You may have heard about the Notesolution Inc’ s undertaking with the CRTC to come into compliance with CASL announced Sept 21, 2020. We were curious why CRTC attached a monetary penalty of $100,000 – admittedly a stiff fine during a period that sees few fines under this law. This is only the 3rd fine since Minister Bains “indefinitely postponed” the private right of action (June 7, 2017) – meant to be the primary enforcement tool for CASL.

What are the “alleged violations”

The alleged violations of paragraphs 6(1)(a), 8(1)(a), 10(1)(a), 10(3), 10(4), and 10(5)(a) of the Act as well as sections 4 and 5 of the Electronic Commerce Protection Regulations (CRTC) SOR/2012-36 (the Regulations (CRTC)).

So this is why the CRTC entered into an Undertaking with Notesolutions Inc.  Let’s unpack that by looking at each section of the laws (and regulations) they allegedly violated. Let’s start with:

Section 6(1)(a):

6 (1) It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless

(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and

So clearly Notesolutions Inc could not prove consent – express or implied – for emails it was sending. This is a core requirement of CASL and has been quoted in many of the violations and undertakings to date. It is important to note that “having” consent and “proving ” consent are two very different distinctions. Many organization claim they have consent. But can they PROVE it ?

 

Installation of computer program

8 (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless

(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); or

“The Chief Compliance Enforcement Officer (CCEO) at the CRTC alleged that OneClass installed a computer program, namely the “OneClass Easy Invite Chrome Extension”, in the course of a commercial activity, on the computer systems of post-secondary students between October and November 2016, without their express consent and setting out the purpose for which consent was being sought. The CCEO further alleged that OneClass should have been aware that the “OneClass Easy Invite Chrome Extension” would cause the computer system to operate in a manner contrary to the reasonable expectations of the owners or authorized users of those computer systems, namely by collecting personal information stored on the students’ computer systems, including username and password credentials.”

This too is a core requirement of CASL (Section 8) which states that consent is required to download software on any device.

Express consent — sections 6 to 8

10 (1) A person who seeks express consent for the doing of an act described in any of sections 6 to 8 must, when requesting consent, set out clearly and simply the following information:

(a) the purpose or purposes for which the consent is being sought;

This is similar to the first 2 alleged violations. OneClass could not prove that consent to send messages or download software exists.

(3) A person who seeks express consent for the doing of any act described in section 8 must, when requesting consent, also, in addition to setting out any other prescribed information, clearly and simply describe, in general terms, the function and purpose of the computer program that is to be installed if the consent is given.

This section means OneClass did not properly INFORM individuals when downloading the software.

(4) In addition to the requirements set out in subsections (1) and (3), if the computer program that is to be installed performs one or more of the functions described in subsection (5), the person who seeks express consent must, when requesting consent, clearly and prominently, and separately and apart from the licence agreement,

(a) describe the program’s material elements that perform the function or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system; and

(b) bring those elements to the attention of the person from whom consent is being sought in the prescribed manner.

This is part of the notification process when collecting consent. You must be transparent and inform the individual providing the consent, exactly what the download will do and why it is required. The following was also included:

Description of functions

(5) A function referred to in subsection (4) is any of the following functions that the person who seeks express consent knows and intends will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or an authorized user of the computer system:

(a) collecting personal information stored on the computer system;

(b) interfering with the owner’s or an authorized user’s control of the computer system;

(c) changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system;

(d) changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system;

(e) causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system;

(f) installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system; and

(g) performing any other function specified in the regulations.

In this case the download changed the behaviour of the computer. The CCEO deemed this as especially aggregious as previously mentioned.

Section 4 makes it clear what is required when seeking consent:
Information to Be Included in a Request for Consent
4 For the purposes of subsections 10(1) and (3) of the Act, a request for consent may be obtained orally or in writing and must be sought separately for each act described in sections 6 to 8 of the Act and must include

(a) the name by which the person seeking consent carries on business, if different from their name, if not, the name of the person seeking consent;

(b) if the consent is sought on behalf of another person, the name by which the person on whose behalf consent is sought carries on business, if different from their name, if not, the name of the person on whose behalf consent is sought;

(c) if consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is sought; and

(d) the mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person seeking consent or, if different, the person on whose behalf consent is sought; and

(e) a statement indicating that the person whose consent is sought can withdraw their consent.

This section clearly states what proving consent means under various circumstances. We have seen a lot of companies defining this for themselves. You should know that during investigations the CRTC gives far more weight to their “stated definitions” than your “interpretations”. Part of a good compliance program should ensure you are operating to the minimal standards set by the legislation, not your perceptions of the law.

The final Section of alleged violation is Section 5 of the Electronic Commerce Protection Regulations (CRTC):
Specified Functions of Computer Programs
5 A computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the person from whom consent is being sought separately from any other information provided in a request for consent and the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.

Note, this requires a positive action on the part of the individual giving consent. To assume consent just because you made it clear, does not meet the measure of the regulations.

It is also important to note that Notesolutions Inc was very co-operative during the investigation. We belive the AMP would have been 10x higher and it would have taken the “undertaking” off the table. Without co-operation this could have been a “violation” which states they have been found guilty of these violations and they are on the record as being found guilty of all charges.

In addition to $100,000 AMP, Notesolutions Inc has agreed to “undertake to develop and implement a compliance program addressing the sending of CEMs. This compliance program will include:

corporate compliance policies and procedures;
training and education for employees of OneClass; and,
monitoring, auditing and reporting mechanisms,
In addition, OneClass will monitor and review its policies and procedures to determine whether any have the effect of providing incentives for employees to violate the Act and the Regulations (CRTC) and, if so, OneClass undertakes to eliminate such incentives.

Finally, OneClass will register and track CEM complaints and the subsequent resolution of those complaints. OneClass will also implement effective corrective measures for compliance failures and will maintain regular communication with the Commission from time to time to determine compliance with the Act and the Regulations (CRTC).”

Check Also

EU confirms PIPEDA’s adequacy status under the GDPR

In a Report issued two weeks ago,[1] the European Commission advised that i…