Canadian Radio-television and Telecommunications Commission (CRTC) chairman Jean-Pierre Blais takes part in a news conference in Gatineau, Que. on June 27, 2013. Mr. Blais said the commission would is targeting the “most egregious” violators of Canada’s Anti-Spam Legislation.© Chris Wattie / Reuters/Reuters
Uniformed officers have been knocking on the doors of Canadian businesses all year, but they're not police, tax authorities or securities regulators.
They're from the Canadian Radio-television and Telecommunications Commission and they're on the hunt for spam.
The enforcement branch of Canada's broadcast and telecom regulator is responsible for tracking down violators of Canada's Anti-Spam Legislation (known as CASL), and, as promised, they aren't messing around.
"The CRTC has a team of highly qualified people ready to start enforcing CASL. We have former RCMP officers, major criminal investigators and sophisticated computer forensics experts who will be leading these efforts," Jean-Pierre Blais, chairman of the commission, told a Toronto audience in June, 2014, shortly before the new law took effect. "Enforcement is now in the CRTC's DNA."
He said the commission would target "the most egregious violators: the high-volume spammers, the malicious URLs and the 'botnets' located in Canada," adding, "If you abide by the law, you have nothing to fear. Good corporate citizens will be in good standing."
Since then, the enforcement branch has announced three settlements with well-known Canadian companies – Rogers Communications Inc., Porter Airlines Inc. and dating website Plentyoffish Media Inc. – for violations related to sending commercial e-mails without an option to unsubscribe or with faulty unsubscribe functions.
Manon Bombardier, chief compliance and enforcement officer at the CRTC, says the uniforms her team wears are partly for the officers' safety and also help win co-operation from the targets of their investigations. "When an officer comes into a business with a uniform, there's collaboration almost instantly."
That tactic may have helped with those three companies, which agreed to pay a total of $398,000 between them and all worked collaboratively with the CRTC, Ms. Bombardier said. In a less co-operative case, the commission issued a $1.1-million fine against Compu-Finder, a professional services training company, for sending commercial e-mails without consent and with faulty unsubscribe mechanisms.
A cottage industry has sprung up around CASL compliance with many lawyers now devoting their entire practices to it and recent blog posts from the legal community have questioned whether only "perfect" compliance is acceptable.
David Elder – a partner with law firm Stikeman Elliott LLP in Ottawa who has represented clients both on interpretation of the law and in investigations – says the first year and a half under CASL has proved many fears correct, arguing that enforcement actions have primarily targeted legitimate domestic companies. He says there is a lack of clarity around how the CRTC decides which cases to investigate, little transparency around the process of agreeing on a monetary fine and scant consideration of the defence of due diligence for companies that have put systems in place to try to comply with the law.
In early December, the CRTC said it served its first warrant under CASL, working with international partners to take down a server in Toronto that was associated with a malware family that has infected computers in more than 190 countries. Mr. Elder called that move encouraging.
"A lot of the bad actors are offshore, which does complicate investigation and enforcement. But at the same time, it's not clear that the objectives of the law are being well-served if they just go after the low-hanging fruit," he said.
Yet, Ms. Bombardier says the commission has only published the results of four investigations so far. "We've completed and closed 30 investigations in 2015," she said, adding that on top of the published cases, her team issued 15 warning letters and one citation and that not all investigations lead to enforcement action.
The CRTC received 460,000 reports of spam from Canadians in 2015, she said, and it must look for trends and patterns in the data to determine which companies to pursue.
"We're very proportionate in our approach. If we see a problematic practice in a sector or a large volume being sent by a particular player, we'll look at those. We're not looking at one or two spam messages. And we publish results, which we hope informs businesses of our concerns and helps them focus their attention in those areas so they're compliant."
Regarding the amount of the penalties, once more investigations have been concluded, there will be a number of precedents that will help, Ms. Bombardier said, adding, "Each case is different. So there's no magic formula, it's case by case."
Network security firm Cloudmark published a report in April noting a 37-per-cent reduction in spam originating from Canada and also reporting that Canadians received 29 per cent less e-mail after CASL took effect as marketers decided against sending e-mail that "was not technically spam but did not meet the stringent requirements for affirmative consent."
Mr. Elder says it remains difficult to understand how to interpret the law and there is a need for better guidance. "Regulators like to leave things open-ended, but it creates uncertainty and a chill in the business community. People end up erring on the side of caution and curtailing marketing."