Compliance and Enforcement Decision CRTC 2017-368

PDF version

Ottawa, 19 October 2017

File number PDR 9094-201400302-001

3510395 Canada Inc., operating as Compu.Finder – Violations of Canada’s Anti-Spam Legislation

The Commission finds that 3510395 Canada Inc., operating as Compu.Finder (CompuFinder), committed three violations of paragraph 6(1)(a) and one violation of paragraph 6(2)(c) of Canada’s Anti-Spam Legislation by sending commercial electronic messages without consent, some of which contained an unsubscribe mechanism that was not clearly and prominently set out and through which an unsubscribe request could not be readily performed. The Commission imposes an administrative monetary penalty of $200,000 on the company.

Introduction

  1. On 4 July 2014, the Commission began receiving submissions through the Spam Reporting CentreFootnote 1 in relation to unsolicited electronic messages (in this case, emails) sent under a variety of business names associated with 3510395 Canada Inc., operating as Compu.Finder (CompuFinder). These messages advertised educational and training services offered by the company, and were sent primarily to individuals working in the province of Quebec.
  2. Following an investigation, on 5 March 2015, CompuFinder was issued a notice of violation pursuant to section 22 of An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (the Act or Canada’s Anti-Spam Legislation [CASL]) by a person designated for this purpose under section 14 of the Act (designated person).Footnote 2 The notice identified three messaging campaigns conducted by CompuFinder between 2 July 2014 and 16 September 2014 during which messages were alleged to have been sent without the consent of the recipients. The notice further indicated that some of these messages contained an unsubscribe mechanism that did not function.
  3. As a result, the designated person stated that they had reasonable grounds to believe that CompuFinder had committed three violations of paragraph 6(1)(a) of the ActFootnote 3 and one violation of paragraph 6(2)(c) of the Act.Footnote 4
  4. The notice of violation set out an administrative monetary penalty (AMP) of $1.1 million.
  5. Pursuant to paragraph 22(2)(d) of the Act, the notice informed CompuFinder that it had the right to make representations to the Commission regarding the notice. The Commission received representations from CompuFinder dated 15 May 2015.
  6. In its representations, CompuFinder argued, among other things, that the messages it sent were excluded from the requirements of section 6 of the Act due to relationships it had with the recipients, or that it had implied consent to send those messages on the basis of the conspicuous publication of the recipients’ email addresses. CompuFinder also argued that the designated person’s investigation into the company’s practices was potentially biased, and that the information disclosed to the company in the designated person’s investigation report was too limited to enable it to respond appropriately.
  7. CompuFinder’s representations also raised a challenge to the constitutionality of CASL on several grounds.
  8. The Commission’s determinations with respect to the constitutional challenge raised by CompuFinder have been addressed separately in Compliance and Enforcement Decision 2017-367, also released today.

Issues

  1. The record of this proceeding includes the following:
    • the notice of violation issued to CompuFinder on 5 March 2015;
    • an investigation report setting out the designated person’s grounds for issuing the notice of violation;
    • the representations made by CompuFinder on 15 May 2015 in response to the notice of violation; and
    • extensive supporting documents from both the designated person and CompuFinder to support their respective positions and arguments.Footnote 5
  2. Based on this record, the Commission has identified the following issues to be addressed in this decision:
    • Are there ancillary issues that affect the notice of violation review proceeding?
    • Did CompuFinder commit the violations?
    • If yes, is the amount of the AMP appropriate?

Are there ancillary issues that affect the notice of violation review proceeding?

Initiation of proceedings under the Bankruptcy and Insolvency Act

  1. On 9 August 2016, CompuFinder filed a notice of intention to make a proposal under the Bankruptcy and Insolvency Act (Notice of Intention) with the Superior Court of Quebec. Footnote 6
  2. CompuFinder was thereafter provided with an opportunity to make further submissions to the Commission. CompuFinder simply confirmed that, in its view, the Notice of Intention should have no impact on the notice of violation review proceeding and that it did not intend to apply to the Superior Court of Quebec for a stay of the Commission’s proceeding. CompuFinder did not make further substantive submissions.
  3. On 28 November 2016, CompuFinder filed a proposal to its creditors, listing the Commission as an unsecured creditor.
Commission’s analysis and determinations
  1. Pursuant to paragraph 28(1)(c) of the Act, if representations are made in response to a notice of violation, as they were in the present case, the debt associated with an AMP becomes due only on the day specified by the Commission in its decision, or by the court on appeal. Moreover, the Act specifies that the debt is due to Her Majesty in right of Canada and that such a debt is payable to the Receiver General for Canada, rather than to the Commission.
  2. In light of the above, the Commission considers that, as of the date of CompuFinder’s proposal, there would have been no debt associated with a potential AMP due to be paid by CompuFinder. Accordingly, the proceedings under the Bankruptcy and Insolvency Act do not affect the Commission’s proceeding to review the notice of violation under CASL.

Allegation of potential bias during the investigation

  1. CompuFinder argued in its representations that the investigation into its activities operated to its prejudice. In particular, CompuFinder argued that a notice to produce issued to the company pursuant to section 17 of the Act sought information with respect to its practices for recording and tracking consent to send commercial electronic messages (CEMs),Footnote 7 but did not make inquiries with respect to whether possible exemptions or exclusions from the Act applied in the circumstances. In particular, CompuFinder argued that the notice to produce ought to have sought comment with respect to the potential application of the exemption set out in subparagraph 3(a)(ii) of the Electronic Commerce Protection Regulations (the Governor in Council regulations).Footnote 8, Footnote 9
  2. CompuFinder further argued that the Commission’s subsequent decision denying the company’s application pursuant to section 18 of the ActFootnote 10 to review the notice to produce also failed to justify why CompuFinder was not canvassed for evidence regarding this exemption. Finally, CompuFinder argued that the investigation report supporting the notice of violation failed to appropriately consider whether the exemption applied in the circumstances.
Commission’s analysis and determinations
  1. The notice to produce did not make specific inquiries with respect to every defence potentially available to CompuFinder. Rather, it made inquiries tailored to the designated person’s understanding of the circumstances based on the information that had been gathered at that time.
  2. Further, the Commission’s decision regarding the notice to produce specifically informed CompuFinder that the notice “does not preclude or limit CompuFinder’s ability to submit to the designated person additional information regarding exemptions or possible defences when producing the required documents.”
  3. Moreover, CompuFinder had a further opportunity to provide information directly to the Commission regarding the above-noted exemption or other possible defences when making its representations in response to the notice of violation. The company did so, and the Commission reviewed both CompuFinder’s arguments and the evidence provided in arriving at the conclusions reflected in this decision.
  4. Accordingly, the Commission considers that CompuFinder was not prejudiced during the investigation or afterward.

Accessibility of the evidence supporting the investigation report

  1. CompuFinder referred to the evidence appended to the investigation report and, in particular, to a group of spreadsheets (summary tables) that purported to summarize the details pertaining to each of the messages in respect of which the notice of violation was issued. The company argued that there were several deficiencies with these summary tables, including that they were missing relevant details, such as the date and time at which the messages were transmitted, as well as the addresses to which the messages were sent.
  2. CompuFinder submitted that, as a result, it reviewed each of the messages appended to the investigation report in search of the relevant details. CompuFinder described this as a time-consuming and painstaking process that still did not provide all the information it required. It referred to six messages in particular as examples of the difficulties it encountered, though it did not elaborate on the specific problems it encountered with those messages.
Commission’s analysis and determinations
  1. Pursuant to section 13 of the Act, the burden of proof rests with CompuFinder to demonstrate any consent it was relying on when sending CEMs. However, without information about to whom CompuFinder was alleged to have sent a particular message or at what time, it would be nearly impossible for the company to bring forward specific evidence of consent from the recipient of that message, or for the Commission to appropriately weigh such evidence. Accordingly, the issue identified by CompuFinder raises significant concerns.
  2. In two of the messages identified by CompuFinder, the messages appeared to have been exported from the Spam Reporting Centre in a “raw” text format, in such a manner that the original messages at issue were presented in the UTF-encoded format in which they were transmitted, rather than in a format that could be readily understood by an end-user.Footnote 11 The relevant details of the original messages, including their contents, timestamp, and recipient address, along with any comments made by individuals who submitted them, were obscured by this encoding. Inclusive of the two messages identified by CompuFinder, the Commission finds that 115 of the relevant messages were affected by this issue.
  3. Further, 19 other messages reviewed by the Commission raised additional concerns. These included messages that fell outside the relevant period set out in the notice of violation, one that appeared to have been sent before the Act came into force, a small number of duplicate or missing messages, and, in one case (which was also one of the examples highlighted by CompuFinder), a message file that appeared to contain no actual content.
  4. The three remaining example messages highlighted by CompuFinder did not fall within any of these categories. Like the other messages referred to above, they appeared to have been provided in a “raw” text format, but the original messages were not encoded; they simply retained the HTML markup included in the messages as they were originally sent. The relevant details of these messages, including timestamps and recipient addresses, were readily accessible to the Commission on an individual basis, and CompuFinder did not explain in its representations what problem it encountered with these messages. These three examples were representative of the majority of the messages appended to the investigation report.
  5. The omission of relevant details from the investigation report’s summary tables appears to be inadvertent; the investigation report makes multiple references to a “list of recipient addresses” that does not otherwise exist among the documents provided with the investigation report, and appears to intend to refer to these tables. Similar summary tables that accompanied other notices of violation that the Commission has reviewed have included these details.
  6. While preserving evidence in its original form is important to ensure its authenticity, care must be taken to ensure that the review proceeding that flows from a notice of violation is fair. Where evidence may not be readily accessible to the recipient of a notice of violation in its original format, efforts should be made to present, by some other means, the pertinent information that evidence contains to the person who has been issued the notice, or to otherwise set out reasonable steps by which that evidence can be accessed by that person.
  7. Consequently, the Commission has excluded 115 encoded messages from its consideration of this matter. Similarly, the Commission has excluded from consideration the other messages referenced above that were missing or duplicates, or that fell outside the period covered by the notice of violation or the Act.
  8. The Commission considers that its review of the notice of violation can proceed notwithstanding these issues, but that there is a smaller pool of 317 messages at issue, rather than the 451 identified in the investigation report. These 317 messages, which represent messages sent across CompuFinder’s three messaging campaigns, relate to the three alleged violations of paragraph 6(1)(a) of the Act for sending CEMs without the consent of the recipients. Of these 317 messages, 87 relate to the alleged violation of paragraph 6(2)(c) concerning unsubscribe requirements.   

Did CompuFinder commit the violations?

  1. To determine whether CompuFinder committed the violations set out in the notice of violation, the Commission will examine the following issues raised in the investigation report or by CompuFinder:
    • nature and sender of the electronic messages at issue;
    • applicability of the “business-to-business” exemption;
    • failure to include an unsubscribe mechanism or to process unsubscribe requests;
    • implied consent to send CEMs; and
    • demonstration of due diligence.

Nature and sender of the electronic messages at issue

  1. Subsection 6(1) of the Act provides that it is prohibited to send or cause or permit to be sent to an electronic address a CEM, unless (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied, and (b)  the message complies with subsection 6(2), which sets out additional requirements respecting form and content.
  2. CEMs are defined in subsection 1(2) of the Act, which provides the following:
    For the purposes of this Act, a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity,[Footnote 12] including an electronic message that
    1. offers to purchase, sell, barter or lease a product, goods, a service, land, or an interest or right in land;
    2. offers to provide a business, investment or gaming opportunity;
    3. advertises or promotes anything referred to in paragraph (a) or (b); or
    4. promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c) or who intends to do so.
  3. Subsection 12(1) of the Act further provides that a person contravenes section 6 only if a computer system located in Canada is used to send or access the electronic message.
  4. The messages at issue varied greatly, but at a minimum they all referred to training or educational services available for purchase from the sender, in areas such as team management, administrative skills, budget planning, and effective use of social media. The messages were typically accompanied by an outline of the content for a specific course and the date and location the course was next being offered. Some messages contained additional content encouraging recipients to act on the offer being made by suggesting that the opportunity was limited in nature or that there was high demand, or by promoting a special rate.
  5. The messages consistently identified the sender as one of the business names under which CompuFinder operates, or referred to websites associated with those names.Footnote 13 CompuFinder is a Canadian corporation operating from Morin-Heights, Quebec. The mailing address included in the messages was CompuFinder’s address in Morin-Heights, and a phone number included in some of the messages was registered to CompuFinder at that same address. In addition, many of the messages at issue were sent to addresses associated with businesses and institutions located in Canada, to Canadian domains (.ca) registered in Canada, or to personal addresses belonging to individuals who live or work in Canada. Each of the eight individuals who provided a written statement accompanying the investigation report also confirmed that they were located within Canada.
  6. CompuFinder did not contest these elements of the investigation report. In light of the above, the Commission finds that CompuFinder was the sender of the 317 messages in question, that the messages were CEMs within the meaning of the Act, and that they were sent by a computer system located in Canada to a number of recipients located in Canada.

Applicability of the “business-to-business” exemption

  1. CompuFinder argued that section 6 of the Act did not apply to a substantial portion of the messages at issue. Specifically, CompuFinder relied on what it called the “business–to-business” exemption set out in subparagraph 3(a)(ii) of the Governor in Council regulations. Taking into account the messages the Commission has excluded from consideration, this argument would apply to 168 of the remaining 317 messages at issue.Footnote 14
  2. The exemption provides the following:


    Section 6 of the Act does not apply to a commercial electronic message

    1. that is sent by an employee, representative, consultant or franchisee of an organization […]

      (ii) to an employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent.
  3. The element of this exemption requiring that the CEM be sent by an employee of one organization to an employee of another organization is generally not at issue in these circumstances. While CompuFinder did not provide specific evidence that each of the recipients of the messages for which it sought to rely on this exemption were employees, these messages were generally sent to domains belonging to organizations where it would be highly unusual for someone who was not an employee, or a representative of some other sort, to have an email address associated with the organization. In cases where this would not have been unusual (universities, for example, where students or alumni might also have email accounts), the Commission was able to verify that the recipient addresses appeared to belong to employees through online directories.
  4. CompuFinder argued that the requirement whereby there must be a “relationship” between the sender and the organization of the recipient should be satisfied in two types of situationsthose where it had entered into a contractual relationship with the employer of the recipient, and those where CompuFinder had a longstanding correspondence history with the recipient.
  5. As a means of attempting to demonstrate contractual relationships with the organizations at issue, CompuFinder provided with its representations a series of invoices and proofs of payment. These documents were unaccompanied by further explanation but they appeared, in general, to be for single training sessions provided by CompuFinder to an individual within the recipient’s organization – though not necessarily the same individual to whom the CEMs in question had been sent.
  6. CompuFinder provided one such document for each organization with which it claimed to have a contractual relationship, and considered these past transactions as a basis on which it could send CEMs to other individuals employed by the same organization. For example, CompuFinder sent numerous messages to an address belonging to a senior programmer employed by an Ontario university. To attempt to demonstrate a relationship with that university, CompuFinder provided a single invoice paid by a different employee in another faculty of that university, on behalf of yet another employee in that second faculty.
  7. CompuFinder did not provide any further evidence to support its view that the employee who had previously taken the company’s course or the employee who approved payment for it created, or had authority to create, a relationship on behalf of the university, or intended to do so. In the Commission’s view, the mere fact that an organization paid for training on behalf of one of its employees is not sufficient to demonstrate that the organization had, or intended to create, a relationship that would allow for a complete exemption from section 6 of the Act that would permit the company providing the training to directly solicit every other employee.
  8. This invoice might be considered evidence of an existing business relationship with the specific employee who attended that training session, and such a relationship could create implied consent to send CEMs to that employee, pursuant to paragraph 10(9)(a) of the Act. However, that type of relationship is different than the kind CompuFinder argued it had in the present case. The Commission would require more information to reach the conclusion that any relationship reflected by this transaction was with the university, rather than the employee who took the course.
  9. The other instances in which CompuFinder claimed a contractual relationship are similar. An invoice or, in some cases, a photocopied cheque or payment confirmation, for one or two employees (sometimes identified, sometimes not) appears to have been relied on as authority to send CEMs to different email addresses within the same organization.
  10. In support of its alternative argument that a longstanding correspondence history with the recipient would also demonstrate a “relationship” with the employer organization, the company provided screen captures which it described as “showing the correspondence history between CompuFinder and some of its clients.”
  11. However, CompuFinder did not explain, in further detail, how any such relationships with these individuals would satisfy the requirements of subparagraph 3(a)(ii) of the Governor in Council regulations, which focus on relationships between organizations.
  12. Moreover, while there are circumstances in which it is possible that correspondence with a business or its representatives could create or demonstrate a relationship that would fall under this exemption, such a determination would necessarily depend on the contents of that correspondence. While CompuFinder made reference to its correspondence, it did not provide any actual messages.
  13. Rather, the screen captures that CompuFinder provided either display the results of a search function within CompuFinder’s own database for particular recipient addresses, or are images of Microsoft Excel spreadsheets where the recipient addresses at issue are listed among many other email addresses in tables that do not appear to provide any other information. These images appear to confirm that the addresses in question were part of CompuFinder’s records, but none of them appear to indicate the period or frequency of the communications CompuFinder argued they reflect, whether such communications were reciprocated, or the content of any of the messages.
  14. Even if CompuFinder had provided more detail for either of its arguments or evidence that would enable the Commission to conclude that such relationships existed, subparagraph 3(a)(ii) of the Governor in Council regulations imposes a further requirement that “the message concerns the activities of the organization to which the message is sent” before the exemption applies. The messages in question did not discuss or make reference to the activities of the recipient organizations.
  15. CompuFinder asserted in its representations that its messages would meet this requirement either where another employee of the same organization had previously purchased its services, or where the company had established a correspondence history in the context of which it had regularly sent CEMs that promoted its professional training services.
  16. With respect to the former argument, the Commission does not agree that one employee’s participation in one of CompuFinder’s courses would, on its own, render further advertisements for any CompuFinder course relevant to the activities of that organization. An employee might have sought professional training for any number of purposes unconnected to the activities of its employer organization per se, including personal interest or qualifying for other jobs. This argument relies on a broad assumption by CompuFinder that is not supported by further evidence.
  17. The latter argument is not persuasive. CompuFinder is, in effect, arguing that its own history of sending (potentially unsolicited) CEMs advertising its services to an organization eventually renders such messages relevant to that organization’s activities, without mention of any reciprocal communication from the organizations in question to indicate that such messages were relevant or welcome. To the extent that previous correspondence might demonstrate the relevance of new CEMs, that determination would again depend on the contents of the correspondence, which CompuFinder did not provide.
  18. In light of the above, the Commission finds that none of the remaining 317 messages were exempt from section 6 of the Act by virtue of the “business-to-business” exemption. Accordingly, it was necessary for these messages to meet the requirements of section 6 of the Act, including the requirement for consent and the formal requirements relating to unsubscribe mechanisms.

Failure to include an unsubscribe mechanism or to process unsubscribe requests

  1. The investigation report identified two issues with CompuFinder’s unsubscribe practicestwo cases in which consumers indicated that their unsubscribe requests were not honoured or were not processed within 10 days, as well as 116 messages (87 of which remain at issue after the Commission excluded a number of messages) that contained an unsubscribe link that did not function. The notice of violation alleged that, as a result, CompuFinder has committed a violation of paragraph 6(2)(c) of the Act.
  2. With respect to the former issue, CompuFinder provided records demonstrating that it had received and processed unsubscribe requests from the individual complainants at issue. With respect to one of the complaints, there is disagreement between CompuFinder and the complainant as to the date of the unsubscribe request. However, CompuFinder’s records reflect that, irrespective of which date is preferred, the request was processed within the required time frame.
  3. Moreover, the second of these complaints appears to have been a direct result of the recipient failing to specify the correct address or addresses from which they wished to unsubscribe. This is also reflected in CompuFinder’s records. An employee of the Ministère de l’Énergie et des Ressources naturelles of Quebec sent an unsubscribe request from a personal email address in response to one of CompuFinder’s CEMs that was sent to a general address for the employer organization. CompuFinder responded, noting that it did not have that person’s individual address in its database, and asked for clarification. After the unsubscribe request was clarified, the individual submitted further messages from CompuFinder to the Spam Reporting Centre; however, these messages were sent to other general addresses for the organization (including addresses at other domains). There is no indication that further messages were sent to the addresses for which the unsubscribe requests were actually made. Accordingly, these complaints do not relate to acts or omissions that constitute a violation of the Act.
  4. The more significant issue with CompuFinder’s unsubscribe practices, however, was that a number of its messages (87 of the remaining pool of 317) contained two unsubscribe links, rather than one. One of these links appeared to function, and the other was observed by the designated person to produce an error when accessed.
  5. CompuFinder argued in its representations that because the messages did contain a fully functional unsubscribe link, they complied with the Act.
  6. Subsection 6(2) of the Act provides, among other things, that a message “must be in a form that conforms to the prescribed requirements” and must “set out an unsubscribe mechanism in accordance with subsection 11(1).” In the Electronic Commerce Protection Regulations (CRTC), the Commission prescribed in subsection 3(1) that “the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be set out clearly and prominently.” The Commission further prescribed in subsection 3(2) that “the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be able to be readily performed.”Footnote 15
  7. The 87 messages identified above did not meet these standards. While they contained a functioning unsubscribe link, many of them also contained a second unsubscribe link that did not function. Written statements from some of the consumers who encountered this problem made it clear that this created confusion and frustration among those who wished to unsubscribe from CompuFinder’s messages, but believed they could not.
  8. Accordingly, the Commission finds that CompuFinder has committed a violation of paragraph 6(2)(c) of the Act, though this violation relates to fewer messages – specifically, 87 messages in total – than are set out in the notice of violation and investigation report.

Implied consent to send CEMs

  1. Regarding the three alleged violations of paragraph 6(1)(a) of the Act for sending CEMs without the consent of the recipient, CompuFinder also took the position that many of the messages at issue had been sent on the basis of implied consent and, accordingly, their sending was not prohibited by paragraph 6(1)(a) of the Act. The company’s representations included an extensive table setting out each email address for which this argument was raised, a hyperlink to a Web address where that email address was published, and the job title of the recipient, where known. Taking into account the messages the Commission has excluded from consideration, this argument would apply to 132 of the remaining 317 messages at issue.Footnote 16
  2. Paragraph 10(9)(b) of the Act provides that consent is implied if the person to whom the message is sent has conspicuously published, or has caused to be conspicuously published, the electronic address to which the message is sent, the publication is not accompanied by a statement that the person does not wish to receive unsolicited CEMs at the electronic address, and the message is relevant to the person’s business, role, functions, or duties in a business or official capacity.
  3. As the Commission noted in Compliance and Enforcement Decision 2016-428, the conspicuous publication exemption and its requirements set a higher standard than the simple public availability of electronic addresses. These conditions do not create broad licence for the senders of CEMs to contact any electronic address found online, but rather provide limited circumstances in which consent can be reasonably inferred, to be evaluated on a case-by-case basis.
  4. For some of the messages sent by CompuFinder, the publication requirement was not met. For example, CompuFinder sent messages to an employee of an Ontario-based cable company, but the hyperlink that CompuFinder provided to support that it had implied consent was to a third-party directory website. The publication of the address on that website appeared to be a reproduction of a portion of a cached webpage from another source. General information on that site regarding its information-gathering practices did not give any indication that the listings were user-submitted. Conspicuous publication requires that the person to whom the message is sent publish, or cause to be published, the address in question. The reproduction of a person’s contact information by a third party on its own initiative does not satisfy this requirement.
  5. In another case, CompuFinder sent messages to an address associated with the operator of a Quebec-based martial arts school, which was also published in an online directory. In that instance, information on the site in question appeared to confirm that the database was driven by submissions from individual users. However, the site’s terms of use contained a disclaimer to the effect that users of the directory were not to send unsolicited CEMs to the addresses found in the directory. Therefore, the requirements of implied consent were not satisfied in this case either.
  6. In many more cases, the relevance requirement was not met. The company appears to have relied on the general public availability of electronic addresses, coupled with assumptions or speculation as to what the functions of the receiving organization or individual might be. It did not provide evidence to support these assumptions.
  7. CompuFinder sent messages to an individual it identified as a professor at an Ontario university, for example. However, both the heading on the page that CompuFinder referenced and the Web address the company provided identified the publication being referenced as a list of “professors emeriti” (retired professors). The page gave no indication of what responsibilities, if any, that person still had at their university that would have made CompuFinder’s messages relevant.
  8. CompuFinder also sent messages to generic or central addresses associated with some businesses (e.g. info@...). The investigation report took the position that this was not sufficient to establish relevance, and CompuFinder did not respond to this point in its representations. Even if the holder of such an email account is understood to be a company or organization in a general sense rather than an individual, the message must still concern the business or functions of that company or organization. CompuFinder did not provide supporting explanations or evidence to demonstrate how this requirement was met in these cases.
  9. Having reviewed each of the cases for which CompuFinder claimed implied consent on the basis of conspicuous publication, the Commission is unable to identify any case where CompuFinder has demonstrated that all of the elements set out in paragraph 10(9)(b) of the Act are satisfied.
  10. Further, pursuant to section 13 of the Act, CompuFinder had the burden of proving its position that messages were sent pursuant to implied consent. The Commission finds, on a balance of probabilities, that CompuFinder did not satisfy this burden in respect of the messages alleged to form the basis of the three violations of paragraph 6(1)(a) set out in the notice of violation.

Demonstration of due diligence  

  1. CompuFinder argued that even if the Commission were to determine that the violations of the Act occurred, CompuFinder should not be found liable on the basis that it demonstrated due diligence.
  2. Subsection 33(1) of the Act provides that “a person must not be found to be liable for a violation if they establish that they exercised due diligence to prevent the commission of the violation.” The onus is on CompuFinder to demonstrate that it was duly diligent, which generally requires it to show that it took all reasonable steps to avoid the violations in question.
  3. CompuFinder argued that beginning in January 2014, before CASL came into force, it began implementing a comprehensive CASL compliance program. According to the company, some of the steps it took included
    • hiring six new employees in April 2014 to conduct targeted outreach to clients to obtain consent;
    • sending express consent requests by email in April and May of 2014;
    • calling the Commission in June and September 2014 to obtain guidance regarding the “business-to-business” exemption;
    • achieving a compliance rate of virtually 100% with unsubscribe requests since the Act came into force on 1 July 2014; and
    • hiring a consulting firm in May 2015 to help develop a formal compliance program.
  4. However, some of these measures cannot be considered relevant to a potential due diligence defence in the circumstances, as they were taken after the period of the violations set out in the notice of violation (which ended on 16 September 2014), and therefore could not have had an impact on preventing or limiting them. For instance, CompuFinder has retained the professional expertise of a consultant to implement a formal compliance program, which is a laudable step toward compliance, but which took place after the violations in question.
  5. While other actions raised by CompuFinder demonstrate an awareness of CASL and its requirements, it is unclear what impact those efforts could have had on avoiding the specific violations at issue. For example, while CompuFinder argued that it began contacting clients by telephone prior to sending CEMs and sent emails seeking consent before the Act came into force, it did not argue that it had express consent in the case of any of the messages at issue, nor did it indicate how many of the recipients of the messages at issue were contacted in this way prior to being sent CEMs.
  6. CompuFinder pointed to two occasions on which it contacted the Commission to seek guidance, but it did not indicate to whom these calls were placed or what specific advice, if any, it received. Further, any uncertainty on CompuFinder’s part with respect to the “business-to-business” exemption was also not reflected in its actions; the company did not proceed cautiously and did not indicate that had it sought further advice from other sources, but rather adopted, and proceeded on the basis of, interpretations that, as set out above, the Commission considers were unreasonably broad and inconsistent with the regulations.
  7. CompuFinder’s argument that it achieved a compliance rate of virtually 100% with unsubscribe requests is not, on its own, persuasive in the circumstances. The company was sending messages during the period in question that contained an unsubscribe link that did not function correctly, which may have led some consumers to believe they could not unsubscribe. It is unknown how many consumers encountered this problem, or how many unsubscribe requests never came to CompuFinder’s attention because of this broken link. Moreover, CompuFinder indicated in its representations that it discovered and corrected the broken link in August 2014 (approximately two months after CASL came into force) as a result of complaints from consumers and not, for example, as a result of proactive testing or monitoring of its compliance with the Act.
  8. This is particularly relevant because shortly before CASL came into force, the Commission published an information bulletin providing guidance with respect to compliance programs.Footnote 17 This bulletin addressed and emphasized the importance of written policies, ongoing audit and monitoring mechanisms, procedures for dealing with third parties to confirm compliance, and adequate employee training. It specifically noted that the development of such programs could assist businesses in establishing a due diligence defence in the case of violations. It also generally mirrors similar guidance the Commission had given in the past with respect to the Unsolicited Telecommunications Regime, which it also administers.
  9. CompuFinder provided information with respect to the steps it took in preparation for the coming into force of the Act and the steps it took in response to learning about the Commission’s investigation. It did not, however, identify or speak to routine practices, written policies, auditing mechanisms, or monitoring of its compliance with CASL during the actual period of the violations, which would have served to prevent or mitigate the violations. For these reasons, the Commission finds that CompuFinder did not take all reasonable steps to avoid the violations in question and, therefore, has not established a defence of due diligence.

Conclusion

  1. The Commission has determined that CompuFinder sent 317 CEMs to recipients who did not consent to receiving such messages. CompuFinder did not demonstrate that the “business-to-business” exemption applied or that it had implied consent to send the messages in question.
  2. Of the 317 messages at issue, 87 contained a non-functioning unsubscribe mechanism.
  3. Finally, CompuFinder did not demonstrate that it had exercised due diligence to prevent the commission of the four violations in question. For these reasons, the Commission finds, on a balance of probabilities, that CompuFinder committed the three violations of paragraph 6(1)(a) of the Act and one violation of paragraph 6(2)(c) set out in the notice of violation.

Is the amount of the AMP appropriate?

  1. The notice of violation set out an AMP of $1,100,000.
  2. Subsection 20(3) of the Act sets out the factors that must be taken into consideration when determining the amount of an AMP:
    • the purpose of the penalty (which, pursuant to subsection 20(2), is to promote compliance with the Act and not to punish);
    • the nature and scope of the violation;
    • the person’s history with respect to any previous violation under the Act, any previous conduct that is reviewable under section 74.011 of the Competition Act, or any previous contravention of section 5 of the Personal Information Protection and Electronic Documents Act that relates to a collection or use described in subsection 7.1(2) or (3) of that Act;
    • the person’s history with respect to any previous undertaking entered into under subsection 21(1) of the Act and any previous consent agreement signed under subsection 74.12(1) of the Competition Act relating to conduct that is reviewable under section 74.011 of that Act;
    • any financial benefit that the person obtained from the commission of the violation;
    • the person’s ability to pay the penalty;
    • whether the person has voluntarily paid compensation to a person affected by the violation;
    • the factors established by the regulations; and
    • any other relevant factor.  
  3. CompuFinder has no history of violations or undertakings under the relevant acts. There is no information on the record of the proceeding to indicate that the company has paid compensation to any persons affected by the violations, and there are no applicable additional factors established by the regulations. Moreover, while it is clear that CEMs played a role in the marketing of CompuFinder’s business, the record does not contain any specific information about financial benefits tied to the violations.
  4. The investigation report, in summary, identified the following information as applicable to the remaining factors, or as additional relevant factors:
    • compliance with the Act can be promoted through the general deterrence associated with an AMP;
    • the non-compliant conduct consisted of sending messages without express or implied consent, including messages containing a non-functional unsubscribe mechanism, and instances in which unsubscribe requests were not appropriately processed;
    • the non-compliant conduct consisted of sending a total of 451 messages;
    • the company’s financial information reveals an ability to pay the proposed penalty;
    • CompuFinder was uncooperative with the investigation and demonstrated a moderate likelihood that there would be further violations; and
    • the proposed penalty is proportional in these circumstances.
  5. In the analysis that follows, the Commission will assess each of the relevant prescribed factors and the additional factors raised by the investigation report to the extent that the record before it allows, taking into account CompuFinder’s submissions.

Purpose of the penalty

  1. The investigation report stated that the purpose of the penalty, being the promotion of compliance with the Act, was achieved through general deterrence created by the AMP, and that the proposed penalty was not disproportionate to the violations.
  2. CompuFinder argued that the purpose of the penalty needed to be considered with a view to both general circumstances, including the relatively new nature of CASL, and its individual circumstances, including more recent efforts toward compliance with the Act, which suggested that a much more moderate approach would be appropriate. In CompuFinder’s view, the AMP set out in the notice of violation served the true purpose of punishment.
  3. The Commission has previously noted that general deterrence can be taken into account in imposing an AMP in the public interest. However, the objective of general deterrence cannot override the requirement that an AMP not lead to the imposition of true penal consequences.Footnote 18
  4. CASL permits for significant penalties, and the Commission recognizes that significant penalties will sometimes be necessary to deter non-compliance or to ensure that the risk of a penalty is not viewed by some as simply another cost of doing business. However, if the amount at issue is out of proportion to the amount required to achieve CASL’s regulatory purposes, this may suggest that it is a true penal consequence.Footnote 19
  5. The Commission must arrive at an amount that is representative of the violations that were committed and that represents enough of an impact on a person to promote changes in behaviour, both generally and specifically. However, if a penalty would preclude the person from continuing to operate on a commercial basis, it would also preclude that person’s compliant participation in the regulated activity going forward, which could be inconsistent with the regulatory purposes of the Act.
  6. In the present case, CompuFinder has committed multiple violations of the Act and, while there is some indication that CompuFinder may have temporarily slowed or ceased its sending of CEMs, pending the implementation of a compliance program, there is little to no detail available concerning these plans. In the circumstances, a penalty will promote compliance, both generally and specifically, by helping to reinforce the importance of, and incent adherence to, compliant practices.
  7. However, in the Commission’s view and in light of other factors discussed in this decision, the proposed penalty over-emphasizes general deterrence and appears out of proportion to the amount necessary to promote CompuFinder’s compliance specifically. Accordingly, consideration of the purpose of the penalty suggests that, while a penalty is required in the circumstances, a lower penalty than the one set out in the notice of violation would be appropriate.

The nature and scope of the violations

  1. The three message campaigns at issue took place over a period of approximately two and a half months. The Commission has concluded that these messages were sent without consent, resulting in three violations of paragraph 6(1)(a) of the Act, and that some of them did not conform to necessary unsubscribe requirements, which led to a violation under subsection 6(2).
  2. CompuFinder argued that the violations did not cause any practical harm of the type often associated with unsolicited CEMs, including fraud, harassment, malware, or other scams. CompuFinder emphasized that it is a legitimate business participating in the Canadian economy.
  3. Notwithstanding these arguments, the witness statements and written submissions made to the Spam Reporting Centre establish that the nature of these messages were, in general, disruptive and unwelcome, and caused nuisance to their recipients, and that the inability of some consumers to unsubscribe as a result of the non-functioning link caused further frustration. While it is true that the Act encompasses a wide range of activities, some of which are more harmful than others, it also encompasses these circumstances.
  4. However, the Commission has excluded from consideration a portion of the messages originally at issue in the notice of violation on the basis that key details concerning those messages were not adequately disclosed to CompuFinder in the investigation report. Specifically, as a result of these exclusions, there are a total of 317 messages at issue, rather than the 451 set out in the investigation report. The Commission has also found that one of the complaints with respect to the processing of unsubscribe requests arose out of a consumer not accurately specifying the addresses in respect of which they wished to unsubscribe.
  5. As a result, the scope of the violations is less than originally described in the notice of violation, though their nature was still sufficient to be disruptive to recipients of the messages. These considerations suggest that a penalty is required in the circumstances, albeit a lower penalty than the one set out in the notice of violation.

Ability to pay

  1. During the investigation, CompuFinder provided unaudited financial statements indicating that it had annual revenues of approximately $1.5 million, but profits of under $100,000. The investigation report pointed to certain transactions of interest that served to lower the company’s overall profits, including an advance to shareholders, an advance without interest to another corporation, and mortgages given to an employee. The investigation report also noted a property owned by the company valued at approximately $1.5 million, for which there did not appear to be a mortgage. The report suggested that the property could be leveraged to satisfy an AMP.
  2. In its representations, CompuFinder provided more recent financial statements that again reflected annual revenues of approximately $1.5 million and annual profits of just under $100,000. The company argued that it was unreasonable to base an assessment of its ability to pay on the company’s annual revenues or assets acquired over the entire period of its operation. CompuFinder did not speak to any of the transactions of interest identified in the investigation report that had served to significantly lower the company’s reported profits.
  3. CompuFinder also identified the $1.5 million property identified in the investigation report as the primary residence of the company’s owners, held by the corporation because they occasionally used it for business. It argued that the proposed AMP would force the company’s owners to sell their home, which would be inconsistent with the purposes of the law.
  4. In the Commission’s view, the annual revenues of an organization, particularly a small one that is privately and closely held, are in general a more reliable indicator of ability to pay than are the organization’s annual profits. This is because there are many ways for a corporation to choose to minimize its net income, whether through reinvestment in the company, ongoing or capital expenditures, or other means of moving money out of the business, such as those identified in the investigation report in this case.Footnote 20
  5. Further, CompuFinder did not provide a detailed analysis or evidence to support its assertion that the proposed penalty would force its owners to sell their home or force the closure of the business. While the more recent development of proceedings under the Bankruptcy and Insolvency Act would appear to lend some support to these concerns, it is again worth noting that CompuFinder did not make further representations with respect to this development, including how the development would affect its ability to pay.
  6. In the circumstances, the record contains certain indications that CompuFinder has the ability to pay the proposed penalty, but other indications that doing so could place CompuFinder’s ability to continue doing business at risk. On balance, the Commission considers that CompuFinder has some ability to pay, though consideration of this factor, especially taken together with the other prescribed factors, suggests that a lower penalty than the one set out in the notice of violation would be appropriate.

Cooperation

  1. Cooperation with an investigation is an important consideration that will be a relevant factor to the determination of an AMP under CASL in most cases, because it promotes more effective administration of the Act in several ways. For example, it promotes discourse with designated persons and enforcement staff, which may lead to undertakings or informal resolutions and, therefore, compliance in a more timely fashion without the issuance of a notice of violation. Considering cooperation as a factor also promotes compliance with other requirements under the Act, such as the obligations imposed by preservation demands and notices to produce.
  2. In this case, the investigation report identified a lack of cooperation on CompuFinder’s part following the issuance of a notice to produce, including missed deadlines and inconsistencies between materials identified for production and those eventually produced by CompuFinder.
  3. The Commission notes that the notice to produce in question was issued shortly after the coming into force of the relevant provisions of the Act, and that CompuFinder’s application for a review of that notice to produce was the first such application made under CASL. In these circumstances, the Commission does not consider that CompuFinder’s conduct following the issuance of the notice to produce represented attempts to frustrate or forestall the investigation into the company’s compliance with the Act. Further, there is no evidence that the investigation was unreasonably delayed as a result.
  4. These considerations suggest that, to the extent that CompuFinder was uncooperative during the investigation, this does not need to be a significant factor relevant to the calculation of the AMP amount in order to promote compliance. Accordingly, a lower penalty than the one set out in the notice of violation would be appropriate.

Self-correction

  1. Self-correction will also be a relevant factor in the determination of an AMP in most cases. The necessity for, or the amount of, a penalty may be diminished in circumstances where a person demonstrates that they have already undertaken efforts to comply with the Act and to correct deviations from its requirements as swiftly as possible. A person’s demonstrated reluctance or unwillingness to correct such deviations of their own accord may similarly increase the necessity for a penalty or the amount that will be considered appropriate.
  2. The investigation report asserted that CompuFinder had demonstrated a moderate risk of further non-compliance, for instance, because the Spam Reporting Centre continued to receive submissions regarding CEMs sent by the company after the date the notice to produce was issued.
  3. CompuFinder argued that while the notice to produce alerted it to the existence of an investigation, the notice alone did not provide sufficient information about the nature of the investigation for the company to know what problems it might need to correct. The company also reiterated that it had undertaken more recent steps to implement improvements to its systems, that it had retained both external counsel and the services of a consultant to help develop a formal compliance program, and that it had ceased sending CEMs until that program’s implementation.
  4. As noted above, the Commission does not agree that the company’s recent efforts to improve compliance result in a penalty no longer being necessary to promote compliance. However, the steps that CompuFinder has taken are positive indicators of the likelihood of self-correction, which suggests that a lower penalty than the one set out in the notice of violation would be appropriate.

Proportionality

  1. Finally, the investigation report considered the overall proportionality of the penalty to be an “other relevant factor.” In the Commission’s view, the proportionality of a penalty is best understood as a function of how the factors set out in the Act apply to the circumstances of an individual case. Generally speaking, if an AMP reasonably reflects the factors set out in the Act and other relevant factors, it will be proportionate and serve its regulatory purpose.
  2. For all the reasons set out above, the Commission considers that the proposed penalty is out of proportion to what is required to achieve regulatory purposes and to promote compliance with the Act going forward.

Section 11 of the Charter

  1. CompuFinder argued that a penalty in the amount set out in the notice of violation constitutes a true penal consequence and engages the protections of section 11 of the Canadian Charter of Rights and Freedoms (the Charter), which apply to persons who have been charged with an offence.Footnote 21
  2. Section 11 is engaged by monetary penalties that, by their magnitude, suggest that they were imposed for the purpose of redressing the wrong done to society at large rather than simply to secure compliance within a limited sphere of activity.Footnote 22
  3. The Supreme Court of Canada has explained that the key question is whether a monetary sanction is, in purpose or effects, punitive. If the amount is out of proportion to the amount required to achieve regulatory purposes, this suggests that it is a true penal consequence. That Court listed several factors to be considered, in addition to the magnitude of the penalty, which include to whom the penalty is paid, whether the quantum is determined by regulatory considerations or the principles of criminal sentencing, and whether there is stigma associated with the penalty.Footnote 23
  4. The Commission has considered these additional factors as they relate to the present case in Compliance and Enforcement Decision 2017-367, and has concluded that they do not, on their own, suggest that a true penal consequence has been imposed.
  5. The Commission considers that the magnitude of the AMP set out in the notice of violation does not appropriately reflect the Commission’s assessment, as set out above, of the applicable factors set out in section 20 of the Act and would not be proportionate to the violations of the Act in the circumstances.

Appropriate amount

  1. Having taken the investigation report and CompuFinder’s submissions into consideration in its review of the prescribed factors, the Commission determines that a total penalty of $200,000 is appropriate, in light of the circumstances of the case, and is reasonable and necessary to promote CompuFinder’s compliance with the Act.

Conclusion

  1. The Commission finds, on a balance of probabilities, that CompuFinder committed the four violations set out in the notice of violation, and imposes a total penalty of $200,000 on the company.
  2. The Commission hereby notifies CompuFinder of its right to appeal this decision by bringing an appeal in the Federal Court of Appeal within 30 days after having been served with a copy of this decision. An appeal on a question of fact may be brought only with the leave of the Federal Court of Appeal, an application for which must be made within 30 days after having been served this decision.
  3. The amount of $200,000 is due by 18 November 2017 and is to be paid in accordance with the instructions contained in the notice of violation. For any amount owing that is not paid by 18 November 2017, interest calculated and compounded monthly at the average bank rate plus 3% will be payable on that amount and will accrue during the period beginning on the due date and ending on the day before the date on which payment is received.
  4. If payment has not been received within 30 days of the serving of this decision, the Commission intends to take measures to collect the amount owing, which may include certifying the unpaid amount and registering the certificate with the Federal Court.

Secretary General

Related documents

Date modified: