
CASL at 10: Wrap-Up

This is part eleven of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.

Part 1: Terminology

Part 2: Parameters

Part 3: Big Numbers

Part 4: Case File – Compu-Finder

Part 5: Case File Anthology, 2015-2016

Part 6: Case File – Blackstone Education

Part 7: Case File Anthology, 2017-2018

Part 8: Case File – Brian Conley/nCrowd

Part 9: Case File Anthology, 2019-2022

Part 10: NOV – Sam Medouini

Part 11: Wrap-Up

Core resources:

The Act

Enforcement Actions Table (CASL selected)

Here it is.

I’ve been taking various runs at a wrap-up of almost 10 years of CASL being on the books, and keep kind of bouncing off this summary. In part because it’s hard for me – as somebody who needs to interpret the regime, but who is also interested in looking at its effects over time – to get a firm grip on how it is implemented and practised based on the last 9-and-a-bit years of enforcement.

I’m going to break this down into a few components:

  • Useful things to know, that are in the Act but may not jump out at a user;
  • Specific observations based on notices of violation and CRTC rulings;
  • A general overview of how I feel about CASL. Spoiler: conflicted.

General rules:

CASL isn’t just for “spam”. Frankly, they should rename it. “Anti-Spam legislation” is a snappy phrase but causes more confusion than is warranted. The conventional understanding of spam is junk email, but this legislation applies to texts, intrusive software (malware), browser extensions… essentially, if it’s delivered digitally, it falls into the remit.

ANY CEM contaminates a non-CEM. Even if a message is 99% non-commercial, any inclusion of any content that – from the Act:

having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that

(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;

(b) offers to provide a business, investment or gaming opportunity;

(c) advertises or promotes anything referred to in paragraph (a) or (b); or

(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.

The Act, 1(2)

Requests for consent are also CEMs per s1.3 of the Act. This results in a Catch-22 – you can’t market without permission, but asking for permission is marketing. Added value is therefore key – or couching a consent request in an otherwise legitimate communication. I can’t email you out of the blue (except under a certain set of circumstances) asking you to opt into my newsletter, but I can post on LinkedIn telling people I’ve created a free white paper on best practices in Z, and require people to sign up for my newsletter to download that white paper.

Nuance that becomes clearer through decisions:

From Compu-Finder:

  • You can’t obfuscate the source of emails by generating different “from” identities or sender identities. Swapping out domain names, or who the email appears to be sent from, is immaterial. The owner of the domain(s) is at issue, not the sending domain itself [29-30]
  • Reported initial decisions are not final. It is always, always worth working with the CRTC, if you are one of the very rare organizations that gets to the point of having an AMP levied (see “CASL as your Old Testament God,” below). Explaining your context, pleading small-company-will-fail, and working with them to put a program in place to prevent future violations seems to be a foolproof way of getting AMPs reduced, sometimes very dramatically.

From Porter Airlines:

  • Stating the obvious, but this is a little trifecta of consent, contact info, and unsubscribe functionality – all three have to be in place for you to be compliant with CASL. You can’t mix and match.

From Blackstone:

  • A campaign is a violation, not an individual email. [2]
    • There is no conspicuous difference in the scope of campaigns, given Blackstone and later Conley/nCrowd. One send of 100 emails is “as bad” as one send of 10,000 emails on the surface; there’s no pattern evident in the decisions that shows scope-based penalties.
  • You don’t need a price to have a CEM: if you’re offering a service and implying it costs something, that’s enough to pass a threshold of “commercial electronic message” [18]
  • Somebody simply publishing an email address on the Internet isn’t enough to invite solicitation; if you are pulling addresses to create a list, keep records, as you still have to make a case-by-case justification of how consent is implied. As they say in the Act, “the onus… rests with the person relying on it.” [25-28]
    • As an example – and this is me extrapolating, not the legislation – I am on the Smith Engineering higher ed website as the Director, Marketing and Communications, with my email published. That makes me contactable as somebody you can email if you’re offering a product that impacts marketing and communications in higher education, but you’ll want a spreadsheet somewhere that captures that information as the reason you’re reaching out to me.
    • I would argue that the “in higher education” component above is relevant and important, but given the overall pattern of how legislation is enforced (see again below) I think this is in the ‘jaywalking’ category of a distinction without a difference – it’s a fine point that could be argued pushes someone into the “spam” category, but likely too minor to be meaningfully enforced. That said, please don’t spam me.

From Ghassan Halazon:

  • People can be pursued as individuals, which is detailed in the Act [s 32]. There is no clear line via decisions of when vicarious liability will be imposed; the Act states that explicitly in s 31:
    • An officer, director, agent or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against.
  • To date there has been no “double dipping” where a corporation and a leader figure have both been found in violation, but that doesn’t mean it will never happen.

From 514-Billets:

  • The CRTC has been open, at least once, to alternate compensation schemes; rather than cutting a cheque to the Receiver General, 514-BILLETS issued coupons for 75% of the imposed penalty.

From Datablocks/Sunlight Media:

  • Though rarely, s 8.1 of the Act is enforced – it’s not clear whether the relative scarcity of enforcement is because infractions are rarer, or because cases are much, much more complex and harder to investigate and pursue.
  • To wit, this “malvertising” case seems pretty damning on the evident facts, but poor documentation and an aggressive malware response policy within the Government of Canada made this not pursuable.
  • This is obviously not an open invitation to do nefarious things with computers, but a user-level caution that if you intend to file reports on malware / intrusion software / etc., be slow and cautious about how you capture information and document it.

From Brian Conley / nCrowd:  

  • Again, reading into the tea leaves of how the Act is enforced, it feels like vicarious liability is the recourse when it seems like companies aren’t going to be around long enough to pursue / there’s an evident pattern of MBA-style shell games.
  • There are large and seemingly arbitrary gaps in penalties without much rationale provided for the differing amounts by the CRTC (see, again, the next section).

From Orcus Technologies:

  • Vicarious liability [s 32 of the Act] is growing in use over time; either reflecting a greater focus on ephemeral companies, or an evolution in the CRTC’s understanding of what penalties will stick.
  • There seems to be an awkward marriage between CASL and criminal penalties for cybercrime – CASL itself expressly does not have a criminal component, and the hand-off from the CRTC investigation to the RCMP / OPP seems to only, possibly, be resulting in a criminal process four years on.

From Scott William Brewer:

  • Again, working with the CRTC seems to have a very high success rate in diminishing penalties – from $75,000 to $7,500 in this case.

The final tally

Who wants spreadsheets? We got spreadsheets.

Wuxtry! Wuxtry! Getcher spreadsheet heah!

When I tabulate all issued penalties from decisions to date, I arrive at $3,163,000. Imposed penalties – admittedly with fuzzy math around coupon redemption rates for the 514-BILLETS issue – come in at $1,185,750.

The differential is $1,977,250 – about 63% of issued penalties wound up not being imposed. We’re also assuming that all imposed penalties were, in fact, paid – in several cases the companies that had imposed penalties then seem to have gone out of business, so the likelihood of the Canadian Government having seen that money is dim.

Chart showing issued versus imposed penalties. Issued penalties are far higher than imposed.

I also can’t account for about $500,000 that CRTC summaries say were imposed; more on that under “CASL as a marketing exercise,” below.  

CASL as your Old Testament God

This kept running through my head as I tried to look at decisions and figure out if there was any clear logic to an external user regarding:

  • Who was investigated and penalized; was there a consistency in terms of numbers of complaints, egregiousness of the action, or public visibility of the offender?
  • When penalties were imposed, was there a clear line to draw regarding the severity of the penalty compared to the actual actions taken in violation of CASL?

As somebody raised in the church, the more I poked at it the more I felt I understood the terror of the, I don’t know, Hittites: there’s a baseline set of behaviours you’re expected to follow, but it’s impossible to know when the eye of judgment will fall upon you, and when it does, there’s no real way to predict the extent of your punishment.

Beyond those examples, it’s hard to know how evenly the law is applied – or even what the specific triggers and determinants of a penalty are. It doesn’t feel entirely random, but since most decisions are posted without the number of campaigns or scope of sends, there’s no way to draw a line from the violation to the penalty in a way that makes sense in terms of whether it’s being evenly applied.

CASL as a marketing exercise

The other thing is that the pattern of CASL actions – from the perspective of somebody that works in marketing – seems to be more about creating the impression of enforcement than consistently and rigorously applied penalties.

The most recent snapshot contained the following now-familiar text:

Payments and Penalties Under CASL

Since CASL came into force in 2014, compliance and enforcement efforts have resulted in administrative monetary penalties and undertakings totalling over $3.6 million.

I can’t account for these numbers: even the $3.6 million is $0.5M higher than a manual tally of NOVs from the CRTC site (I’ve made a spreadsheet).

My own numbers land at $3,163,000 in issued penalties, but only $1,185,750 in imposed penalties – about 37% of the issued penalties wound up being actually imposed. (The imposed penalties number does include a bit of my own math, as the 514-BILLETS case resulted in the issuing of $75,000 worth of rebates, which I calculated at far less than that value in terms of what the ultimate cost to the company would have been.)

But there’s also a pattern of big shock-and-awe announcements that get quietly walked back after the fact, or that lead to follow-on penalties much smaller than the initial ones:

  • A national-headline-grabbing $1.1M penalty for Compu-Finder, later reduced to $100,000.
  • Similarly, significant hay made about Brian Conley being issued an NOV as “vicarious liability”, at $100,000, but then much smaller amounts for a similar breadth of issue by fellow traveller Ghassan Halazon and the completely unrelated William Rapanos.
  • The “malvertising” case with Datablocks and Sunlight Media, which dropped a $250,000 penalty to nothing, while narrowing the scope of its investigation from the broad issuing of malvertising across the Internet to a lack of proof on specific Government of Canada computers.

A journey through CRTC CASL “Snapshots” shows a pattern of reporting actions that weren’t actually taken under CASL – things done by the CRTC as a whole, but as far as I can tell unrelated to CASL or its enforcement.

For instance, in the most recent snapshot, headlines include:

  • Large-scale Bank Phishing Investigation – a criminal investigation, following reports to CASL
  • Using social media to warn Canadians – essentially, CRTC posted and retweeted about frauds

In the previous snapshot, the headlines are all about various CRTC activities – a CRTC decision regarding botnet blocking (its development being the sole headline of an earlier snapshot), a report on a Canadian “dark web marketplace” (actually a reference to the previous snapshot, and not new news) and vigilance over malware called QAKBOT.

And so on. I won’t blow-by-blow this, but if you go back through the snapshots, the bulk of reporting isn’t actually about CASL, but other CRTC activities.

This makes perfect sense from a certain perspective. If you’re a parent, or a teacher, or have ever run a volunteer organization, there are times when you have a rule that you can’t practically enforce, and for whatever reason the common good isn’t enough to get people to follow it. Telling people there is a rule, and enforcing it sporadically, but with harsh enough penalties that it scares everyone into compliance, makes a lot of sense.

Starting with the assumption that the CASL team is smart, works hard, and is just not adequately staffed to provide perfect enforcement nationally at all times (which would take a preposterous scaling-up), big penalty announcements with quiet walkbacks, trumpeting non-CASL achievements in a way that makes CASL look vast and vigorous, is a good move. In the day to day, risks of getting caught are relatively low (see below), but when $1M+ penalties are making the headlines, the idea of getting caught in that net is scary.

But is scary enough?

Does CASL work?

Back when I started this analysis, I said my interests were:

  • establishing whether or not the overall rate of spam is going down
  • gaining some understanding of the likelihood of a significant action being imposed on an organization

What have we learned?

Is spam going down?

On the first front, the answer is clearly that complaints are not going down.

graph of spam complaints over time, trending up

Arguably, there are many reasons for this – including CASL’s own effectiveness in sensitizing the public to spam and fraud, driving reporting numbers up.

But – given the sporadic nature of enforcement, and the amount of fuzziness around what CASL is claiming, both in terms of penalties and its own vs. taking credit for other CRTC activity in its snapshot – I don’t have a great feeling about it.

Maybe it can’t “work”. Maybe the digital world is too big, and too global, and evolving too fast, for us to “beat” online fraud in any meaningful and lasting way, and stemming the tide is the best we can ever hope for. I don’t have the time or resources to really meaningfully compare CASL to other national spam protection regimes, so there aren’t any comparators out there I can easily index against.

It’s possible that looking at CASL through the same lens as other public-service organizations and criteria – is crime going down, as a measure of police effectiveness; wellness and death rates, as a measure of public health effectiveness – is a fool’s errand.

This leaves me with an aggregate shrug. Does CASL work? Shrug. Could it be doing better? For sure. Should we, as a society, allocate the kinds of resources to it that it would take to do better? Shrug.

But if my read of CASL actions, and their own snapshot headlines, is correct and the slow pivot is from enforcement to awareness, and there’s been a general slide from “we can stop this” to “our best chance is to educate the public, focus only on the worst offenders, and rely on private enterprise to develop better detection and protection algorithms,” that’s a big change over the last 10 years that’s never been explicitly acknowledged.

What’s the likelihood of specific action being taken?

Low. Like, real low. The math remains 218,465 complaints per eventual financial penalty. The “lowest” threshold of effort CASL imposes, a notice to produce, still only happens once per 1000 complaints. That’s not a threshold, I’m not saying “nothing happens until you get to 1000 complaints,” that’s just how it averages out.

But, as detailed in the “Old Testament” section above, also horrifyingly arbitrary.

I am not a lawyer and this is not legal advice, but if I were to get one takeaway from all of this, it’s really a two-part maxim:

  • Don’t be a jerk, and
  • Do your best.

If I step back and squint and try to make sense of this decade of decisions, the pattern that seems to come through the fog is that getting CASL to focus on you is rare, and best-effort attempts to follow the rules seem to buy a lot of, if not absolute, forgiveness.

CASL decisions tend to land on unequivocal wrongs. There’s not a lot of stuff in the archives that suggests that they penalize innocent mistakes, or even grey-area decisions. There’s never been a decision that has come down on a public service organization, charity, or non-profit. Not to say there won’t ever be, but the focus seems to be on parties that are clearly doing wrong, should have known better, and did scammy, spammy things anyway.

Don’t break the law! Never break the law!

In principle, CASL is a good thing. It’s reasonably clear. We would all live in a better world if everyone followed these rules. So we should.

But… if you make an inadvertent mistake, or you look back at a campaign and say “oh, we should have done X,” or “I don’t know if we were in full compliance with Y,” I wouldn’t let it ruin your lunch. Learn, pull up your socks, and do better on the next one.

With text-based phishing and malware and online casinos and a whole planet of scammers, the top-of-mind analogy is the city’s on fire and there are riots in the streets. Jaywalking is still wrong, but if you forget to check the traffic lights at 2 a.m., you’re not the kind of problem the CRTC is looking for.

Wow, this went long

I didn’t mean for this to hit 3,000 words! I’ll stop here.

Next up, stepping a bit outside the review mandate, but bringing it back to my own interests: poking at whether or not students and academic institutions can be considered to be in a “business relationship,” which has a heavy impact on CASL but a lot of other things too. This might take a while. Expect more quick observations on IP, privacy and marketing in the interim while I chip away.


FCA validates Amazon refusal of private information release

Noted in passing — a PIPEDA-related FCA decision (2023 FCA 189) validating a Federal Court ruling of a “stalemate” (2023 FC 166, [102]) that gives more standing to bodies that refuse information requests because the requesting party cannot provide adequate identity verification. In this case it’s Amazon, a password reset and its identity verification steps not being followed.

I’m not a huge fan of Amazon, but on its face this seems correct. I don’t have an issue with this decision per se, but it does raise questions about what kinds of structures a company (or organization; you can see my interest in FIPPA and higher ed institutions here) can put in place to verify a user’s identity, and at what point those systems become burdensome to the point of being unreasonable for the end user.

In the FC decision, there’s an interesting point made about Amazon requiring new terms of service to be accepted as part of the verification process — again, I don’t think Amazon was in the wrong here, but the idea that terms of service can be revised, and that a user is forced to accept them to access data established under the former terms of service, doesn’t sit entirely well.


CASL at 10: Case File Anthology, 2019-2022

This is part nine of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.

December 12, 2019

A $115,000 AMP issued for violations of s9 of CASL against John Paul Revesz and Vincent Leo Griebel, partners, Orcus Technologies.

This is one of the rarer cases of malware under CASL; in this case the Orcus Remote Administration Tool (RAT) was found by the CRTC’s Chief Compliance and Enforcement Officer to be a remote access trojan, a type of malware, confusingly also with the acronym RAT. (I don’t know if Orcus was being cute with the name, or this is just a coincidence.)

This, in combination with the sale of a DDNS (dynamic domain name server) service to hackers to allow them to communicate with RAT-infected computers, resulted in two NOVs for Revesz and Griebel, totalling $115,000 in penalties — $100,000 for developing, selling and promoting malware, and an additional $15,000 for the DDNS service. (Nerd note: if you’re going to be a villain, take a hard look at your last name, put the word “Darth” in front of it, and see how it sounds. If it’s credibly somebody who would wear all black and whack at people with a lightsaber, reconsider your whole deal.)

A news story on this, from Krebs on Security, a security consultant’s site.

And a short summary in Slaw.

It’s pretty open and shut: clear evidence of what the RAT did, clear evidence of both Revesz and Griebel bragging on hacking forums about its ability to steal information and passwords.

Note that at the time this AMP was issued, it was for section 9 of CASL:

It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8.

Canada’s Anti-Spam Legislation, s9

Per the NOV, an investigation was still underway to determine if the RAT had actually been installed without consent on systems, which would be a violation of section 8:

8 (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless

(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); or

(b) the person is acting in accordance with a court order.

Canada’s Anti-Spam Legislation, s8

…and unlock penalties up to $1,000,000.

The Orcus RAT seems to be alive and well as an open-source piece of software for jerks to try to use.

Some mysteries here:

The NOV has a February 2020 update that states that the time for response expired, so the issued AMP becomes enforceable:

Update 17 February 2020: Pursuant to section 24(1) of CASL, the deadline to make representations with respect to either the amount of the penalty or the acts or omissions constituting the alleged violations was February 3, 2020. Given that no representations were made, pursuant to section 24(2) of CASL, John Paul Revesz is deemed to have committed the violations and must pay the administrative monetary penalty as set out in the notice.

Where’s Griebel? Per this news story, he’s German, so that might be why he was dropped.

Stranger still: where’s the criminal charge?

$115,000 in penalties should be the least of Revesz and Griebel’s worries (if Griebel is still in play). Cybercrime is a thing, and the abovementioned news stories mention criminal charges filed by the RCMP. But the links in the stories to the 2019 RCMP press release go to a 404 page. It’s not a broken link; searching their news, there’s nothing for Revesz, Griebel or Orcus. (Testing the search function, by comparison, there are 4,385 results for “Grand Falls,” which I used as a test because it was mentioned in the top story – now I’m deeply worried about what in God’s name is going on in Grand Falls.)

There’s nothing in CanLII showing any court action: nothing relevant for the search terms Revesz, Griebel, or Orcus. Similarly nothing in WestLaw or Lexis.

When I hit the Wayback Machine, I can find an archive of the news release.

UPDATE: thanks to the incredible assistance and sleuthing of the Queen’s Law Library team, I have been pointed to upcoming court dates for a John Revesz. Whether or not these are related (or even the same John Revesz; no middle name here) isn’t confirmed.

The Orcus RAT was first outed as malware in July of 2016, with Revesz and Griebel posting openly about its utility to hackers. It even looks like Krebs did the heavy investigative lifting for the government.

A 30-month delay between this becoming public knowledge and action being taken to stop it by Canadian authorities – and then, seemingly only $115,000 in penalties – is worrisome. The lack of any charges – or delay in bringing charges – is worrisome.

If CASL is the only mechanism taken against a Canadian promulgating hacking tools, that’s troubling. The scope of these is CASL, and I don’t want to go too far down a rabbit hole about how cybercrime is prosecuted, but a scheme designed at its heart to deal with spam shouldn’t be our first and last line of defense against malware created and propagated here in Canada.

And – finally – the fact that this is only $15,000 more than Conley and nCrowd is an eyebrow-raiser as well. In the latter case, a very scammy cluster of shady companies sent out a lot of spam emails to try to get people to buy deal coupons of very limited utility. In this case, malware was unleashed on the Canadian public and promoted to hackers globally. The consequences of buying a bad coupon from a deals site versus giving hackers total access to your computer, which could easily extend to identity theft and all your banking information, is a huge gulf.

This doesn’t feel like a $15,000 swing to me, but that might be attributable to the fact that this is only a s9 violation and an investigation is still, per the NOV from almost four years ago, underway to see if Revesz also violated s8.

If nothing else, this has convinced me to keep my antivirus and malware checkers up to date.

Issued penalty: $115,000

Final penalty: $115,000

Total issued AMPs: $2,782,000

Total imposed AMPs/monetary penalties: $1,068,250

Differential: $1,713,750

September 21, 2020

What is it with not-quite-education companies in this space? Compu-Finder, Blackstone, and now a $100,000 penalty levied against OneClass, a service that connects students with user-generated study guides, lecture notes and video tutorials. Decision here, plus a press release.

This seems open and shut: OneClass sent CEMs without recipient consent, and (allegedly) installed a Chrome extension that harvested personal information including usernames and passwords on students’ computers. U of T still has a news piece up instructing students of the phishing email: in essence, it looks like it would access the user’s Blackboard class lists to send emails to all classmates inviting them to join OneClass. The U of T item also has instructions on how to remove it. As phishing goes, this is on the spammy but not super harmful end of things.

Issued penalty: $100,000

Final penalty: $100,000

Total issued AMPs: $2,882,000

Total imposed AMPs/monetary penalties: $1,168,250

Differential: $1,713,750

March 29, 2021 / January 4, 2022

A 2021 notice of violation and $75,000 AMP for Scott William Brewer, later reduced to $7,500 in payment in 2022.

Brewer committed violations in two categories – affiliate marketing, earning a commission from CEMs sent without consent to recruit people to an online gambling site, casinoonlinesoftware.com, and direct web marketing for his own online marketing and web business.

The CRTC apparently only investigated three of Brewer’s campaigns, topping 600K emails, despite

Corroborating information reviewed during the investigation indicated that Brewer may have been responsible for sending, causing or permitting to be sent, several million non-compliant CEMs. During a sample period in the investigation, approximately 11 million emails were sent from Brewer’s IP address over a 24 day period.

This, called a “hailstorm campaign,” prompted a press release from the CRTC claiming this as the “largest ever penalty to an individual for sending messages without consent”. Which seems odd, as Brian Conley was subject to $100,000 under vicarious liability for similar violations two years before. Key quote from the Chief Compliance and Enforcement Officer from that release:

“Spam campaigns, such as those carried out by Mr. Brewer, are disruptive to Canadians and undermine their confidence in electronic commerce. Obtaining consent is a fundamental principle of Canada’s anti-spam legislation. The penalty issued today demonstrates that individuals are just as accountable as businesses and must respect this principle.”

And then, 10 months later, it’s no longer a $75,000 penalty, but one for 10% of that amount. The final undertaking says:

Brewer cooperated with the CCEO, provided new information not previously available to the designated person, and has voluntarily agreed to resolve the CCEO’s outstanding concerns regarding compliance with the Act and the Regulations (CRTC).

And later, that the $7,500 penalty

…fully and completely resolves all outstanding issues between the Commission and Scott William Brewer with respect to his compliance with the Act and the Regulations (CRTC) in relation to the CCEO’s investigation into the sending of CEMs during the period of 1 December 2015 to 23 May 2018 and up to the effective date of this undertaking.

Scott seems to be doing fine, with a business pivot to site-building for SEO and sales conversions, per his LinkedIn profile.

Issued penalty: $75,000

Final penalty: $7,500

Total issued AMPs: $2,957,000

Total imposed AMPs/monetary penalties: $1,175,750

Differential: $1,781,250

December 6, 2021

A $200,000 imposed AMP to the Gap, for a marketing campaign including its subsidiaries Banana Republic and Old Navy – CEMs without consent and without an unsubscribe mechanism.

Gap seems to have agreed with the CCEO, agreed to pay, and agreed to implement a compliance program.

No specifics in the NOV, unlike previous decisions that articulated a number of campaigns or messages; here’s the decision in full:

Undertaking: Gap Inc.

File No.: 9110-2021-00605

Effective date of undertaking: 6 December 2021

Monetary payment amount: $200,000

Under section 21 of An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, C. 23 (CASL, or the Act)

Person entering into an undertaking

Gap Inc.

Acts and omissions covered by the undertaking and provisions at issue

Gap Inc. has voluntarily entered into an undertaking with the Chief Compliance and Enforcement Officer (CCEO) concerning alleged violations of paragraphs 6(1)(a) and 6(2)(c) and subsections 11(1) and 11(3) of the Act.

Following an investigation, the CCEO alleged that commercial electronic messages (CEMs) were sent or caused to be sent by Gap Inc., between 7 January 2018 and 11 August 2021 to promote sales for Gap Inc. as well as for subsidiaries Banana Republic and Old Navy, without consent from recipients and/or not including an unsubscribe mechanism which could readily be performed.

Amount owing and summary of other conditions

During the course of the investigation, Gap Inc. has cooperated with the CCEO. Gap Inc. has voluntarily undertaken, pursuant to section 21 of the Act, to resolve the CCEO’s outstanding concerns regarding Gap Inc.’s compliance with the Act and the Electronic Commerce Protection Regulations (CRTC), SOR/2012-36 (the Regulations (CRTC)), including undertaking to comply with, and ensuring that any third party authorized to send a CEM complies with the Act and Regulations (CRTC).

As part of this undertaking, Gap Inc. agreed to make a monetary payment of $200,000 to the Receiver General for Canada in accordance with subsection 28(3) of the Act.

In addition to the monetary payment, and in order to promote compliance with the Act and the Regulations (CRTC), Gap Inc. undertakes to update its compliance program addressing the sending of CEMs. This compliance program has included or will include:

corporate compliance policies and procedures;

training and education for employees of Gap Inc.; and,

monitoring, auditing and reporting mechanisms.

In addition, Gap Inc. will monitor and review its policies and procedures to determine whether any have the effect of providing incentives for employees to violate the Act and the Regulations (CRTC) and, if so, Gap Inc. undertakes to eliminate such incentives.

Gap Inc. will also develop and provide periodic training programs, which include compliance procedures and processes to comply with Act, for employees involved with commercial electronic messages and related compliance.

Finally, Gap Inc. will register and track CEM complaints and the subsequent resolution of those complaints. Gap Inc. will also implement effective corrective measures for compliance failures and within six months of the effective date of the undertaking will supplement the information it has already provided to the CCEO of the corrective measures already implemented to date, as well as information supporting any updates to its Compliance Program.

This undertaking fully and completely resolves all outstanding issues between the Commission and Gap Inc. with respect to Gap Inc.’s compliance with the Act and the Regulations (CRTC) in relation to the CCEO’s investigation into the sending of CEMs for the period up to and including the effective date of this undertaking.

Straightforward.

And here, for the last time (as of August 2023, with the Brewer decision in 2022 being the final one reported[4]), is the tally:

Issued penalty: $200,000

Final penalty: $200,000

Total issued AMPs: $3,157,000

Total imposed AMPs/monetary penalties: $1,375,750

Differential: $1,781,250

The difference between the imposed and issued penalties is greater than the penalties imposed, which is interesting.

A quick stop off with a relatively recent NOV, and then we’ll sum all this up.

[1] I don’t know if Orcus was being cute with the name, or this is just a coincidence.

[2] Nerd note: if you’re going to be a villain, take a hard look at your last name, put the word “Darth” in front of it, and see how it sounds. If it’s credibly somebody who would wear all black and whack at people with a lightsaber, reconsider your whole deal.

[3] Testing the search function, by comparison, there’s 4,385 results for “Grand Falls,” which I used as a test because it was mentioned in the top story – now I’m deeply worried about what in God’s name is going on in Grand Falls.

[4] UPDATE: This is no longer true; there is a July 2023 AMP, reported in late October 2023: 18 months since the last reported CASL enforcement decision, which is the longest gap in its history.


CASL at 10: Case File – Brian Conley/nCrowd

This is part eight of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.

In April 2019, a $100,000 decision was imposed on Brian Conley (as an individual) for violations committed by the company he was CEO of, nCrowd, in a pair of identically dated decisions: first, a NOV, and second, a compliance and enforcement decision, both from April 23, 2019. You’ll recall this from our 2015-16 anthology post, where we saw the AMP issued (but not imposed) in December of 2016.[1]

[1] Confusingly, in the table of enforcement actions, the 2016 Brian Conley entry doesn’t link to the issued AMP, but directly to the 2019 decision, so we can’t see the issued notice, only the final decisions.

The introduction of vicarious liability

This is the first time vicarious liability has been named in a decision: “Background,” final paragraph:

As a result of the circumstances cited above, specifically the fact that the companies involved were operational then dissolved or otherwise ended, any enforcement actions directed towards such companies would have no deterrent effect nor effectively promote compliance. Therefore, Commission staff pursued the corporate directors through vicarious liability in order to encourage future compliance with the Act.

It’s also in the title of the NOV itself, “Notice of Violation: Investigation into non-compliant emails sent by Couch Commerce Inc. and nCrowd, Inc. including the vicarious liability of corporate directors.”

Vicarious liability is part of the Act, as is the responsibility of directors and officers, in [s31-32] of the Act:

Directors, officers, etc., of corporations

31 An officer, director, agent or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against.[2]

[2] Note the “whether or not” here — in theory, although it hasn’t happened yet, the CRTC could double-dip with both an institution and an individual being liable. Also — this is past the limit of my understanding, but this only applying to “corporations” seems unnecessarily narrow, but there may be a legal definition of “corporation” that differs from my understanding of the word.

Vicarious liability

32 A person is liable for a violation that is committed by their employee acting within the scope of their employment or their agent or mandatary acting within the scope of their authority, whether or not the employee, agent or mandatary is identified or proceeded against.[3]

[3] See above note re. this allowing the CRTC to penalize individuals across management and labour tiers.

And if the name Couch Commerce seems familiar, it should – these Couch Commerce investigations resulted in an earlier NOV against Ghassan Halazon (“in his individual capacity”) in 2017, as covered in our 2017-2018 anthology. The CRTC states in its September 2019 Activity Summary that this is its first vicarious liability finding. Halazon was the first finding to be resolved, but remember that Conley was first issued the AMP in December of 2016, prior to Halazon being penalized.

But nCrowd and Couch Commerce were only the tip of a massive, scammy iceberg: the web of companies connected to those two (and many, many brand names as well) was extensive, and kudos to whoever put the leg work in to pull it all together, resulting in this truly impressive chart that accompanies the NOV:

Chart showing web of companies including nCrowd and Couch Commerce, detailing alternate names, mergers, closures, and the growth of email lists from 1.9 million to 3.5 million in size over time.

While the graphic design may be questionable, it’s quite a labyrinth of companies.

Where it lands is almost 3.5 million email addresses promoting what the CRTC doesn’t call, but I feel pretty free in describing, as a massive series of bait-and-switch deal scams; from the “Background” section of the NOV:

The key assets acquired in the chain of transactions listed in the chart were intangible, essentially the email distribution list, domain names and trademarks. These ownership changes allowed a new company to continue on the business with an ever larger email distribution list without the assumed liabilities of the former company. However, the continuity of service was damaged: as merchants ceased being paid for their products, they refused to ship products ordered by customers. As a result, both merchants and customers ended up losing money, since the voucher business closed or entered into bankruptcy proceedings before merchants and customers were fully compensated for their transactions.

Since these companies seem to launch and disappear rapidly (see the diagram above), the vicarious/director liability makes perfect sense. Tracking the person or people responsible, rather than the corporate entity, keeps the legislation viable when you’re dealing with MBAs who are shuttling through companies like three-card monte.

What’s not clear is how this is decided – why is Conley (and previously, Halazon) selected here, but in other instances, companies (Kellogg, Blackstone) are the recipients?

I have so many questions after seeing how Conley and Halazon, and nCrowd and Couch, are almost symbiotic through the life of these companies, their practically identical infractions, and the literally fractional penalty levied against Halazon as compared to Conley. Halazon was the executive vice-president of nCrowd while Conley was the CEO, for Pete’s sake.

In the Halazon NOV:

The investigation alleged that commercial electronic messages (CEMs) were sent or caused or permitted to be sent by Couch Commerce to recipients without a compliant unsubscribe mechanism during the period of 2 July 2014 to 9 September 2014, while Mr. Halazon was CEO of Couch Commerce. More specifically, it was alleged that the unsubscribe mechanism did not function, or could not be readily performed, or unsubscribe requests were not given effect until more than 10 business days after a request has been sent. It was also alleged that Mr. Halazon was personally liable for this violation pursuant to section 31 of the Act.[4]

[4] Undertaking: Mr. Halazon and TCC; “Acts and omissions covered by the undertaking and provisions at issue,” para. 2

In the Conley NOV:

Commission staff alleged and the Commission found in Decision 2019-111 that between 25 September 2014 and 1 May 2015, nCrowd, Inc. sent CEMs or caused or permitted any of its subsidiaries, namely nCrowd Commerce, Inc. and nCrowd Limited, to send CEMs to electronic addresses, without consent and without a functioning unsubscribe mechanism contrary to paragraphs 6(1)(a) and 6(2)(c) of the Act.

Commission staff also alleged and the Commission found in Decision 2019-111 that Brian Conley acquiesced in these violations, while he was the President and Chief Executive Officer (CEO) of the nCrowd companies. As CEO, Brian Conley took no action and turned a blind eye to the practices being employed at his companies in terms of the acquisition and use of email distribution lists, despite the fact that in this line of business, an email distribution list is one of the most important assets through which to generate revenues. Protecting such an asset, including ensuring continued ability to use it, under CASL, should therefore have been important to the nCrowd group and its CEO. However, the nCrowd group’s email distribution and consent-tracking lists were largely inaccurate, incomplete, and altered.

  • The type of consent is listed for each and every one of the 1,928,015 entries as “explicit” consent although a significant number of email addresses on this list were generic or belonged to institutions or governments, including police services and hospitals (some of which were available online).
  • The date at which the consent was allegedly obtained and the legal person who allegedly sought and obtained the consent were obviously inaccurate or altered. For example, on numerous occasions consent was obtained for more than 3,000 addresses in just one day, and more than 80% of all parties provided consent (1,566,114) on the same day.
  • nCrowd, Inc.’s non-compliant unsubscribe mechanism was a broad and recurring issue that Brian Conley ought to have known about over the time, and the appropriate steps to fix the unsubscribe process were never taken. The non-compliance continued for almost a year and evidence shows that even when the nCrowd group’s employees informed customers that they had been unsubscribed, they had actually not been.
  • No evidence was found that Brian Conley ever verified or required the conducting of any audit of the consent list provided by the Couch Commerce group or other lists purchased by the nCrowd group to ensure its validity and accuracy.
  • Brian Conley instituted no policies or procedures relating to the nCrowd group’s compliance with the Act.[5]

[5] Notice of Violation: Investigation into non-compliant emails sent by Couch Commerce Inc. and nCrowd, Inc. including the vicarious liability of corporate directors, “Investigation of nCrowd Inc. and its director Brian Conley,” paras. 1-3.

There’s clearly a gap there – Halazon/Couch doesn’t seem to have a problem with consent (or at least, consent goes unremarked on in the decision). Conley/nCrowd was clearly lying about consent, while having arguably identical unsubscribe issues. The email volume attributed to Couch Group (1.9M) and stated above for nCrowd (1.9M) seems to be the same.

Is this a $90,000 gap? The CRTC seems to think so.

This underscores one of the things I find unsettling about CASL: “The maximum penalty for a violation is $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person.” [Act, s20(4)] But under that (to date never imposed) threshold, the purpose of the penalty is “to promote compliance with this Act and not to punish,” and factors for penalty are broad and very discretionary, and rely as much on comportment and ability to pay as they do on what is actually done in violation of the Act:

CASL, Purpose of Penalty, s20(2-3)

Purpose of penalty

(2) The purpose of a penalty is to promote compliance with this Act and not to punish.

Factors for penalty

(3) The following factors must be taken into account when determining the amount of a penalty:

(a) the purpose of the penalty;

(b) the nature and scope of the violation;

(c) the person’s history with respect to any previous violation under this Act, any previous conduct that is reviewable under section 74.011 of the Competition Act and any previous contravention of section 5 of the Personal Information Protection and Electronic Documents Act that relates to a collection or use described in subsection 7.1(2) or (3) of that Act;

(d) the person’s history with respect to any previous undertaking entered into under subsection 21(1) and any previous consent agreement signed under subsection 74.12(1) of the Competition Act that relates to acts or omissions that constitute conduct that is reviewable under section 74.011 of that Act;

(e) any financial benefit that the person obtained from the commission of the violation;

(f) the person’s ability to pay the penalty;

(g) whether the person has voluntarily paid compensation to a person affected by the violation;

(h) the factors established by the regulations; and

(i) any other relevant factor.

Philosophically, I understand this. But in practice, this results in published decisions that have such big swings, with no shared information as to why, that it makes the entire scheme seem very arbitrary in its application and enforcement.

Which may be a feature and not a bug – I’ll address that in my wrap-up.

Issued penalty: $100,000

Final penalty: $100,000

Total issued AMPs: $2,667,000

Total imposed AMPs/monetary penalties: $953,250

Differential: $1,713,750

Up next: the 2019-2022 anthology. Technically there’s only one 2019 decision after Conley, and it’s only the issuing and not imposition of an AMP, so this will be a smidge broader than the previous anthologies.


CASL at 10: Case File Anthology, 2017-2018

This is part seven of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.

March 9, 2017

March of 2017 comes in like a lion, with a $15,000 decision against William Rapanos, the creator of flyers for distribution via Canada Post.

The decision is rare in that it articulates the complaints the CRTC received, and recreates a message in the decision:

Compliance and Enforcement Decision CRTC 2017-65, s11

In the present case, 50 individuals filed a total of 58 submissions with the Spam Reporting Centre regarding the messages at issue.

These submissions included the messages that advertised flyer design, printing, and delivery through Canada Post. For example, the content of one of the submitted messages consisted of the following:

Subject: Canada Post flyer delivery – Art Design and Printing included starting at only $599 for 25,000 homes!

Do you need to send out flyers? Like any direct marketing flyers work by repetition. Statistics say that the average person must see an ad at least 3 times before they react to it. In fact this is why many companies that send out a flyer once and then give up will fail with their direct marketing efforts. For this reason we are offering the following package:

– You choose an area that’s local to your business

– We will select 25,000 homes in those postal codes

– We will professionally design an ad for your business

– We will print your ad on a full colour glossy 8X5 double sided flyer

– We will deliver it with Canada Post 3 times over the next 3 months TO THE SAME AREA

Total cost: $599 per month for 3 months

Result: Your phone will ring all summer long!

Get more information by visiting this page:

http://postalflyers.club/

It’s hard to parse where the CRTC / CASL takes action on these. 50 individuals and 58 submissions doesn’t seem like much, ranked against the 218,000:1 ratio that leads to financial penalties. Without understanding the day-to-day workings of CASL – chiefly, how submissions cluster (maybe 58 is a very high number for a single organization?), it’s difficult to say whether 58 submissions is an eyebrow-raising amount. If not, it’s hard to know why Rapanos was selected.

But – as far as violations go, Rapanos batted the circuit: his messages were sent without consent, and without contact info or an unsubscribe mechanism.

I love this case, because it has an awe-inspiring legal Hail Mary by Rapanos, who claimed somebody pirated his Wi-Fi and sent the messages without him knowing, and that he had no connection to a business he very clearly owned [s26-29]: “The suggestions that Mr. Rapanos was potentially the victim of identity theft or that someone unknown to him accessed his unsecured home Internet connection are not persuasive, since they were not supported by any other indicators of fraud or of evidence that his identity had otherwise been used for malicious purposes. Neither Mr. Rapanos, nor any of the other individuals who were asked to do so through notices to produce, provided to the investigator any documentation to support the claim that boarders had resided in Mr. Rapanos’ house or accessed his Internet connection.”

There is never a bad time to drop a reference to what I think is one of the greatest comedy sketches of all time, and I thank Mr. Rapanos for this opportunity:

[s27-29] rebuts this at length, and essentially boils down to “oh, come on.”

As seems common, postalflyers.club is no longer in operation – the domain has no current owner and is available for registration per a WhoIs search. The Wayback Machine has never archived the page, possibly because it’s a redirect to another site that doesn’t exist any more, per [s14], http://firstunitedpartners.com, which also is defunct, available on a WhoIs search, and per the Wayback Machine was only a “domain for sale” notice as of October 2015.[1]

[1] Side note: It’s curious that William Rapanos is a “Toronto-area” man at the time of filing, and there’s a 2014 investigation against a Sharon Rapanos of Bowmanville, in the GTA. I can’t find an evident connection between the two, but it’s not a common last name. The NTP for Sharon Rapanos was a demand to produce the names of anyone who had access to her Internet from July 2014 to June 2015, and given William’s reliance on “I was hacked” as his defense above, there seem to be some dots that can be connected. Or not. The universe is big and full of coincidences.

Issued penalty: $15,000
Final penalty: $15,000
Total issued AMPs: $2,207,000
Total imposed AMPs/monetary penalties: $813,000
Differential: $1,378,000

June 12, 2017

$10,000 monetary compensation paid by Ghassan Halazon “in his individual capacity”.

Short and sweet: it looks like he was the CEO of several deals sites, now bankrupted, but still responsible for CEMs sent by Couch Commerce, and “agreed to make a monetary payment of $10,000 to the Receiver General of Canada”.

Undertaking: Mr. Halazon and TCC

File No.: 9090-2015-00414

Date of the undertaking (signed by all parties): 12 June 2017
Monetary payment: $10,000

Pursuant to section 21 of the Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (the Act).

Persons who entered into an undertaking

Mr. Halazon, in his individual capacity, as former Chief Executive Officer of Couch Commerce, Inc. and its subsidiaries 8108773 Canada Inc. and DealFind.com Inc., operating as Teambuy and Dealfind (“Couch Commerce”), since bankrupted ; and

Transformational Capital Corp. and its subsidiaries, Evandale Caviar Inc. and Mighty Deals Limited, operating as Buytopia.ca, Shop.ca, Shop.us and Mightydeals.co.uk (“TCC”), also represented by Mr. Halazon as CEO.

Acts and omissions covered by the undertaking and provisions at issue

Mr. Halazon has voluntarily entered into an undertaking with a designated person of the Commission in relation to an alleged violation of paragraph 6(2)(c) and non-compliance with subsections 11(1) and 11(3) of the Act, as well as subsection 3(2) of the Electronic Commerce Protection Regulations (CRTC).

The investigation alleged that commercial electronic messages (CEMs) were sent or caused or permitted to be sent by Couch Commerce to recipients without a compliant unsubscribe mechanism during the period of 2 July 2014 to 9 September 2014, while Mr. Halazon was CEO of Couch Commerce. More specifically, it was alleged that the unsubscribe mechanism did not function, or could not be readily performed, or unsubscribe requests were not given effect until more than 10 business days after a request has been sent. It was also alleged that Mr. Halazon was personally liable for this violation pursuant to section 31 of the Act.

Amount payable and summary of other requirements

As part of the undertaking, Mr. Halazon has agreed to make a monetary payment of $10,000 to the Receiver General for Canada in accordance with subsection 28(3) of the Act.

In addition to this payment, TCC, a company which acquired the email list initially used by Couch Commerce and which is also represented by Mr. Halazon, agreed on a compliance program. This program includes elements such as a review of current practices, development and implementation of corporate compliance policies and procedures, training for employees, consistent disciplinary procedures, tracking of CEM complaints and subsequent resolution, monitoring and auditing. This program also includes reporting mechanisms to Commission staff with respect to its implementation, as well as other requirements, such as reporting significant changes affecting the business and full cooperation in case of visits or requests from Commission staff.

This undertaking fully resolves all alleged or potential liability for all CEMs sent by and on behalf of Mr. Halazon and TCC from 2 July 2014 up to the date of the undertaking.

If Couch Commerce Inc. was a company, why was Mr. Halazon pursued as an individual / the CEO under the Act? Other actions have been taken against companies — both previous, such as Kellogg and Blackstone, and even just below, with 514-BILLETS. The answer is vicarious liability, which is not detailed in this action but will come up soon when we look at Brian Conley and nCrowd.

Issued penalty: $10,000
Final penalty: $10,000
Total issued AMPs: $2,217,000
Total imposed AMPs/monetary penalties: $823,000
Differential: $1,378,000
Kiss of Death: Dead as Doornail

[2] I get curious about things, so looked up “Ghazan Halazon” on LinkedIn, and found two profiles — the first, “dealfindingghazanhalazon” is the CEO of Couch Commerce, still lists Ghazan Halazon as its CEO, but there’s a second Ghazan Halazon, with an identical education background, but who mysteriously doesn’t mention Couch Commerce at all. Does this count as two?

March 15, 2018

Monetary compensation of $100,000 from 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC. (514-BILLETS) (https://crtc.gc.ca/eng/archive/2018/ut180315.htm)

First of all, that’s a pretty sweet phone number. 514 is the area code for Quebec, and BILLETS is a 7-digit combination that’s French for “Tickets”.

Second, while previously there didn’t seem to be a distinction between “monetary compensation” (paid to the Receiver General) and AMPs (generally “paid in accordance with the instructions contained in the notice of violation”), there’s a big swing here. As is often the case, this is brief enough that we can put it in an accordion, but I’ll ask you to pay attention to the bit at the bottom, about payment:

Undertaking: 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC. (514-BILLETS)

File No.: 9090-2015-00415

Date of the undertaking (signed by all the parties): 15 March 2018

Monetary compensation: $100,000

Pursuant to section 21 of the Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (the Act)

Persons who entered into an undertaking

9118-9076 QUÉBEC INC. and
9310-6359 QUÉBEC INC.

Acts and omissions covered by the undertaking and provisions at issue

9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC. have voluntarily entered into an undertaking with the Chief Compliance and Enforcement Officer concerning alleged violations of paragraphs 6(1)(a), 6(2)(a) and 6(2)(b) and non-compliance with subsection 10(1) of the Act, as well as non-compliance with section 4 of the Electronic Commerce Protection Regulations (CRTC) (CRTC Regulations).

9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC. both operate under the name 514-BILLETS to carry on commercial activities related to a ticket resale service for cultural and sports events in Canada, specifically in the Montreal, Quebec City, Ottawa and Toronto areas.

Both corporations are responsible for sending commercial electronic messages (CEMs), mainly in the form of text messages (or SMS, for “Short Message Service”), promoting their commercial activities.

Between 3 July 2014 and 26 November 2015, the Spam Reporting Centre (SRC) received submissions related to these CEMs and CRTC staff launched an investigation with regards to these submissions. The investigation alleged that 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC. sent or caused or permitted to be sent CEMs between 1 July 2014 and 20 January 2016, without the recipients’ consent and without setting out the prescribed information enabling the recipients to easily identify and contact the sender.

More specifically, the majority of CEMs sent by 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC. were requests for consent, offering the recipients the opportunity to receive future commercial offers. These messages presented the following format: “ Would you like offers for discount tickets for [...] ” while sometimes including a short list of proposed event categories.

According to section 4 of the CRTC Regulations, a request for consent must include a number of pieces of information, including the name, mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person seeking consent or, if different, the person on whose behalf consent is sought, as well as a statement indicating that the person whose consent is sought can withdraw their consent. With respect to text messages and other communication methods with a limited number of characters, subsection 2(2) of the CRTC Regulations provides that the information may be posted on a Web page that is readily accessible by the person by means of a hyperlink set out in the message.

The information required for a request for consent was not indicated in the CEMs sent by 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC, nor did they include a link to a Web page where the information could have been found.

Amount owing and summary of other conditions

As part of the undertaking, 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC. jointly and severally agreed to pay $100,000 in compensation for the alleged violations. A $25,000 amount was paid to the Receiver General for Canada, in accordance with subsection 28(3) of the Act. An additional $75,000 amount will be paid out to 514‑BILLETS customers in the form of 7,500 discount coupons with a $10 value each.

In addition to this monetary compensation, 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC. have agreed to put in place a compliance program. This compliance program includes the review and revision of current compliance practices, the development and implementation of corporate policies and procedures designed to ensure compliance with the Act, the delivery of employee training, the implementation of adequate disciplinary measures in the event of non-compliance with internal procedures, the establishment of a thorough complaint monitoring and resolution structure related to CEMs sending, as well as various other monitoring and audit measures, such as mechanisms for reporting to CRTC staff concerning the program’s implementation.

This undertaking fully resolves all alleged or potential liability of 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC. with respect to all CEMs sent by them or on their behalf from 1 July 2014 to the date of this undertaking.

So the published $100,000 was actually a $25,000 financial penalty, and $75,000 issued in discounts… to, one assumes, the very same people they were spamming to become customers in the first place.

Remember recently, how Tim Hortons engaged in egregious privacy violations and proposed that it give customers a free coffee and a donut rather than any, shall we say, meaningful penalty?

That seems to be where the Tim Hortons matter landed, per this Superior Court of Quebec decision of September 2022.

Of note in that decision is what I’d say is some extremely valid criticism of these kinds of arrangements – [s50]: “It has been said that they provide benefits to the companies being sued which runs afoul of the objective to deter harmful behaviour. Other objections include the low take-up rate of coupons, the fact that compensation may be tied to a purchase obligation, undue restrictions on the use of coupons and the high fees claimed by class counsel.”

This is enumerated in a series of factors that the court should consider with coupon-based compensation schemes:

2022 QCCS 3428, s52

Hyperlinks amended to the text of the decision’s footnotes rather than CanLII footnotes for the reader’s convenience.

[52] This being said, these types of settlements may be appropriate in certain circumstances. The following factors, while not exhaustive, should be weighed when a court is asked to consider whether a coupon settlement is fair, reasonable and in the best interest of members:

52.1. The individual value of the settlement: When the individual value of the settlement is low, it is often impractical or too costly to issue cheques or proceed with Interac transfers. In such cases, a coupon may be preferable to a cy-près payment which would not directly benefit class members.

52.2. The possibility to choose other compensation or to transfer the voucher: Courts are more likely to approve coupon settlements where the agreement provides that members may choose between coupons and other compensation, or when the coupon is transferable.³

52.3. The value of the coupon in proportion to the cost of redeeming it: When the good or service offered requires a subjectively important investment, some members may be indirectly forced to forego their compensation due to lack of financial means. On the other hand, when the settlement consists of a free item without further obligation or a rebate on a product or service that class members already use, credits may be the best way to automatically compensate members.

52.4. The likelihood that the coupons will be redeemed: Voucher settlement may be particularly problematic when access to compensation requires that customers purchase goods or services that may not be needed in the immediate future.⁴ As such, the frequency and recurrence of the commercial relationship between defendant and class members may be an important factor to consider. One must also be wary of forcing customers to re-establish a long-term commercial relationship that the customer may now consider objectionable as a result of the complained-about practice.

52.5. Restrictions or conditions that apply: The easier it is to use the credit, coupon, or voucher, the likelier it will be that the settlement will be approved.⁵ Coupon settlements that place undue restrictions or too short a time frame for the redemption of class member compensation should be frowned upon. When compensation requires a purchase or travelling to defendant’s establishment, the number and geographical availability of these locations or the possibility of conducting remote transactions is an important factor.

52.6. A change of practice: A coupon settlement may be considered more appropriate when the settlement is accompanied by an undertaking by the defendant to change the commercial practice which gave rise to the class action.⁶

52.7. The obligation to provide a report on the implementation of the settlement: The undertaking to provide the court with a detailed report on the redemption rate is considered to be illustrative of class counsel’s intent to ensure that as many members as possible will redeem their coupon.⁷ This will especially be the case when the report is presented prior to the approval of class counsel fees.

52.8. Financial means of the defendant: When compensation to class members is deferred, the court must be satisfied that the defendant will be able to honour the coupon or voucher when it is presented.⁸

Other than that, this is a pretty open-and-shut violation: spam texts, with little sender and no unsubscribe / consent withdrawal information, clearly violating Section 4 of the regulations.

The decision seems… inexplicable in isolation, but with other prior decisions, such as the Blackstone one that AMPs should be lowered arbitrarily for small businesses, it does seem like the CRTC / CASL has the ability to adjust decisions in ways that may seem baffling to the casual observer. It’s hard to figure out what $75,000 in issued coupons is “worth” in terms of tallying penalties. It’s definitely not a $75,000 loss to the company. If I use an admittedly pretty arbitrary sourced redemption rate of 7%, it comes out to $5,250 out of pocket, which I’ll go forward with.

Issued penalty: $100,000
Final penalty: $30,250
Total issued AMPs: $2,317,000
Total imposed AMPs/monetary penalties: $853,250
Differential: $1,463,750

July 11, 2018

$250,000 in AMPs against Datablocks Inc. and Sunlight Media Network, Inc. (rescinded)

At this point, I’ll admit it:

I’m lost.

Part of the point of this was to track what the CRTC is saying it’s done, and what it’s actually done, because the announced penalties under CASL seem to be staggeringly high compared to the totals. I’m’a carry on, but situations like this one make it very challenging to keep track of what the CRTC claims has been done and what it’s tallying toward the “score.”

In its most recent enforcement snapshot, it states:

Payments and Penalties Under CASL

Since CASL came into force in 2014, compliance and enforcement efforts have resulted in administrative monetary penalties⁹ and undertakings totalling over $3.6 million. (emphasis mine)¹⁰

I’m not caught up yet – there’s still a few decisions from 2019-22 left to go – but I’ll tell you right now it’s not going to be even a fraction of $3.6 million in imposed penalties. Spoiler alert: we’re barely going to crack a million.

I’m going to keep gamely tracking decisions like this as part of the overall tally which theoretically will lead to that $3.6 million, but the math behind these pronouncements is getting increasingly baffling.

Anyhow.

The Datablocks/Sunlight Media decision is highly complex and, unlike all CASL enforcement to date, orients around subsection 8.1 of the Act:

CASL Subsection 8.1

Installation of computer program

8 (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless

(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); or

(b) the person is acting in accordance with a court order.

The gist of it is an accusation that Sunlight Media (operating an online ad network) and Datablocks (software/routing infrastructure) ran domains that redirected Government of Canada computers to a site that used Adobe / Shockwave Flash¹¹ exploits to install malware on the Government of Canada computers.

The infected computers were all promptly re-imaged without collecting any data on the malware, so there was no evidence of this after the fact [s39-47, 51]; further, the Commission noted that given IT processes it was plausible that the Flash files would have been blocked prior to installation [s69].

So it was dropped.

One thing to note here is the scope of this NOV and decision seems to be restricted to specific Government of Canada computers, while the initial investigation (now offline, archived here in the Wayback Machine) doesn’t mention this limitation of scope at all — the Government of Canada doesn’t get mentioned once in the body of the investigation, which talks about “malvertising” as a general scheme. It’s unclear how the scope of the violation narrowed from presumably a broad scheme to promulgate malvertising across the Internet to a few government computers.

Another thing of note is the clarification that malware must be successfully installed for a violation to occur – an attempt to install malware apparently doesn’t trigger CASL 8.1:

[s53] The Commission notes that subsection 8(1) of the Act refers to the installation of a computer program, not an attempt to install one. If the intent of Parliament in writing the Act had been to cover attempts to install, it likely would have included that language in subsection 8(1) of the Act. Furthermore, contrary to certain arguments made on the record, the issue is not necessarily about the infection, or compromise, of a computer system, since those actions or consequences are not referred to in the Act.  The question is whether there is sufficient evidence on the record of the proceeding to conclude, on a balance of probabilities, that the Shockwave Flash Files listed in the NOVs were installed. (emphasis mine)

Issued penalty: $250,000
Final penalty: $0
Total issued AMPs: $2,567,000
Total imposed AMPs/monetary penalties: $853,250
Differential: $1,713,750

  1. Side note: It’s curious that William Rapanos is a “Toronto-area” man at the time of filing, and there’s a 2014 investigation against a Sharon Rapanos of Bowmanville, in the GTA. I can’t find an evident connection between the two, but it’s not a common last name. The NTP for Sharon Rapanos was a demand to produce the names of anyone who had access to her Internet from July 2014 to June 2015, and given William’s reliance on “I was hacked” as his defense above, there seem to be some dots that can be connected. Or not. The universe is big and full of coincidences.
  2. I get curious about things, so looked up “Ghazan Halazon” on LinkedIn, and found two profiles — the first, “dealfindingghazanhalazon” is the CEO of Couch Commerce, still lists Ghazan Halazon as its CEO, but there’s a second Ghazan Halazon, with an identical education background, but who mysteriously doesn’t mention Couch Commerce at all. Does this count as two?
  3. Abihsira c. Stubhub inc., supra, note 10, paras. 45 b) and d); Hurst c. Air Canada, 2019 QCCS 4614, para. 29; C. PICHÉ, supra, note 11, pp. 38 and 39.
  4. Abihsira c. Stubhub inc., supra, note 37, para. 44 h).
  5. Ibid, para. 44 a); Preisler-Banoon c. Airbnb Ireland, 2020 QCCS 270, paras. 34 to 35 (closing judgment 2021 QCCS 15); Gosselin c. Loblaws inc., 2019 QCCS 3941, para. 24; Jacques c. 189346 Canada inc. (Pétroles Therrien inc.), supra, note 12, para. 15.
  6. Picard c. Ironman Canada inc., supra, note 28, para. 55; Abihsira c. Stubhub inc., supra, note 10, para. 44 j); Preisler-Banoon c. Airbnb Ireland, supra, note 39, para. 33.
  7. Hurst c. Air Canada, supra, note 37, para. 33; Gosselin c. Loblaws inc., supra, note 39, para. 30.
  8. Abihsira c. Stubhub inc., supra, note 10, para. 44 f).
  9. A person who is served with a Notice of Violation has the opportunity to make representations to the Commission with respect to the amount of the penalty or the alleged violations. As such, any case brought to the Commission is subject to a review. (footnote theirs)
  10. “Enforcing Canada’s Anti-Spam Legislation, Actions carried out by the CRTC between October 1, 2022 and March 31, 2023,” https://crtc.gc.ca/eng/internet/pub/20230331.htm
  11. now there’s a specific nostalgic hit for nerds of a certain age

CASL at 10: Case File – Blackstone Education

This is part six of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.

I had set Blackstone aside because it looked like an education space company, but now that I’m in it, it’s a training company, and on its face looks very similar to Compu-Finder.

This on its own is not necessarily proof of anything – correlation is not causation – but companies that push for-profit training courses seem to come up a lot in CASL decisions. Unlike Compu-Finder, Blackstone Seminars/Blackstone Learning Solutions/Blackstone Professional Development Group seems to be soldiering on. Their online presence doesn’t suggest great health, though: the site looks like it’s been coded to viewports that are only about 800px wide, which suggests it hasn’t been touched since 800×600 was king of the display resolutions, which was, uh, 2005?

I know this is a bit obsessive but I care about UX and accessibility, and for a company that is supposed to be providing training to the government, from whence all accessibility legislation hath come, this seems just ridiculous to me:

Blackstone’s site on a standard-issue 2023 1920x1080px screen. I’ve blurred the images because stock image copyright robots are really aggressive. This is probably worth a post on its own: there’s no “fair dealing” you can really rely on when re-producing licensed stock used as illustrations for news stories, etc.

Anyway – back in 2014, when pretty much all computer monitors accommodated much wider resolutions than 800px¹, Blackstone was served a Notice to Produce (NTP). An initial deadline of November 21 was extended to December 3 at Blackstone’s request, and then – well, let me just flip the entire thing into an accordion here, emphasis in the original:

Compliance and Enforcement Commission Letter Addressed to Ari Rozin (Blackstone Learning Corp.)

Ottawa, 22 January 2015

BY E-MAIL AND COURIER

Our File No.: 9102-201400305-010

(…)

Ari Rozin
Blackstone Learning Corp.
107 Weslock Cres., Unit 2B
Aurora, Ontario  L4G 7Z4

Re: Notice to Produce in File No. 9102-201400305-010 – Request for review from Blackstone Learning Corp.

On 7 November 2014, pursuant to An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (the Act), a designated person for the purpose of section 17 of the Act served a notice to produce (NTP) on Blackstone Learning Corp. (Blackstone)

The NTP required Blackstone to produce certain documents by 21 November 2014. On 20 November 2014, this deadline was extended to 3 December 2014 by the designated person, at Blackstone’s request. Blackstone subsequently sought a review of the NTP.

Section 18(1) of the Act provides that an application by a person for review of an NTP must be brought before they are required to produce a document.

Part 5 of the NTP served on Blackstone also provides that a request for review must occur within the time limit set out in Part 3 of the Notice, and establishes the process for making such an application to the Commission by fax or postal mail. Blackstone was also informed by emails from the designated person dated 26 and 27 November 2014 that it needed to follow the procedure set out in Part 5, and needed to comply with the extended deadline.

On 4 December 2014, Blackstone sent an email to the designated person stating, “Please consider this a formal request for a review based on the unreasonable request to produce the documents in the given time.”

The Commission notes that Blackstone was made aware of the applicable procedure and deadline for requesting a review both by the NTP itself, and through emails exchanged with the designated person. The Commission considers that Blackstone’s request for review, which was made by email after the 3 December 2014 deadline, provides no explanation as to why it was unable to comply with the deadline, and gives no reasons why a late submission should be accepted by the Commission. The Commission notes that even if Blackstone’s request had been made within the applicable deadline, it provides no reasons or arguments to support its assertion that the NTP is unreasonable.

In light of these considerations, the Commission denies Blackstone’s request for review on the basis that it does not conform to the procedures established in the NTP, or with the requirement in section 18(1) of the Act that such an application be brought before the documents at issue are required. Blackstone is therefore required to produce the documents specified in the NTP in the form and manner set out therein, to the designated person, by 29 January 2015.

Pursuant to subsection 18(5) and section 27 of the Act, Blackstone has the right to appeal this decision by bringing an appeal in the Federal Court of Appeal within 30 days after the day on which the decision is made. An appeal on a question of fact may be brought only with the leave of the Federal Court of Appeal, an application for which must be made within 30 days after the day on which the decision is made. An appeal with leave may not be brought later than 30 days after the day on which leave to appeal is granted.

Sincerely,

John Traversy
Secretary General

If you haven’t looked at it, flip that thing open and take a look at that last paragraph, which explicitly lays out how to appeal this decision with the Federal Court of Appeal.

Blackstone instead apparently filed an application for leave to appeal with the Supreme Court of Canada, which is not the Federal Court of Appeal.²

The Supreme Court replied to Blackstone – wrong venue! – and then Blackstone did not appeal with the Federal Court, for some reason. 

But – while I am not a lawyer (and this is not legal advice) – I’d think that somebody at Blackstone would have very sharp words for their counsel for not understanding the fundamentals of how appeals work, and not even reading the NTP request letter or follow-up directive of January 22. 

So – after an odd digression into inappropriate leaves for appeal – the CRTC issued its decision on October 16, 2016.

Worthy of note:

  • A campaign is a violation, not an individual email: [2] “The notice identified nine messaging campaigns totalling 385,668 commercial electronic messages sent by Blackstone between 9 July and 18 September 2014 without the consent of the recipients. As a result, a designated person stated that they had reasonable grounds to believe that Blackstone had committed nine violations of paragraph 6(1)(a) of the Act.”
  • You don’t need a price to appear to be selling something: [18] “The cost of these programs was not specifically discussed; however, the nature of the language used, including references to various discounts and group rates, conveyed that these courses were services available for purchase from Blackstone. The Commission thus determines that the messages were sent for the purpose of advertising and promoting services commercially available from Blackstone, and were commercial electronic messages within the meaning of subsection 1(2) of the Act.”
  • A bit of unpacking around how publishing an email address on the Internet is supposed to work re. “conspicuous publication” in para. 10(9)(b) of the Act [25-28 of the CRTC decision] – key phrase being “the Act does not provide persons sending commercial electronic messages with a broad licence to contact any electronic address they find online; rather, it provides for circumstances in which consent can be implied by such publication, to be evaluated on a case-by-case basis. Pursuant to section 13 of the Act, the onus of proving consent, including the elements of implied consent under paragraph 10(9)(b) of the Act, rests with the person relying on it.”
  • Other than complaining initially about timelines and the AMP amount, and the misguided appeal to the Supreme Court, Blackstone doesn’t appear to have cooperated with the CRTC at all; [55] “Blackstone did not cooperate with the investigation. The company refused to respond to a notice to produce issued under section 17 of the Act, even after a Commission decision requiring that it do so.”

And – despite Blackstone essentially just filing complaints and misfiling appeals and not doing anything that the Commission asks them to do – the CRTC still lowers the AMP from $640,000 to $50,000.

Once again, like with Compu-Finder, there’s what feels like almost a tacit admission that they do this to terrify marketers into compliance: [60] “As stated in the Act, the purpose of a penalty is to promote compliance with the Act, and not to punish. To this end, the penalty set out in the notice of violation places great emphasis on the principle of general deterrence. The Commission accepts that this is a valid principle to be considered in the imposition of an AMP, but considers that the specific circumstances of Blackstone’s case, and the violations that have taken place, require a lower AMP.”

Why the drop to $50,000? Because [61-62] Blackstone is a small business; its belief that it had consent was established before the release of the 2015-published Guidance on Implied Consent; along with the idea that other regimes like the Unsolicited Telecommunications Rules have lower penalties and still result in compliance.

Which — look, I am supportive of the CRTC and CASL. I understand the logic of the stunning amounts announced in terms of their value as deterrents. But there’s a bit of “boy who cried wolf” here — a risk of normalizing the process of not taking large judgments that seriously because you can be certain they’ll be amended downward.³

This was also in yesterday’s 2015-16 round-up, but just so the tally is close at hand:

Issued penalty: $640,000

Final penalty: $50,000

Total issued AMPs: $2,192,000

Total imposed AMPs/monetary penalties: $908,000

Differential: $1,284,000

  1. sorry, I’ll stop now
  2. I can’t find the Application for Leave to Appeal on the SCC website, but that might be because it didn’t even get heard – per this CRTC decision, s8-12, the SCC Registrar wrote back and copied the Commission that the SCC was not the right venue. This doesn’t seem to exist in any findable online archive.
  3. As an aside, an early post-lockdown internal comms issue was mask enforcement. It was mandated and we were announcing that masks must be worn in buildings, with certain exceptions for eating/drinking. But practically, who would enforce those rules during campus open hours, continuously, in all areas? As I was saying at that time, if you can’t meaningfully monitor and enforce rules globally, the second approach is to make punishment so draconian that it is terrifying to anyone that contemplates breaking the rule. But the #1 rule of terrifying punishments is that you kind of have to stick to the terrifying component. “We will announce the iron maiden but walk it back to a brisk tickling” over time is in some respects worse than just appealing to the common good.

CASL at 10: Case File Anthology, 2015-2016

This is part five of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.

Following the Compu-Finder penalty levied in early 2015 (to be walked back in 2017), CASL goes on a tear, dropping AMPs left and right. 7 out of the 15 total AMPs issued under CASL come from these two years.

We’re going to set aside one of them as particularly relevant to my interests (education space), and zip through some of the others:

March 25, 2015:

$48,000 AMP levied against “Plentyoffish Media”, a dating site. I’m not sure why people would want to date folks who are plenty offish, but there y’go. There was no question about consent here — CEMs were only sent to registered subscribers — but with no evident, or a non-functional, unsubscribe mechanism. This, along with a compliance program, seems to have passed without any re-evaluation or follow-up.

Issued penalty: $48,000

Final penalty: $48,000

Total issued AMPs: $1,148,000

Total imposed AMPs/monetary penalties: $248,000

Differential: $900,000

June 29, 2015:

$150,000 AMP levied against Porter Airlines, a small carrier. CEMs were sent to people without Porter being able to furnish any proof of consent. Some messages were sent without contact information, and others without “clear and prominent” unsubscribe information. Again, this plus a compliance program seems to have landed with no further appeals or follow-up.

Issued penalty: $150,000

Final penalty: $150,000

Total issued AMPs: $1,298,000

Total imposed AMPs/monetary penalties: $598,000

Differential: $900,000

November 20, 2015:

$200,000 monetary compensation paid by Rogers Media, a telecommunications giant. There were flawed unsubscribe mechanisms in emails they were sending, some unsubscribe requests were not acted upon within 10 days, others did not have an unsubscribe address that was valid for a minimum of 60 days after the message was sent. This, with a compliance program, landed without appeals or follow-up. The financial penalty is framed as “monetary compensation” rather than an “administrative monetary penalty,” with no further explanation.

Issued penalty: $200,000

Final penalty: $200,000

Total issued AMPs: $1,498,000

Total imposed AMPs/monetary penalties: $798,000

Differential: $900,000

September 1, 2016:

$60,000 monetary compensation paid by Kellogg Canada Inc., a food company. It, or authorized third parties, sent email without consent. This, with a compliance program, landed without appeals or follow-up. The financial penalty is framed as “monetary compensation” rather than an “administrative monetary penalty,” with no further explanation.

Issued penalty: $60,000

Final penalty: $60,000

Total issued AMPs: $1,552,000

Total imposed AMPs/monetary penalties: $858,000

Differential: $900,000

October 10, 2016:

$50,000 AMP levied against Blackstone Learning, a seminars/training company.

We’re going to unpack this more in the next post, as I’m very interested in education-space developments here, but in a nutshell, lots of email without proof of consent. The notice of violation (which was issued on January 30, 2015, but doesn’t seem to be available online) sent to Blackstone set out an AMP of $640,000, but the decision lowered it to $50,000.

Issued penalty: $640,000

Final penalty: $50,000

Total issued AMPs: $2,192,000

Total imposed AMPs/monetary penalties: $908,000

Differential: $1,284,000

December 14, 2016:

$100,000 AMP issued against Brian Conley of Couch Commerce/nCrowd, an online deals website. We’ll discuss this in detail when we get to 2019 and the final CRTC decision. Note that the link above goes to the final 2019 decision — Enforcement action 9090-2015-00414 (the 2016 notice) isn’t available, and the CRTC’s table of decisions links to the 2019 CRTC decision rather than the enforcement action.

The timing here is important, for reasons we’ll get into in our 2017-18 anthology including Conley’s case.

We’ll be back to look more in depth at Blackstone, and then get back to reviewing other CASL decisions.


CASL at 10: Case File – Compu-Finder

This is part four of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.


As we get into cases resulting in AMPs,¹ if there’s a theme here, I think it will be in establishing a prism of views on CASL: its effectiveness as a practical deterrent, its effectiveness as an educational tool, and how the marketing of CASL reflects the government’s (and our) view on the value of spam control vs. the panoply of other issues facing society today.

Speaking as somebody who was in marketing at the time, it’s hard to overstate how vaguely scary CASL was for people who relied on email for marketing. The day CASL came into force was also _my_ first day on the job in higher ed marketing, having transitioned from almost a decade in for-profit marketing work, mainly in the pharma / CPG / health product sectors.

So I was cutting my teeth in higher education, a sector with a heavy reliance on email marketing, while CASL took shape. My higher ed marketing career has evolved concurrent with CASL, and it’s interesting to look at how my own views on it have evolved.

The following captures the anxiety and situation well just before the law came into force:

“When CASL comes into force on July 1, 2014, it will be one of the most demanding laws in the world dealing with CEMs. The requirements that recipients specifically opt-in to receiving CEMs and CASL’s classification of electronic requests for express consent CEMs themselves, combined with the potentially enormous financial penalties for breaching the legislation make CASL particularly daunting for businesses sending messages to or from Canada.

It is impossible to know at this point how strictly CASL will be enforced, and the severity of fines that will be issued for infractions.”²

Moving from that quote alone, we have a few areas for follow-up:

  • how closely is the requirement that recipients specifically opt into CEMs followed?
  • what are the financial penalties that have been levied, and have they been followed through on?
  • has the legislation worked, in the raw sense of whether or not spam is in fact being curbed?

The last question is at least answerable through statistics — see this earlier post.

The straightforward answer to “Did CASL work?” depends on how you define its goal. We can start with the stated purpose from the Act itself:

Purpose

Purpose of Act

3 The purpose of this Act is to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities, because that conduct

(a) impairs the availability, reliability, efficiency and optimal use of electronic means to carry out commercial activities;

(b) imposes additional costs on businesses and consumers;

(c) compromises privacy and the security of confidential information; and

(d) undermines the confidence of Canadians in the use of electronic means of communication to carry out their commercial activities in Canada and abroad.³

“CASL hasn’t stamped out spam, and complaint rates remain relatively consistent, so it is not successful” is a defensible position, but per the Act itself, it is achieving its purpose as stated: to regulate commercial conduct and discourage communications that do a number of things that amount to what we think of as spam.

And even from the jump, reaction to the Act was mixed at best.

It’s also worth noting that the organization that enforces the law is also the one that gathers the complaints.

Which makes sense: the police get calls about people breaking the law, and enforce the law. The fire department gets the calls about fires and then puts out the fires. There’s no disconnect in the process, but it does leave a certain amount of latitude in terms of letting one body both define the problem and attempt to resolve it.

As mentioned in the statistical breakdown, the ratio of complaints to actions — be it requests for information, warnings, or eventually compliance actions — is immense. And the number of actual decisions is small, and the number of AMP penalties even smaller.

Small enough that one person can look at each of them in turn. We’ll start with one that got national headlines at the time: back in 2015, a $1.1 million AMP levied against Compu-Finder.⁴

Here’s the 2015 decision.

This drew national headlines as a definitive warning shot to violators of the new law.

What happened?

In a nutshell: Compu-Finder sent out a lot of unsolicited email without an adequate unsubscribe mechanism, which is pretty blatantly in violation of the law (and also — for anyone in marketing – not smart. Seth Godin wrote Permission Marketing in 1999, for Pete’s sake… this, even absent legislation, violated a lot of common sense and best practices).

The Notice of Violation is so brief that I can fit it all right here:

2015 AMP for Compu-Finder

Ottawa, 5 March 2015
File Nos.: 9094-2014-00302-001

To: 3510395 Canada Inc. (dba Compu.Finder)

Name: Ms. Sylvie Pagé, President

Address:
707, chemin du Village, suite 202
Morin Heights, QC, J0R 1H0

Issue Date of Notice: 5 March 2015

Penalty: $1,100,000

Pursuant to section 22 of the Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (the Act), the undersigned has issued this notice of violation finding 3510395 Canada Inc. to have committed the following violations contrary to Paragraphs 6(1)(a) and the Act:

Between 2 July 2014 and 16 September 2014, inclusively, 3510395 Canada Inc. sent or caused or permitted to be sent, to electronic addresses, commercial electronic messages, in three (3) patterns, without having the consent of the persons to whom the messages were sent, resulting in three (3) violations of section 6(1)(a) of the Act.

Between 2 July 2014 and 16 September 2014, inclusively, 3510395 Canada Inc. sent or caused or permitted to be sent, to electronic addresses, commercial electronic messages, containing an unsubscribe mechanism that did not function properly, resulting in one (1) violation of paragraph 6(2)(c) of the Act. Contrary to paragraph 6(1)(b) of the Act, 3510395 Canada Inc. did not ensure that the unsubscribe mechanism was valid for a minimum of 60 days after the message was sent, in accordance with subsections 11(1)(b) and 11(2) of the Act and as required by paragraph 6(2)(c) of the Act, or 3510395 Canada Inc. did not give effect to an indication sent in accordance with subsection 11(1) without delay, and in any event no later than 10 business days after the indication was sent, without any further action being required on the part of the person who so indicated, as required by subsection 11(3) of the Act.

Pursuant to section 20 of the Act, the undersigned has determined that the total administrative monetary penalty for the violations identified above is $1,100,000.

The penalty of $1,100,000 must be paid by 3510395 Canada Inc. to “The Receiver General for Canada” in accordance with subsection 28(3) of the Act.

Manon Bombardier
Chief Compliance and Enforcement Officer

The widely reported decision was a wake-up call for marketers from coast to coast in Canada. Over a million dollars? For 3 email campaigns? In a miasma of still not being entirely rock solid on how the law worked, and how aggressively it would be enforced, especially in the soft areas around what constituted a “business relationship,” it was pretty scary stuff. 

Other investigations and a walking-back of the $1.1M

In 2016, the Office of the Privacy Commissioner of Canada carried out its own investigation, using submissions and reports from the CRTC/CASL: PIPEDA Report of Findings #2016-003: Investigation into the personal information handling practices of “Compu-Finder” (3510395 Canada Inc.) – Office of the Privacy Commissioner of Canada. The report is clear that the PIPEDA investigation is distinct from CASL [114].

Some interesting nuances in that investigation:

  1. While addresses were harvested before the Act introduced provisions regarding address harvesting on July 1, 2014, use of some of those addresses still constituted a violation of the Act [16].
  2. The volume of complaints to the SRC was 1,015 over a nine-months-plus-a-bit period. That’s over 100 complaints a month, which is a lot of complaints. Reading between the lines – if people were submitting that many complaints to a government body, surely Compu-Finder must have been getting a ton, enough that I’d hazard they were being deliberately obtuse about it. Again – permission marketing wasn’t a new concept, even in 2014. [27]
  3. Ultimately, 317 emails were at issue, which averages out to about 100 emails per “pattern” of email. Only 87 violated the unsubscribe requirement. [31]
  4. The emails came from a revolving door of domain names, including “coursacf”, “acfmanagement”, “formationacf”, “objectifscommerciaux”, “gestionnaireschan”, “laformationsenligne” and “moncourtravailz” – “to name a few,” as stated in the investigation. They were also sent / signed by generic names such as “Team Leader,” “Director General,” etc. [29,30]

…honestly, the investigation is worth reading. It feels like Compu-Finder missed a trick in not opening a highly profitable red flag factory.

Lack of meaningful consent, ambiguous phone scripts to cold-call companies and extract names and email addresses, reliance on implied consent (PIPEDA 4.3.6; PIPEDA 40.1) but disregarding express prohibitions against solicitation in public email directories… if I were to write a Goofus and Gallant children’s book on e-mail marketing in Canada, the Goofus pages are fully filled in.

Ultimately, Compu-Finder agrees to implement the OPC’s mandated changes “without prejudice and without admission.” [156]. The OPC determines that the issues are either well-founded and resolved, or well-founded and conditionally resolved, noting that the Office has a “continuing interest” in making sure Compu-Finder is compliant. [160, 161]

Then, in 2017, the CRTC walked back on the $1.1 million, dropping it to $200,000.

Which is still more money than most organizations would care to spend on a fine for spam, but a pretty huge leap back from the national-headline-grabbing over-a-million amount. Why? The reasoning extends across [87] through [124] of the decision, culminating in

[125] The Commission finds, on a balance of probabilities, that Compu-Finder committed the four violations set out in the notice of violation, and imposes a total penalty of $200,000 on the company.

So why was there apparently a $900,000 error in the first decision? This may seem cynical, but as somebody who works in marketing, the one line in that review that leaps out as pretty close to an admission that they did it for the shock and awe is here:

[92] The investigation report stated that the purpose of the penalty, being the promotion of compliance with the Act, was achieved through general deterrence created by the AMP, and that the proposed penalty was not disproportionate to the violations. (emphasis added)

The decision, in [87-124], covers ground including the offense, Compu-Finder’s ability to pay, whether or not the size of the penalty triggers a s11 Charter violation (more on constitutional challenges later), and proportionality.

It is what it is; but one might expect that the CRTC would have worked through all of this before issuing the AMP in the first place, unless the object was to terrify as opposed to impose a fee that sticks.

In a 2020 decision (and let’s remember that this all started back in November of 2014), 3510395 Canada Inc. v. Canada (Attorney General), 2020 FCA 103 (CanLII), [2021] 1 FCR 615, the FCA roundly denied Compu-Finder’s appeal, in a ruling that covered a substantial amount of ground.

I’m going to refer heavily here to a summary by Ryan J. Black, Becky Rock, Tyson Gratton & Meghan Bellstedt, then of DLA Piper (Canada) LLP, available on CanLii, and worth reading on its own. The FCA decision:

  • established that CASL is constitutionally valid federally (among other things this prevents “legislation shopping” among provinces for the one with the least stringent anti-spam legislation)
  • doesn’t violate Sections 7, 8 or 11 of the Charter (the first because there’s no unreasonable seizure in a CASL request, the latter two because there are no criminal charges or penal consequences)
  • justifiably violates S1 of the Charter, Freedom of Expression — of note, see Para 194 of the FCA decision and its statement that “commercial expression is not as jealously guarded as some other forms of expression”.

Compu-Finder then sought leave to bring this to the Supreme Court, and was rebuffed in March of 2021, six and a half years after the initial ruling.

We won’t be covering further decisions in this much detail, but out of the gate Compu-Finder establishes a few modes of action that are worth tracking:

  • Big-money AMPs that are later reduced
  • CASL decisions that get walked back by the CRTC later on
  • Targeting offenders that operate mainly in the private sector, and mainly in tech

On that first bullet, here’s the beginning of a running tally:

Issued penalty: $1,100,000

Final penalty: $200,000

Differential: $900,000

Let’s dive into a few more of these, and see where and when that pattern holds, and how those numbers differ over time.

Incidentally – Compu-Finder seems to have fallen on hard times since the Supreme Court’s rebuffing. At the time of writing, the URLs identified in the 2016 PIPEDA investigation as being the principal URLs for Compu-Finder have all fallen on hard times:

  • compufc.com – 404 error
  • acfmanagement.com – returns a blank page; View Page Source shows only a notification to enable JavaScript but no indication of what the content would be
  • prosperer.ca – clearly abandoned; there is content on the page but the CSS is broken and the page is unreadable
  • academiedegestion.com – redirects to an alphabet soup URL that requires you to allow notifications to view it – no thank you.

¹ Administrative Monetary Penalties – check the terminology post for more acronyms!

² Jennifer Birrell, Emond Harnden LLP, Legislation to be Aware of: PIPEDA, Anti-Spam, Non-Discrimination, Harassment, Accessibility for Ontarians. https://www.canlii.org/en/commentary/doc/2014CanLIIDocs33375

³ An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (S.C. 2010, c. 23), section 3

⁴ It’s spelled “Compu.Finder” in the header of the CASL decision, “CompuFinder” in the body of that decision, and “Compu-Finder” in the PIPEDA investigation referenced below – for the sake of consistency, we’ll be using “Compu-Finder”, which is how the company referred to itself in its promotional materials throughout.

Categories
CASL Consent Law Marketing & Communications Privacy

CASL at 10 – Big Numbers

This is part three of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.


With the 10th year anniversary of Canada’s Anti-Spam Legislation coming up in a few months, it’s beneficial to run through the data they provide (starting in 2018).

My interests here are chiefly:

  • establishing whether or not the overall rate of spam is going down
  • gaining some understanding of the likelihood of a significant action being imposed on an organization

On the first, CASL itself reports on the number of complaints it receives over time. I’ve aggregated these from their reports, such as the Sept. 2022 – March 2023 report presented here.

Based on complaints to regulators, is spam diminishing over time?

The number of complaints about unsolicited CEMs over time wobbles, but stays within a rough 140,000-170,000 range, trending up steadily since COVID.

[Figure: Complaints over time (note that the baseline is set at 100,000). The chart of complaints to the CASL regulators wavers up and down, but on the whole stays within a range of 140,000 to 170,000.]

On its face, then, the presence of the legislation isn’t slowing the rate of complaints about unsolicited messages.

Careful phrasing, there: I don’t want to say that the legislation is not having an effect on spam. All we’re seeing here is that complaints about spam are staying high and gently rising over time following a 2020 dip (COVID?). This could feel like it means “spam is not going down,” but there are counter-arguments to that – it may not be that spam is not decreasing, per se, but that growing awareness of CASL means that reporting rates are going up: people can recognize spam more readily, and know it is easy to report.

Even if you take the complaint number as representing spam volume overall, there are (at least) two arguments one could make that CASL is effective:

  • Spam would be growing unchecked were it not for CASL, and relatively flat numbers are a proof of its success.¹
  • Complaints aren’t really the right tool to measure its effectiveness: the legislation isn’t really about stopping commercial electronic messages (CEMs) entirely, but consumer and marketer education.

The best test would be to compare complaint rates with those from a country that has no CASL-type legislation or enforcement. Unfortunately, CASL is the reporting structure as well as the enforcement unit — if there are countries that track spam complaints but don’t have any mechanisms for controlling spam, please let me know.

What about the other easily measured numbers: notices to produce, and preservation demands – both easily interpreted as preludes to enforcement?

The graphs are a bit more jagged, due to the smaller overall numbers, and reflect a “ramping up” of CASL following its introduction – the complaints came hard and fast initially, but it clearly took some time to respond to them and begin issuing notices:

[Figure: CASL – Notices to Produce, April 2018 – March 2023. Quick climb from 2018 to 2020, then varying from about 250 to about 125.]

[Figure: CASL – Preservation Demands, April 2018 – March 2023. Numbers fluctuate from 0 to 21.]

[Figure: CASL – Warning Letters, April 2018 – March 2023. One spike in March 2019, otherwise consistently between zero and 10.]

It feels like it took the CRTC a couple of years to hit its stride with Notices to Produce and Preservation Demands,² with complaints flowing in out of the gate and some ramping up of the tools and processes for investigation, with a fairly steady state since 2020 in terms of notices to produce and preservation demands. Until our most recent periods, anyway. I thought I’d identified a wave – notices to produce in one six-month span create higher preservation demands in the next – but the above shows that’s wrong.

Warning letters are very different – a (relatively) large burst in 2019, and then not much at all. I would have expected a consistency here, and can only speculate that the Commission has at some point decided that NoPs and preservation demands are more effective.

The complaints chart looks very smooth compared to the notices/preservation/warning charts because the scale of the numbers is different. Taking a reasonably high period for notices and demands (April-September 2020), here’s how they compare:

Complaints: 140,945

Notices to Produce: 257

Preservation Demands: 17

That is a whopping ratio: almost 550 complaints per notice to produce.

About 8300 complaints per preservation demand.

And if you dig into the actual actions beyond the “warning shots” of notices to produce, preservation demands and warning letters, the number gets very small indeed. From April 2018 to present, the ratios are:

1,529,257 complaints total³

18,785 complaints per warning letter

21,240 complaints per preservation demand

1007 complaints per notice to produce⁴

There have been 16 undertakings and/or decisions with financial penalties issued since 2014. Nine happened prior to 2018, when complaint numbers started being made publicly available, so if we measure from when these stats were published, we arrive at 1,529,257 total complaints resulting in seven announced penalties – many of those later being reduced or ultimately not imposed (stay tuned for closer looks at the decisions and – more importantly – the follow-throughs).

That math breaks down to over 218,000 complaints per announced penalty.

That feels like a lot of complaints ultimately leading to a penalty (or in some cases, no penalty after all).

A summary in convenient graphic form, with tasteful gradient background:

Graph re-presenting the above information in a single graphic.

Arguably, warning letters and notices to produce are the deterrent, and the issue rate of warning letters / NOPs is chilling violators, and focusing solely on AMPs is a bit too narrow – but CASL likes to broadcast the dollar values of penalties levied on every report, so I think it’s fair enough to zero in on those as the key factor.

Next post, we’ll start to look at the actual decisions – those seven penalties – and poke at their stories a bit. It’s interesting stuff, I promise.

¹ Why do police budgets keep going up while crime rates fall? Because enough politicians believe that if we don’t keep buying military hardware for the police, crime will suddenly rise. I’m not a subscriber to this line of thought, and think declines in crime are more provably attributable to things the police have very little to do with — education, social services, access to mental health supports and healthcare — but this line of thought exists, and there’s no reason it shouldn’t apply to CASL as it applies to street crime.

² Please see the Terminology blog post for descriptions of these!

³ This project overall might be read as critical of CASL, and I just want to be clear that processing 1.5 million complaints is nothing short of heroic. We’ll be getting to conclusions eventually, but please remember this number — I don’t know how many people are staffing the CASL project, but 1.5 million complaints in five years is an incredible amount of work to manage.

⁴ We have to be clear that this is not a magic number; when we get into looking at specific cases, sometimes a very low number of complaints ultimately result in a notice, preservation demand, or AMP. Saying “if less than a thousand people complain, nothing will happen” shouldn’t be the takeaway here!

Categories
CASL Consent Law Marketing & Communications Privacy

CASL at 10 – Parameters

This is part two of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.


Before we dig into what Canada’s Anti-Spam Legislation (CASL) does, let’s look at what it’s for. This whole series kicked off as a work-related question around student subscriptions to Faculty newsletters,¹ so that’s a jumping-off point for what I’ll be exploring here.

¹ In a nutshell: we use Mailchimp for newsletters, which comes with a baked-in unsubscribe function; we’ve also developed a process to scrape the school database to auto-update student lists so that it periodically “automagically” recalibrates for students who have left, new students who have joined, etc. That in turn would refresh the lists in a way that pushes students who unsubscribe – which they really shouldn’t do in the first place – back into the mailing list, and administrators, appropriately concerned, asked if that was even CASL compliant. Hence (gestures around).

Oh! Yes! I am not a lawyer and this is not legal advice. Just a reminder (and a catchy tune, if I do say so myself).

The first organizing question, then, is “are school newsletters subject to CASL?”

The safest answer is “yes.” But that’s not an entirely accurate answer. If you are very diligent about content and ensuring you’re always on the right side of not including CEMs² (see below), it’s feasible to have a newsletter program that, by avoiding CEMs entirely, is outside of CASL’s scope.

² Commercial Electronic Messages; Part One of this series has all the definitions.

Law firm Borden Ladner Gervais prepared an overview for Colleges Ontario, vexingly not available on either the BLG or Colleges Ontario sites but available on some college sites, including that of Algonquin College.

It is very much a document that errs on the side of caution, and is very prescriptive; to understand it, it’s necessary to understand some of the basic premises of CASL.

All commercial messages are forbidden, and CASL creates exceptions to a general prohibition.

All commercial electronic messages (CEMs) are forbidden by default.

This isn’t a situation where they are allowed, with some prohibited: they are all forbidden, except under circumstances that the law lays out.

This might seem obvious but was kind of hard for me to wrap my head around. Going into this, I had the general sense that the law hews toward an “if it’s not forbidden in the law, it’s okay” approach, or as WR Lederman put it:

What is not forbidden is permitted, but certain things must be and are forbidden.³

³ W R Lederman, The Nature and Problems of a Bill of Rights, 1959 37-1 Canadian Bar Review 4, 1959 CanLIIDocs 21, <https://canlii.ca/t/t5qk>, retrieved on 2023-05-24

I kind of assumed it was like a sign at a park about dogs. “Dogs Welcome!” Generally speaking, you can bring your dog there. And then it specifies that some types of dogs, or certain breeds, are not allowed (“No Pit Bulls”, or “No Aggressive Dogs,” or “No Dogs Over 10 lbs.”). Dogs are permitted, generally speaking, and there are rules governing outliers.

CASL is actually like a sign that says no dogs allowed and then goes on to say “except these specific breeds” or “except dogs of a certain size”. CEMs fall under the “…but certain things must be and are forbidden.” end of Lederman’s sentence above.

The legislation carves out exceptions to a prohibition, rather than prohibiting elements of a broadly allowed behaviour.

CEMs are prohibited. Period. The only exceptions under which CEMs are allowed are those detailed in CASL.

All dogs are welcome (except certain dogs), vs. no dogs are allowed (except certain dogs). CASL keeps all the dogs out, but makes provisions for certain dogs being okay. I have tried to make a “who let the dogs out” joke here, but it’s just not coming together.

What is a CEM?

I’d recommend you open the Act in a new tab before continuing: http://laws-lois.justice.gc.ca/eng/acts/E-1.6/index.html

Before we get to how the Act defines a CEM, let’s hop through a couple of other definitions from Part 1 of the Act:

1(1)
commercial activity: means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada.

(…)

electronic address: means an address used in connection with the transmission of an electronic message to

(a) an electronic mail account;

(b) an instant messaging account;

(c) a telephone account; or

(d) any similar account.

(…)

electronic message: means a message sent by any means of telecommunication, including a text, sound, voice or image message.

Putting it all together for a definition of a CEM:

1(2)

For the purposes of this Act, a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that

(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;

(b) offers to provide a business, investment or gaming opportunity;

(c) advertises or promotes anything referred to in paragraph (a) or (b); or

(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.

The law also extends the request for consent itself to be a commercial electronic message.

This is vexing for people who are permission-seeking, but makes perfect sense from a consumer standpoint: it closes a loophole of the permission-seeking being the ad. If they didn’t do this, “May we send you messages about CreamerSquirtz (a squeezable creamer container that will revolutionize how you put cream in your coffee, now on sale at your local grocer for $2.99, buy it today!)?” would be viable. Hence:

1(3)

(3) An electronic message that contains a request for consent to send a message described in subsection (2) is also considered to be a commercial electronic message.

CASL regulates all electronic messages, not just email

While “Spam” is right there in the name, it’s not really just about email spam (or text spam). As defined above in 1(1), an electronic message is a message sent by any means of telecommunication.

There’s an implied element of directness in there: a billboard cannot be a CASL violation, for instance. It governs messages sent to an “electronic address” (see above):

6 (1) It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless

(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and

(b) the message complies with subsection (2).

Any commercial message contaminates a non-commercial message

The content of school newsletters, at least where I work, is almost entirely non-commercial. Upcoming key exam dates, or an announcement that a club is looking for members, or summaries of recent news articles, don’t fall under the definition of a CEM.

But some things on the periphery do qualify, and that’s why understanding contamination is important.

Just like you can’t have a shop that stocks mostly soda pop and just a smidge of toxic waste, and think that’s okay because it’s mostly soda pop, you can’t have a “mostly” non-commercial message with a bit of commercial messaging.

The law is clear: all commercial messages are de facto forbidden. A school e-newsletter that’s 90% announcements but also 10% promoting a clothing sale that kicks back some profits to the school is considered a CEM – the latter contaminates the former, as it’s a commercial message.

There are no exceptions for non-profits or charities

Right back up to 1(1): “…whether or not the person who carries it out does so in the expectation of profit…”. Just because you’re a school – or a church, or a Scout troop, or whatnot – a CEM is a CEM is a CEM.

People can’t sue you for CASL violations

At one point, the federal government was going to introduce a “private right of action” – i.e. empowering lawsuits – over CASL violations. It was removed before the law finally came into full force, but it’s not impossible to see it being reintroduced. It’s possible that people could sue you for other reasons related to unsolicited messages, but there’s no mechanism for people to point at CASL as the foundation of a lawsuit.

Consent is implied if a recipient is in an existing business or non-business relationship

This is something I’m still actively poking at, because it feels like the mechanism under which school newsletters might work, but it also feels… tricky.

One of the challenges with CASL implementation – which we’ll see when we get into examining actual cases, especially those resulting in AMPs – is that there just isn’t that much jurisprudence in the “interesting” zones around the fringes of the flagrant examples of unsolicited, no-question-it’s-spam spam. Like many things in law, a Real Lawyer (and I am not one) can confidently say “the law says this” but it’s still ultimately up to the courts to decide how the law is applied when a use case is operating on the fringes.

I feel there’s a strong argument, when you look at s10 (9) and (10), that students at a university are in a business relationship with their school.

Implied consent — section 6
(9) Consent is implied for the purpose of section 6 only if (a) the person who sends the message, the person who causes it to be sent or the person who permits it to be sent has an existing business relationship or an existing non-business relationship with the person to whom it is sent (…)

Definition of existing business relationship
(10) In subsection (9),
existing business relationship means a business relationship between the person to whom the message is sent and any of the other persons referred to in that subsection — that is, any person who sent or caused or permitted to be sent the message — arising from
(a) the purchase or lease of a product, goods, a service[4], land or an interest or right in land, within the two-year period immediately before the day on which the message was sent, by the person to whom the message is sent from any of those other persons (…)

On its face, it seems clearly arguable that a student is purchasing a service, or really a broad set of services, from a university. Money is exchanged, the student receives instruction and grades and so on.

To date, there hasn’t ever been anything that addresses this or is comfortably adjacent to it. So I personally feel confident that consent is implied when a student is paying a college or university for the services of education (or residence, or gym use, etc.) but it’s… fuzzy. I’ve got a lot of notes for a dive into this topic as its own thing, and hope to get to it.

This interestingly dovetails entirely with another area of active interest for me – the interweaving of FIPPA and PIPEDA[5] on campuses, with for-profit PIPEDA eligible activity nested inside larger FIPPA-regulated structures, but that’s a whole ’nother thing.

Coming up: actual numbers, 2018-present

Up soon… let’s look at the actual numbers of what CASL has done since it started taking recorded actions. There will be charts.

  • 1
    In a nutshell: we use Mailchimp for newsletters, which comes with a baked-in unsubscribe function; we’ve also developed a process to scrape the school database to auto-update student lists so that it periodically “automagically” recalibrates for students who have left, new students who have joined, etc. That in turn would refresh the lists in a way that pushes students who unsubscribe – which they really shouldn’t do in the first place – back into the mailing list, and administrators, appropriately concerned, asked if that was even CASL compliant. Hence (gestures around).
  • 2
    Commercial Electronic Messages; Part One of this series has all the definitions.
  • 3
    W R Lederman, The Nature and Problems of a Bill of Rights, 1959 37-1 Canadian Bar Review 4, 1959 CanLIIDocs 21, <https://canlii.ca/t/t5qk>, retrieved on 2023-05-24
  • 4
    emphasis mine
  • 5
    Freedom of Information and Protection of Privacy Act / Personal Information Protection and Electronic Documents Act; essentially provincially-regulated public-sector legislation and national private-sector legislation governing privacy.