The Office of the Privacy Commissioner of Canada (OPC) has concluded its first investigation under the "address-harvesting" provisions added to PIPEDA by the enactment of Canada's anti-spam legislation (CASL). The OPC’s Report of Findings suggests that adequate record keeping continues to be central to demonstrating regulatory compliance—as such, businesses should review their CASL and privacy record keeping practices regularly.
What You Need To Know
- Both the OPC and the Canadian Radio-television and Telecommunications Commission (CRTC) are willing to enforce CASL against the same businesses, including ones that have already received penalties.
- The CRTC found that Canadian corporate training company Compu-Finder had sent commercial electronic messages (CEMs) without the recipient's consent and without an adequate "unsubscribe" mechanism, and fined the company $1.1 million for these violations.
- The OPC also investigated Compu-Finder and concluded that the company's practices did not comply with its privacy obligations under CASL. In the course of its investigation the OPC entered a compliance agreement with Compu-Finder pursuant to which it will closely monitor the company’s progress in respect of its various recommendations.
- The OPC will investigate CASL violations through the same framework it uses to assess other PIPEDA violations, using the Schedule 1 privacy principles.
- Like the CRTC, the OPC will expect companies to maintain detailed records of how they obtained consent to send CEMs, that the CEMs actually sent meet the requirements of the form of consent relied upon, and that the consent remains current and valid.
Background and Analysis
CASL prohibits the sending of CEMs—any electronic message with a purpose of encouraging commercial activity —without the express or implied consent of the recipient. In March 2015, the CRTC issued a Notice of Violation with a fine of $1.1 million to Compu-Finder for breaching CASL, finding that the company sent CEMs without recipients’ consent, and which contained an ineffective unsubscribe mechanism.
In November 2014, the OPC launched an investigation into Compu-Finder. This was the first action taken by OPC under the "address-harvesting" provisions added to the Personal Information Protection and Electronic Documents Act (PIPEDA) by the enactment of CASL.
The Importance of Candid Responses, Supported by Legal Advice
Procedurally, the OPC raised concerns about the integrity and comprehensiveness of Compu-Finder's representations throughout the investigation. Compu-Finder acknowledged that its submissions were imprecise, but explained that it had not engaged external legal counsel to assist with the investigation. In the current environment in which class action lawsuits quickly follow regulatory enforcement, and given the private right of action in CASL set to come into force in 2017, companies should consider engaging counsel at the outset of an investigation to help defend a regulatory complaint in a manner that anticipates, and reduces, the risk of subsequent civil litigation.
The Intersection Between CASL Exceptions and PIPEDA Requirements
Substantively, the OPC found that Compu-Finder "was not aware of, or did not respect, its privacy obligations" and lacked "a basic privacy accountability framework," finding that the company could not satisfy the requirements of express or implied consent to CEMs:
- Telephone. Since CASL came into force, marketers have been advised to phone prospective customers and to obtain their consent to receive CEMs. The OPC found that Compu-Finder’s telemarketing script did not explain the purpose for requesting email addresses or how they would be used. As such, the calls did not result in valid express consent to send CEMs.
- Customer Inquiries. CASL includes an exception to the consent requirement for CEMs sent in response to an inquiry from a customer or that are otherwise solicited by the recipient. However, this may not satisfy the consent requirements under PIPEDA. The OPC found that Compu-Finder's websites that permitted customers to sign up for newsletters or submit inquiries did not include privacy policies that explained the purposes of the collection and use of email addresses and other personal information.
- Online Bios. CASL deems consent to receive CEMs to be implied if (a) the recipient has conspicuously published his or her email address without a statement that the recipient does not wish to receive unsolicited emails, and (b) the CEM is relevant to the recipient’s business capacity. Compu-Finder claimed that it manually collected email addresses from business directories and resources such as online bios on websites; however, the OPC found that some of the email addresses in Compu-Finder's database were likely collected using harvesting software. In addition, many of the websites from which Compu-Finder collected email addresses contained non-solicitation statements, and the CEMs sent to many of these addresses were not relevant to the recipients' business functions. The OPC considered these factors not in the application of the CASL implied consent provision, but to assess whether the PIPEDA requirement for knowledge and consent regarding the collection and use of personal information had been fulfilled.
The Critical Role of Detailed Record Keeping
Throughout its Report of Findings, the OPC raised concerns with Compu-Finder's record-keeping practices. The investigation concluded that the company could not support its claims of express consent with "any documentary evidence whatsoever." The OPC found that invoices issued to corporate customers did not support the implied consent of other employees of those companies to receive CEMs. The Report further noted that Compu-Finder "did not have a means of knowing whether a particular message would be relevant to an individual’s activities"—i.e., the company had no record of the recipient’s business role or responsibilities, such that it could not prove the relevance of the CEMs sent to that individual.
Compliance Agreements will be Onerous when Violations Established
In the course of its investigation, the OPC issued a preliminary report of findings to Compu-Finder, recommending that it overhaul its privacy compliance program. The OPC entered a compliance agreement with the company pursuant to which it will closely monitor the company’s progress in respect of the various recommendations, including appointing an individual responsible for compliance, implementing privacy policies, employee training, record keeping, maintaining transparency around the purposes for which it collects and uses personal information, and destroying email addresses that were not validly collected. The OPC further requested that Compu-Finder commission an independent, third-party audit of its revised privacy program, and submit the report to the regulator within nine months.
Although the OPC's jurisdiction does not include the same power to issue monetary penalties as the CRTC holds in respect of CASL enforcement, the Commissioner’s detailed analysis of the application of PIPEDA and the regulator’s expectations in respect of electronic marketing practices may well have a greater deterrence and compliance impact on Canadian businesses than the $1.1 million fine previously assessed against Compu-Finder.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2019 by Torys LLP.
All rights reserved.