Industry Committee on Nov. 9th, 2017

I don't think our enforcement actions bear that out. We've taken actions against individuals operating businesses out of their homes, against very small businesses, and of course against very large businesses like Rogers or Porter Airlines. I think we have to be able to respond to the complaints we receive, and as well as—

I think mostly what we've seen is companies that haven't paid adequate attention to the rules that are in place currently. They haven't done a good job of reviewing the consent rules and ensuring that their email lists meet that test. Also maybe they haven't always done as great a job as they should in terms of keeping records to demonstrate that they've obtained consent, that they're in compliance, and that the messages they send out are—

Yes, and we're looking at how we can tackle those malicious actors, the illegitimate side of the business, but also create a level playing field among legitimate businesses.

I'll give you one example. We completed a case last year, which was a widespread fraudulent activity in the coupons business. These individuals, these companies, were selling coupons to Canadians and Americans. Without actually having had a relationship with the business, they weren't able to follow through on what they were selling.

We conducted this investigation. It took nearly two years. We issued notices of violations and administrative monetary penalties against those companies, but we issued warning letters to the email service providers that were sending out the commercial messages inappropriately without the required identification.

The tools allow us to ensure that the enforcement action that we take responds to the nature and scope of the violation and to that person's role in it. Those emails—

I would suggest that it would be difficult to ensure that you could respond to every situation with mandated enforcement actions.

The commission already has direction in the legislation in what the appropriate circumstances are in the factors that the commission and the chief compliance and enforcement officer have to take into consideration when determining whether to issue a notice of violation with an administrative penalty, and, if so, what that quantum should be. When we're looking at those factors—number of complaints, number of violations, nature of the violations—that's when we consider whether we should issue a penalty, and, if so, what that quantum should be.

That particular section of the act, section 20, gives the chief compliance and enforcement officer the discretion to determine the appropriate remedy and what the quantum should be. There are several factors that are enunciated as well as the opportunity for the chief compliance and enforcement officer to consider other factors. It's that particular tool that allows him to determine whether a penalty is appropriate, and if so, what the quantum should be.

As my colleague suggested, in order to properly investigate and enforce the act, the commission needs the discretion to determine on a case-by-case basis the appropriate remedy. If we are placed with issuing a notice of violation to a first-time violator, in which the violation is of such a proportion that they're sending malware or installing botnets, that is not the appropriate tool. What the chief compliance and enforcement officer needs to do is determine the appropriate tool to use in this circumstance to ensure compliance, to bring the company into compliance with the law. Sometimes that's a warning letter, but oftentimes it's not. If the behaviour is egregious, if it's an egregious violation of the act, if, when examining the factors enunciated in section 20, it's a strong violation, then he needs to use a stronger tool to ensure compliance with the act.

I'll just add to that.

One would have to look at the precedent that would set. Let's say in a graduated system the first time you offend, it's a warning letter; the second time, it's a citation; and maybe it's not until the fifth time that we consider an administrative monetary penalty. Well, one of the key components of the legislation is to make sure we don't have recidivism. I don't want people to be in front of me a second time. I don't want to investigate the same company a second and third time.

From the very first time we choose any level of enforcement action, from a warning letter right to an administrative monetary penalty, I want that to solve the problem. The goal is compliance, ultimately.

Absolutely. It's definitely precedent-based. I understand the concerns that have been raised on the record. It's “up to” $1 million per violation for an individual and “up to” $10 million per violation for a company. Certainly our enforcement actions over the last three years have not realized monetary penalties to that great a degree. But certainly every decision we publish and every action we take provides guidance to the lawyers in this community and also to the companies to understand, okay, if I have five violations against the act, it probably means this, and if I've had 500,000, I probably need to go to the higher level of the scale of enforcement actions that the CRTC has taken.

Each decision that we publish, each enforcement action that we take, I think provides that guidance. I think we've been consistent over the three years when we assess cases: is it like case X or is it like case Y?

I actually think it's extremely important that the chief compliance and enforcement officer's staff are the ones out giving that guidance. We are seeing in every case.... We talk about, if you will, some 20-odd cases that we've closed. We do lots of investigations that conclude with no action taken—

—but we are able to offer those companies guidance, such as, “You should clean up things over here. You should make sure you're doing this properly.” My outreach team, which does not do actual investigations, collaborates a lot with our enforcement team to understand what problems we are seeing and what areas we need to focus on when we do that outreach. I think it's important that those two groups talk together and that we go out there and say, “This is what we're seeing. This is what you've seen in our decisions, but this is also what we're seeing in our complaints. This is what we're seeing in our investigative actions.” They may not be public, if you will, because they've closed without any actual official enforcement action.

Certainly there are costs to complying with any piece of legislation and regulation.

I can let my colleagues add to this, but one has to look at the fact that you've heard about some creative technology solutions over the period of your testimony where there are options for people just to purchase. Large companies probably have the wherewithal to comply, but for small companies—we expend much of our outreach effort and our guidance on the small and medium-sized enterprises—compliance can be at the end of the day an Excel spreadsheet that says, “Yes, Mary across the road said I can email her.” It does not have to be a grand compliance program.