U.S. Companies Lack Knowledge of Canada Anti-Spam Law

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Peter Menyasz

July 28—Canada's telecommunications regulator has issued an enforcement advisory telling businesses to keep track of customers' consent to receive e-mails, but many U.S. companies may not even be aware the requirements that apply to them, attorneys told Bloomberg BNA.

The Canadian Radio-television and Telecommunications Commission (CRTC) issued the advisory to remind businesses that they must keep records of consent for all customers, Patricia Valladao, an agency spokeswoman for the regulatory agency, told Bloomberg BNA July 28.

Melissa Krasnow, a partner with Dorsey & Whitney, told Bloomberg BNA July 27 that U.S. companies may not be aware of the obligations under Canadian law.

“I would question whether there's an awareness of the Canadian requirements altogether,” Krasnow said.

It will likely take a multi-million-dollar penalty against one U.S. company before others take notice and ensure they comply with the rules on e-mailing their Canadian customers, she said. “That will definitely get attention,” Krasnow said.

The CRTC has fined Canadian firms through consent agreements, including Sirius XM Canada Inc. (C$650,000) (15 PVLR 1402, 7/4/16).

Valladao agreed that U.S. companies “may not be fully aware of” the Canadian anti-spam law but couldn't discuss “specific cases, due to their confidential nature.”

The regulator stressed in the advisory that Section 13 of Canada's anti-spam legislation (CASL) requires the person sending an e-mail to have express or implied consent from the consumer. That applies even if the sender has an existing business relationship with the consumer, it said.

If found guilty, wrongdoers may face fines, per violation, of C$10 million ($7.6 million) for businesses and C$1 million ($760,000) for individuals, Valladao said.

The CRTC and the U.S. Federal Trade Commission have entered a mutual anti-spam enforcement cooperation agreement (15 PVLR 674, 3/28/16).

Need to Prove Consent

Paige Backman, chair of the Privacy & Data Security Team at Toronto-based Aird & Berlis LLP, told Bloomberg BNA July 27 that the advisory is a good reminder to businesses that they must be ready to prove consent to send customers e-mails if questioned by the regulator, but it doesn't provide guidance on how companies may comply.

The regulator may send a company a list of hundreds of e-mails and demand proof of consent for each one, she said. It may also require evidence that each e-mail also meets other requirements of the anti-spam law, such as proper opt-out mechanisms, Backman said.

“It isn't commercially reasonable,” she said. “It's a very real challenge for business to comply with this legislation.”

Jillian Swartz, a technology law partner in Toronto law firm Allen McDonald Swartz LLP, told Bloomberg BNA July 27 that compliance is particularly difficult for small and medium-sized businesses that don't have the resources to track e-mail contacts in such detail.

Ideally, a company's computer system should check a contact management database to ensure up-to-date consent before an e-mail is sent, but most large companies aren't even able to do that, Swartz said.

Small Bark, Large Bite

Swartz said that the regulator has limited resources and only takes action against companies for which it has received many complaints, she said. “But once they get their teeth into you, good luck,” she said.

Businesses should consider keeping a hard copy or electronic record of express and implied consent, such as audio recordings, copies of signed consent forms and completed electronic forms, as well as documenting how consent was obtained, policies and procedures on compliance and opt-out requests and how they were handled, the regulator said.

Good record-keeping may help businesses identify potential non-compliance, investigate and respond to consumer complaints, show that complaints were resolved and establish a due diligence defense if there is a violation.

To contact the reporter on this story: Peter Menyasz in Ottawa at correspondents@bna.com

To contact the editors responsible for this story: Donald G. Aplin at daplin@bna.com ; Daniel R. Stoller at dstoller@bna.com

For More Information

Text of the CRTC enforcement advisory is available at http://news.gc.ca/web/article-en.do?nid=1104989.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security