CRTC CASL Enforcement Update

We can all help the CRTC enforce CASL.

Report all of your spam messages to spam@fightspam.gc.ca. If we all forward our spam to the Spam Reporting Centre, the bad actors will pop up like tall poppies. The CRTC will know who to investigate for what, and fines/undertakings/violations will follow when appropriate. Here are the Enforcement Highlights from October 1, 2021 to March 31, 2022:

Dark Web Investigation

As part of an investigation, in January 2021, the CRTC’s Chief Compliance and Enforcement Officer issued administrative monetary penalties totalling $300,000 to four Canadians for their involvement with a company in the Dark Web Marketplace known as CanadianHQ.

The CRTC’s actions resulted in the shutdown of CanadianHQ, which was one of the largest Dark Web marketplaces of its kind in the world and a significant contributor to harmful cyber activity in Canada. The CRTC’s investigation focused on four individuals who allegedly sent emails that mimicked well-known brands in order to obtain personal data including banking credentials and other sensitive information.

This investigation has also allowed the CRTC to identify a number of other vendors where it expects to take additional enforcement actions.

To find out more on the CRTC’s investigation of CanadianHQ, consult the CRTC’s news release on Targeting the Dark Web Marketplace.

Complaints from Canadians support CRTC’s investigation

In December 2021, the CRTC reached an agreement with Gap Inc. (Gap) for allegedly violating CASL. In addition to implementing corrective measures, Gap agreed to make a payment of $200,000.

As part of the investigation, the Chief Compliance and Enforcement Officer had reason to believe that Gap sent commercial electronic messages to Canadians without the necessary consent. Gap’s messages also allegedly did not consistently include either an unsubscribe mechanism or an unsubscribe mechanism which could easily be performed.

Upon being made aware of the Chief Compliance and Enforcement Officer’s concerns, Gap proactively made changes to its marketing practices to meet CASL requirements.

This investigation was supported by complaints received from Canadians. Canadians are encouraged to report spam and suspicious practices to spam@fightspam.gc.ca or by using the Spam Reporting Centre’s (SRC’s) online form.

Some email addresses will be considered personal information under the revised PPIPS, impacted by the passing of Bill 64 last September. If we are reading the revisions correctly, an individual’s business email address is NOT considered personal information, so B2B has a little wiggle room. But this means there will be another enforcement body monitoring your email spam activities – the Commission d’accès à l’information du Québec, or CAI for short. They will be the enforcement body for this tough new data protection and privacy law, which will impact any organization that operates across Canada. Quebec represents 22.5% of the Canadian population, so it stands to reason that anyone with a national database will have 20-25% of that list residing in Quebec – so PPIPS applies.

Unlike the GDPR, which allowed 3 lawful bases for private sector organizations to process an individual’s personal information (CONSENT, CONTRACTUAL and LEGITIMATE INTEREST), Quebec chose to include only CONSENT and CONTRACTUAL. To understand the significance of this decision, one must consider that 95% of business being done under the GDPR is claiming LEGITIMATE INTEREST!

CONTRACTUAL means you can use personal information in order to fulfill a contract or purchase (no more, no less), so it is for existing customers only.

CONSENT is for all non-customers or prospects. The problem is the consumer, who is in no mood to issue CONSENT to businesses they do not trust. And make no mistake, consumer trust regarding their privacy is at an all-time low! So, from where we sit, something has got to give, and we are pretty sure it will not be the CAI, who will likely be eager to use their newfound enforcement powers aggressively. PPIPS also includes a private right of action, something businesses have been deathly afraid of (see CASL enforcement, or the lack of it, since the government indefinitely postponed the PRA built into CASL). The CRTC continues to enforce CASL as noted above but, as I often say, a business has a better chance of winning a lottery than being fined by the CRTC. Having said that, there are quite a few lottery winners out there!

What is a Marketer To Do?

First, complete a Privacy Review to accurately compare your current practices with the laws in the jurisdictions you do business in. The resulting Gap Report will provide a good overview of your path to compliance, including timelines and costs. Next, you can complete a high-level risk assessment for your organization. With these two valuable tools, executive management and the marketing team can make intelligent business decisions.

Once again, from our point of view, marketing should take a hard look at which media they use for each business objective they are trying to achieve. For example, email may become a very effective customer relationship tool, but may be a very risky medium to use for prospecting for new customers. Traditional advertising may return to the mix, as it is exceptional at creating awareness and helping to differentiate a brand (when done well). Either way, marketers have some thinking to do given these new realities.

We operate at the intersection of marketing and privacy. If we can help, reach out at info@newportthomson.com.
