Canadian telemarketers reach $1.7 million settlement with Federal Trade Commission

Have you ever received a call from someone claiming that you owe money for something you never bought (or even heard of)? Last week a Florida court issued an order against Montreal-based Francois Egberongbe and Robert N. Durham, both individually and doing business under such names as Nationwide Marketing Bureau, National Business Advertising, National Biz Ads and Yellow Business Ads. According to the Federal Trade Commission (FTC), Egberongbe and Durham had been operating a scam in which they would call and send invoices to small businesses and non-profits requesting payment for online business directory listings that had never been ordered (debt collection schemes like these have been around for a long time, targeting both consumers and small businesses).

According to the settlement with the FTC and the State of Florida, the defendants must pay $1.7 million (yes, that’s U.S. dollars), which is to be used to reimburse those who fell victim to the scam. The defendants are also prohibited from providing, promoting, advertising or attempting to collect payments for any “online business directory” service, and are subject to ongoing compliance reporting obligations.

With agencies like the FTC becoming more ‘global’ in their approach to enforcement, it is increasingly difficult for Canadian companies to avoid consequences for conducting these types of activities in the U.S. (and vice versa). At least one of the defendants wisely chose to retain U.S. counsel on this matter, as opposed to ignoring the complaints and waiting for a default judgment. Adam Guerbuez, a Montreal-based “email marketer”, chose the latter approach and was successfully sued by Facebook in California under the CAN-SPAM Act back in 2008 for $873 million. Two years later a Quebec court agreed to enforce the judgment. Although it is unclear whether the FTC will ever collect from the Canadians in this case, because this is a court order for monetary relief, it looks more like a civil judgment than a regulatory penalty, which could increase the likelihood that this would also be enforced by a Quebec court.

Posted in Telemarketing

More guidance on CASL computer program rules

The CRTC and Industry Canada held an information session on the computer program rules under section 8 of Canada’s Anti-Spam Legislation (CASL) in Montreal on December 1 (hosted by Norton Rose Fulbright), one of the last in a series of information sessions across the country. The CRTC was represented by Dana-Lynn Wood, Senior Enforcement Officer, Electronic Commerce Enforcement, and Lynne Perrault, Director, Electronic Commerce Enforcement Division, Compliance and Enforcement Sector. Industry Canada was represented by André Leduc, Manager of the National Anti-spam Coordinating Body.

The session offered some helpful insight beyond that provided in the guidance published by the CRTC last month. As a general comment, the CRTC emphasized the significance of “reasonableness” in interpreting and applying the CASL computer program rules. Furthermore, the CRTC made several references to “malware”, suggesting that they intend to focus on the types of computer programs that really do pose a threat to consumers (which is consistent with the purpose of passing CASL in the first place). This should provide some comfort to software developers and publishers.

The following are some of the specific issues that were discussed (note that these are the views of CRTC staff, and not necessarily binding on the Commission).

Automatic Downloads: An update to an existing computer program is a computer program in and of itself. In most cases publishers have two options to ensure that updates do not violate CASL. One: if an update is installed by the user (e.g., user must click “Install” to install the update), then CASL most likely does not apply. Two: if a vendor wants updates to be installed automatically (with no user intervention), then CASL likely applies because the program is installed by someone other than the user. In this latter scenario the vendor must obtain consent for updates at the time when the program is initially installed. Now for the helpful part: where automatic updates are turned on or off through user settings, e.g., in the operating system of a mobile device, then these updates are likely installed by the user given the user’s control over those settings. As such, CASL does not apply.

Grandfathering: As with section 6 (the commercial electronic messaging rules), the CRTC clarified that it will recognize ‘express consent’ obtained before section 8 comes into force as express consent under CASL, even where that express consent does not meet all of the requirements under CASL (e.g., prescribed identifying information required under CASL may not have been provided).

Liability: CASL applies to a person who “installs”, as well as a person who “causes” a computer program to be installed. The CRTC stated that, in determining whether a person has installed or caused a program to be installed, it will consider whether the person’s action was 1) necessary for the installation; 2) proximate to the installation; and 3) sufficiently important to the installation.

The CRTC also provided an update on its enforcement activities so far:

  • Approximately 185,000 submissions have been made to the Spam Reporting Centre to date (although I am not sure what this means – is this a lot? a little?).
  • Approximately 20 notices to produce have been issued. In many cases organizations have requested formal notices so that the legal requirement to disclose information is clearly documented.
  • Several warning letters have been sent out.
  • A few ‘complex’ investigations are currently ongoing.

The CRTC stated that further written guidelines are likely to be provided as they continue to work through the various issues raised during the cross-country tour.

Posted in CASL

CRTC guidance on CASL computer program rules

The CRTC has published guidance on its interpretation of the rules that apply to the installation of computer programs under Canada’s Anti-Spam Legislation (CASL). Given that these rules come into force in just over two months, it is helpful to see how the CRTC intends to approach a few key interpretive issues.

Perhaps most important is guidance on what it means to “install” a computer program, because CASL only applies when installing onto another person’s computer system. For example, the CRTC has clarified that CASL does not apply when someone downloads and installs software from a website, or purchases and downloads an app onto a mobile device. The guidance emphasizes that the true objective of CASL is to address malware and other forms of software that might be installed without the knowledge or consent of the user. One of the examples cited by the CRTC as something that would be subject to CASL is a generic description of the infamous Sony rootkit.

Before getting too excited over the prospect that CASL will only apply to surreptitiously installed programs, it is important to note that CASL will affect automatic updates because they are not installed by the user. If a publisher intends to install automatic updates in the future, then consent is generally required for those updates when the program is first installed, and the CASL rules for requesting consent apply.

One exception is that consent is not required for an update that is installed solely to correct a failure, which, according to the CRTC, “may include a patch designed to fix a security vulnerability or a software error, flaw, failure or fault in a computer program or system that causes it to produce an incorrect or unexpected result or to behave in unintended ways.” However, if the update does anything other than correct a failure, such as introduce new functionality, then this exception likely would not apply.

Oddly, the CRTC did not refer to earlier guidance it has given with respect to cookies; i.e., that cookies are computer programs, but that they are generally not “installed” under CASL.

In addition to clarifying these issues, the guidelines provide a good, plain-language description of the rules. And for an even more succinct description, we’ve put together this CASL Computer Program Checklist.

Posted in CASL

Recommended reading: MECLABS search for the perfect reconfirmation campaign

The final months leading up to Canada’s Anti-Spam Legislation (CASL) coming into force gave rise to millions of emails asking recipients to provide express consent. Most went something like this: there is a new law coming into force, and if you want to continue to hear from us, you need to act now. I think it is safe to assume that most were unread.

In helping others get prepared for CASL, it became evident that many senders already had some form of consent for most if not all of their lists, and I suspect that a lot of the reconfirmation emails sent earlier this year were not necessary. My personal view is that businesses should focus on sending these messages when they really need to, as opposed to sending because it seems like the right thing to do, or because everyone else is doing it (the purpose of our Database Checklist is to help determine when this is necessary). Otherwise it is just a quick way to purge a list that took so much time and effort to build.

When it actually is necessary to send these messages, senders obviously want to generate as many opt-ins as possible. This is where my expertise ends. But, while I do not pretend to be a marketing expert, I do need to understand what marketers are facing in order to do my job effectively. So I had countless conversations with colleagues in search of the perfect reconfirmation message.

It turns out that because no one had really needed to send these messages before, senders were basically guessing. Based on anecdotal evidence, it seems that most were lucky to get conversion rates of more than a few percent.

This is why it is great to see some actual research on the topic: yesterday Daniel Burstein from MECLABS posted the results of a reconfirmation campaign sent to Canadian subscribers of MarketingExperiments and MarketingSherpa. In short, the messages that referenced CASL in addition to the value that recipients would receive from staying on the list increased conversion rates from 5.9% to 8.8% (an increase of almost 50%). I find this a little surprising, but Daniel points out that this may be due in part to the fact that their subscribers are likely more knowledgeable and interested in CASL than the average consumer.

The MECLABS blog is definitely worth a read as these campaigns may become more of a way of life for marketers with CASL in force (think about expiring existing business relationships). It would be great to see more research like this in the future.

Posted in Uncategorized

Forget email, I will just call…

I have heard this many times over the past year or so from people who are frustrated with Canada’s Anti-Spam Legislation (CASL). Aside from the fact that this is an extreme reaction, some people seem to forget that there are rules for that too. And while we are all anxiously waiting to see who will be penalized first under CASL, the CRTC has been very active in the past few months handing out penalties under the Unsolicited Telecommunications Rules (UTR).

The following seven businesses have been hit with administrative monetary penalties since the beginning of April:

iQor Canada Ltd.: $237,500
NorthShield Windows and Doors Inc: $52,500
The Home Comfort Group Inc.: $50,000
Ecosmart Home Services Inc.: $20,000
Suitelife Vacations Club Inc.: $20,000
Loyal Seal Windows and Doors Inc.: $10,000
Brian Jones: $4,000

Total: $394,000

As in the past, the home improvement industry continues to draw a lot of scrutiny, although iQor Canada, a collection agency, takes top prize so far this year at $237,500. All cases except for one involved calls being made to numbers that were registered on the Do Not Call List (DNCL), highlighting a failure to have an updated version of the list (or no subscription at all).

Based on the somewhat limited published facts in these cases, the violations seem pretty clear; i.e., the CRTC does not appear to be handing out fines on issues where there is much room for interpretation.

Posted in Uncategorized

Who needs to be identified in a CEM under CASL?

The Canadian Radio-television and Telecommunications Commission (CRTC) has provided a bit of further guidance on one of the more common questions under Canada’s Anti-Spam Legislation (CASL) since it was passed in 2010: who needs to be identified in a commercial electronic message (CEM)?

The question arises out of the fact that CASL refers to “the person who sent the message and the person — if different — on whose behalf it is sent”. Because the concept of “sending” is not defined, there are a few possible views on what it means to send on behalf of another person. According to one interpretation, a sender may be the person who provides the services and/or infrastructure to deliver a message (or the person who actually hits the “send” button?). This would typically be the email service provider (ESP). So, any time an advertiser uses an ESP, the message would read “This message is sent by [ESP] on behalf of [Brand].”

There are some instances where service providers are identified in emails; for example, self-serve ESPs may include a “powered by [ESP]” in emails that are sent according to a free service offering. However, in the majority of cases brands do not want their messages cluttered with this information. And ESPs do not want to be contacted by consumers who may have questions.

Requiring ESPs to be identified as the “sender” is therefore a bad approach. Consumers do not need (or want to know) who the service provider is. In fact, it is confusing. Further, if the ESP needs to be identified, what if the brand is also using a digital agency, and/or an advertising agency? Maybe they should be identified as well. Even more confusing and unhelpful.

This is why the “sender” should be the person with whom the recipient has the consent relationship. It’s simple, it makes sense, and it clearly represents who the consumer is dealing with. More fundamentally, if it is not this person, then there is no easy way to define who that person is (as demonstrated above).

The CRTC published the following on their FAQ page a couple of weeks ago, which provides some help for anyone faced with this question:

“You must identify yourself and the persons on whose behalf a commercial electronic message (CEM) is sent. When a CEM is sent on behalf of multiple persons, then all of these persons must be identified in the CEM. However, where it is not practicable to include this information in the body of a CEM, then a hyperlink to a webpage containing this information is acceptable as long as the webpage is readily accessible at no cost to the recipient of the CEM. The link to the webpage must be clearly and prominently set out in the CEM. Also, not every person who is involved in the sending of a CEM must be identified. Rather, only the persons who play a material role in the content of the CEM and/or the choice of the recipients must be identified. For example, an email service provider that provides a service to its clients to send emails, where the email service provider has no input on the content of the message, nor on the recipient list, does not need to be identified in the CEMs sent by clients using its service. Bear in mind however, that though the email service provider does not need to be identified in this scenario, it still shares its responsibilities with its clients in terms of ensuring that the CEMs are sent with valid consent (either express or implied) and contain an unsubscribe mechanism. Both the email service provider and its clients are sending, causing or permitting to send CEMs, and as such, they both have obligations under CASL.”

Although this could be more definitive, it at least clearly recognizes that the ESP is not the sender for the purposes of CASL by default (while leaving some room to conclude that an ESP could be the sender in some cases).

So when does a person send on behalf of another person? There may be several examples, but perhaps the most obvious is a list rental: a list owner (e.g., a publisher or trade association) may send advertisements to its subscribers on behalf of an advertiser pursuant to a relationship that includes consent to receive third-party offers. Thus, in this case, the message would indicate that the list owner is sending on behalf of the advertiser.

Hopefully this provides at least a bit of clarity for anyone who is confused over who needs to be identified in a CEM. However, as expressed by the CRTC, it is important to recognize that whether service providers need to be identified and potential service provider liability for violations committed by clients are separate matters.

Posted in Uncategorized

CRTC announces changes to Unsolicited Telecommunications Rules

The Canadian Radio-television and Telecommunications Commission (CRTC) recently completed a review of the Unsolicited Telecommunications Rules (UTR), and announced a few changes that are important to telemarketers.

First, all telemarketers are required under the UTR to keep an internal do-not-call-list (DNCL) of numbers from consumers who have directly asked that they no longer be contacted. The grace period for adding a number to an internal DNCL has been reduced from 31 to 14 days. This particular change to the rules comes into effect on June 30, 2014 (the remainder of changes described below come into effect immediately).

Note that the grace period for making calls to numbers on the National DNCL remains at 31 days (i.e., you must use a version of the National DNCL that is no more than 31 days old).

Second, the UTR have been modified to allow for the use of an email address for identification purposes in the following instances:

  • A telemarketer may provide an email address instead of a postal address in response to a request for contact information (Telemarketing Rules, 17(b)).
  • A telemarketer may provide an email address instead of a postal address in a fax telemarketing communication (Telemarketing Rules, 19(e)).
  • A telemarketer may provide an email address instead of a postal address when making calls using an automatic dialing-announcing device (ADAD) (ADAD Rules, 4(d)).

Third, contact information provided under the UTR must be valid for 60 days (see Telemarketing Rules, 31, and ADAD Rules, 4(j)). There was previously no explicit time period for such information to remain valid. This change was apparently based on the 60-day requirement under Canada’s Anti-Spam Legislation (CASL).

A number of changes proposed by stakeholders that were refused by the CRTC include the following:

  • Reducing restrictions on the use of ADADs
  • Banning the use of ADADs
  • Requiring telemarketers to display a caller name
  • Imposing additional record-keeping requirements for telemarketers
  • Requiring internal DNCL requests to extend to “affiliates”
  • Requiring telemarketers to notify consumers that their internal DNCL registration is about to expire
  • Changes to the time period for validity of internal DNCL requests (remains at 3 years)
  • Expanding internal DNCLs to “non-solicitation” telecommunications
  • Removing or reducing the exemption for business-to-business communications
  • Extending the time periods for an existing business relationship (remains at 18 months following purchase/lease/contract and 6 months following inquiry)
  • Requiring businesses to allow consumers to register an internal DNCL request through a website
  • Requiring telemarketers to deem the termination of a call by a consumer as an internal DNCL request
  • Banning telemarketing calls to mobile phones
  • Changing permitted calling hours
  • Banning predictive dialers
  • Requiring telemarketers to leave a message instead of calling back

Posted in UTR

Weed Man operator fined $200,000 for violating telemarketing rules

The CRTC announced a couple of weeks ago that Turf Operations Group, which operates a number of Weed Man franchises across Canada, had been fined $200,000 for violating the Unsolicited Telecommunications Rules (UTR).

The CRTC served a Notice of Violation on the company on December 23, 2013, which outlined the following violations:

  • making calls to numbers registered on the National Do Not Call List (NDCL) over a period of almost two years;
  • failing to maintain an internal do not call list, and therefore ignoring do not call requests from consumers; and,
  • exceeding the allowable monthly abandonment rate for the use of predictive dialing devices (five percent).

At the risk of pointing out the obvious, a $200k penalty is a significant penalty for a company that apparently operates five lawn care franchises across Canada, and is now one of the largest penalties handed out under the UTR (the largest is still the $1.3 million penalty against Bell, which, although much higher, would be much smaller in relation to annual revenue). Such a penalty could have a serious impact on a business of that size, further underscoring the need to take these rules seriously (I still come across marketers who have not even heard of them).

This brings the total penalties issued under the UTR thus far to around $3.6 million.

This is also the first penalty handed out by the new Chief Compliance & Enforcement Officer, Manon Bombardier, hired late last year after Andrea Rosen retired. In this role, Ms. Bombardier is responsible for enforcing the UTR as well as CASL when it comes into force this July.

Note that just over a month ago, the CRTC announced that two window/door companies – Green Shield Windows and Doors Ltd. and Peak Windows and Doors Ltd. – were required to pay a combined total of $100,000 for failing to subscribe to the NDCL.

Posted in UTR

Ads targeted at sleep apnea sufferer violate PIPEDA

The Office of the Privacy Commissioner of Canada (OPC) just published a finding into a complaint made by an individual with sleep apnea. The individual had been searching for information about Continuous Positive Airway Pressure (CPAP) devices (a device that essentially forces you to continue breathing while you sleep), and was unimpressed when he started to receive ads for CPAP machines on various websites.

Through its investigation the OPC confirmed that the ads were placed through the Google AdSense service, which allows for both contextual and interest-based advertising. Not surprisingly, the OPC found the use of the service to deliver targeted ads for CPAP devices to be a violation of PIPEDA. According to the OPC’s Policy Position on Online Behavioural Advertising, behavioural advertising can only occur with implied/opt-out consent where non-sensitive information is involved. Sensitive information, e.g., that related to a medical condition, requires express, opt-in consent.

Although Google initially argued that the ads were more “contextual” than interest-based, the deciding factor for the OPC was that the ads were based on past activity online. During the course of the investigation it was revealed that the ads were in fact delivered as part of a remarketing campaign. The OPC recommended that “Google ensure that no sensitive interests will be used to deliver advertisements without express consent.”

The reality is that Google offers a service that is used by countless advertisers and publishers, and it is difficult to police exactly how the service is used (e.g., the types of ads that may appear). Google’s terms of use for AdSense actually prohibit advertisers from targeting based on “health or medical information”.

However, a further complicating factor is that there are differing opinions on what is and is not “sensitive”. Although tracking and targeting based on sleep apnea may be considered sensitive in the Canadian context, it may be less so in the U.S.

For example, the Digital Advertising Alliance Self-Regulatory Principles for Online Behavioral Advertising state that

Entities should not collect and use financial account numbers, Social Security numbers, pharmaceutical prescriptions, or medical records about a specific individual for Online Behavioral Advertising without Consent.

This would not appear to preclude an advertiser from collecting information about a medical condition such as sleep apnea. Interestingly, Google indicated that it had previously received complaints about retargeting of CPAP devices, and, before the involvement of the OPC, “these complaints would have been reviewed and determined to be compliant with its policies, and therefore permitted to continue.”

The Canadian version of the Principles is markedly less permissive, stating that

Entities should not collect and use sensitive Personal Information for Online Behavioural Advertising without consent, as required and otherwise in accordance with applicable Canadian privacy legislation.

It is the OPC’s position that any health or medical-related information is sensitive for the purposes of PIPEDA, and therefore subject to a higher standard of consent.

The OPC ultimately concluded the complaint to be well-founded and conditionally resolved, based on, among other things, Google’s undertaking to amend its policies, training, and monitoring of how its services are used. According to the OPC, the tools for monitoring and enforcing compliance in place at the time of the complaint were “not scalable and had demonstrable shortcomings.”

It is worth noting that Google seems to have borne all of the responsibility in this matter, with no discussion of how users of Google AdSense may also be accountable. This is despite the fact that “malicious advertisers continuously work to subvert or avoid its compliance mechanisms.” Although this is an interesting finding, we are only beginning to scratch the surface of OBA in Canada.

Posted in OBA, PIPEDA

Grandfathering existing consent under CASL

I wrote a guest blog for EmailKarma a few days ago explaining the meaning of “grandfathering” existing express consent under CASL. I encourage anyone with questions about grandfathering to read it.

Posted in CASL