CRTC Releases Guidelines on s. 9 of CASL

November 29, 2018

…and provides illustrative examples

The CRTC has released Guidelines on the Commission’s approach to section 9 of Canada’s anti-spam legislation (CASL), which provide best practices and guidance for stakeholders to whom s. 9 might apply. Section 9 itself provides: “It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8” (sections 6 to 8 contain prohibitions dealing essentially with the circulation of advertising/spam without recipient consent). The guidelines note that the section could apply (non-exhaustively) to “advertising brokers, electronic marketers, software and application developers, software and application distributors, telecommunications and Internet service providers, payment processing system operators.” The factors which the CRTC might consider in applying section 9 are illustrated by way of examples:

Example 1
Company A specializes in online marketing and sells a bundle of services to Company B, which includes a messaging template and a collection of email addresses and mobile phone numbers for the purpose of mass marketing. The messaging template does not include sender identification information or an unsubscribe mechanism, and no attempt has been made to ensure the express or implied consent of the persons whose contact information appears on the list, all of which are required under section 6 of CASL. In this scenario, Company B may be in violation of section 6 of CASL if it uses the messaging template and contact lists provided by Company A to send commercial electronic messages (e.g. email or SMS). Even though Company A is not the sender of the messages, it could be violating section 9 of CASL by providing the tools that were used to violate section 6 of CASL. 

Example 2
Company A offers web hosting services. Its client, Company B, uses Company A’s services to launch a phishing campaign that redirects unsuspecting Canadians to a fake banking website created to obtain their personal data – a violation of section 7 of CASL. Company A was alerted to the malicious activity by a cyber security firm, but took no action to stop it. In addition, there is no statement in its web hosting terms of service requiring clients to be compliant with CASL, nor does it have processes to ensure compliance. Therefore, while it was Company B that launched the phishing campaign, Company A may be responsible pursuant to section 9 of CASL for having “aided” the doing of the section 7 violation.

Example 3
An individual visits an online app store and downloads a video game, which comes bundled with a custom browser toolbar. Not all toolbar functions, such as the pushing of advertisements, are described during the installation process, and consent for the toolbar is sought through a pre-checked box – contrary to the requirements of section 8 of CASL. During an investigation, it is determined that several customers had previously complained to the online app store about the toolbar. Although the video game developer may be the responsible party for a section 8 violation, the online app store may have violated section 9 of CASL for having “aided” the doing of the section 8 violation.

The Guidelines then set out recommendations for managing compliance risks. These include a note on strict liability, which highlights that ongoing management and active oversight (including monitoring the activities of third parties) must be demonstrated to take advantage of a due diligence defence, and a non-exhaustive list of reasonable steps that ought to be included in prevention, detection and remediation plans that satisfy the requirements of CASL.

(with a contribution from Daniel Roth)