June 6, 2017
Steven Harroun, Chief Compliance and Enforcement Officer
Canadian Radio-television and Telecommunications Commission
Check against delivery
Thank you for your kind introduction and warm welcome.
I applaud your Association for raising awareness among your members of their responsibilities when it comes to marketing products and services to Canadians. It says a lot that you made time in your conference agenda to focus on the need to comply with CRTC rules and regulations to protect consumers. Kudos to you for providing this opportunity to explain how you can avoid problems when you do.
I realize not all businesses have been big fans of the Commission’s work in some instances—especially when it comes to the Unsolicited Telecommunications Rules and Canada’s anti-spam legislation. I thank you for your willingness to work in partnership with the CRTC to make compliance widespread among your members.
Before I discuss your obligations related to these laws, let me first say I fully understand the need to promote your businesses.
Responsible, clever businesses help consumers find the goods and services they need and desire—an essential service in the marketplace. The very best businesses persuade people by using their smarts and wits to entertain and amuse. They appeal with seductive words and images to convince consumers to identify themselves through brands. And, understandably in today’s digital world, they take creative and lawful advantage of the latest digital tools and tactics to reach them.
Consumers aren’t always enamoured with your efforts, of course, especially if you cross the line. And some are quick to complain. That’s where our job comes in as the regulator.
I’d like to pause for a moment to show you a video we created to inform Canadians about how they can help us fight spam.
I appreciate that promoting your goods and services can sometimes be a difficult balancing act. One part of the general public celebrates you. Another part scorns you.
I know you have a tough job. And I can assure you, I admire legitimate marketing professionals. It requires keen intelligence and deep humility. Not an easy combination to pull off.
My colleagues and I at the CRTC can relate. Sometimes we’re praised for helping Canadians regain control of their communication system. Other times, we are viewed as busy-bodies who interfere with the market for no good reason. There doesn’t seem to be much middle ground.
However, we were given the authority to regulate and enforce the rules by our elected representatives. Parliament put Canada’s telecommunications laws in place at the behest of Canadians themselves. We do have a responsibility to enforce the laws of the land, a job we take seriously.
If it’s any consolation, we often face the same balancing act that you do when establishing and enforcing regulations at the CRTC. Take the example of Canada’s anti-spam legislation—what we call CASL for short.
In a nutshell, CASL balances protecting Canadians’ privacy with ensuring that businesses can continue to compete in the global marketplace. Our duty is to weed out trouble makers so businesses that comply with the rules can thrive.
Just so you are clear, the law was never intended to eliminate all spam. What CASL does is level the playing field so legitimate businesses aren’t tarred with the same brush as spammers.
Most companies willingly abide by the rules. It’s those that have no intention of complying – whose sole intention is to be damaging and deceptive—that get separated from the pack. This allows the CRTC and our partner agencies to focus our investigative resources on the most nefarious activities.
The problem is that, in a digital age, consumers are bombarded with multiple messages on multiple platforms—24/7—from both legitimate and illegitimate actors. And when Canadians are not happy about it, we hear about it!
Canada’s anti-spam legislation came into effect in July of 2014. Since then, our Spam Reporting Centre has received over 975,000 complaints from Canadians to investigate. These numbers reinforce that the legislation is necessary.
Commercial e-mail messages are the primary source of what prompts Canadians to report cases that require follow-up investigation—commercial email messages that you or your organization may be responsible for sending. Email messages account for more than three quarters of incidents reported to us.
They are followed by spam via mobile text messages and other instant messaging platforms, which represent the bulk of the remaining complaints.
To help you understand where you fit into this picture, let me give you a high-level overview of the legislation.
CASL gives the Commission the authority to regulate commercial electronic messages. By that, I mean messages sent to email and social media accounts, as well as text messages sent to cellphones and through various instant messaging platforms.
It also applies to the alteration of transmission data in electronic messages. An example of this is to direct a user to a different website other than the one they intended to visit after clicking a link or rerouting them through their browser.
Finally, the CRTC is responsible for enforcing the provisions related to the installation of computer programs during the course of commercial activity on another person’s computer system. This covers activity such as updates and upgrades of applications on smart phones, or the installation of malicious malware potentially imbedded in spam messages.
The first thing you need to do before sending a commercial message is get the recipient’s consent. CASL is an “opt-in” regime. This means that a consumer must agree to receive the message before you start sending emails, direct messages or text messages.
A consumer’s consent can be either express or implied.
Express consent means a person has clearly agreed to receive an electronic message from you—either in writing or orally. The recipient needs to proactively express consent, for example, by voluntarily signing up at a website. That’s opting in. Once express consent is obtained, companies are able to send messages until the recipient notifies the sender that he or she no longer wants to receive them.
Implied consent generally entails having a prior business relationship with a consumer, based on a previous commercial transaction. It also pertains to relationships such as memberships in a club or charitable organization. Or if people make their email address publicly available by publishing it on a website.
In every case, the burden of proof regarding consent rests with the sender. The onus is on you as senders to review your mailing lists and ensure you are complying with CASL by having established consent before sending your commercial messages.
Another requirement of the Act is that companies have to clearly identify themselves in each message. And they have to give consumers the opportunity to unsubscribe from all digital mailings. CRTC regulations demand that the unsubscribe link must be clearly and prominently available in all commercial messages sent to Canadians.
Complying is in your best interests
CASL not only serves the public interest. Legitimate businesses also need the legislation – in fact, businesses should welcome this law.
It helps to expose scammers whose practices create collateral damage for the good guys, diminishing your legitimacy in the eyes of consumers you’re trying to appeal to. Equally important, the law gives you guidelines by which to ply your trade. If you comply with the Act, you won’t run into any problems.
And, believe me, compliance is better than enforcement. When violations occur, the CRTC has a number of tools at its disposal to ensure the regulations are respected and consumers’ rights protected.
When it comes to the use of those tools, we exercise discretion. We don’t go out looking to kick down doors. We much prefer helping businesses comply with the law than enforcing it after they’ve broken it.
CRTC staff criss-cross the country, meeting with business owners, company executives and managers, and marketing professionals. We share information about how to be compliant with the law through information sessions, webinars and keynote speeches. Exactly what I’m doing here today.
Businesspeople attend sessions, like this one, to learn about recent enforcement updates—and, even more so from my experience, to ask questions to make sure their activities comply with the law. I’ll be happy to field your questions at the end of my presentation.
Non-compliance can be costly
The main message I want to leave with you today is that we would rather be your ally than your adversary when it comes to enforcing CASL. CRTC staff are keen to share lessons learned from our enforcement efforts to help businesses and associations comply.
But, I want to be equally clear: don’t confuse outreach, assistance and support with rolling over.
Make no mistake. We take infractions of the law very seriously. And we have a number of options in our enforcement toolbox to ensure compliance with the Act. These include:
- A warning letter, to bring to the attention of the business a minor violation requiring corrective action.
- A notice of violation, which is issued for more serious offences. The enforcement measure may include a monetary penalty. Notices are also published on our website. We warn Canadians of illegal online practices so they are aware and report any suspected violations.
- We also have something called an undertaking to address alleged non-compliance. This is similar to a negotiated settlement or agreement, where the company or individual under investigation undertakes to come into compliance and cooperates in reaching an agreement with CRTC staff. For instance, a business may need to implement a corporate program or report on its activities. Or, it may have to pay a specified amount – although this payment is not considered a monetary penalty.
You have probably read in the press about undertakings we have entered into since coming into force with payments running as high as $200,000 for infractions to date.
It’s important to understand that monetary penalties are just one tool in our tool box. High penalties tend to be used as a last resort after all other efforts have failed. They are reserved for the most egregious cases.
Depending on the nature of the violation, the CRTC has the authority to impose up to $1 million per violation for individuals. And up to $10 million per violation for a corporation or group. The legislation lays out the factors we take into consideration when determining the appropriate penalty, including cooperation with CRTC staff on the investigation.
In addition to these tools to promote compliance, we can also obtain a warrant from the courts to enter a residence or business to verify compliance with CASL as part of our investigation.
In December 2015, we exercised this power to obtain a warrant to enter a business to take down a command and control server that was sending malicious spam messages worldwide. Known as Win32/Dorkbot, this malware has infected more than a million personal computers in over 190 countries. Along with national and international partners, the CRTC took down a command-and-control server here in Toronto.
CRTC staff use their discretion in selecting and applying the most appropriate enforcement response. Whatever the choice, our goal is always to ensure compliance with the law and prevent recidivism to protect Canadians.
This philosophy and approach are much the same when it comes to enforcing the Unsolicited Telemarketing Rules and the National Do Not Call List. The main difference is that while CASL requires that consumers to ‘opt in’ to receive commercial messages, the telemarketing rules require that they ‘opt out’ from being called.
Canadians can do so by registering their numbers on the National Do Not Call List or, for short, the DNCL.
Chances are, many of you have put your own numbers on the list to reduce the number of telemarketing calls you receive. You are not alone. Over 13 million Canadians have registered thus far.
The Unsolicited Telemarketing Rules state that telemarketers must register with the National Do Not Call List and purchase a subscription for the area codes they intend to call. They must then ensure their calling lists do not contain any numbers registered on the DNCL. This is true of anyone making telemarketing calls to Canadians, including those making calls from outside the country.
There are exemptions to the Rules. This includes market research and polling firms. Or any businesses that have leased, sold or rented a product or service to a consumer in the previous 18 months. Exemptions also apply to any consumer inquiries made to a company in the previous six months.
Most legitimate telemarketers and businesses are following the rules and respecting Canadians’ wishes to protect their privacy. The challenge is the rogue telemarketers that hide or misrepresent their identity by displaying a phony number on the call display. This is known as caller ID spoofing.
The CRTC has been working to better protect Canadians’ privacy and to help them manage unsolicited telecommunications and illegitimate calls. Last November, the Commission called on telecommunications service providers to offer their subscribers call management features.
We believe telecommunications service providers are in the best position to develop and implement call management solutions for the millions of Canadians tired of receiving nuisance calls – just as they have done for e-mail and text messaging.
We also issued a new directive that telecommunications service providers must develop technical solutions to block illegitimate nuisance calls within their networks.
And the CRTC is prepared to take further action if telecommunications service providers do not implement sufficient measures to protect Canadians against unwanted calls. In the near future, the Commission will issue a follow-up decision regarding solutions to address the use of caller ID spoofing.
Our objective with these rules—similar to the regulations governing spam—is to make sure all Canadians have adequate and reliable protection when using the telecommunications system.
Importance of compliance
As consumers yourselves, I am sure you appreciate that.
I hope my talk today has also convinced you that it’s in your businesses’ best interest to satisfy Canadians’ expectations when it comes to protecting their privacy.
If I could provide you with one take away to help you with your compliance efforts, it would be this: Make sure your organization has a robust compliance program if you engage in these activities to market to Canadians.
Every business should have a compliance program in place to help ensure each commercial message or telemarketing call is compliant. If your practices are ever called into question, a thorough compliance program can help you with a due diligence defence.
So what does that entail? The primary components of these programs could include:
- Senior management involvement to provide leadership from the top. A member of senior management should be named as the business’s chief compliance officer.
- A risk assessment to determine which business activities are at risk of violating the Unsolicited Telecommunications Rules and/or CASL.
- A written corporate compliance policy that is easily accessible to all employees, including managers—the policy should be updated to keep pace with changes in legislation or new services and products.
- Good record keeping—in the event of complaints to the CRTC against your business, you will require proof of the measures you have taken.
- And training programs delivered to staff at all levels about what constitutes prohibited conduct and what should be done if your employees witness such conduct.
If you need guidance or advice, we are here to help. You will find useful information, including questions and answers, on the CRTC website to help you comply with the laws I’ve outlined today. We update these materials regularly, to reflect the results of the latest investigations and cases.
And we’re always as close as an email or phone call. So whether you have a question about setting up a compliance program or need clarification on interpretation of the regulations, don’t hesitate to ask.
But let me be clear, CASL and Unsolicited Telemarketing Rules are not new. And ignorance is not a defence.
Look at it this way—if I do a U-turn on the 401 and my defence to the police officer who pulls me over is that I did not know I couldn’t make a U-turn, I am still getting the ticket.
The same applies if violations under these laws have been determined. There will be consequences, which could include administrative monetary penalties and the obligation to implement compliance programs. At best. And, at worst, public shaming that will keep your public relations department busy for a long time.
So let’s give Canadians what they have asked for and keep working together to make sure all businesses in Canada comply with these laws.
I would be happy now to take a few questions.