Industry Committee on Oct. 19th, 2017

Mr. Chairman, thank you to the committee for the invitation to present the Canadian Marketing Association's views on this important review of Canada's anti-spam law.

CMA's membership includes most major financial institutions, major retailers, large technology companies, and of course, many marketing agencies and related suppliers across the country. CMA was a member of the 2004 federal task force on spam, and we have long supported some form of regulation to encourage good electronic messaging practices and to deter spam. Our requirement for email marketing, including proper identification of senders, unsubscribe links and lists, opt-in for sensitive communications, all predated CASL by at least a decade.

CMA commends the government and Minister Bains for listening to stakeholders and recently suspending the private right of action. We believe these hearings are an important opportunity for parliamentarians to review the law to see if it's working as intended.

What effect has CASL had in the marketplace and is it well crafted to promote a positive e-commerce environment for both consumers and businesses? On the positive side, the law has encouraged wider adoption of good marketing practices. Companies are more aware and taking steps to ensure CASL compliance. Some surveys also indicate that many users feel they're getting less spam, although the filters provided by our own organizations and Internet providers do much to protect us from both the dangers and inconvenience of spam.

On the other hand, CASL has had very limited impact on the most damaging forms of spam: botnets, phishing scams, fraudulent product claims, malware, and the like all seem to be as prevalent as ever. Yet most CASL enforcement efforts seem to have been focused on legitimate companies sending messages to customers or prospects.

In addition, certain features of CASL have also created confusion and uncertainty for organizations, a concern compounded by the potential for the enormous penalties resulting from something like a broken unsubscribe link.

These uncertainties have a chilling effect on electronic marketing in Canada. Many businesses are avoiding legitimate email marketing campaigns out of fear of inadvertently running afoul of CASL. This effect is directly counter to CASL's stated objective of promoting the efficiency and adaptability of the Canadian economy.

Scott Smith from the chamber appeared here a couple of weeks back, and he mentioned that the chamber, Canadian Marketing Association, the Retail Council, and some other associations are surveying our members about CASL. Interim results are showing that over 40% of respondents indicate they are doing less electronic marketing since CASL took effect, that over 65% say that CASL has put their competitive edge at risk, and over 80% say that CASL is too complicated and confusing. We will be providing the committee with the complete survey results in another 10 days or so.

CMA has a number of suggestions to improve CASL, which we will capture in more detail in our written brief to the committee, but today I want to focus on six key issues and suggestions.

The first is business to business. CASL has created unnecessary barriers for businesses prospecting for new customers in the B to B environment. These limitations on email prospecting create inefficiencies with businesses resorting to more expensive and time-consuming contact methods. Particularly in the B to B environment, the issue of gaining consent, checking lists, and keeping detailed records becomes an impractical nightmare for organizations dealing with groups of salespeople who daily make any number of one-off communications.

We would suggest that CASL should be amended so it does not apply to B to B messages. This approach would be in line with the telemarketing regulations and the national do not call list.

Subsection 6(6) you've heard about already in some detail. It's created a lot of confusion as to what CASL is intended to cover since the messages described in subsection 6(6) are commonly referred to as transactional service security-type messages. Businesses aren't sure how to comply with that subsection. They are at risk if they don't, and if they do, they are likely to confuse their customers. The solution here is to amend CASL to make it very clear that it doesn't apply to transactional or service messages.

Like many others, CMA has argued that CASL should have used the PIPEDA approach to consent, with express consent required in relation to sensitive matters of communication, and valid implied consent required for most other commercial electronic communication and backed up, forcefully, with the unsubscribe offer on every message.

We hope the committee will consider looking closely at consent, but in the absence of such a fundamental change to the law, it should be noted that the current rules for implied consent are challenging for many organizations. The two-year and six-month rule that was mentioned a moment ago creates a systems and data entry headache for many small and medium-sized organizations. Every customer must be tracked so that a two-year clock starts ticking after their latest transaction.

When the two years expire, the organization loses the implied consent to message that customer, but there's an “unsubscribe” on every message and the consumer can opt out at any time, whether it's at two weeks, two months, 24 months, or 30 months. Why create a cumbersome 24-month rule for organizations? It's rather arbitrary, and it creates a serious data management challenge for organizations. Our solution to this would be to simply remove the unnecessary six-month and two-year definitions in the EBR and, where there's a customer relationship or interaction, permit messages to be sent based on implied consent unless or until the consumer signals otherwise.

We're also concerned about the burden of record-keeping. Some organizations are not even using the exemptions in the law because of the related record-keeping requirements, which are too onerous. You have examples. For example, if you obtain express consent from a customer at a retail counter, the CRTC has suggested that you should have a voice recording as evidence of that. The solution here is that the government, as opposed to the CRTC, should develop regulations indicating what are acceptable records and, we would hope, endorse reasonable, ordinary business records.

On the private right of action, I won't revisit the points of concern, because you've heard about them from many others. We simply propose that the private right of action is unnecessary. There are three regulators enforcing this law. The private right of action should be removed from the law or significantly narrowed so as to eliminate statutory damages and/or restrict its availability to ISPs.

On enforcement and penalties, the CMA considers that to date the penalties imposed under CASL are not proportional to the nature of the violations to which they relate. Massive penalties against legitimate companies that made minor errors while attempting to comply with CASL are creating a chill on legitimate marketing activity.

I'm going to ask David Elder to bring his legal expertise to bear and comment on the CRTC enforcement structure.

In the limited time I have, in addition to those two points that Wally raised about disproportionate penalties and perhaps the wrong target audience, I would say that part of the problem with CASL enforcement is that we don't know where the lines are being drawn when enforcement decisions are made and put out. We only get vague summaries, and we don't really know what sorts of decisions are being made and how this is being interpreted.

The other point I would make is that I think there's a structural flaw within the law, in that all of the powers—the enforcement investigation powers—are given to staff members of the CRTC. The GIC appointees of the commission don't have a role and can't provide any guidance or input unless and until a notice of violation is actually issued and a party decides to effectively appeal that to the commission.

Thanks, Dan.

Committee, Dan was very kind before this and said he'd pinch his fingers when I'm coming up to eight minutes, so I appreciate that, Dan.

My name is Andrew Schiestel. Thank you for having me.

By way of background, I'm the current president and chair of the London Chamber of Commerce, and president of tbk Creative, which is a web design and digital marketing agency based in London, Ontario with 20 staff members. I'm the founder of Lighten CASL, which is a not-for-profit organization committed to seeing CASL improved to be easier for companies to comply with while still protecting consumers. In 2015, through the London Chamber of Commerce, I was one of the authors of the Canadian Chamber of Commerce policy paper on CASL reform, which was delegate approved at the 2015 Canadian Chamber AGM. I currently serve on the Canadian Chamber of Commerce policy task force on CASL reform, and articles I've written on CASL have appeared in the Financial Post, The Globe and Mail, and The London Free Press.

I don't think anybody is denying that CASL had good intentions in its creation. We need anti-spam legislation that thwarts harassing CEMs, people who ignore unsubscribe requests, malicious spam, and cybersecurity threats. We need strong legislation to stop those malicious actions, but CASL overextended its aim, and it has left our Canadian companies in a situation where it's anti-competitive to comply with when they're competing against foreign companies. It's excessively expensive to comply with as well, and I'll give examples of both.

It's anti-competitive to comply with, so let's take a Canadian retailer for instance. They are going to run a sweepstake, which they will oftentimes do as part of thriving as a business. When they're setting up that page, they need to do a lot of things financially. They need to pay money to set up the page with web design costs. They have to spend money on a prize. They could be giving away a vehicle to a consumer. They spend money on legals. If they're in a certain province, like Quebec, they might register the contest with the proper regulator. There are human resource costs, advertising costs, and the list goes on.

What they'll then do is have an opt-in mechanism, a check box that's unchecked, and in my experience in the digital marketing profession, I find that, give or take, 50% of consumers, when they're entering these types of sweepstakes, will check that box. So then what the business is left with is a situation where they have expressed consent under CASL for the 50%, but then, for the other 50% who don't check the box, they don't have expressed consent, but they also don't have implied consent because the provisions of applied consent under CASL are too narrow. But that would be kind of a practical situation where consent may be implied, since the consumer gave the business their contact information in the first place.

All that might sound fine if Canada were in a vacuum, but we're not. We compete against companies around the world. In the same situation in the U.S., a retailer, a competitor to our Canadian company, is running a sweepstake. Under the CAN-SPAM Act, 100% of the leads that they get in they can send to them what CAN-SPAM calls commercial electronic mail messages, which are essentially the same thing as a CEM. When you break that down, a Canadian company in that situation can send CEMs to 50% of the leads they get in, and the U.S. company can send to 100% of the leads they get. The consumer is always protected because they can unsubscribe at any time. That's one of the instances that puts our companies at a competitive disadvantage.

Number two is that the act is excessively expensive for companies to comply with. I'm going to bring up—and this was brought up by Wally, with the CMA—the two-year and six-month rules. I think Stephanie also brought this up earlier. I'll give a real, pragmatic example of how a company can go about implementing this, because I've worked with companies who are grappling with this situation.

If you're a company, and you have a lead coming into your website—say it's a home renovation company—under CASL, you have two years from the date of last purchase and six months from the date of inquiry if the consumer doesn't provide express consent. Here's where it gets tricky. You need to spend money on a software solution that will know to purge that user after six months from the date of that inquiry. If the consumer purchases a product, you have to reset the timeline to purge them in your system two years from the date of that purchase. If they purchase again, your software solution has to reset it again. If they provide express consent during that two-year period, then you change the label, and now it's express consent. If they buy another product, it has to have the intelligence not to reset as two years, though, because they provided express consent. Is anybody confused yet?

That's one of the fundamental issues with CASL. The real cost of that is minimum five figures, and definitely six figures in a lot of instances, to build and maintain software to do that. You have to integrate it into your CRM or ERP, communicate through a bridge with your email marketing software, and vice versa. It has to go back and update accordingly. It's a big software project.

Take that one instance and scale it out now to the approximately 1.17 million companies in Canada, and you're looking at a very problematic situation for our economy and our Canadian businesses.

On September 26 the INDU committee had CRTC in and the conversation kept coming up about more education. Businesses don't need more education on spam. CRTC has probably done a very good job on the balance of things with education. I think businesses, on the balance of things, are very capable people. What we need is legislation that's improved to be easier for businesses to comply with while still protecting consumers. I think fundamentally it's an issue with the act itself. That's why we're still doing all this training after three years.

Also, what I've just said above isn't theoretical. It's actually happening every day in our businesses. I'm going to give two examples.

Earlier this year I spoke with a financial services company with 600 employees based in southwestern Ontario. They sell RRSPs, mortgages, bank account services, etc. I chatted with a vice-president and a marketing manager there. They told me that when somebody inquires on their website, they do not send out any group CEMs to that person even though that consumer provided them their email. They said that they do not want to take the risk of violating CASL with the six-month rule so they would rather not send out group CEMs at all in that instance. But this is a situation where the consumer has actually provided this company their information in the context of receiving services down the road. Again, if Canada were in a vacuum, that would be fine, but they compete against fintech companies all over the world that are emailing Canadians all the time ignoring CASL, or not even aware of CASL.

As a second example, earlier this year I spoke with a software company. They have 100 employees, and they sell globally. I spoke with the director of marketing. She told me they went through a recent web design project where they had to build a form for users to contact them from around the world and they had a decision to make. With option A they needed to have a form that would be dynamic, so if a Canadian put in their information, it would switch the information so that it complied with more stringent consent requirements under CASL. With option B the form would be static so it's universal, but they won't send CEMs to Canadians to fill out the form. They'll only use the phone. Guess what option they chose? Option B. They chose to have it static and they won't send CEMs to Canadians for filling out that form. They'll only use the phone in that case. It's not worth the risk to them.

What can be done? Number one, I would recommend expanding the circumstances in which implied consent is present. Here are some examples. If one party gives their information to another party, call it consent. Two people mutually connected on a social networking or instant networking website call that consent as well. As other witnesses said, remove the two-year and six-month rules. A consumer might not be ready to buy another house from the realtor within two years, but there still might be an affinity there and they can unsubscribe at any time. Remove those rules. Google and Shopper Sciences did a study and some purchases take over one year to actually complete, especially when it comes to tech and appliances.

In the coming weeks, look for the Canadian Chamber to provide some additional recommendations on some of the nuances of CASL reform and some of the software recommendations.

Thank you to the INDU committee for the important work that you're doing. CASL can be improved to be easier for companies to comply with while still protecting consumers. By finding the right balance with this policy, we can set Canada up to thrive in the digital economy.

Thank you, and thank you, Dan, for the extra 30 seconds.

Well, I think clarify in the law, for starters, how the penalties are set up. The penalties section just applies broadly to messaging, malware.

The government really could send a strong message, and I think this needs to be done by government, by putting in place the necessary regulations that would instruct the business community and the enforcement agency how they are to apply penalties. I'll let David Elder speak—

That's correct.

Right.

Yes, and I would add that if Canada has some of the most stringent anti-spam legislation in the world, I think one of the problems with that is that oftentimes companies and regulators in different countries prefer that regulations match each other so that they're more universal. Maybe one thing to look at would be to try to get CASL more in alignment with what may be common, more international standards.

For instance, I think it would be very hard for our Canadian regulators to go to the U.S. right now and to try to fine a U.S. company up to $10 million for sending out commercial electronic messages to Canadians that perfectly comply with the CAN-SPAM Act. I don't think that would happen.

To my knowledge, based on CRTC's and ISED's testimony, there have been no fines to date against foreign entities under CASL. To date there have been eight fines and they've all been against Canadian entities. Something needs to be done to go after more foreign entities. I think one of the ways to do that is to create better alignment with the legislation where those foreign entities are so that regulators are going to be more willing to actually enforce our laws or their own laws against those spammers.

I think in the September 26 meeting someone cited a Toronto malware takedown. Some of my other colleagues may know more about that. There was one citation that I'm aware of.

I would say that's so to some degree. I would say there have been probably a couple of instances in which it looked as though some people may not have been following unsubscribe mechanisms. I think the legislation should be improved so that it's properly thwarting the harassing type of CEMs. That includes when somebody is ignoring unsubscribe mechanisms, as well as malicious spam and malware types of stuff.

Thank you for the question, Mr. Baylis.

I would give an answer similar to the one I would have given to your first question, and what I think is an excellent suggestion, which is to amend the provisions having to do with the administrative penalties and compliance and enforcement with that consideration of intent, so that those really stiff fines are focused on those fraudulent and malicious intentional spammers. Doing that would do two things. It would not only get at the real issue and clean up, as you correctly say, our own backyard, but it would also create a more stable and certain business environment that would allow Canadian retailers and other Canadian businesses to prosper. It's a win-win, and my suggestion would be to amend that section and include a consideration of intent.