Another anti-spam enforcement action recently took place in Canada, this time led by Canada’s federal privacy regulator, the Office of the Privacy Commissioner (OPC).
This enforcement action is the first time the OPC has publicly found an organization to have violated the general restriction under Canada’s federal privacy law against the non-consensual collection of electronic addresses via computer programs or the use of such addresses—a restriction that was introduced into law when Canada’s anti-spam law (CASL) was enacted.
This enforcement action also represents the first time the OPC entered into a formal “compliance agreement” with an organization alleged to have violated Canadian privacy laws—a power the OPC gained in July 2015. A compliance agreement with the OPC contractually requires an organization to take certain steps to comply with privacy laws, and gives the OPC additional means to enforce the agreement if breached.
Compu-Finder is a professional training company that sent emails to hundreds of thousands of business email addresses promoting training courses in 2014. An investigation by the OPC revealed that Compu-Finder harvested many of these email addresses using commercial email address harvesting software, as well as an in-house software tool that it developed on its own. In March 2015, as part of an enforcement action brought by a separate regulator under CASL, Compu-Finder was issued a Notice of Violation with an accompanying administrative monetary penalty of CAD $1.1 million for allegedly sending emails to recipients without their consent, among other things.
The OPC determined that Compu-Finder contravened the relatively new prohibition under Canada’s federal privacy law against the non-consensual collection and use of “an individual’s electronic address, if the address is collected by the use of a computer program that is designed or marketed primarily for use in generating or searching for, and collecting, electronic addresses.” Although Compu-Finder claimed that it did not collect any email addresses using address harvesting software while the prohibition was in force, the OPC found that Compu-Finder used such email addresses after the provision came into force and therefore violated the provision.
The OPC also found that Compu-Finder contravened Canadian privacy laws in a number of other ways, including by failing to appoint an individual to be accountable for its privacy compliance obligations and using individuals’ personal information without their consent. Some of the remedial measures that Compu-Finder must undertake under its compliance agreement with the OPC include:
- Appoint an individual to be accountable for its privacy compliance;
- Train its staff in respect of its privacy obligations and policies; and
- Maintain appropriate records and evidence of the consent it obtains from individuals to use their personal information.
Organizations should ensure that they not only avoid using address harvesting tools to collect electronic addresses without individuals’ consent, but also refrain from using any electronic addresses that may have been collected using such tools. In this regard, organizations should ensure that they are able to trace the origin of all of the electronic addresses they use for marketing purposes, and have verifiable records of any consents to receive emails associated with those addresses.
If an organization is unsure of how it obtained an electronic address or the purposes for which it may be used, it may be prudent to delete the electronic address altogether. Once class actions and private causes of action are available for contraventions of CASL starting in July 2017, the potential costs of non-compliance will become much more severe.
Contributor: Jonathan Tam