CASL news! The crusade against spam continues unabated

spammmmmmm

Wow! Exciting developments on Canada’s anti-spam front, especially in the last week. Undoubtedly the spammers are quaking in their boots.

So last week there was quite a nugget of news in the spam world. The CRTC released an actual legal decision about CASL, Canada’s anti-spam law about which I’ve written frequently. But first, a quick note about another CASL thing that I missed this summer when I was out enjoying the good weather.

Kellogg Canada

On September 1, the CRTC announced that Kellogg agreed to pay $60,000 in fines (“Administrative Monetary Penalties”, or AMPs, under the law) for violating CASL. The CRTC announcement of the “undertaking” (basically Kellogg saying “our bad, we’ll do what you want CRTC”) was kinda short on details.  Here’s the key phrase:

From 1 October 2014 to 16 December 2014, inclusively, messages were allegedly sent by Kellogg and/or its third party service providers during the period of 1 October 2014 to 16 December 2014 to recipients without consent of their recipients.

No consent! At least that’s exciting. Most of the existing CASL AMPs were given for crappy unsubscribe mechanisms, which is dumb because seriously MailChimp.

What is interesting is the “and / or its third party service providers” bit. Under CASL, you can be screwed if you send the emails (ok ok, Commercial Electronic Messages, or CEMs) yourself, or if you “cause or permit to be sent” the CEMs. Third party service providers would fall under this “cause or permit” business, and it would have been nice to know the details of who or what this third party service provider did or did not do. Us lawyers need some guidance, and we’re not getting any. Kellogg also promised to be nice and comply with CASL in the future. So that’s that.

Blackstone Learning Corp.

We are now more than two years with CASL in effect (since July 1, 2014 for the CEM stuff). In that time, we have had literally zero “legal” decisions about the law which may help us lawyers. That changed last week.

On October 26, 2016, a day that will live in infamy, the CRTC released Compliance and Enforcement Decision CRTC 2016-428. Catchy! It reads like an actual case, so let me go back to my law school days to summarize it for you, in the manner and style of law school summaries at law faculties around the world (but with more expletives).

Facts. Over the second half of 2014, the CRTC received a shitload of complaints about emails sent by Blackstone, advertising their educational and training services. There was an investigation, and Blackstone got a notice of violation of CASL from a “designated person” under CASL (some government official) to pay an AMP of $640,000. The notice said there were nine messaging campaigns totaling 385,668 CEMs sent without the consent of the recipients, who were generally federal and provincial government employees. Blackstone was none too happy, they said they had implied consent to send those CEMs, and appealed.

Issues. Straight from the decision:

  • Do Blackstone’s efforts to appeal the notice to produce affect the review of the notice of violation?
  • Did Blackstone commit the violations?
  • If yes, is the amount of the AMP appropriate?

Held. Blackstone fucked up, but the AMPs are way too high.

Ratio Decidendi. Look at me with the fancy Latin! It just means “reasoning” or “rationale”. So why didn’t I write that? I’m trying to impress women, obviously.

Let’s take the issues one at a time for the discussion of the ratio.

Do Blackstone’s efforts to appeal the notice to produce affect the review of the notice of violation?

This was a stupid procedural question so we’re not even discussing it. Suffice it to say, Blackstone appealed the first notice they got (to give some details, aka a “notice to produce”) to the Supreme Court of Canada, which was wrong and they were stupid for doing it. Go big or go home I guess. This had no effect on anything.

Did Blackstone commit the violations?

The CRTC reviews the law – what is a CEM and what is a CASL violation (sending a CEM without consent) . Blackstone sent CEMs and without the consent of the recipients, so QED. In more detail:

The Commission thus determines that the messages were sent for the purpose of advertising and promoting services commercially available from Blackstone, and were commercial electronic messages within the meaning of subsection 1(2) of the Act.

So yes, a CEM, And:

The notice of violation was also supported by witness statements from five complainants who attested to having received unsolicited messages from Blackstone to their email addresses, and indicated that they had no previous relationship with the company and had never consented to receive such messages. These statements supported the designated person’s conclusion that Blackstone did not have express consent to send the messages

But Blackstone claimed they had implied consent. Under CASL, consent to receive CEMs can be either express or implied. Implied consent can arise from the fact that there was “conspicuous publication of the electronic address in question”. Blackstone said it had implied consent

based on a broad assertion that the email addresses to which it sent messages were publicly available

The CRTC says, nuh-uh, nice try. There are way more requirements than the email just being publicly available:

The conspicuous publication exemption and the requirements thereof … set a higher standard than the simple public availability of electronic addresses. In particular, the electronic address to which the message is sent must not be accompanied by a statement indicating that the person does not want to receive unsolicited commercial electronic messages. The requirement that it be relevant to the recipient’s role or functions creates the condition that the address be published in such a manner that it is reasonable to infer consent to receive the type of message sent

In the notice to produce, Blackstone was asked to supply proof that the email addresses had all of this. Blackstone just ignored that request. They had nothing. So the CRTC holds that there is not any evidence there was implied consent, and so yes, there were CASL violations.

Is the amount of the AMP appropriate?

The CRTC reviews section 20(3) of CASL, which lists a crapload of factors (okay technically just nine, but the last one is “other relevant factors” so that makes it a crapload) for determining the amount of AMPs. They are fun things like the nature and scope of the violations, the company’s history of CASL violations, and ability to pay. The CRTC goes through each one of the nine factors in detail, which frankly I am not going to do. Overall, most factors indicate the AMP should be reduced.

There were some interesting tidbits in this analysis I’d like to bring up. So when discussing the “scope” of the violations, they say:

While the number of unsolicited messages sent by Blackstone was significant and the messages were disruptive, the duration of the violations in question of approximately two months was relatively short

So lesson #1 for spammers – if you want to send spam, you can send a lot but do it quick! Another interesting factor was Blackstone’s ability to pay. The CRTC says it ain’t so good, because “Blackstone is a small business”, so the AMP should be reduced.

There was one factor which should have made for a high AMP. Basically you need to be nice to the authorities:

In the Commission’s view, lack of cooperation where required by the Act is a factor that may speak to the necessity of a penalty to ensure compliance with the regime, and was appropriately introduced in the investigation report in the circumstances. Blackstone’s failure to respond to the notice to produce issued by the designated person, as well as its failure to act upon the subsequent Commission decision requiring that it do so, increases the need for a penalty to ensure Blackstone’s future compliance with the Act.

You will cooperate, dammit!

But overall, the $640k was way too high. The CRTC goes with $50k, a nice round number. And a hell of a lot less than $640k! The CRTC said the notice of violation placed way too much emphasis on general deterrence of other spammers:

To this end, the penalty set out in the notice of violation places great emphasis on the principle of general deterrence. The Commission accepts that this is a valid principle to be considered in the imposition of an AMP, but considers that the specific circumstances of Blackstone’s case, and the violations that have taken place, require a lower AMP.

Superterrific funtime happy hour discussion points and lessons

There are some other juicy quotes in here that may provide some actual important information for CASL, and how the CRTC will interpret things. So for example we know Blackstone did not cooperate, but really that wasn’t such a big deal:

(the CRTC) is concerned that the company did not cooperate with the investigation but recognizes that CASL is a relatively new regulatory regime and that Blackstone has no history of non-compliance under CASL or related acts

So the CRTC recognizes this is kind of a new thing (only 2+ years!) and maybe we should go easy on people. Especially if they have no cash.

Now, you would think that 385k+ CEMs would be a lot of violations. You’d be wrong!

the Commission determines, on a balance of probabilities, that Blackstone committed the nine violations of paragraph 6(1)(a) of the Act set out in the notice of violation

There was no real discussion of this point, but it would seem important. The CRTC decided that it was the “campaigns” that were violations, not the individual emails. Smarter colleagues than me point out two things: (1) because penalties under CASL can be up to $10M for each “violation”, making a distinction between individual emails and campaigns has ramifications for how AMPs can be calculated; and (2) when people can begin to sue under CASL as of July 2017, there may not be the crazy-ass class actions some of us thought there might be.

Finally, the CRTC spends a lot of time talking about Blackstone’s “potential for self-correction”. Because they did a couple of things that show they have the potential to be better, the AMPs should be much lower.

So in short, don’t spam, but if you do, do it quick and be poor and swear up and down you’ll be better next time. You’ll be ok.

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *