Hot off the press! A CASL compliance update announced.

Today, November 5, 2018, the Canadian Radio-Television and Telecommunications Commission (CRTC) released a new round of guidance documentation for businesses sending Commercial Electronic Messages (CEMs) to Canadian subscribers. This document (CRTC 2018-415) deals exclusively with Section 9 of the legislation, a part of the law mostly forgotten by businesses until the recent enforcement taken in July 2018 against Datablocks and Sunlight Media, who allegedly knowingly allowed malware to be shared though their respective ad networks and failed to take action after being notified of the issue by security researchers.

As a reminder, Section 9 of CASL reads:

“It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of Sections 6 to 8.”

And Sections 6 through 8 deal with items related to sending, causing, or permitting to be sent CEMs without express or implied consent, altering, transmission of data in electronic messages, and installing or a computer program (e.g., malware, viruses, and botnets) without express consent of the user.

The new guidance from the CRTC seems to be focused on businesses or agencies providing services around one of the activities in sections 6 through 8, and how much control over each of these activities these providers have on the potential violation. Example companies listed in the guidance include advertising brokers, electronic marketers, software and application developers, and payment processing system operators, to name only a few. This likely brings into scope any email service provider (ESP) or agency engaging in the sending of a CEM to Canadian subscribers.

The logic provided by the CRTC indicates that as a vendor of services, you have a responsibility to understand your marketplace, the potential vectors of abuse in relation to CASL, and pledge you will take action to mitigate these risks. To this end, the CRTC will assess three areas to determine the potential responsibility of organizations falling under Section 9, covering items such as the level of control they had over a potential violation, the degree of control over the activities of the one committing the violation, and if reasonable steps were taken to try to prevent the violation from occurring.

As part of the enforcement bulletin, the CRTC provided three example of potential violation of Section 9. Here is one providing a common scenario under many agency/ESP models:

Company A specializes in online marketing and sells a bundle of services to Company B, which includes a messaging template and a collection of email addresses and mobile phone numbers for the purpose of mass marketing. The messaging template does not include sender identification information or an unsubscribe mechanism, and no attempt has been made to ensure the express or implied consent of the persons whose contact information appears on the list, all of which are required under section 6 of CASL. In this scenario, Company B may be in violation of section 6 of CASL if it uses the messaging template and contact lists provided by Company A to send commercial electronic messages (e.g., email or SMS). Even though Company A is not the sender of the messages, it could be violating section 9 of CASL by providing the tools that were used to violate section 6 of CASL.

This puts a significant onus on some agencies to proactively monitor their client base to ensure compliance with the legislation. There is clear shared responsibility for violations from a client not properly managed or caused in-part by the agency/vendor.

Building a proper vetting practice for new businesses, documenting their activities, and looking for abnormalities in how a prospective client may want to interact with your brand (e.g., pay via cryptocurrency) should be added to your processes and your client risk assessments process. Also, ensure you have built periodic similar checks into your ongoing client reviews and documentation processes. For more guidance from the CRTC, be sure to read the full compliance and enforcement information bulletin CRTC 2018-415.

minute read

Popular stories



BriteVerify email verification ensures that an email address actually exists in real-time


The #1 global data quality tool used by thousands of Salesforce admins


Insights and deliverability guidance from the only all-in-one email marketing solution

GridBuddy Cloud

Transform how you interact with your data through the versatility of grids.

Return Path

World-class deliverability applications to optimize email marketing programs

Trust Assessments

A revolutionary new solution for assessing Salesforce data quality


Validity for Email

Increase inbox placement and maximize subscriber reach with clean and actionable data

Validity for Data Management

Simplify data management with solutions that improve data quality and increase CRM adoption

Validity for Sales Productivity

Give your sales team back hours per day with tools designed to increase productivity and mitigate pipeline risks in real-time