In December 2017, the INDU Committee released the CASL Review. According to the Report: “The statutory review of CASL took place between September 26 and December 12, 2017. Throughout that period, the Committee held 13 meetings, heard from 41 witnesses and received 29 briefs from a wide array of stakeholders and experts. The recommendations presented herein to the Government of Canada carefully reflect and acknowledge the evidence and concerns received by the Committee.” Dan Ruimy, M.P.
Let’s review a couple of the RECOMMENDATIONS and evaluate – almost 3 years later, how well we are doing actually implementing those changes.
RECOMMENDATION 1
The Committee recommends that the Government of Canada amend An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (the Act) in order to adopt “Electronic Commerce Protection Act” as its short title.
As of July 4, 2020 the current government refers to CASL as “AN ACT TO PROMOTE THE EFFICIENCY AND ADAPTABILITY OF THE CANADIAN ECONOMY BY REGULATING CERTAIN ACTIVITIES THAT DISCOURAGE RELIANCE ON ELECTRONIC MEANS OF CARRYING OUT COMMERCIAL ACTIVITIES, AND TO AMEND THE CANADIAN RADIO-TELEVISION AND TELECOMMUNICATIONS COMMISSION ACT, THE COMPETITION ACT, THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT AND THE TELECOMMUNICATIONS ACT” The name of CASL has NOT been changed to “Electronic Commerce Protection Act” as the report recommended. By most accounts, this would be a very simple change and could have been done the next week, yet here we are, 3 years later and all we hear are crickets.
RECOMMENDATION 13
The Committee recommends that the Government of Canada, the Canadian Radio-television and Telecommunications Commission, the Competition Bureau and the Office of the Privacy Commissioner of Canada replace the phrase “Canada’s Anti-Spam Legislation” by the short title “Electronic Commerce Protection Act” and the acronym “CASL” by the acronym “ECPA” in all guidance and enforcement materials as well as other publications on every support, including fightspam.gc.ca.
So 2 of the 13 recommendations dealt with the name of the Act. As a marketer, I always try to name a product or service in a way that everybody “gets” it – just by it’s name. The Canadian Anti Spam Legislation (CASL) is pretty clear to me. It is about reducing spam. I believe 10 years in, most Canadian business people at least know there is a law preventing spam and it is called CASL. Some of them may see it as “the government’s plan to take away a free marketing tool from them”, but that’s a whole other rant for another day.
I am not as clear about the Electronic Commerce Protection Act (ECPA) as this conjures up ” online retail rules” more than it does “reduce spam”. Now remember, this is brought to you by the same people who changed the department called Industry Canada to the Innovation, Science and Economic Development (ISED). Clearly it was named “by committee” rather than by marketing genius – just saying’.
All this to say, NOTHING has happened since Minister Bains “indefinitely postponed” the Private Right of Action – section 47 of the Act on June 7, 2017, a mere 3 weeks before the July 1, 2017 date that would have seen the law come into full force. If I recall, the significance of July 1, 2017 was the end of the grace period for re-building your email lists and the introduction of the primary enforcement tool – the PRA. This is the date when the public (who are the primary recipients of the emailed spam messages) could seek $200 per message received without the sender being able to prove consent. This scared the daylights out of most Canadian business people. Why? After 7 years of this law being passed, they had still not changed their practices. They were not CASL compliant and they were afraid the public would out them. After all – any company that was truly CASL compliant would be able to make a PRA go away very quickly if they could simply provide the proof of consent.
Did this “step backward” completely undermined the CRTC’s plans for enforcement?
I have no access to the CRTC’s actual enforcement strategies but looking back one can clearly see the first 18 months (July 1 – 2014 – December 2015) were spent providing guidance documents and issuing violations that set the tone for how they intended to enforce this law. Brands like Rogers, Porter Airline, Kelloggs, and several others were issued AMPs for not having consent and using non-working unsubscribe mechanisms. The CRTC then went in to an 18 month period (January 2016 – July 1, 2017) in which they forged International agreements so they could actually enforce CASL around the world. A few (very few) fines were issued during this period but clearly their focus was to set the foundation for enforcement while waiting for the primary enforcement tool to kick in – the Private Right of Action.
Since that announcement a little more than 3 years ago by Minister Bains, the CRTC has issued:
- 2 “Enforcement Advisories” regarding the collection of data via in-store WiFi access and advice for the Web Hosting Service Industry.
- One violation (Datablocks and Sunlight Media for a total of $250,000) and
- 4 “Undertakings” – 2 without AMPs (Ancestry.com and Blacklock’s Reporter) as well as one with a $100,000 AMP (514 BILLETS) and one personal one to Mr Halazon for $10,000.
In other words, without the primary enforcement tool – The Private Right of Action – is CASL being aggressively enforced despite #10 of the Digital Charter announced in May of 2019 – “10. Strong Enforcement and Real Accountability: There will be clear, meaningful penalties for violations of the laws and regulations that support these principles.” (was the Digital Charter just more “talk”? We have certainly not seen any “walk”)?
And clearly the “indefinite postponement” of the Private Right of Action on June 7, 2017 has undermined the enforcement of CASL.
Remember, PIPEDA, with the exception of Breach Notification rules introduced in November 2018, has not been updated since 2000 – despite 20 years of technological leaps and bounds where our data is being scrapped and used at the will of large corporations and bad actors around the world. 20 years ago we could not even imagine the things we read in our daily news regarding the breaches and misuse of our privacy and data protection.
Make no mistake, the policy team at ISED are extremely well-versed on privacy and data protection. They spent considerable time with the authorities in the EU as the GDPR was being finalized and enforced. They have met numerous times with the AG in California trying to understand the CCPA which has recently come into force. As advisors to the world privacy professionals, they know what to do.
In summary, this federal government has talked a decent game when it comes to privacy and data protection and NOTHING has actually been done. To be clear people like Ann Cavoukian and Michael Geist, along with our current Privacy Commissioner Daniel Therrien and all Provincial Commissioners have encouraged and provided exceptional counsel (persistently), yet here we are in 2020 with no real enforced data protection and privacy framework for Canadian citizens. Back in school, that would have resulted in an “F” on any report card.
There are 2 questions that speak to the heart of the matter:
- Is the lack of action just having the political will to act?
- What can we do?
We can ask our M.P. (https://www.ourcommons.ca/members/en) to send a note to the PM, asking him to take action to protect Canadian’s privacy and personal data.
We read about breaches every day. Our personal information is the “fodder of the internet” as Google, Facebook, bad actors and even “legitimate” corporations use it for their own purposes because “our competitors are doing it”. Enough already. Stop the insanity.
Let’s update PIPEDA and CASL and start enforcing it in a meaningful way. #updatePIPEDAnow.
After all, we have many other things to be concerned about.
This one is a no-brainer.
Derek Lackey, CIPM is the Chairman of the Response Marketing Association, Managing Director of Newport Thomson, a data protection and privacy trusted advisory and a Board member of BTPAC. He wrote a book called CASL Compliance: A Marketer’s Guide to Email Marketing to Canadians and is Chair of the WG on Guidance for the Canadian Advisory Council on GDPR, a member of the ISO 31700 – Privacy by Design for Consumer Products committee, a member of the Data Governance Standardization Collaborative and the CEN CENELEC JTC 13 on Cybersecurity and Data Protection.
Privacy Isn’t Dead. Far From It.
Welcome! The fact that you’re reading this means that you probably care deeply about…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
