The CASL Fines are Starting to Pile Up

CASLThe CRTC recently rolled out another conviction under CASL.

Here are the barebones of CASL compliance from a video interview last January:

CASL is a piece of legislation with good intentions. It’s meant to enhance Canada’s economy and increase efficiencies by eliminating waste. That sounds great. What the government has done is passed a law that says if you send an electronic message to another person’s account you must have that person’s consent before you send that message. Notice it doesn’t say email. It says electronic communication. Notice it doesn’t say email account. The legislation reads, to an account. As a result it is so broad, so encompassing, that it catches every aspect of your business.

After talking about it since 2012, it was about a year ago that we started emphatically writing about Canada’s AntiSpam Legislation (“CASL”), when we wrote, “it is by far the most pernicious legislation I’ve ever seen.”

In another article we called it “corporate ebola” and elsewhere said that it poses a tremendous uninsurable risk for every business sending or receiving email in Canada.

We also warned that under CASL the CRTC (Canadian Radio-Television and Telecommunications Commission) had the power to obtain warrants, enforceable by the Royal Canadian Mounted Police. We can’t think of anyone who took it seriously at the time. They did when the CRTC obtained and enforced two warrants under CASL. Suddenly businesses were paying a bit more attention.

Other companies have treated CASL casually, and paid a hefty price. Look at CompuFinder (fined $1,100,000 for CASL infractions), Porter Airlines ($150,000), Plenty of Fish ($48,000), Rogers Media ($200,000) and Kellogg’s ($60,000).

From inside sources we know that Rogers’ legals for internal and external counsel was roughly $2,000,000, not including lost time and the resources then consumed by an after-the-fact compliance effort.

Look at the article here for background and links to prior articles spelling out what CASL is, what its requirements are, and why it will be extremely difficult to comply without a management-led attack on the issue.

The CRTC has told us it will enforce CASL to exacting high standards. An Enforcement Advisory published earlier this year described those very high standards.

That’s all background. On October 26, 2016, the CRTC found that Blackstone Learning Corp. committed nine violations of CASL by sending commercial electronic messages without consent, and imposed an administrative monetary penalty (AMP) of $50,000 on the company. The really scary part was that in the original notice of violation, the CRTC was seeking a AMP of $640,000. Six hundred and forty thousand dollars, for sending business emails.

Scary.

So picture Blackstone getting that Notice of Violation. Its board of directors had a difficult decision to make: pay the $640,000 AMP, or pay its lawyers a crippling amount of money to fight the CRTC in the hope of having that AMP reduced to a manageable level. I don’t know how much Blackstone paid, but I do know the legal industry, so my guess is the legals for this process were at least $300,000. Not an easy decision.

Blackstone sent emails primarily to government employees, advertising educational and training services offered by the company. The employees complained to the CRTC that they had not consented to receiving those emails. The onus was then on Blackstone to prove to the CRTC that it had prior consent to send the emails. Since Blackstone could not prove on a balance of probabilities that it had express or implied consent, the CRTC found Blackstone guilty.

The Blackstone facts also addressed the internet practice known as “scraping”. Also known as “web harvesting” and “web data extraction”, scraping is an automated process that extracts information from thousands of websites. In this context, the target information is all email addresses posted at that website, and then the scraper will use that contact information to market its services to those email addresses. How those publicly posted email addresses can be legally used is called “the conspicuous publication exemption”.

For the first time, the CRTC offered a detailed analysis of the “conspicuous publication exemption” found in section 10 (9)(b) of CASL. That’s the good news, as it provides guidance and some certainty for compliance departments and Heads of Risk. The bad news is, the CRTC interpreted the exemption fairly narrowly, which guarantees future violations.

Here’s the CRTC’s own words from section 28 of the reasons:

Paragraph 10(9)(b) of the Act does not provide persons sending commercial electronic messages with a broad licence to contact any electronic address they find online; rather, it provides for circumstances in which consent can be implied by such publication, to be evaluated on a case-by-case basis. Pursuant to section 13 of the Act, the onus of proving consent, including the elements of implied consent under paragraph 10(9)(b) of the Act, rests with the person relying on it.

In its reasons, the CRTC did knock down the AMP to $50,000 from its initial $640,000, but think of the incredible legal fees Blackstone had to incur to achieve that. And that’s the reason we get so worked up about CASL; it’s not the potential for fines, it’s the staggering legal costs involved in defending a Notice of Violation. There aren’t many companies that can digest millions of dollars of uninsurable legal fees.

And it’s going to get worse. As of July 1, 2017, the CRTC isn’t your worry. As of that date, a private right of action will be created, which means that anyone can sue you and allege that you breached CASL. Then, as the CRTC pointed out in Blackstone, “the onus of proving consent … rests with the person relying on it.

That private right of action is supportable by class action litigation, with plaintiff lawyers working on contingency. Meanwhile, the legal defence fees will be in the millions of dollars.

It’s cheaper to get into compliance than to pay your lawyers. Get into compliance with CASL now.




PreSeason, the NFL and CASL

NFLThe NFL is trying to clean up its thug image and, after the notoriety following Will Smith’s 2015 movie Concussion, is working hard to eliminate public perception that it doesn’t care about the physical well-being of its athletes.

Kerry Hyder is a defensive end in the Detroit Lions training camp, battling for a roster position. He’s been here before, in other training camps for other teams, trying to finally land a full-time football job. In venture capital terms, Hyder is post-startup but still minimal-revenue.

The National Football League recently fined him over $18,000 for roughing Cincinnati Bengals quarterback AJ McCarron in the third quarter of a relatively meaningless preseason game on Aug. 18. The play was so mild, so innocuous, that I can’t find video of it. It was just a normal part of an average boring preseason game, resulting in no injury, no victim, no ugliness, but yet, the regulatory body imposed a fine on the player after the game. He’s only making $1,000 a week during the preseason.

He’s not the only player to be fined this preseason by the NFL. Two others (Houston’s John Simon and the Seahawks Jarran Reed) were also fined for similar roughing infractions. Just in Week 1 of the preseason, seventeen players in total were fined for onfield play.

The NFL told its teams that it would be enforcing the roughing rules more closely, and has followed through on that with financial penalties. Other players have to be taking notice and consequently changing how they play the game to comply with the rules.

There are direct parallels between Hyder and your business. Think of the CRTC as the NFL. Think of all your daily electronic business communications as the game. And now, think of CASL as the rules the NFL-CRTC has told you it will enforce.

The CRTC (Canada’s Radio-Television and Telecommunications Commission) was created in 1976 to regulate broadcasting and telecommunications. It reports through the federal Minister of Canadian Heritage to Parliament. Enforcement of internet-related regulatory issues has grown into its area of jurisdiction, which means the CRTC is the primary body charged with enforcing Canada’s AntiSpam Legislation (CASL).

There is considerable background on CASL in this article with links to prior articles on what CASL is, why it exists, what are the basic requirements and why July 1, 2017 is going to be a terrible date for business. Please go back to those for context. We have repeatedly pointed out that the biggest CASL financial cost to a company will be its lawyers, with the actual fines being imposed by the CRTC coming second.

The CRTC has told us it will enforce the rules as written, and has told us what standards are expected of us. The Enforcement Advisory published earlier this year described the high bar that compliance with CASL must hurdle over. There will be fines levied for failure to comply.

In case you think you can ignore CASL, ask CompuFinder (fined $1,100,000 for CASL infractions), Porter Airlines ($150,000), Plenty of Fish ($48,000) or Rogers Media ($200,000) what they think. Inside sources have told us Rogers’ legal bills for internal and external counsel was roughly $2,000,000, not including lost time and the resources then consumed by an after-the-fact compliance effort.

To that list we can now add Kellogg Canada Inc. Kellogg’s, whose brands include Froot Loops, Special K, Pop-Tarts, Corn Flakes, Eggo and Rice Krispies, was fined $60,000 in August, 2016 because, “from 1 October 2014 to 16 December 2014, inclusively, messages were sent by Kellogg and/or its third party service providers … to recipients without consent of their recipients.” (from the CRTC’s webpage).

That CRTC investigation has been underway for some time. How much do you think Kellogg’s has paid to its lawyers to deal with this?

Just as the NFL followed through on its rules enforcement, so too is the CRTC. The Supreme Court of Canada in Guindon v Canada in 2015 said that Administrative Monetary Penalties (the fancy-pants way of saying “a fine”), the kind the CRTC can levy under CASL, are a valid part of the legal landscape, so expect to see further fines and settlements as other investigations wind their way through the system.

…and it’s only going to get worse!

As of July 1, 2017 (a mere ten months from now) CASL infractions will give rise to a private right of action, supportable by class action litigation. Anyone to whom you send an email or a text can sue you, and then the onus is on you to prove you had consent to send that message. Whether you had consent is irrelevant under CASL – you have to be able to prove you had that consent. So look at your record-keeping:  could you prove that today? If not, you are not CASL-compliant and your business is at risk.

It doesn’t matter that you may think the law is silly, disproportionate or inapplicable:  it exists and it applies to you. How much do you want to pay to your lawyers and the plaintiffs’ class action lawyers? Wouldn’t it be cheaper to simply comply with CASL?

Kerry Hyder’s play on AJ McCarron was innocuous but was outside of the clear rules of the game, resulting in a direct penalty imposed by the regulator. The same thing is happening with the CRTC and CASL.

We are in CASL’s preseason. The real season begins July 1, 2017. Learn the rules and play within them to avoid serious penalty.