What do an online dating site, a multinational food manufacturer, a Canadian airline, and an online training provider have in common? They have all, within the last year, been found to be in violation of CASL. Plenty of Fish, Kellogg’s, Porter Airlines, and Quebec-based Compu.finder have each run afoul of the CRTC and together have paid over $1.35 million in fines.
Most recently, Blackstone Learning Solutions Group’s understanding of implied consent ran afoul of the CRTC’s standards.
First Implied Consent Finding
Blackstone was fined by the CRTC for failing to produce acceptable evidence to support a claim of implied consent. The company sent more than 385,000 emails across 9 campaigns within a span of 2 months, offering its services as an online training provider to employees of federal and provincial government organizations. The company, whose clients include numerous government ministries and non-profits, gathered the email addresses from government websites and relied on “guidance provided by an official at the Department of Industry” (5). Blackstone insists that implied consent was provided in that the email addresses it used were publicly available and did not have a “withdrawal of consent” notation accompanying them.
The original fine of $640,000 was reduced to $50,000 after it was proven that the original amount was equal to several years’ worth of the company’s revenue (52). According to the CRTC, $50,000 was considered more “proportionate to the violation” and having to pay the previous amount would have prevented Blackstone from “operating on a commercial basis”.
In other words, the original amount would have financially crippled them.
What This Means for Implied Consent
The Blackstone case has provided the CRTC with a number of firsts:
- it is the first time that a company has appealed a ruling;
- it is the first time an issued fine has been reduced; and
- it is the first real test of implied consent.
According to the report, although the company may have had implied consent, they could not produce acceptable proof of it. Most frightening is paragraph 30 of the decision:
“…Blackstone provided no supporting information to the Commission with respect to where or how it discovered any of the recipient addresses in question, when it obtained them, whether their publication was conspicuous, whether they were accompanied by a statement indicating that the person does not want to receive unsolicited commercial electronic messages, or how the company determined that the messages it was sending were relevant to the roles or functions of the intended recipients.”
Based on that statement, to prove you’ve obtained implied consent you will need a record of:
- where/how an email was discovered;
- when it was discovered;
- why you believe your content would be relevant to the receiver; and
- confirmation that no withdrawal statement was attached to the email in question.
You may also be required to provide physical proof of items one and four for every email in your database. Some lawyers have gone so far as to recommend re-verifying implied consent before every email campaign. In this case, that would amount to tens of thousands of records.
What Can Your Business Do?
Clearly, implied consent is not only hard to prove for new lists, but nearly impossible to prove for older ones. Gone are the days when simply finding John Doe’s email on the web was enough. The burden of proof lies with the email sender, and the lack of clear guidelines leaves too many compliance policies to businesses’ best guess.
Organizations are faced with limited options:
- Scrap your email programs entirely, forgoing significant revenue in the process.
- Gut your email list of anyone for whom you don’t have detailed records of express consent – a massive blow to businesses that have been building their databases for as long as 20 years before CASL was a factor.
- Find a way to maintain more detailed records and hope that what you have will satisfy the CRTC.
Those that don’t take any action risk a potential fine of up to $10 million (the maximum possible penalty). Time is running out – business leaders must be able to answer the question “how do I ensure I can prove consent for each and every email address in my database?” While the CRTC has thus far declined to commit to clear guidelines on a minimum Standard of Proof, there are some simple steps you can take to improve your chances of compliance. Unfortunately, we have found that most businesses are not taking even these most basic of steps.