On April 23, 2019, the Canadian Radio-television and Telecommunications Commission (CRTC) found that nCrowd Inc. (nCrowd), a company involved in the sale of electronic coupons, violated Canada’s anti-spam legislation (CASL)1 for sending emails to Canadian consumers without their consent or a proper unsubscribe mechanism. Perhaps more importantly, the CRTC also found nCrowd’s director, Brian Conley (Conley), vicariously liable for acquiescing in these violations and imposed an administrative monetary penalty of $100,000 on Conley personally.
In April of 2015, CRTC staff began investigating numerous consumer complaints that nCrowd had sent emails without consent and with no available unsubscribe option. CRTC staff discovered a complex corporate network through which nCrowd and its affiliates sold electronic coupons to consumers on a range of deals and promotions from legitimate merchants. nCrowd’s email distribution list exceeded 1.9 million addresses. Through a series of acquisitions, foreclosures and bankruptcies, the nCrowd network of corporations had been able to grow the mailing list without assuming the liabilities of the predecessor companies. However, these transactions also impacted the business itself as merchants were not paid by successor companies, prompting the merchants to refuse to ship products, which affected consumers who had purchased the coupons.
The investigation uncovered a largely inaccurate and incomplete email distribution and consent-tracking list. The deficiencies noted by the CRTC staff were extensive: the type of consent listed for all email addresses was listed as “explicit,” even though many of the addresses were generic or belonged to institutional or government domains; the date on which consent was obtained was obviously inaccurate or had been altered (for example, consent for approximately 80% of the email addresses was obtained on the same day); the unsubscribe process was non-compliant; and appropriate steps to fix the unsubscribe process were never taken. The CRTC also noted the use of “pixel tags” by the nCrowd, which is a way of tracking email open rates. The CRTC pointed out that the use of this tracking technology is not evidence of consent to receive the messages in the first place.
The CRTC held that nCrowd violated paragraphs 6(1)(a) and 6(2)(c)2 of CASL by sending commercial electronic messages to individuals without their consent (express or implied) and by failing to conform with the unsubscribe requirements within the legislation.
The CRTC stated that the date on which consent was obtained was an essential component to proving consent. The lack of evidence of a valid date made it impossible for the CRTC to verify whether express had been obtained or whether implied consent arising from an existing business relationship could be relied upon. Accordingly, the CRTC found that nCrowd did not discharge the onus on it of proving that the emails had been sent with the consent of the recipients.
Further, the CRTC held that nCrowd’s emails did not have a functioning unsubscribe link, unsubscribe requests were not given effect, and nCrowd failed to prove that any policy or procedure was in place relating to its unsubscribe mechanism. Therefore, the emails did not conform with the prescribed requirements under the legislation and unsubscribe requests were not properly managed.
Section 31 of the CASL provides that an officer, director, agent, or mandatary of a corporation that commits a violation is liable for the violation if he or she directs, authorizes, assents to, acquiesces in, or participates in the commission of the violation, whether or not the corporation is proceeded against. The CRTC determined that Conley was familiar with both the importance and management of the email distribution list, and that he either must have known about the problems or turned a blind eye to those problems.
In assessing the administrative monetary penalty, CRTC stated that the central purpose of the penalty was to promote compliance with the Act and that the penalty must serve as a deterrent for future non-compliance. Although Conley argued that he was unable to pay the penalty, he did not provide fulsome documentation to back up this claim. As a result, the CRTC determined that the proposed penalty of $100,000 did not exceed Conley’s ability to pay and that it was reasonable and necessary to promote compliance.
Issues of Note
In 2017 the CRTC staff also issued a Notice of Violation to Mr. Ghassan Halazon, (Halazon) a director of Couch Commerce Inc. (another company involved in this email venture) and then a further warning letter. According to the CRTC’s news release, “new compliance issues” had arisen regarding another company (of which Halazon was a director) that seemed to be a successor owner of the email list. However, in settlement, Halazon entered into an undertaking with the CRTC to address these issues, which included a $10,000 penalty and a compliance program. The amount of this penalty, when compared to the penalty levied against Conley, seems designed to promote and encourage compliance.
In addition to pursuing corporate directors, the CRTC sent out warnings to the companies’ email service providers, Salesforce.com and Sailthru, Inc. The CRTC reiterated its previous interpretation of CASL that service providers who play a “material” role in the content of a message or the choice of recipients need to be identified in the message. In the case of these two service providers, some of the messages did not properly identify them, yet their solutions adapted messages based on recipients’ profiles and behaviours and sent emails with dynamically generated content; this was enough to meet the “materiality” test.
CASL was introduced to protect consumers and businesses from the misuse of digital technology, including spam and other electronic threats. One of the intended consequences of the legislation is the requirement that companies become more disciplined in managing their electronic marketing programs.
The enforcement decision against nCrowd and Conley reiterates the importance of implementing and maintaining proper email distribution and consent-tracking practices. The decision reminds businesses that these obligations include, but are not limited to:
- Maintaining an up-to-date consent list indicating the valid date on which each consent was obtained;
- When relying on the existing business relationship form of implied consent, respecting the applicable time limits for sending messages;
- Not using generic email addresses obtained online; and
- Ensuring that unsubscribe links function properly for a period of 60 days after each message is sent and giving effect to these requests within 10 business days of the date of sending.
Additionally, email service providers cannot assume that they are mere passive “pipelines” for electronic messages. If they take a role in message content or recipient selection, they need to be identified in the message as well.
The enforcement decision further signals that adherence to CASL is not just for corporations. By issuing Notices of Violation against directors personally, the CRTC warns those involved that they can be held liable even where they are merely silent or tacit in the commission of a violation.
For further information regarding this matter, please contact Bernice Karn or any other member of the Information Technology & Data Privacy Group.
1 An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c 23.
2 6(1) It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless
(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and
(b) the message complies with subsection (2).
(2) The message must be in a form that conforms to the prescribed requirements and must
(c) set out an unsubscribe mechanism in accordance with subsection 11(1).