next few months, with the results to be released some time in the Spring. The OPC will wait to see the results before it decides whether to  publicly name organizations. For anyone who has been meaning to get around to reviewing OBA programs for compliance with PIPEDA, now is the time. Otherwise you you could be the OPC’s next example of what not to do.

Posted in OBA, PIPEDA | Tagged , , | Leave a comment

New Zealand Spammers fined

A New Zealand court fined a spammer $12,000 a few days ago. According to a press release published by the Department of Internal Affairs, the spam was apparently some sort of bizarre response to an argument that broke out in an internet gaming forum. The messages, described as “mainly abusive in nature”, contained links to a webpage promoting his free Android app, Crazy Tilt Arcade Challenge. He also sent the messages from multiple addresses in an attempt to hide is identity. Nothing like mixing business with internet forum-fueled revenge.

This is far from the largest fine that has been handed out under the New Zealand Unsolicited Electronic Messages Act 2007, which provides for fines of up to $500,000. That came last year when the New Zealand High Court fined Image Marketing Group (IMG) $120,000 for sending over 500,000 emails and almost 45,000 text messages promoting databases and antenna boosters.

IMG had also sold a database of 50,000 email addresses to someone else for $1,000, the use of which resulted in 400 spam complaints. IMG was held liable for the use of the list under a section of the law that prohibits a person from being “directly or indirectly, knowingly concerned in, or party to” a violation of the Act (this is somewhat similar to section 9 of CASL). IMG is owned by Brendan Battles, who has been described as a notorious spammer who used to live in the US.

 

Posted in CASL | Tagged , , | Leave a comment