By Sarah Dobson
An Ontario CEO is facing a penalty of $100,000 after the Canadian Radio-television and Telecommunications Commission (CRTC) found he was liable for violations of Canada’s Anti-Spam Law (CASL).
It’s the first time the commission has imposed a penalty for a CASL violation on a director but not on his companies, according to Bradley Freedman, partner and national co-leader of the cybersecurity group at BLG in Toronto.
“To be more precise, there’s a provision in CASL that allows penalties to be imposed on an officer or director of a company even if the company is not proceeded against… that’s the novelty of this decision.”
The CASL legislation is meant to protect consumers and businesses from the misuse of digital technology, including spam and other electronic threats. These can include the installation of computer programs without consent; false or misleading electronic representations; the harvesting of addresses without permission; and the unauthorized alteration of transmission data.
And the case involving CEO Brian Conley shows the CRTC is willing to pursue complex schemes involving violations of CASL, said Martin Kratz, a partner at Bennett Jones in Toronto.
“This case is also a good reminder that liability under CASL can potentially extend to a corporation’s officers, directors, agents or mandataries if such individuals directed, authorized, assented to, acquiesced in or participated in the commission of a CASL violation.”
The CRTC is sending a message that directors and officers need to pay attention, said Richard Austin, a partner at Deeth Williams in Toronto.
“Whether you call that a shot across the bow, whether you call that a reminder of the importance of complying with laws, whether you say it's an issue that directors and officers… or individuals who are thinking about becoming directors and officers need to take into account — it's a timely message.”
Various companies involved
Between 2014 and 2015, Conley’s company nCrowd and its subsidiaries sent commercial electronic messages (CEMs) without consent and without a functioning unsubscribe mechanism, according to the CRTC.
CASL requires that CEMs be sent with consent, include prescribed language to identify the sender and include the prescribed form of unsubscribe mechanism.
The commission also found Conley acquiesced in these violations, in turning “a blind eye to the practices being employed at his companies in terms of the acquisition and use of email distribution lists, despite the fact that, in this line of business, an email distribution list is one of the most important assets through which to generate revenues.”
The email distribution and consent-tracking lists were “largely inaccurate, incomplete and altered,” said the CRTC.
When you read the facts of the case, either in the enforcement decision itself or in some of the related documents published by the CRTC, the outcome really is not surprising, said Freedman.
“There were these two entities, nCrowd and Couch Commerce, and they were both using multiple companies, creating them, winding them up, transferring assets between them. It seems the purpose was trying to shield the assets and avoid liability, and, at the end of the day, it may be the CEO was the only person that had any assets, and deterrence mandated that an administrative penalty be imposed on the director himself, rather than on a company.”
It’s interesting to note that the other director involved voluntarily settled with the CRTC, he said, and was fined $10,000 instead.
The case involved quite a large number of entities and multiple transactions, with quite a large mailing list, said Kratz.
“The non-compliance was that the companies couldn’t show that they had any real consent from the recipients of the large emailing list; also, they didn’t have a compliant unsubscribe mechanism.”
The whole point behind going after Conley was to stop the practice, said Jae Morris, associate at Deeth Williams in Toronto.
“The purpose of putting out these penalties to officers is to ensure that they comply with the act. That is not punitive.”
The case serves as a good reminder for companies to put in place systems and protocols to ensure they're compliant with CASL, said Morris.
The best response is to show your due diligence in complying with the act, he said.
“CASL sets up three basic requirements: There's the first requirement to get express consent. The second requirement is to set out an unsubscribe mechanism. And the third requirement is the identification requirements, setting out who is sending the message. So, it's really important to do your due diligence in showing that you actually did obtain consent.”
It’s not a good idea to wait until the CRTC comes and says bad things have happened, said Austin.
“Way before that, you implement compliance programs, you monitor compliance programs, you take proactive steps; if you're a director or an officer, maybe even an employee, you have responsibilities for what the company does. And you need to exercise those to take proactive steps to ensure that they are in line with CASL.”
The CASL legislation is very difficult in the first place, said Kratz.
“There are internal contradictions in the legislation and there are fundamental ambiguities in the legislation. These have been identified in a parliamentary review of the legislation and the government has said it will look at these issues, so it’s likely that there will be some effort to try to fix some of these problems.”
For now, it’s possible many people are unaware of this type of personal liability that can hang on them, he said.
“It means that the directors and officers ought to be asking questions about employers’ compliance with this very difficult act, to ensure there are policies and procedures in place to speak to… compliance, there’s education around that compliance practice, they monitor the compliance… they’re following the policies and procedures they put in place and, if and when errors are made, they reassess and will periodically, in a good compliance program, reassess and make sure you’re still doing everything right… against the developing law.”
It’s not enough to just have a policy or procedure — these must be followed with oversight and review, said Freedman.
“CASL is a complicated statute… and it’s so different than similar laws in other jurisdictions and our major trading partners, including the United States, so it can still present some significant compliance challenges by organizations that really want to comply.”