In the Undertaking announced today by the CRTC, Gap, Inc has agreed to pay a $200,000 fine and to come into full compliance with An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, otherwise known as the Canadian Anti Spam Legislation or CASL for short. (for some strange reason our own Government refuses to use the short name and insists on using the full long name of the Act)
This law was passed in Dec 2010 and came partially into force in July 2014. ISED and the CRTC agreed to extend enforcement to July 2017 – a 3 year period – to allow organizations to clean up their lists and record consent in a way that can be recalled upon request. The private right of action – the primary enforcement tool – was also to come into force on July 1, 2017.
In their eagerness to protect businesses from incovenient and “frivolous” lawsuits, the then Minister of ISED, Navdeep Bains, “indefinititely postponed” the PRA. In doing so, most companies immediately ceased any CASL compliance activities thinking the law was not being aggressively enforced. And while the CRTC are not handing out fines left and right, they are indeed still monitoring the Spam Centre activity and taking action on organizations who are causing compliants from Canadian citizens. When “tall poppies” appear, they open investigations and make no mistake, the total cost of violating CASL only starts here. Ask any organization who has been investigated. Legal fees, staff time and resources begin to add up to real costs, on top of the fine and eventual cost of coming into compliance.
It is important for organizations to know exactly what Gap, Inc was fined for. According the the CRTC’s news release posted on the Response Marketing Association’s website, as well as the settlement notice the Undertaking included violations of paragraphs 6(1)(a) and 6(2)(c) and subsections 11(1) and 11(3) of the Act. So let’s unpack exactly what that means.
Paragraph 6(1)(a) consists of
“Requirements and Prohibitions
Unsolicited electronic messages
6 (1) It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless
(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and”
So clearly, the CRTC had tangible proof due to their full investigation of the Gap’s email practices that the Gap could not prove express or implied consent for some or all of the complaints they received in the Spam Centre. Note I did not say they they did not have consent of some form. They could not prove it. This is one of the cornerstones of a CASL Compliant Program. Every organizations must set up a series of processes to track and record each type of consent they wish to claim such that, upon request, they can prove that every name on their email list qualifies for either express or implied consent under the law. I wrote a series of detailed articles regarding the 5 types of CASL consent in order to help organizations understand their real obligations, which is also included in my book CASL Compliance: A Marketer’s Guide to Email Marketing to Canadians.
So now let’s examine Section 6(2) (c) which deals with:
“Contents of message
(2) The message must be in a form that conforms to the prescribed requirements and must
(c) set out an unsubscribe mechanism in accordance with subsection 11(1).”
The footer of every email message must contain:
- The legal name of the organization with their legal business address
- A contact person with 2 ways to reach that individual
- A working unsubscribe mechanism
Clearly the Gap was not consistent in ensuring these details were in every message sent. Whether it is a one-to-one email or a bulk promotional message, ALL emails sent must include these details in the footer. And if you are sending an email on behalf of another organization, you must include their details as well.
Then there is Section 11(1) and (3)
“Unsubscribe mechanism — section 6
11 (1) The unsubscribe mechanism referred to in paragraph 6(2)(c) must
(a) enable the person to whom the commercial electronic message is sent to indicate, at no cost to them, the wish to no longer receive any commercial electronic messages, or any specified class of such messages, from the person who sent the message or the person — if different — on whose behalf the message is sent, using
(i) the same electronic means by which the message was sent, or
(ii) if using those means is not practicable, any other electronic means that will enable the person to indicate the wish; and
(b) specify an electronic address, or link to a page on the World Wide Web that can be accessed through a web browser, to which the indication may be sent.”
Again, clearly the unsubscribe mechanisms in some of the messages sent, did not meet this standard – in other words, the unsubscribe mechanism failed to allow someone to easily unsubscribe. Nothing seems to frustrate people more than clicking on an unsubscribe link that does not work. Many consumers see this as a “sneaky ploy” as most brands have lost digital trust with their consumers. This and perceived lack of consent seem to cause the most compliants to the CRTC Spam Centre.
Section 11(3) states a specific period of time that a requested unsubscribe must be suppressed from further emails:
“(3) The person who sent the commercial electronic message and the person — if different — on whose behalf the message was sent must ensure that effect is given to an indication sent in accordance with paragraph (1)(b) without delay, and in any event no later than 10 business days after the indication has been sent, without any further action being required on the part of the person who so indicated.”
This tells us that the CRTC had proof that some people who tried to unsubscribed continued to receive emails after 10 business days. It is not the individual’s responsibility to remind an organization that they unsubscribed. Again, CRTC had clear proof that the Gap emailed people after they had unsubscribed and the Gap had no records to prove them wrong.
So while it is important to understand why they were fined, it is also critical to read the details of a Settlement Agreement to understand what the CRTC is looking for regarding CASL. In this case, as in almost all others, a settlement of even a violation has an official request (cannot be ignored) to come into full compliance with the law. In this case the language includes the following as a key part of the Undertaking:
“Amount owing and summary of other conditions
During the course of the investigation, Gap Inc. has cooperated with the CCEO. Gap Inc. has voluntarily undertaken, pursuant to section 21 of the Act, to resolve the CCEO’s outstanding concerns regarding Gap Inc.’s compliance with the Act and the Electronic Commerce Protection Regulations (CRTC), SOR/2012-36 (the Regulations (CRTC)), including undertaking to comply with, and ensuring that any third party authorized to send a CEM complies with the Act and Regulations (CRTC).
As part of this undertaking, Gap Inc. agreed to make a monetary payment of $200,000 to the Receiver General for Canada in accordance with subsection 28(3) of the Act.
In addition to the monetary payment, and in order to promote compliance with the Act and the Regulations (CRTC), Gap Inc. undertakes to update its compliance program addressing the sending of CEMs. This compliance program has included or will include:
- corporate compliance policies and procedures;
- training and education for employees of Gap Inc.; and,
- monitoring, auditing and reporting mechanisms.
In addition, Gap Inc. will monitor and review its policies and procedures to determine whether any have the effect of providing incentives for employees to violate the Act and the Regulations (CRTC) and, if so, Gap Inc. undertakes to eliminate such incentives.
Gap Inc. will also develop and provide periodic training programs, which include compliance procedures and processes to comply with Act, for employees involved with commercial electronic messages and related compliance.
Finally, Gap Inc. will register and track CEM complaints and the subsequent resolution of those complaints. Gap Inc. will also implement effective corrective measures for compliance failures and within six months of the effective date of the undertaking will supplement the information it has already provided to the CCEO of the corrective measures already implemented to date, as well as information supporting any updates to its Compliance Program.”
Yes, these are the clearly stated requirements of a CASL compliant program. But now it gets even more interesting. Add this up. Calculate what the total cost of a violation of CASL really costs an organization and you will come to the conclusion that, including the stain on the brand, it is just not a business risk worth taking. Yes, it’s true that you have a better chance winning a lottery than being fined by the CRTC under CASL, but there are lots of lottery winners out there. And clearly Gap, Inc just became one of those.
To ensure your organizations is fully CASL Compliant, start with a simple independent CASL Review. It is a cost effective way to understand your organization’s gaps and it allows your organization to create a project lists of actions that must be taken, including a “by when”. To learn more, email us at info@newportthomson.com or purchase my book and do your own internal assessment – CASL Compliance: A Email Marketer’s Guide to Emailing Canadians
Unfortunately your work in this area is not yet done. Quebec just passed Bill 64, a tough consent law that includes many things that CASL does not. If you collect personal data of individuals and use them in any manner (email, profiling, serving up ads, geo-location, etc) stay tuned for details, but you might consider starting on the first two elements that come into force in September 2023 – only 9 short months from now.