Avoiding Liability for Customers’ Canadian Spam Law Violations

Published On November 15, 2018 | By Michelle Anderson and Mason Weisz | General, Privacy
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

The Canadian Radio-television and Telecommunications Commission (“CRTC”) has issued guidelines for avoiding liability under Canada’s Anti-Spam Legislation (“CASL”) for assisting third parties in their violations. These guidelines and a recent CRTC enforcement action are a reminder to vendors providing marketing and advertising services that they can be held responsible for both their—and their customers’—CASL violations.

Section 9 of CASL prohibits aiding, inducing, procuring, or causing to be procured any act in violation of section 6-8 of CASL. Sections 6-8 prohibit, respectively:

  • sending, causing, or permitting to be sent, commercial electronic messages without express or implied consent (including most unsolicited marketing emails);
  • altering, or causing to be altered, transmission data in electronic messages, in the course of a commercial activity without express consent (e.g., phishing); and
  • installing, or causing to be installed, a computer program on another person’s computer in the course of a commercial activity without express consent (e.g., distributing malware).

The CRTC says the guidelines apply to entities like electronic marketing companies, advertising brokers, and software and application developers and distributors. The guidelines recommend that such entities:

  1. Conduct due diligence of their customers, including both proactive diligence (e.g., validating customers, validating customer products, and researching customer reputational risks) and ongoing management and active oversight (e.g., audits and monitoring of customer activities).
  2. Implement written agreements that bind customers and their downstream clients to comply with CASL, such as including in terms of service a requirement that customers be compliant with CASL.
  3. Identify their vulnerabilities and implement robust compliance programs to address such vulnerabilities (e.g., regularly monitoring to detect threats and allocating resources to address security vulnerabilities).
  4. Understand their CASL liabilities, which can include strict liability for violations “even if they did not intend to do so or were unaware that their activities enabled or facilitated contraventions of…CASL by a third party.”

These CRTC guidelines come four months after the CRTC issued its first Section 9 enforcement action against two companies that sent emails on behalf of their clients (see press release and Summary of Investigation). In that action, the CRTC alleged the companies aided in the installation of malware through their distribution of their clients’ online advertising. One company was fined CAD $100,000 and the other CAD $150,000.


About The Authors

Michelle Anderson counsels clients on a range of privacy, security, and consumer protection matters. She works closely with clients to understand their goals and risk profiles to help develop strategies for compliance with domestic and international privacy and security laws and regulations.

Mason helps clients navigate a constantly shifting web of domestic and international laws regulating data collection, marketing, data sharing, computer crime, data security, electronic surveillance, online content, children’s privacy, financial privacy, information management, and other areas of privacy and Internet law. A former web designer, he has extensive experience with issues relating to digital media, new technology and e-commerce.