Industry Committee on Oct. 26th, 2017

Very well.

Sure. The fellow who founded that contacted me some time ago, or I contacted him, and he put me on his list of advisers. That's more or less the extent of my involvement with them. I've spoken with them but I'm appearing here to give you my own opinion. I'm not doing so on their behalf, and I haven't run what I'm going to say by them in any way. What you're going to hear is what I think.

Thank you, Mr. Chair.

I'm a lawyer. I practise a mix of competition law and commercial litigation. I'd like to think that it's my competition law experience that is going to drive a lot of what I'm going to tell you today.

I'm going to divide my comments on CASL into three categories, which I'll call “the good, the bad, and the ugly”.

What is the good? Generally speaking, the provisions added to the Competition Act by this law are good. It's a good thing. It's good that we have bulked up the Competition Act to deal with misrepresentations in electronic communications. Also, I generally think the provisions about computer programs are good. I also think that having a robust unsubscribe requirement for electronic communications is a good thing.

I'm going to turn, though, to the bad, because of course what this committee is about is reviewing and proposing potential changes to this law.

As you know, CASL establishes an opt-in regime for commercial electronic messages. It does not distinguish between one-off emails and bulk emails. In fact, it was deliberately drafted so as to apply to even a single email. Basically what this law does is to make it presumptively unlawful to use email—and I'm using “email” as a shorthand for any kind of electronic communication that's captured by the act—for any commercial purposes.

I see four problems with this.

The first relates to the scope. I won't spend a lot of time on that, because I suspect you've heard a lot about it. What we're really concerned about, I would think, is bulk emails, people sending out large amounts of emails, yet CASL applies if I as a lawyer send an email to an in-house counsel saying, “Hey, I'd like to pitch my firm to do some work for you”, or even if I send an email to a lawyer to say, “Let's get together for lunch”. It also applies if I send an email to a neighbour asking if they'd like to buy tickets to a gala dinner, say, for a kids' sports team. That would be a commercial electronic message. In theory, I should be putting an unsubscribe in there.

All of these are likely commercial electronic messages. All of them, therefore, have all of these requirements superadded to them, yet I think no one would say in these situations, one-off emails between people in these circumstances, that all of this apparatus is necessary.

I'm going to turn now to a more fundamental point. In my submission, the mechanism in CASL is inconsistent with a free-market economy. Freedom isn't just about freedom of political speech. In fact, I would say that, for most people, freedom means the freedom to go about their daily lives. This includes economic freedoms, the freedom to start a business, to look for clients, to market that business, to tell people about new and innovative products that you've created, and to offer them on the market.

The quid pro quo for my freedom and the freedoms of Canadians to start businesses is that I'm going to get publicity from other people exercising their freedoms. I might not be that interested in that publicity, but if I want the freedom to tell people about my business and what I do, then I have to accept that I'm going to get stuff that I'm going to have to put in the trash—in the case of snail mail or flyers that are paper—or hit delete on. Of course the other thing is that one person's junk mail or spam is another person's coupon-clipping opportunity.

A corollary to this is that this law reduces competition. In fact, it does so, I'd say, deliberately. That makes its title, frankly, the opposite of what it is. It's almost Orwellian. It parodies some of the purposes of the Competition Act. It talks about, “An Act to Promote the Efficiency and Adaptability of the Canadian Economy...” but, in fact, what CASL does explicitly is privilege incumbent firms over new entrants.

Competition is about new entrants coming into the market offering new products, innovative products, expanding entering markets, and competing with the incumbents, and maybe even unseating them as incumbents.

CASL privileges the relations between incumbents and their clients over those with new entrants who would want to establish new relationships with new clients. It does so by erecting what is effectively a barrier to entry. It says you can't send a commercial electronic message. You can't email people to tell them about your new and innovative products unless you have first somehow contacted them and got their consent to do that.

It raises the costs to a new business and a new entrant to tell Canadians about new and innovative products, and that reduces competition. It's built into the act. It's not a bug. It's a feature.

You've probably heard from other witnesses, so I'm not going to belabour the point, but there's a very serious constitutional argument about this statute, that the mechanism that makes it presumptively unlawful to use email for commercial purposes is inconsistent with the existence of any commercial freedom of speech. As we know, our courts have said there is such a thing as constitutionally protected commercial speech. It's not as strongly protected as what I'm doing today—political freedom of speech—but it is protected.

You may also have heard issues about the effectiveness of CASL, so I won't spend a lot of time on that but I will note that most spam comes from outside of Canada. CASL can't really touch that directly; we have to rely on our partners abroad to deal with that.

The other thing is that some of the absolutely worst kind of spam that we get—phishing messages trying to get us to log on to things and give over our passwords—might not even be caught at all because it's not a commercial message. It's not about buying and selling a product. It's just flat out fraud. It's already probably a criminal offence under our criminal law, but CASL doesn't really touch it. In the end, CASL goes after legitimate businesses here in Canada, loads them up with restrictions that you've probably heard a lot about, and probably doesn't do very much for us in return.

What would I propose in its place if I had the decision-making power? I'd say we should have a very strong opt-out system with very robust unsubscribe requirements that are enforced. The CRTC is enforcing the unsubscribe requirements, of course.

I'll turn quickly to the ugly—the things that need to be fixed a bit, as opposed to just changed fundamentally. First is the private right of action. There are three problems with it. The first is it's an open invitation to class action lawyers to start actions against reputable companies. They're not going to go after the Russian brides and the spammers outside of the country. They're going to go after Air Canada, WestJet, and all the rest of them.

Second—and this is troubling—because you can get out of a class action, although you have to do it before it starts by entering into an undertaking with the CRTC, it gives the CRTC a big tool, a big club, to get money out of companies. What's wrong with that? Well, anytime you create incentives for a regulator that give them a club to get money, there's a danger that they'll try to do that. I'm not saying they will. I'm saying there's a danger. It's like an invitation for them to do it.

The third is a nit, but in its application to section 74.011 of the Competition Act, there's no materiality threshold requirement in that provision. That means you could have a cause of action and lawsuit over an insignificant, trivial misrepresentation or inaccuracy in a subject line of an email.

I suspect my time is over. I'll just mention quickly that the warrantless searches provision, notice to produce, is almost certainly unconstitutional. The act is full of what I'd call statutory interpretation nightmares, but I don't have the time to take you through them.

Thank you.

Thank you very much, Mr. Chair.

I would like to thank all the members of the committee for inviting me to appear today.

I have noticed that the media have not reported much on the committee's work, and yet you do excellent work, both for companies and Canada's economy, and for consumers.

For my part, I have followed your work with great interest, albeit from a distance, through the committee's website, and have published a regular update about it on our blog.

I have to admit that this is the first time I have been in a so-called lobbying position, and I was especially surprised by the number of approximations, exaggerations, and “alternative facts” that have been presented to you by various witnesses as scientific truth. I will come back to that later on.

First, allow me to introduce myself briefly. I am an Internet pioneer in Quebec. In 1994, I founded the first digital marketing agency, through which, for close to 20 years, I have helped various organizations such as VIA Rail, RDS and Club Med USA use the web to transform their marketing strategies, their sales strategies, and sometimes even their business model.

I have always considered email as being at the heart of any digital marketing strategy, and I started implementing email marketing strategies for our clients back in 1996.

In 2013, I left the agency to found Certimail, the company I am representing today, whose mission is to help SMEs increase the effectiveness of their email marketing while complying with Canada's anti-spam legislation, or CASL.

Far from being dogmatic, the observations and recommendations I will present today are based on 20 years of email marketing experience, and four years dedicated to analyzing CASL and its 13 regulatory instruments, in order to help dozens of SMEs of all sizes implement a compliance program based on the CRTC's requirements.

Before I get to the analysis of CASL and its enforcement, I would like to answer a simple question that the committee members have asked regularly, at nearly every meeting, without ever getting an answer, namely, what does it cost for a company to comply with CASL. The answer is simple. The compliance packages offered by Certimail cost $699 for a sole proprietorship or self-employed person, $1,249 for a small company with fewer than 10 employees, and between $3,000 and $15,000 for companies with between 11 and 300 employees. If my colleagues from Newport Thomson, Deloitte, or KPMG, which offer similar services to larger companies, had been invited to appear before the committee, they would have told you that their rates for compliance range from $25,000 to $100,000.

I think this is important information. I admit that I was surprised that neither the CRTC nor the various industry organizations that appeared before you were able to provide this essential and publicly available information.

That being said, I will focus on three elements: the importance and effectiveness of CASL, the inadequacy of the CRTC's approach to its enforcement, and a few recommendations to strengthen CASL by reducing its negative impacts.

Contrary to what many lobbyist have stated before the committee, CASL does not pertain to cybersecurity or computer security risks, but rather seeks to develop consumer confidence in electronic commerce and to develop Canadian industry.

As suggested in the report of the Task Force on Spam, which preceded the legislation, the legislation and its regulations seem more like rules of the road for electronic communications than legislation about information security threats, as people have led us to believe.

When I crossed the bridge this morning to attend your meeting, I noted that the complex and strict regulations that were established a century ago to guide the few automobile drivers of the time have not really compromised this mode of transport or that industry. The same thing applies to CASL.

These rules of the road for electronic communications are very important to Canadians. They demonstrated this by filing more than a million complaints in three years, without a single advertisement encouraging them to do so. There was no advertising campaign informing people who received spam that they could forward it to the Spam Reporting Centre. The idea caught on spontaneously and people filed more than a million complaints. These votes in support of CASL continue to come in by the thousands every day.

Moreover, this volume of complaints is sufficient to contradict a recent statement made to your committee by a Canadian Chamber of Commerce representative, namely, that the problem of unsolicited email has been resolved by anti-spam technology. Receiving unsolicited email is in fact still a major problem for a vast majority of Canada's population. Anti-spam technology is increasingly effective, but it has not solved the problem. Moreover, this technology is starting to show its limitations. Just ask the U.S. Department of Homeland Security, which was short on tasers last week because the Taser server had treated its purchase orders as spam.

By its first anniversary, CASL had reduced the volume of spam received by Canadians by 37%. This shows the effectiveness of CASL for consumers. It is also effective for businesses, at least for those that want to do real email marketing, and not use email incorrectly to do traditional mass marketing from the Mad Men era.

Since CASL came into force, Canada has pulled ahead of the pack to become one of the two countries with the most effective email marketing by far. The other country is Australia, the only other country that has legislation that is as broad, complex, and strict as CASL.

The delivery rate, that is, the proportion of commercial email that is sent and is visible to addressees, that is not filtered by anti-spam or other systems, is in the order of 80% in most countries in the world. In Canada, that rate rose from 79% in 2014 to 90% today. The only country in the world with a similar success rate is Australia.

Similarly, the readership rate, that is, the proportion of marketing emails that are opened by addressees, fluctuates between 12% on the African continent and 24% in the United Kingdom. In the United States, it is 21%. With a readership rate of 32%, Canada is in second place, just behind Australia, where the rate is 33%. Before CASL came into force, the readership rate in Canada was just 26%.

Okay, I will be brief.

Narrowing the scope of CASL today would help encourage Canadian businesses to maintain an outdated marketing approach rather than to harness innovation and prepare to meet current challenges.

CETA has just come into force, and Europe has passed legislation that is practically a carbon copy of the Canadian Anti-Spam Legislation in order to manage all the electronic communications of the 300 million European citizens.

CASL enables Canadian companies to comply, to prepare and to gain a competitive edge over other companies that want to enter the European market.

I have about a dozen recommendations for you, but since I won't have time to go over them, I suggest that we talk about them in the debate. We will also submit a brief to you after my testimony.

Thank you, Mr. Chair.

Thank you to the members of the committee for inviting us to testify.

Imagine Canada is the national umbrella for registered charities and public benefit non-profits. Some 86,000 charities and a similar number of non-profits provide vital services and supports to individuals and communities across Canada. Before I get into our specific recommendations regarding CASL, I just want to set a bit of context.

In the aggregate, when you factor out hospitals, universities, and colleges, organizations generate more than half of their income from sources other than donations and government grants. Registered charities are strictly regulated by the Canada Revenue Agency. An organization can have charitable status only if it demonstrates that it is acting for the public good and that no undue private benefit results from its actions.

Public benefit non-profits include things like public housing corporations, community development corporations, and social service agencies. They deliver public benefits, and no part of their income or assets is available for private use. Finally, more than half of the organizations in our sector are operated completely by volunteers. These include board members, who serve their communities with no remuneration.

In preparation for this committee's review, we conducted a survey of charities and non-profits about their experiences since CASL was proclaimed. Among the key findings is that almost 70% of them send some kind of commercial electronic message, as defined in CASL. Upwards of 99% are compliant when it comes to identifying themselves, providing contact information, and providing unsubscribe options.

The definition of a commercial electronic message remains unclear to them. For example, around 40% of organizations sending messages to promote services for which a fee is charged believe that they are not sending CEMs. Almost half of the organizations have incurred compliance costs. More than 30% of those that do not send CEMs have also reported compliance costs, as they are unsure of the definition of a CEM. More than half of the organizations fear that the private right of action provisions of CASL would limit their ability to recruit volunteer board members.

We appreciate the efforts that the government and the department made in 2014 to provide comfort to charities through a limited exemption. However, conflicting views between those who drafted the exemption and the CRTC as the enforcement agency have led to increased confusion as to the charities' obligations under the law.

We believe the solution is to exempt registered charities from the consent provisions of CASL. This would be similar to the exemption they have always had under the do-not-call list.

We also believe it's time to distinguish between public benefit non-profits, such as public housing corporations, and those that exist for private purposes, such as golf clubs or condo corporations. CASL already does this to some extent for certain purposes, and precedent exists in other jurisdictions to make the distinction. With this distinction made, we recommend that public benefit non-profits also be exempt from the consent provisions.

We support maintaining CASL's requirements regarding sender identification, contact information, and unsubscribe mechanisms. Indeed, charities seeking accreditation under Imagine Canada's standards program have been required to meet these standards since prior to CASL.

Regardless of the consent provisions, we also recommend that charities and public benefit non-profits be protected from CASL's provisions regarding PRA, the private right of action. Where organizations have assets, these are held in trust for the public good; they should not be subject to private seizure. As noted above, board members are volunteers serving their communities. They should not be subject to personal liability, particularly when agencies of the federal government have not been able to agree on what the rules are. CASL's administrative penalties are more than sufficient to ensure that charities and non-profits adhere to their obligations, if and when those obligations are truly clarified.

Thank you. I'd be happy to answer any questions you might have.

First of all, in terms of helping the consumer, CASL certainly does help consumers in ways, and I wouldn't want you to think that I'm saying it doesn't. The—

I may have overstepped. The point is that the central thrust of it, the opt-in requirement, I see as bad. However, having strong unsubscribe mechanisms—and they're there in CASL—makes a lot of sense. Any reasonable anti-spam law is going to have those, so I wouldn't want you to think that I think those are not necessary and good things.

Yes, the definition of a CEM needs to be clarified. My own view is that it's hard to craft, but it should be restricted to the bulk type of emails and not the one-off type of emails. I don't think our enforcers are that concerned if I send one email to someone or if anyone does. It's just not what the law is about—

I'm thinking on the fly here. First of all, changing the central mechanism would mean they would not need to get consent to send an electronic message. Now, that doesn't mean they could just go and blast away. There's still PIPEDA to consider. There's still the issue of how they get email addresses in the first place.

There are still barriers, which I think everyone would say are reasonable barriers, in the sense of restrictions on companies selling our personal information, including email addresses, but it would certainly unlock to an extent the issue of how you would collect email addresses for purposes of sending something. Or if someone sends you an email, you don't have to worry as much about how you respond and what the limits are: two years, six months, or what have you. It would reduce the compliance costs for new entrants.

Again, changing the thrust of the law would not mean that you could just go and scrape email addresses all over the place and blast away. I wouldn't advocate going that far.

Again, in some ways we find it ironic that when the do-not-call list was brought in, there was an exemption for charities. We've all been subjected to phone calls during dinner and whatnot, and that's a much more expensive and intrusive way of contacting people. When CASL was brought in, we recommended a similar exemption for charities, and also, if they can be properly defined in the law for public benefit non-profits—

Under the regulations, charities have a limited exemption. Our understanding of the intent of the officials who wrote the exemption was that it was meant to cover virtually any commercial message that a charity might send.

When we published the information that the officials at what was then Industry Canada had vetted and confirmed was accurate, we were contacted by the CRTC. They said to hold on, that they were the enforcement agency and that they were not sure that was what the exemption meant, but they couldn't really tell us what they thought the exemption meant.

What we'd be looking for is a much more clearly worded exemption from the consent provisions.

Basically, we call it self-generated income. It's from sales of goods and services. It's lottery tickets—

That's the gray area, and that's the concern—

We don't have real-time data on that. For donation information, we rely on the information published by the Canada Revenue Agency from tax filer data. I can certainly see what we have, to see if we have anything that might show a trend during that period, and get back to the committee on that.

Yes. It is based on concerns they've had and concerns we've had, in terms of the applicability and the potential for damage, as well as the disconnect between the messages we were getting at the time from Industry Canada and the minister's office versus what the CRTC was indicating to us. It created confusion.

In 2003, Australia passed a law that is very similar to the Canadian Anti-Spam Legislation. It is based on prior consent and provides for unsubscribe mechanisms, mandatory identification and fairly harsh penalties. That legislation has been in force in Australia for nearly 15 years, and we have never heard it said that the country's economy was crumbling. On the contrary, that country has excellent results, as we have had since the Canadian legislation was implemented.

In Europe, the legislation was passed last year and will come into force next May. Up until now, every European country has had its own legislation on this issue. As of next May, the electronic communications of 300 million consumers from 27 European Union countries—there will be 26 countries once Brexit comes into force—will be governed by a piece of legislation similar to the Canadian one. That legislation will contain the same rules, including with regard to express consent. It will even impose additional requirements on people, and fines will be as high as 20 million euros, which is much higher then the penalties under the Canadian legislation.

Just like the Australian and Canadian pieces of legislation, the European statute is extraterritorial. Canadian businesses that will send messages to Europe—if they comply with the Canadian legislation in its current form—will be very well prepared compared with companies from the U.S. or other parts of the world.

I would say so.

What we provide, at the prices I mentioned, is a comprehensive compliance program. We conduct an audit, issue recommendations, guide companies in the implementation of compliance recommendations, and provide them with a written compliance policy and records. It's really a turnkey comprehensive compliance program.

The main obstacle we currently face is the CRTC. The problem is two-fold. First, the CRTC's communication is flawed. Two different organizations have carried out two separate surveys, which show that 75% of Canadian businesses feel that they are ill-informed with regard to the real issues of the Canadian Anti-Spam Legislation. People are familiar with the legislation, and they know that there is an issue in terms of consent and unsubscription, but they know absolutely nothing about the compliance requirements, the regulatory requirements. There is really a major problem in that respect. Second, documentation is lacking on the objective interpretation of that regulation by the CRTC. In three years, the CRTC's investigative team has come up with three interpretation guides on three small rules. There are still dozens that affect pretty much all Canadian companies. So the CRTC really needs to make a major effort, and that is one of the recommendations we will submit to you.

The last point is the motivation of businesses, which feel like a million complaints have been filed by consumers. Steven Harroun testified before you a few weeks ago, and he told you that 500 investigations have been opened in three years, that about 30 have been completed and that eight fines have been made public. SMEs feel that they are more likely to win the lottery jackpot than to have an investigation on their emails launched.

We know how SMEs operate. They have constraints. They are always managing urgent considerations and only focusing on the most important matters. The message sent by the CRTC, probably unwittingly, is that this legislation is not important.

No, it hasn't, sir.

The private right of action was due to come into force this summer. It's been delayed, I believe, pending your review.

I did speak with some class action lawyers to ask them if they were chomping at the bit, and the answer wasn't the scare stories that some have told.

I should fairly point out that the answer was was, “Well, we'll wait and see how it goes.”

With regard to that part of the question, I don't know whether such evidence exists or where it would be. The perspective we bring is that donors are very interested—and governments have been very interested—in charities seeking to reduce their costs of doing business wherever possible. Using electronic communication is a much cheaper way of raising funds and getting the word out there than are phone banks. We believe they're much less intrusive for people.

To the extent that people are increasingly responding to online appeals and to the extent that the cost of generating a dollar for charities is going down, we think there's...but in terms of the specific question, “Do you want more email?”, I can't answer that.

I'm not. That's not the kind of evidence I would be tracking. It's not really what I do.

What I can say is this. As a consumer, I get many things that I don't want. I get a lot of flyers in the mail and I don't want them, except that sometimes there's one I do want, and I don't know which one I'm going to want. I get a lot of emails from businesses. Most of the time I don't really want to hear about the specials that Air Canada has for flights to wherever until I'm actually thinking of travelling. Then all of a sudden I have to come up here and I see that there's a seat sale on, and suddenly I want that.

I can only offer my own personal view about this, and, as I said before, I don't think it's about what Canadians want; I think it's about what's right for our economy.

Don't worry.

To answer your question, I would say that Canadians increasingly want to receive emails, but they have two conditions. First, they want to decide for themselves who can send them an email. Second, they want the email's content to be relevant.

I was saying earlier that Canada had excellent email marketing results. So, the legislation has been positive for businesses. Those of them that do good email marketing make more money today than they did before the legislation came into force. Businesses that do bad email marketing—in other words, those that take advantage of the inexpensiveness of sending their messages to everyone without worrying about whether they are relevant or whether the individual has asked or agreed to receive them—are struggling and will perform very poorly.

What the legislation does is encourage businesses to improve. One of the things the task force on spam did was analyze what the best email marketing practices were. The legislation kind of forces businesses to apply those best practices and encourages them to develop good marketing skills, which will in turn help them get results.

I support what Mr. Osborne just said. He said that he was receiving a lot of emails, but there were many that he never asked to receive and that did not concern him. He said that he was receiving emails from Air Canada, but that most of them were of no interest to him. That is something all Canadian consumers are experiencing. The legislation pushes companies to make an effort to ensure to send the right information to the right people.

Extremely affordable technologies exist today that help automate that process. We are trending toward that. Europe has gone in that direction because that is the current trend.

Mr. Osborne was talking earlier about the system that enables recipients to have their name removed from a distribution list. Under that system, businesses can send an email to anyone, as long as people have the option to unsubscribe. That is the system implemented by the United States through the CAN-SPAM Act. The U.S. is currently generating the most spam in the world, even more than Russia and North Korea. It's also a country where email marketing is becoming less and less effective.

When it is well done, email marketing is a goose that lays golden eggs for businesses. Seeing Canada moving backward, while the rest of the world is moving forward, is like deciding to kill the goose. That would detract from Canada's ability to compete.

They're spending money. They're putting human resources into it.

Yes.

Yes, we believe it was not the intent for this to be happening. We know that donors are always concerned that charities make the most efficient use of the dollars they—

Yes, as I said, it's in our brief that if we can get a clear exemption from the consent requirements.... Charities are following the other requirements of CASL, the unsubscribe and those things, and that's something—

Yes, well, it's the requirement for opt-in to be able to send out those messages.

That's where some of the grey area is. The FAQs that the CRTC has put out say that if you're sending a message to sell tickets, you may or may not....

Yes.

Yes. It would be for us, and again it's very similar to what Australia has done in their law. They have the opt-in provisions, but they exempt charities from the opt-in provisions.

Yes.

Yes. Companies heard about the legislation in 2014, before it came into force, because it received extensive media coverage. They even talked about a syndrome similar to the Y2K. Everyone expected to be hit with fines as of July 1 or 2. There was a wave of panic. In reality, not much happened and the syndrome faded away.

In May 2014, the CRTC published a newsletter that outlined specific requirements that had to be met in order to be able to use the due diligence defence, as set out in subsection 33(1) of the legislation. That provision stipulates that any business that establishes that they did what was necessary to comply with the legislation is safe from penalties in case of violation. In that newsletter, the CRTC specifies that, by “necessary measures”, it means a compliance program with eight requirement categories. The problem is that the newsletter was buried deep within the CRTC's website. It took most lawyers who specialize in the area two years to discover it. Fightspam.ca, the website that explains the legislation, makes no mention of that newsletter, and neither do the CRTC's public communications.

People know that they must comply with the legislation, but when they are told that they must have a compliance program, they wonder what that is.

I partially agree. However, I would like to make a nuance.

There are actually two issues here, one of which was raised by Rogers. I completely agree with Rogers, and that is part of our recommendations. Subsection 6(6) of the Canadian Ant-Spam Legislation stipulates that transactional messages or personal messages—so those that are not of a commercial nature—must contain an unsubscribe mechanism. That creates a great deal of confusion and complexity for businesses, but also for consumers. They receive a transactional message for which they don't have to give their consent, the message contains an unsubscribe mechanism, but they don't understand why they can unsubscribe when they did not give their consent to begin with. They figure that, if they try to unsubscribe, the system will not work because they did not subscribe in the first place.

However, Mr. Osborne talked earlier about putting individual messages, so messages sent to an individual....

I think that subsection 6(6) could even be removed.

That is Rogers' recommendation, and we fully support it.

This is where it's important to have a marketing perspective rather than a legal perspective. The current prevalent trend in email marketing is what is referred to as marketing automation. Those are systems that make it possible to automatically generate individual emails based on consumers' actions. If individual emails were removed from the legislation, it would be like saying that the use of marketing automation is giving businesses free rein.

As I am not a lawyer or a legal drafter, I don't have the necessary expertise to tell you how we could do it. However, I can tell you that proving whether the email was written by an individual or generated by a machine seems very complicated to me.

The examples Mr. Osborne provided earlier involve situations where the legislation allows a message to be sent. If I have a personal relationship with someone, I already have the right to send them a message. If I send a message to someone to offer services to their company and not to them as a consumer, the legislation already provides an exception and gives me the right to contact them.

I have heard a number of witnesses at different meetings talk about situations where they said they did not have the right to send a message. In reality, in 80% of the mentioned cases, the legislation allows them to send messages. The issue is that the CRTC's restrictive interpretation of the legislation and the regulations makes it extremely dangerous to do so, and....

We offer our services to businesses of all sizes—with up to 300 employees—in a variety of sectors. We have worked with NPOs, museums, associations, as well as with businesses in the fields of insurance, marketing, media and road transportation. This applies to any situation.

We begin by making a presentation to the company on the CRTC's compliance requirements. We conduct an audit, which is generally done by telephone or video conference, using Skype or another similar program. We then gather all the information on the way our client operates.

We carried out a research and development project with researchers from the Université de Montréal's Faculty of Law. We modelled the legislation and electronic means of communications, and we came up with a grid that lists about 100 compliance issues an SME could face. We review those 100 potential problems for each business, and we then provide them with a report of 20 to 30 pages, depending on the situation. We analyze the way the business operates, its processes, its systems and its policies in order to identify all compliance issues. For each issue, we provide an optimized recommendation that will help the business comply with the legislation and meet the compliance requirements, and improve the effectiveness of its email marketing in the process.

After that, we give the company the report and support it remotely—over the telephone, by email or by video conference—in the implementation of our recommendations. We provide the company with a custom draft policy, a potential training program for its employees, as well as all the necessary records. Finally, we provide the business with certification, which has no legal value and is not sanctioned by the CRTC, but which proves that the business has a compliance program in place. That enables us to receive consumer complaints on the company's behalf and, if necessary, we can take away its certification.

Yes.

It's commercial accreditation, not legal.

We almost always use flat rates, precisely because we don't want businesses to hold off on calling us for help.

For a one-person enterprise, a retailer, artisan, self-employed worker or freelancer, we charge $699 plus tax. For a 2-to-10 employee business, we charge $1,249 plus tax. For a business with 11 to 300 employees, the cost will vary according to the specifics of the business. We will ask them a few questions in order to come up with a customized flat rate. For those businesses, our rates vary from $3,000 to $15,000. A 300-employee business that is complex and has a lot of systems might be charged up to $15,000. That said, over the past four years, we have never charged anyone that much.

I don't have anywhere near the detailed data that Mr. Le Roux has, but I can offer a couple of examples.

I had a client—I obviously can't name them—who wanted to dig into issues around text messaging. I can't remember what the bill was, but if memory serves, it was several thousand dollars. It may have been as high as $10,000. It wasn't a massive bill, but it wasn't nothing.

In my own firm, we didn't spend a lot of money, but that's because I spent a lot of my time—several thousand dollars' worth of time—on our newsletter list. We are employing a guy right now on contract who's going through and updating the implied consents and so forth.

I'll anticipate Monsieur Le Roux's comment. He's right: it's a best practice to do that anyway, because of course databases age and you should be updating those. Some of what someone might call a compliance cost is in fact a cost of maintaining a good database, but it's not negligible.

There are companies out there offering these plug-ins at about eight bucks a user to monitor and intervene so you can't accidentally send a spam email. Eight bucks a user doesn't sound like much, but consider that your cost of Microsoft Office, depending on the package you buy, is around $12 to $25 a user. That's a significant increment on a per-user IT cost for an organization.

Oh, oh!

The exemption in the regulations right now refers to messages sent by or on behalf of charities, and so our hope would be that in those cases where people are outsourcing some of that messaging, it would be the same sort of thing.

Again, we supported the suspension, especially knowing that the review by the committee was coming up. We thought that made a lot of sense. But when we're dealing with organizations large and small, for which the board members are members of the community who are volunteers doing this to serve their community, the prospect of personally being liable under a PRA if the organization either doesn't have assets or doesn't have sufficient assets is troubling to a lot of organizations. As I said, in the survey we did, more than half the charities were concerned. Being aware of this, they're not going to be able to recruit board members in the future because of that potential issue.

What we would like the CRTC to do first and foremost is clarify its interpretation of the act. We identified about a hundred compliance issues for an ordinary SME. For half of these problems, we do not know what the CRTC's interpretation would be. What we see based on the rare published cases or rare details it provides, or the conferences it holds, is that there is a systematically radical and restrictive interpretation. Everything that seems to make good sense should be permitted, authorized or managed by the CRTC. However, the positions the CRTC adopts never seem to proceed from logic or common sense; this creates a climate of fear and uncertainly which makes the compliance process more cumbersome.

Consequently, one of our recommendations would be that the CRTC create an advisory committee comprised of representatives from marketing, compliance, and consumer representatives; in short, people who represent the various stakeholders. Their role would not be to determine the interpretation, but they could play an advisory role to the CRTC to help it to interpret the provisions well. Such a committee could accelerate the CRTC's interpretation process. It is not normal that after three years only three small rules have been explained, while all the rest are still vague and we have no idea where we are headed.

We have another suggestion to make concerning the CRTC. Currently there is a discretionary fine model. The CRTC examines the penalty amount in light of its criteria — I won't say it tosses a coin — up to a maximum of $10 million. When an SME learns that it could be liable for a $10-million fine for missent emails, it is incredulous. The figure is so gigantic that the deterrent effect is lost. In addition, I expect that the CRTC, in order to be able to justify imposing a fine of $200,000 or $300,000, must compile quite an extensive investigation file. Since it takes a long time to do that, it processes very few files.

We recommend that there be a guideline for the fines, including a maximum and a minimum. According to this scale, a first breach that seems to have been an error, committed in good faith, would be liable to a fine of $5,000 or $10,000, for instance. In the case of a large business, the fine for a first offence resulting from an error made in good faith would be more on the order of $50,000. For someone who reoffends, the amount would be higher. If you see that it was not an error committed in good faith, but that the company intended to break the law, then the penalty would be higher. If a scale of that type were brought in, the CRTC's burden of proof and substantiation would be lightened, and this would allow it to process more files. This would also send businesses the message that everyone must respect the law. I believe this would have a much stronger deterrent effect.

The presentations I heard from people who spoke on behalf of small businesses were essentially from the Canadian Federation of Independent Business, the CFIB, and the Canadian Chamber of Commerce. As members of the CFIB, we receive its emails. I also heard representatives from the Retail Council of Quebec. These organizations are dinosaurs with regard to digital marketing. I apologize for saying that, but people who know me know that I am a person of integrity. The Retail Council of Quebec contributed to the fact that the retail industry fell behind in e-trade. It spent years saying that it was not important; then all of a sudden it realized that it was important and it changed its tune, but the ship had already sailed, and Quebec's retailers were already behind in all this. I regularly receive the CFIB newsletters and emails, and their electronic marketing is not effective. It must not obtain very good results. There may even be complaints regarding compliance with the law.

These organizations do not represent reality of SMEs. We were talking about new businesses earlier, start-ups. They were created in this digital universe. In today's world, the last thing you want to do is displease a client or a potential client by sending him information that does not interest him, while letting him know that he can delete the email if he does not want it. That is harmful to its brand and reputation.

Frankly, here is what I recommend. In fact, one of the blog posts we wrote recently had the following subtitle: “Is there a marketer in the room?” That is the role I try to play. I would say that you should talk to people who are SME email marketing specialists. There are enterprises that do a lot of work in this area. Those people will be able to tell you what really needs to be done and what the practices are.

I hear a lot about theoretical cases and hypotheses in the testimony. The comments were abstract and theoretical. That is normal on the part of lawyers who are not marketing specialists, because this is not their trade and this is not what is expected of them. However, we have been doing email marketing for 20 years; some things work and others don't. We have data. I could show you graphs that show how 10 times fewer subscribers can generate twice as many clients. A good message sent to 1,000 people generates more sales than a moderately effective message sent to several thousand people.

With regard to the data, there were three studies done on SMEs in 2017. This is recent; I won't go back to 2014. We did a survey in February of about one hundred SMEs in Quebec, in all sectors. The Insurance and Investment Journal, a magazine published by the insurance industry, conducted a study involving 500 Quebec insurance companies in March. Fasken Martineau and the Direct Marketing Association of Canada surveyed 200 or 300 Canadian enterprises. If you extrapolate the data collected from these surveys, they show that between 5% and 15% of Canadian businesses may be in compliance with CRTC requirements. That means that 85% to 95% of businesses absolutely do not comply with the law at this time.

As to motivation, the issue is that in Quebec, there is only one organization that talks about compliance programs, and that is Certimail. The CRTC has never come to Quebec to talk about compliance programs. Mr. Harroun told you that he was very proud to have raised the awareness of 1,200 businesses during his conference tour in Toronto this spring. The Insurance and Investment Journal contacted the CRTC in the spring to invite one of the members of Mr. Harroun's team to do a presentation on Canada's Anti-Spam Act at an insurance industry seminar. The CRTC only responded in September, and declined the invitation. The seminar was cancelled. Four hundred enterprises were going to participate. Those 400 enterprises still have not been given the information.

Oh, oh!

That would work with the highway traffic act as well. Oh, oh!

In fact, the goal is to have them comply with the law. At the end of the process, they have completed their compliance program; they have the documents required by the CRTC.

It is a one-time cost. You only pay the fee once.

Our certification is valid for one year, however. We provide one year of support and regulatory monitoring.

The following year, if they want to renew their certification, it will cost them between $100 and $300 a year.

This is done through automated systems nowadays, most of which are free for small business. If you have a 50,000 client data base, there will be costs, but it will generally cost between $100 and $300 a month, and if you have 50,000 clients in your data base, that is not a problem.

I thank you for the question on the solutions that make this easy to manage, because I wanted to raise that topic.

There are technological solutions designed in Canada that help companies comply with CRTC requirements. There aren't enough of them, because the CRTC does not communicate enough, but there are some. Most of these solutions offer free versions to very small businesses. So there really aren't additional labour costs or any other costs.

As I said earlier, the CRTC's lack of clarity as to the interpretation of the act forces us to impose excessive measures on companies so that they comply with the law, but they have to be ready for anything. That is a big problem.

Another problem involves the synchronization of consents. Earlier there was a debate about individual emails and group emails. Currently, when someone unsubscribes from a newsletter, the CRTC considers that that individual has unsubscribed from the entire company. That means that an employee can no longer send an Outlook email to that person because he unsubscribed from the newsletter. The fact that the withdrawal of consent applies to the entire company is a problem.

Consequently, we ask that the request for consent and the withdrawal of consent be circumscribed. The withdrawal of consent should be limited to the consent request.

The problem is that the CRTC asks us to go beyond the technology and see to it that two unrelated technologies communicate. It can be done, but it is complicated, because the CRTC did not inform the tech businesses about this, and so they did not think to manage that aspect.

Assuming you're not with me on moving from opt-in to opt-out—I suspect that ship has sailed—what I'd suggest is this.

Number one, find a better way of carving out those one-off emails that are written by a real person.

Monsieur Le Roux was right that there are often exemptions that we can rely on, but there are uncertainties around them. For example, if you read the definition of “personal relationship”, it's a nightmare. It's just impossible. I have no idea what it means, and I'm a lawyer with nearly 20 years' experience.

Correct.

I don't mean the automated ones that Monsieur Le Roux was talking about but real one-off emails. The second one is to clean up the definitions. There is a lot of discussion around subsection 6(6) of the law. Here's the problem. You have a definition of a commercial electronic message that's basically—

The third one.... Sorry, I lost my train of thought.