
Avoiding Liability for Customers’ Canadian Spam Law Violations

Published: Nov. 15, 2018

Updated: Oct. 05, 2020

The Canadian Radio-television and Telecommunications Commission (“CRTC”) has issued guidelines for avoiding liability under Canada’s Anti-Spam Legislation (“CASL”) for assisting third parties in their violations. These guidelines and a recent CRTC enforcement action are a reminder to vendors providing marketing and advertising services that they can be held responsible for both their—and their customers’—CASL violations.

Section 9 of CASL prohibits aiding, inducing, procuring, or causing to be procured any act in violation of sections 6-8 of CASL. Sections 6-8 prohibit, respectively:

  • sending, causing, or permitting to be sent, commercial electronic messages without express or implied consent (including most unsolicited marketing emails);
  • altering, or causing to be altered, transmission data in electronic messages, in the course of a commercial activity without express consent (e.g., phishing); and
  • installing, or causing to be installed, a computer program on another person’s computer in the course of a commercial activity without express consent (e.g., distributing malware).

The CRTC says the guidelines apply to entities like electronic marketing companies, advertising brokers, and software and application developers and distributors. The guidelines recommend that such entities:

  1. Conduct due diligence of their customers, including both proactive diligence (e.g., validating customers, validating customer products, and researching customer reputational risks) and ongoing management and active oversight (e.g., audits and monitoring of customer activities).
  2. Implement written agreements that bind customers and their downstream clients to comply with CASL, such as including in terms of service a requirement that customers be compliant with CASL.
  3. Identify their vulnerabilities and implement robust compliance programs to address such vulnerabilities (e.g., regularly monitoring to detect threats and allocating resources to address security vulnerabilities).
  4. Understand their CASL liabilities, which can include strict liability for violations “even if they did not intend to do so or were unaware that their activities enabled or facilitated contraventions of…CASL by a third party.”

These CRTC guidelines come four months after the CRTC issued its first Section 9 enforcement action against two companies that sent emails on behalf of their clients (see press release and Summary of Investigation). In that action, the CRTC alleged the companies aided in the installation of malware through their distribution of their clients’ online advertising. One company was fined CAD $100,000 and the other CAD $150,000.