Industry Committee on Oct. 24th, 2017

It would not hurt us. It would benefit us and IoT is a lurking giant that should scare us all.

Sure. Thanks for the question.

From a large business perspective, you gather the resources and you do what you need to do to comply. As someone who has worked on implementing CASL internally at a few organizations, but also in working with external counsel and my colleagues in other companies, and the discussion we have at the CBA across the different sections as well, it is truly amazing the amount of time spent, and org charts and step-by-steps that you have to develop in order to make sure that you're actually complying with all the different pieces because it is unnecessarily complex. You shouldn't need a lawyer to implement CASL, and unfortunately, you do. When you think of a small enterprise where they have a few employees, or larger ones—and you heard from the Canadian Marketing Association, an organization which in about 2025 may have spent upwards of $40,000—it's mind-boggling.

Once again, the idea is not to get rid of CASL, but rather to have it focus on what it should be focusing on. For small and medium-sized enterprises to be sending electronic communications to their customers or trying to do prospects, even before CASL came around, people used to insist on consent. However, it's all the little things you need to do to ensure that you have complied that bogs everybody down and it's the fallout from the non-compliant element. If it were more akin to PIPEDA, on which we heard from Commissioner Therrien before, it's a complaints-based model. If you make a mistake or you have a judgment call that you make that's not quite agreed to by everybody else, you have an opportunity as an organization to make it right without necessarily seeing yourself subject to a very formal investigation or fines.

Unfortunately, in the way it's been enforced here in Canada by the CRTC, it has had a chilling effect. You don't want to be that organization that then has to have a settlement agreement or notice of violation.

To your question, if the $40,000 that the Canadian Marketing Association...which would be a trade association really trying to do the right thing, you can't just really wing it, because if you do, then you're subject to potentially being found to be not compliant. If the CRTC were to send back to individual organizations right away any complaint that they got, that would be an opportunity for organizations, small and large alike, to see what changes they need to make.

There are some things that a small organization would have to deal with. Once they got over how broad the definition is, they would have to look at the unsubscribe requirements. No one has an issue with unsubscribing, but we also have to add some of the managing consents, separate consents, for all the different elements. With the record-keeping obligations, which are fairly onerous, you have to be able to show at every instance which consent you're relying on and how you obtained it. There's the way they have to manage their lists. Once you have an existing business relationship, you leave.... I'm sending you emails for two years, but then after that, I have to stop because the law says to. It's all these little artificial things that get in the way of just everyday, appropriate business practices.

Those are some of the elements that small and medium-sized enterprises in particular would have to deal with.

A lot of the compliance efforts and a lot of the consulting that I've seen done really focus on education. Sure, you need someone who understands the law, you need maybe a legal opinion on a few business practices, but there are lots of solutions, many free, many paid for. Obviously if you pay, you get better service and support to manage consent tracking, daytime tracking, even to manage the idea of taking screen shots at the point of data collection and tracking what forms look like. There are solutions out there. Not all of them are onerous to use; not all of them are expensive to use, either.

Is $40,000 for an organization a lot of money to comply? Honestly, I don't necessarily think it is for most mid-sized businesses. Smaller businesses, sure, but smaller businesses also tend to have very small email lists and they may very well know every person who's on their list, so they're not going to be necessarily looking at.... They know where their consumers come from. They have transaction purchase data; they have that history. It's just organizing it in a way that makes it accessible and easy to understand.

There was a question earlier in the panel around six-month implied consent versus two-year implied consent. All of those things are built into marketing automation platforms now. You can track the date the consumer subscribed. You can assign a flag to them to say this is a six-month implied consent, this is a two-year implied consent, an express consent. You can build the logic right into the marketing platforms that will either suppress those users when they've reached their end-of-life cycle or will notify those users, or build some sort of communication plan proactively into reaching those consumers before they reach their expiry.

Sure. There are the right ways to do third party communications and there are the wrong ways to do third party communications. CASL actually allows for both, unfortunately.

The right way that typical people will look at doing third party communications in regard to even the idea of list rental is similar to the idea of taking out a full-page ad in a newspaper. I will give you my advertisement, you will send it to your communication list because you have the proper consents and can manage the unsubscribes. I don't see any of the addresses until people choose to either take my offer or engage and give me some type of consent directly. That's the right way to do third party communications.

The other way really comes down to the idea of, “I have a list. Here you go. Please feel free to send it based on our contractual agreement.” That industry, right after CASL came into force, was studied by an organization in Toronto. They said the available number of lists to be used that way in Canada went from 400 to 14 because none of them had proper consent prior to CASL. When they were reviewed against CASL, that industry basically disappeared, actually probably accounting for a significant amount of unsolicited email communication also disappearing.

That was one of my talking points, that we were the last country in the G8 to adopt an anti-spam law. It's embarrassing that some would like to do away with the law. It's an excellent law, and it's one that is respected as the best in the world among my colleagues.

Absolutely it could do with some adjustments, but in terms of the GDPR which is coming into effect May 25, 2018, we are about to encounter a degree of onerousness in data integrity that the world hasn't seen before, and that's a good thing.

The GDPR builds on the European privacy directive, which has been around for about a decade, with no teeth, with no ability to take punitive action. The GDPR gives countries the ability to force companies back into compliance, to respect the individual's right to say no, to be forgotten, to be left alone by marketers, or to willingly give that data to them and enjoy the benefits.

One thing that's very important is that the difference from the junk mail or the bulk mail that ends up on your doorstep is the marketer pays to get it there. They pay Canada Post to bring it to you. They pay for the printing. They pay for everything. Spammers do not. The recipients end up paying for that.

I'll talk about a small company here in Ottawa: striker.ottawa.on.ca was their domain. It's a consulting company that, for some reason, ended up on the spammer lists, and now they get one million spam a day. They've been driven out of business using that domain. There's not enough spam filtering in the world to compensate for that kind of flood.

We need to be a leader, and we are absolutely positioned to be such. I think it would be a matter of pride for everybody in this room that we can maintain parity with the EU.

Oh, oh!

As Commissioner Therrien explained, there is no doubt they have a very narrow and small piece of CASL that they implement, so obviously any sort of outreach they can do to clarify so that there is no inadvertent.... Being offside of those provisions would be helpful, but if we slide to the rest of CASL, which is where you're hearing a lot of the concern that we are expressing here today and from others who have come before us, yes, there have been a lot of people out on the road trying to explain CASL, but the guidance that organizations have been provided has not been sufficient to remove the fear and the chilling effect that being inadvertently non-compliant could result in something fairly onerous for your organization. That applies to large organizations, small and medium-sized enterprises, and charities as well. So yes, we are all for it, and we think any legislation needs it, so we definitely think there needs to be more, and it needs to be very focused.

We also need to get a message, separate from any changes to CASL, because we've made recommendations about some changes we might want to CASL. There needs to be a message about what the approach to enforcement is going to be. If you are an organization that is trying to do the right thing, “It's okay, don't worry, we can work with you to get you onside” is not the messaging they're getting, so they're spending a lot of money unnecessarily. They're developing a lot of processes that maybe they don't.... There is confusion, also, for individuals who are receiving these messages simply because of the way CASL has been structured.

You heard from Mr. Sookman, and Mr. Elder as well, that when you have a statute that prohibits everything unless it's permitted through exceptions and exemptions, you're offside if you can't fit yourself within those narrow exceptions.

That's some of what our members are struggling with when they are helping their organizations or advising organizations, big and small alike, and not-for-profits as well. That's what we're struggling with. We just want to get to a place where business can operate. We're not talking about the bad spammers here. We want to continue that. This is just about legitimate business trying to do the right thing, so more guidance would be great, but some changes to CASL as well.

Let's make no mistake. Legitimate companies spam, too. They do, all the time. Matt and I have been doing it for 20 years. The amount of non-compliance among legitimate companies is high. CASL has put a stop to that.

On Internet of things updates, I think we could talk for hours, if you want to go to lunch. Your light bulbs should scare you. They really should. The amount of destruction that is happening as a result of IoT and the inability—not by law, but by connectivity—to update this stuff, I think absolutely should be a subject of investigation by this committee. I'd be happy to elucidate to that end.

We keep hearing about charities, but charities are specifically exempt under CASL. I don't understand what the onerous thing is. We keep hearing about the chilling effects of CASL. I don't understand how.... We have data that shows that there is more mail being delivered to Canadian consumers. It is being more effectively delivered, and our economy is growing, yet there is a chilling effect. I'm not feeling the cold; I'm actually quite warm right now.

You have to understand, in terms of the way ISPs work, we get complaints. Consumers hit, “this is spam“, “this is spam”, and “this is spam”. We put a block up in front of, let's say, one of Matt's clients because Matt helps them to send.... They have to come to us with proof that they had permission to send anyway, so what CASL is asking for is exactly the same proof that is demanded of senders every single day of the week. If they don't have proof that you signed up to his list, I'd block them permanently so they don't get to send mail to Bell Canada or Rogers—the ISP side, not the marketing side—or any other network operator in the world. That happens every single day. It's been normal, standard operating procedure for decades.