CASL made clearer: CRTC releases its first compliance and enforcement decision under Canada’s anti-spam legislation

Data Protection, Privacy and Security Alert

The Canadian Radio-Television and Telecommunications Commission (CRTC) has issued its first Compliance and Enforcement Decision for violation of Canada's anti-spam legislation (CASL).

Until now, CRTC CASL enforcement actions have taken the form of settlements reached in confidential negotiations between the  Enforcement Branch and the company. But this decision, released on October 26, 2016, is significant because it is the first CASL enforcement decision to provide guidance on compliance.  

The decision contains several important lessons about regulation of commercial electronic messages (CEMs) in Canada before class action enforcement opens on July 1, 2017.

Background to CASL and CEMs

CASL went into force on July 1, 2014 and created a comprehensive regime of offences, enforcement mechanisms and penalties prohibiting the sending of an unsolicited or misleading  CEM. A CEM is defined broadly. It means any electronic message (not just an email) one of whose purposes is to encourage participation in commercial activity. CASL has rigid requirements regarding CEMs: the recipient of the CEM must have provided consent (express or implied) to receive the CEM, and the CEM must comply with specific formalities set out in the legislation, including disclosure of contact information and an effective unsubscribe mechanism. Violation of CASL's CEM rules can result in an administrative monetary penalty (AMP) of up to $10 million per violation, civil liability (through a private right of action which comes into force on July 1, 2017), and vicarious liability on employers, directors and officers who are unable to prove that they exercised due diligence to prevent the violation.

The CRTC's decision

In its decision, the CRTC found that Blackstone Learning Corp., an Ontario company engaging in educational and training programs and services, committed nine violations of CASL in the summer of 2014 by sending 385,668 CEMs in nine messaging campaigns to employee electronic addresses at twenty-five government organizations without the consent of the recipients.  An AMP of $50,000 was imposed against Blackstone.

The CEMs at issue came to the attention of the CRTC because they triggered approximately sixty complaints to its Spam Reporting Centre. An investigation was launched, and on January 30, 2015, the company was issued a notice of violation under CASL. The notice of violation set out an AMP of $640,000.1

Under CASL, when a company refuses to pay the AMP in the notice of violation and challenges the decision, the CRTC must decide, on a balance of probabilities, whether the company committed the violations alleged in the notice of violation and, if so, whether to impose the AMP set out in the notice of violation. The CRTC has the power to vary the amount of the AMP, suspend it subject to conditions, or waive it altogether.

Blackstone exercised its right to challenge the notice of violation issued against it. Blackstone’s primary arguments were that it had implied consent to send the CEMs and that the amount of the AMP was unreasonably high.

Blackstone conceded that it had sent the CEMs in question, but argued that it had obtained implied consent to send them because the email addresses to which the company sent CEMs were publicly available; that is, Blackstone tried to rely on what has come to be known as the “conspicuous publication exemption” in CASL.2 The CRTC rejected this position. The CRTC stated that, if the recipient had no prior or existing business or non-business relationship with the company, implied consent to send unsolicited messages to conspicuously published contact information could arise only with respect to messages relevant to that person’s employment role. The CRTC stated that “the Act does not provide persons sending commercial electronic messages with a broad licence to contact any electronic address they find online; rather, it provides for circumstances in which consent can be implied by such publication, to be evaluated on a case-by-case basis.”3

In the result, as Blackstone was unable to provide proof that it had obtained express or implied consent to send the CEMs, the CRTC determined, on a balance of probabilities, that the company committed the nine violations of CASL as set out in the original notice of violation.

In assessing the reasonableness of the $640,000 AMP set out in the notice of violation, the CRTC considered, among other factors, the company’s ability to pay the penalty. While Blackstone’s ability to pay could not be assessed initially because the company did not provide financial information as required in the notice to produce, along with its submissions, the company did submit unaudited financial statements for the preceding two years. The CRTC accepted that Blackstone is a small business and the AMP would represent several years’ worth of the company’s revenues. 

Blackstone’s demonstrated lack of cooperation by refusing to respond to the notice to produce documents was taken into account.  However, the CRTC noted some attempt had been made by Blackstone to self-correct, because the company had made some enquiries to the Department of Industry before CASL came into force and to the investigator in response to the notice to produce. Further, the decision noted that, in the summer of 2014, Blackstone did not have the benefit of more recent guidance published on the topic of implied consent to send CEMs4 and that this may have contributed to the company’s erroneous belief that it had adequately obtained consent. The CRTC also noted that the company had no history of violations of under CASL or other related statutes.

Taking these and other factors into consideration, the CRTC concluded that a much lower AMP of $50,000 was proportionate to the circumstances of the case and reasonable to promote Blackstone’s compliance with the Act.

Important CASL lessons

This decision has five key takeaways:

  1. It can be extremely valuable for a company to exercise its right to contest an AMP imposed by notice of violation. In Blackstone’s case, the CRTC reduced Blackstone’s AMP from $640,000 to $50,000. 
  2. The messages need not mention any specific commercial terms to qualify as CEMs under CASL. In Blackstone’s case, the CRTC found that the nature of the language used in the emails, including references to discounts and group rates, conveyed that services were available for purchase from Blackstone.
  3. For the purpose of relying on the conspicuous publication exception, the public availability of an email address is insufficient. In order to properly rely on the exception, there must be, in addition to conspicuous publication of the email address by or on behalf of the recipient, no statement refusing CEMs, and the messages in question be relevant to the recipient's business, role, functions or duties.
  4. General assertions of implied consent will never suffice. Implied consent must be supported with evidence as to where and when the company discovered the recipients' addresses and how the company determined that the messages it was sending were relevant to the roles or functions of the recipients.
  5. Factors considered when determining the appropriate amount of the AMP include the following:
        • The object of the penalty is to promote changes in behaviour, not to destroy the business. The CRTC concluded that Blackstone's limited ability to pay merited a lower penalty than the one set out in the notice of violation.
        • Unaudited financial statements can be admitted as evidence of ability to pay an AMP.
        • The number of complaints received about the CEMs will be relevant to enforcement decisions. In Blackstone’s case, the 60 or more unique submissions to the Spam Reporting Centre, as well as correspondence with some of the complainants, reflected that the messages were unwelcome and caused nuisance and frustration.
        • The time period over which the CEMs were sent is relevant. In Blackstone’s case, the two-month duration of the violations was considered relatively short and suggested a lower penalty than set out in the notice of violation.
        • The extent of cooperation during an investigation will affect the amount of the AMP. The CRTC stated that Blackstone’s failure to cooperate with the investigation increased the need for a penalty.
        • Demonstrating a good faith intention to comply with CASL and self-correct in the event of a violation will suggest a lower AMP.

Find out more about addressing CASL issues, including CASL compliance audits and disputes with regulators, by contacting Kelly Friedman or Tamara Hunter.


[1] Blackstone received a notice to produce documents on November 7, 2014. Blackstone requested a review of the notice on December 4, after the deadline for production had passed. The CRTC denied this request on January 22, 2015, and the notice of violation was issued the following week.

[2] Section 10(9)(b) of CASL provides that consent can be implied when publication of contact information is conspicuous, the publication is not accompanied by a statement that the person does not want to receive unsolicited CEMs, and the CEM is relevant to the recipient’s business, role, functions or duties in a business or official capacity.

[3] Para. 28.

[4] Such as the CRTC's Guidance on Implied Consent, published on  September 4, 2015 available here  and discussed here