Submission to the OPC’s Consultation on Consent under PIPEDA (CRTC)

Canadian Radio-Television and Telecommunications Commission

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

Summary

The Canadian Radio-television and Telecommunications Commission (CRTC)’s Chief Consumer Officer, Barbara Motzney, is pleased to make a submission to the Office of the Privacy Commissioner of Canada’s (OPC) consultation on the consent model.

The CRTC is the federal agency that regulates and supervises Canada’s communication systems in the public interest. It has a role to play in protecting the privacy of Canadian consumers of broadcasting and telecommunications services and has taken regulatory measures when appropriate in furtherance of this goal. The CRTC also has an enforcement role under Canada’s anti-spam legislation (CASL).

The CRTC has recognized that communications companies need the freedom to innovate and that there are legitimate reasons for these companies to collect and use customer information. However the CRTC has also determined that regulatory safeguards to protect the privacy of consumers and their information are warranted.

The CRTC’s regulatory approach to privacy protection and consent, has been premised, in part, on ensuring that consumers are informed. The CRTC has taken steps to ensure that service providers provide customers with privacy policies and information about privacy protection.

The CRTC does not require communications service providers to seek consent for the collection and use (internally) of personal information, as these companies regularly collect information for various legitimate purposes when consumers subscribe to or use services. However, the CRTC has imposed measures which limit the disclosure or other uses of consumers’ information:

The CRTC prohibits telecommunications service providers (TSPs) from disclosing confidential customer information^{Footnote 1} other than the customer’s name, address, and listed telephone number, without the express consent of the customer, except in certain specified circumstances.^{Footnote 2} The CRTC considered that this regulatory measure was necessary due to the advent of technologies and electronic commerce, which allow information to be easily processed, rearranged, and exchanged.
The CRTC’s Internet Traffic Management Practices regulations limit the use of personal information that is collected by Internet service providers and wireless data service providers for traffic management purposes. As this information can be collected and derived without the knowledge or consent of the consumer, it may not be used for other purposes and may not be disclosed. The CRTC recognizes that service providers use the aggregated information collected for the purposes of network planning and engineering and expects that they will continue to rely on aggregated information for such purpose.^{Footnote 3}
The CRTC has recognized that the deployment of set-top boxes which allows subscription TV households to be identified individually gives rise to privacy concerns and has encouraged the broadcasting industry to self-regulate and to include privacy protections in the development of a set-top box based audience measurement system.
The CRTC expects that any communications service provider that charges for the provision of services will obtain express, opt-in consent from a customer before using that customer’s data for the purposes of targeted advertising. For that consent to be meaningful, it will need to be supported by a detailed explanation that allows the customer to clearly understand the full breadth of the actual information that a company might use to target them for advertising purposes.^{Footnote 4}

The CRTC has number of additional regulations to protect consumers’ privacy such as requirements on TSPs to offer services designed to protect customer privacy and rules for companies that engage in telemarketing.

The CRTC’s responses to the specific questions posed in the discussion paper reflect the practices of and approaches taken by the CRTC with respect to protecting the personal information of subscribers of communications services. It is possible that these practices and approaches may not be appropriate for other sectors of the economy.

Full submission:

Introduction

The CRTC is the federal agency that regulates and supervises Canada’s communication systems in the public interest and, this submission has been prepared under this context. The CRTC has a role to play in the protection of Canadian consumers of broadcasting and telecommunications services and has taken regulatory measures when appropriate in furtherance of this objective. The CRTC also has an enforcement role under Canada’s anti-spam legislation (CASL).

The CRTC’s response to this consultation is meant to address the telecommunications and broadcasting sector.

The OPC’s consultation procedures have been read and understood in the preparation of this response.

The mandate of the CRTC

The CRTC’s mandate focuses on achieving policy objectives established in the Broadcasting Act, Telecommunications Act, and CASL.

The CRTC recognizes the importance of communication services to Canadians and works to ensure that the needs and interests of Canadians are at the centre of the system that provides those services. The CRTC’s activities to ensure that Canadians have access to a world-class communication system are categorized under three pillars:

Create. This pillar focuses on ensuring that a wealth of Canadian content is created and made available to all Canadians on a variety of platform.
Connect. This pillar focuses on ensuring that Canadians can connect to a choice of accessible, innovative and quality communication services at affordable prices.
Protect. This pillar focuses on ensuring that Canadians have access to information and services that enhance their safety.

The CRTC’s rules and regulations that enhance the privacy of Canadians are captured within the Protect pillar.

The CRTC’s legislative framework and privacy

The CRTC’s responsibility for privacy in telecommunications is explicitly set out in objective 7(i) of the Telecommunications Act i.e. "to contribute to the protection of the privacy of persons". To implement this provision, the CRTC has imposed requirements to protect the personal information of individuals by means of regulations and other measures as discussed further below.

The Broadcasting Act has no provisions for protection of privacy. Privacy had not been an issue historically in conventional broadcasting, because the point-to-multipoint nature of this service had precluded the collection of personal information. However, this has changed with the wide-spread adoption of internet-connected TVs, smart set-top boxes, and Internet and web-based broadcasting services and apps. With this evolution, the broadcasting industry now has the ability to collect information regarding subscribers' viewing patterns, tastes and preferences and use it for purposes such as targeted advertising.

An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act also referred to as Canada’s anti-spam legislation (CASL), gives the CRTC the authority to regulate certain forms of electronic contact consisting of the sending of commercial electronic messages (CEMs), the alteration of transmission data in electronic messages, and the installation of computer programs on another person’s computer system, in the course of a commercial activity. One of the purposes of CASL as set out in the legislation is to regulate “commercial conduct that discourages the use of electronic means to carry out commercial activities, because that conduct compromises privacy and the security of confidential information.”

The complementary roles of the CRTC and the OPC

The CRTC and the OPC have complementary roles with respect to privacy protections. The majority of the privacy rules and privacy-related actions fall under the OPC and the Personal Information Protection and Electronic Documents Act (PIPEDA). Communications companies are subject to PIPEDA and the investigation of complaints related to the collection and use of subscribers information by communications companies falls within the OPC’s jurisdiction.

The CRTC has the power to create regulations concerning privacy with respect to communications services. In exercising its powers under the Telecommunications Act, CRTC may apply higher standards to protect privacy than those contemplated by PIPEDA. For example, the CRTC has found that express consent is required for the disclosure of confidential customer information by Telecommunications Service Providers (TSPs)^{Footnote 5} whereas implied consent may be sufficient in certain circumstances under PIPEDA.^{Footnote 6} In addition, the CRTC has greater enforcement power than the OPC.

The CRTC and the OPC, as well as the Competition Bureau, cooperate in relation to enforcement activities under CASL.

The CRTC’s privacy-related regulations

The majority of the CRTC’s privacy-related regulations have been imposed in the telecommunications sector. These regulations have generally focused on protecting customer-related information but there are also regulations more generally protecting consumers’ privacy. The CRTC has recognized that there are legitimate reasons for companies to collect and use customer information, such as billing and network planning, as well as situations where disclosure without express consent is warranted.

The CRTC has imposed regulatory measures or other actions to protect confidential customer information and safeguard consumer privacy in the following areas:

The disclosure of confidential customer information by TSPs
Information collected for the purposes of Internet traffic management practices
The provision of privacy information and policies to customers
Customer information collected by TVSPs using set-top boxes
The use of customers’ information for the purposes of targeted advertising
Services to protect consumer privacy

The disclosure of confidential customer information by TSPs

Since 1986, the CRTC has prohibited TSPs from disclosing confidential customer information (CCI),^{Footnote 7} other than the customer’s name, address, and listed telephone number, without express consent of the customer, except in certain specified circumstances.^{Footnote 8} The CRTC considered that this regulatory measure was necessary due to the advent of technologies and electronic commerce, which allow information to be easily processed, rearranged, and exchanged. In addition, the CRTC considered that market forces alone may not be sufficient to protect customers’ privacy.

CCI may be disclosed without consent to:

the customer;
a person who, in the reasonable judgment of the company, is seeking the information as an agent of the customer;
another telephone company, provided the information is required for the efficient and cost-effective provision of telephone service and disclosure is made on a confidential basis with the information to be used only for that purpose;
a company involved in supplying the customer with telephone or telephone directory related services, provided the information is required for that purpose and disclosure is made on a confidential basis with the information to be used only for that purpose;
an agent retained by the company in the collection of the customer's account, provided the information is required for and is to be used only for that purpose;
a public authority or agent of a public authority, for emergency public alerting purposes, if a public authority has determined that there is an imminent or unfolding danger that threatens the life, health or security of an individual and that the danger could be avoided or minimized by disclosure of information; or
an affiliate involved in supplying the customer with telecommunications and/or broadcasting services, provided the information is required for that purpose and disclosure is made on a confidential basis with the information to be used only for that purpose.

The CRTC’s confidentiality obligations define “express consent” as:

written consent;
oral confirmation verified by an independent third party;
electronic confirmation through the use of a toll-free number;
electronic confirmation via the internet;
oral consent, where an audio recording of the consent is retained by the TSP; or
consent through other methods, as long as an objective documented record of customer consent is created by the customer or by an independent third party.

Information collected for the purposes of Internet traffic management practices

Internet service providers and wireless data service providers may not use personal information collected for the purposes of traffic management practices (ITMPs) for other purposes, and may not disclose such information. The CRTC recognizes that service providers use the aggregated information collected for the purposes of network planning and engineering and expects that they will continue to rely on aggregated information for such purposes.^{Footnote 9} In 2009-657, the CRTC noted that certain ITMPs raise privacy concerns as certain technologies employed to implement ITMPs, such as deep packet inspection, have the capacity to collect and use personal information as part of an ITMP and that information obtained in this manner can be derived from the flow of network traffic, without the knowledge or consent of the consumer.

The provision of privacy information and policies to customers

The CRTC has taken steps to ensure the consumers are informed about privacy policies and how service providers manage their personal information as follows:

Local exchange carriers are required to provide to customers, upon request, information related to privacy protection including the company’s responsibilities with regard to protecting the confidentiality of customer records.^{Footnote 10}
As part of both the Wireless Code and the Television Service Provider (TVSP) Code, the CRTC requires that contracts and related documents, including privacy policies, should use plain language and present information in a way that is clear and easy for consumers to read and understand. Customers must be provided with a permanent copy of these documents after agreeing to a contract.^{Footnote 11} Wireless service providers and TVSPs must notify customers of amendments to their privacy policies at least 30 days before the amendments take effect, also in plain language that is clear and easy to understand.

Customer information collected by TVSPs using set-top boxes

Although the Broadcasting Act does not provide explicit provisions for privacy, the CRTC has taken steps to protect the privacy of consumers who subscribe to television services through the use of industry self-regulation and working groups. In 1993, the CRTC recognized that the deployment of technology such as set-top boxes which allow subscription TV households to be served and identified individually, would provide greater choice and customization of services, providing benefits to consumers and opportunities to television service providers. However the CRTC also recognized that the deployment of technology by the cable industry with the ability to obtain valuable information regarding subscribers’ viewing patterns and preferences gives rise to a number of issues concerning subscriber privacy. The CRTC encouraged the cable industry to self-regulate on privacy by adopting similar principles to the Telecommunications Privacy Principles developed by the Canadian Department of Communications in 1992.^{Footnote 12} In response, the Canadian Cable Television Association (CCTA) developed its own set of voluntary codes and standards for issues such as privacy, customer service, and other matters that affect the cable industry. However, the CCTA ended its operations in 2006.

In 2015, in the Let’s Talk TV—The Way Forward decision,^{Footnote 13} the CRTC recognized the need for the broadcasting industry to have access to viewer information, provided that the privacy of those viewers is protected, as the future success of the broadcasting industry depends on the industry’s ability to tailor the contents of programming packages as well as the programming itself to the needs and interests of Canadians. To this end, the CRTC required that the industry form a working group to cooperatively develop a set-top box based audience measurement system which will include, among other things, privacy protections. The working group was tasked to report back to the CRTC on the data to be collected, a governance structure, and privacy protocols including whether aggregation of data addresses all privacy issues. A progress report was filed with the CRTC on 10 June 2015 and is currently being evaluated by CRTC staff. If the CRTC is not satisfied with the progress of the group or does not consider that various objectives and principles, including those related to the privacy of individuals, are being addressed, it may choose to intervene with specific guidance.

The use of customers’ information for the purposes of targeted advertising

While the CRTC has not imposed any regulations specific to the use of customers’ information for the purposes of targeted advertising, it has issued an expectation that any communications service provider that charges for the provision of services will obtain express, opt-in consent from a customer before using that customer’s data for the purposes of targeted advertising. For that consent to be meaningful, it will need to be supported by a detailed explanation that allows the customer to clearly understand the full breadth of the actual information that a company might use to target them for advertising purposes.^{Footnote 14} This expectation is consistent with the OPC’s prior determination that customers, whose personal information was originally collected for the purposes of delivering paid telecommunications and broadcasting distribution services, would reasonably expect to have an express choice about having that information used for the purpose of delivering targeted advertising to them.^{Footnote 15}

Services to protect consumers’ privacy

The CRTC has put into place a number of other regulations and services to protect consumers’ privacy as follows:

Telecommunications companies in both forborne and regulated markets are required to offer services designed to protect customer privacy such as unlisted number service, call display, call display blocking, disallowance of call return to a blocked number, and call trace.^{Footnote 16}
The CRTC’s rules allow for a subscriber’s name, address, and phone number in published directory listings with implicit consent; however, subscribers are able to ask for an unlisted number.
Pursuant to amends to the Telecommunications Act in 2006, which granted the CRTC the powers required to establish a national do not call list (the National DNCL), the CRTC established requirements related to companies that engage in telemarketing^{Footnote 17} (i.e. the unsolicited Telecommunications Rules framework and the National Do Not Call List). These rules sought to balance the need to protect the privacy of individuals and the legitimate business uses of telemarketing. The National DNCL operates on an implicit consent model, where telemarketers are permitted to call a consumer unless the consumer’s phone number is registered on the National DNCL or on a telemarketer’s internal do not call list. This is different from the CASL which requires that companies obtain express consent in order to send commercial electronic messages to a consumer.^{Footnote 18} CASL’s requirement of express consent applies to the installation of computer programs^{Footnote 19} and to the alteration of transmission data.

Conclusion

The CRTC has recognized that companies need the freedom to innovate but they also should be transparent regarding their data collection and use practices and seek consent where appropriate. Consumers need to have information so that they can be aware of the privacy implications of the communications services they are using and of the trade-offs they are making with respect to their personal data so that they can make informed choices. Consumers of subscription communications services have a reasonable expectation that their privacy and the privacy of their data will be protected given the substantial amounts of data that is transmitted, the types of data implicated in the use of these services, and the lack of consumer awareness in some instances where data is collected. The CRTC has found it appropriate to impose regulatory measures and safeguards to protect the privacy of consumers and their information. In particular, the CRTC has consistently determined that confidential consumer information cannot be disclosed without express consent and that use of customer information for purposes other than for which it was originally collected must be restricted.

Finally, according to the CRTC’s Three-Year Plan 2016-2019, the CRTC will be conducting research on privacy concerns related to communications services that are delivered over the Internet or mobile networks. Based on the results of the research, a public consultation may be initiated to consider the effectiveness of the CRTC’s current regulatory approach to privacy.

Responses to the questions posed in the discussion paper.

The CRTC’s responses to the questions posed in the discussion paper reflect the practices of and approaches taken by the CRTC with respect to protecting the personal information of subscribers of communications services. It is possible that these practices and approaches may not be appropriate for other sectors of the economy.

Enhancing consent

What measures have the potential to enhance consent and how should their development be promoted?

The CRTC’s approach to privacy protection and consent, have been premised, in part, on ensuring that consumers are informed, as per the rules set out in both the Wireless Code and TVSP Code. Requiring that consumers of communications services have access to privacy-related information and policies that are clear and easy to understand is not an enhancement to the consent model but is a fundamental component of protecting their privacy.

What incentives should exist for organizations to implement greater transparency and privacy preference mechanisms to enhance individuals’ ability to provide consent?

The CRTC relies on market forces to the extent feasible to protect consumers’ interests. Where market forces are not sufficient or have failed to protect consumers’ interests or where there are systemic issues, the CRTC would take appropriate measures, such as imposing regulations or working with the industry to develop codes of conduct. Some communications companies might be incented to implement greater transparency and privacy preference mechanisms in order to avoid CRTC intervention. Communications companies would also be incented to adhere to the CRTC’s privacy-related regulations to avoid compliance and enforcement actions.

How should privacy by design be treated in the context of Canada’s privacy law framework? Should this concept merely be encouraged as a durable aspect of an accountability regime? Or should it become a legislated requirement as it will soon be in Europe?

The CRTC would expect that because of the nature of communications networks where substantial amounts of data are transmitted and where service providers may collect and derive information about subscribers, including personally identifiable information or sensitive information, that these communications networks and related services as well as the various supporting functions within the service providers’ organizations are developed with privacy as a default from both a technical and organizational process point of view.

What are the criteria for assessing and classifying risk of re-identification?

The CRTC does not have any regulatory policies related to the collection, use, and disclosure of de-identified data. One of the issues that the set-top box working group has been tasked to address is whether aggregation of data addresses all privacy issues associated with set-top boxed based audience measurement. This work is currently in progress and the CRTC has not made any determinations resulting from the initiative.

Should consent be required for the collection, use, and disclosure of de-identified data? If so, under what conditions?

Is there a workable, risk-based approach that can vary the stringency of the consent requirement with the risk of re-identifiability of data?

The CRTC does not have any regulatory policies related to the collection, use, and disclosure of de-identified data.

What role should contractual backstops play? Are there other ways to protect de-identified data?

The CRTC does not have any regulatory policies related to the collection, use, and disclosure of de-identified data.

Alternatives to consent

If subsection 5(3) of PIPEDA (i.e. an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances) can offer the possibility of true prohibitions, what should some of these prohibitions be?

The CRTC’s ITMP Regulatory Framework prohibits the use of information that can be derived or collected as part of an ITMP for purposes other than traffic management as that information can be collected without a subscriber’s knowledge.

Is subsection 5(3) sufficient or do we need further rules regarding “No Go Zones” for collection, use, and disclosures, such as those involving potentially discrimination practices or when children are involved?

The CRTC does not have any regulatory policies regarding “No Go Zones” for collection, use, and disclosures. However, the CRTC has found it appropriate to impose rules in other domains specific to children such as rules to protect children from the harmful effects of television violence.^{Footnote 20}

Under PIPEDA context and sensitivity help determine whether express or implied consent can be relied on. Should there be further rules depending on certain types of information or uses?

As noted above, consumers have a reasonable expectation that because they pay for subscriptions to communications services, their information is not being monetized by their service provider (e.g. used for the purposes of targeted advertising) and thus express consent would be required before the information could be used for such purposes.

Legitimate business interests

In the absence of consent, what grounds for lawful processing authorize the collection, use, and disclosure of personal information?

The CRTC does not require communications service providers to seek consent for the collection and use (internally) of personal information, as these companies regularly collect information for various purposes when consumers subscribe to or use services. These purposes include billing and network planning, provisioning, and management. Use pattern information can help communications service providers understand their subscribers’ habits in order to design, package, and market services.

The CRTC has established that express consent is not required to disclose confidential customer information when the information is being provided to:

the customer;
a person who, in the reasonable judgment of the company, is seeking the information as an agent of the customer;
another telephone company, provided the information is required for the efficient and cost-effective provision of telephone service and disclosure is made on a confidential basis with the information to be used only for that purpose;
a company involved in supplying the customer with telephone or telephone directory related services, provided the information is required for that purpose and disclosure is made on a confidential basis with the information to be used only for that purpose;
an agent retained by the company in the collection of the customer's account, provided the information is required for and is to be used only for that purpose;
a public authority or agent of a public authority, for emergency public alerting purposes, if a public authority has determined that there is an imminent or unfolding danger that threatens the life, health or security of an individual and that the danger could be avoided or minimized by disclosure of information; or
an affiliate involved in supplying the customer with telecommunications and/or broadcasting services, provided the information is required for that purpose and disclosure is made on a confidential basis with the information to be used only for that purpose.

How do we ensure a fair and ethical assessment of grounds for lawful processing that ensure the proper balance is achieved?

The CRTC’s privacy-related regulations, including the rules regarding when information can be disclosed without consent, were imposed following a public process, as is the case for all regulations imposed by the CRTC. Interested parties, including communications companies, consumer and public interest groups, and individuals may intervene and provide their positions on the issues as well as evidence. This information informs the CRTC’s decision-making process.

What would be the role of regulators in assessing grounds for lawful processing?

Regulators can identify the types of information and the situations where the collection and processing of information is required for the companies that they regulate to operate successfully in the marketplace.

Governance – Codes of practice

Could sectoral codes of practice indeed enhance consent and/or privacy protection?

The CRTC-imposed Wireless Code and TVSP Code are mandatory industry codes of conduct that include requirements to ensure that subscribers of wireless services and subscription TV services are informed about their service provider’s privacy policies in clear language and are notified in advance of any changes.

How should they be enforceable?

The Wireless Code and the TVSP Code are administered by an independent consumer agency, the Commissioner for Complaints for Telecommunications Services (CCTS). The CCTS works with consumers and their service provider to resolve complaints about communication services, including non-compliance with the Wireless Code and the TVSP Code. The CCTS monitors trends related to non-compliance with the Codes and reports on this information. The CRTC enforces the Codes by addressing issues related to systemic non-compliance.

Who should be involved in developing sectoral codes? Who should be responsible for overseeing compliance with sectoral codes?

The CRTC conducted public processes to develop the Wireless Code and the TVSP Code which allowed all interested parties including the industry, consumer groups, and individuals to participate in the development of the Codes. In the past, the CRTC has also encouraged the industry, namely the cable companies, to develop their own privacy principles.

As discussed in the previous question, compliance with the Wireless Code and the TVSP Code is handled jointly by the CCTS and the CRTC.

Governance – Privacy Trustmarks

Under what conditions are trustmarks a sensible and reliable tool for protecting consumer privacy in the evolving digital environment?

The CRTC does not have any regulatory policies related to trustmarks.

How would a privacy seal program operate alongside PIPEDA?

The CRTC does not have any regulatory policies related to privacy seals.

Ethical Assessments

To what extent are the suggestions by CIPL, FPF, and IAF helpful and practicable in assessing ethical uses?

The CRTC does not have any expertise related to this question.

To what extent can business be expected to self-regulate in a manner that protects individual privacy in the new digital age?

The CRTC found that it was necessary to impose regulations regarding confidential customer information (rather than rely on self-regulation) because it considered that market forces alone may not be sufficient to protect customers’ privacy and due to the advent of technologies and electronic commerce, which allow information to be easily processed, rearranged, and exchanged.

How should such ethics boards be created, composed and funded? Who should they report to, and what should be their decision making authority?

While the CRTC does not have any expertise in the creation or funding of ethics boards, it does have expertise in overseeing the creation of an independent consumer agency, the Commissioner for Complaints for Telecommunications Services (CCTS). The CCTS was created by the telecommunications industry in response to a direction from the Government of Canada set out in Order requiring the CRTC to report to the Governor in Council on consumer complaints^{Footnote 21} and is funded by the industry. Its structure and mandate were approved by the CRTC and it reports to the CRTC. The CCTS is periodically reviewed by the CRTC. The CCTS is governed by a Board of Directors compose of four independent directors, two of whom are nominees of consumer groups and three industry directors.

Enforcement Models

What additional powers, if any, should be given to the OPC to oversee compliance and enforce new or enhanced consent rules?

The CRTC’s approach to compliance and enforcement includes promoting compliance, monitoring compliance, and taking enforcement actions in instances of non-compliance.

The CRTC may engage in a wide variety of activities to promote compliance and awareness of non-compliance including education and outreach activities. These activities help individuals and entities learn about their obligations, thereby helping them to come into compliance voluntarily and reducing the need for responses from the CRTC. These activities also increase consumers’ ability to recognize, avoid, and report non-compliant conduct. The CRTC responds to non-compliance using the most appropriate tool or tools available.

The CRTC has a range of tools at its disposal that can be used for compliance and enforcement. The appropriate tool to use in a particular situation will depend on the factual context of each case. In some cases, the CRTC may attempt to resolve a non-compliance issue by providing notice that certain activities could lead to non-compliance, thereby allowing a company to independently take corrective measures without requiring the CRTC to take additional enforcement actions.

More strict responses may be appropriate, depending on the context, to bring a company into compliance, deter future non-compliance, and prevent harm. In these circumstances, the CRTC may decide on other enforcement measures, such as issuing a warning letter or a mandatory order, public reporting (i.e. “name and shame”), or prosecution. The CRTC can also use administrative monetary penalties (AMPs) to promote compliance with its telecommunications regulations, the Unsolicited Telecommunications rules and the National Do Not Call List, or CASL. Although most violations of these rules can be subject to an AMP, not all violations will result in the imposition of an AMP. In the case of broadcasting regulations, the CRTC can use the threat of licence revocation as a compliance and enforcement tool.

Where there have been instances of non-compliance, the CRTC may employ ongoing monitoring to ensure that the company comes into, and remains in, compliance with the CRTC’s regulations.

Overarching questions

Of the solutions identified in this paper, which one(s) has/have the most merit and why?
What solutions have we not identified that would be helpful in addressing consent challenges and why?
What roles, responsibilities, and authorities should the parties responsible for promoting the development and adoption of solutions have to produce the most effective system?
What, if any, legislative changes are required?

The CRTC does not have any views on the overarching questions.

Footnote 1

Confidential customer information may include personal information such as:

calling history (e.g. to whom, when and where a call is made, duration of call, calling patterns);
billing history;
banking information provided for payment transactions;
creditworthiness;
unlisted phone numbers; and
subscription to available telecommunications features and services.

Return to footnote 1

Footnote 2

Telecom Decision 86-7, Telecom Decision 2003-33 as amended by Telecom Decision 2003-33-1, Telecom Decision 2004-27, Telecom Decision 95-3, Telecom decision 2006-15, Telecom Decision 2007-13, and Telecom Decision 2009-723

Return to footnote 2

Footnote 3

Telecom Regulatory Policy 2009-657

Return to footnote 3

Footnote 4

Telecom Decision 2015-462

Return to footnote 4

Footnote 5

For example see Telecom Decision 2003-33, Confidentiality provisions of Canadian carriers and Telecom Regulatory Policy 2009-657, Review of the Internet traffic management practices of Internet service providers

Return to footnote 5

Footnote 6

PIPEDA only requires express consent where sensitive information about an identifiable individual is being disclosed.

Return to footnote 6

Footnote 7

Confidential customer information may include personal information such as:

calling history (e.g. to whom, when and where a call is made, duration of call, calling patterns);
billing history;
banking information provided for payment transactions;
creditworthiness;
unlisted phone numbers; and
subscription to available telecommunications features and services.

Return to footnote 7

Footnote 8

Return to footnote 8

Footnote 9

Telecom Regulatory Policy 2009-657 and Telecom decision 2010-445

Return to footnote 9

Footnote 10

Telecom Regulatory Policy 2012-24 and Telecom Regulatory Policy 2009-156

Return to footnote 10

Footnote 11

The provision of a copy of a contract applies to fixed-term contracts for TV services and wireless postpaid service contracts.

Return to footnote 11

Footnote 12

CRTC Public Notice 1993-74

Return to footnote 12

Footnote 13

Broadcasting Regulatory Policy 2015-86

Return to footnote 13

Footnote 14

Telecom Decision 2015-462

Return to footnote 14

Footnote 15

Results of Commissioner Initiated Investigation into Bell’s Relevant Ads Program

Return to footnote 15

Footnote 16

Telecom Decision 86-7, Telecom Decision 92-7, Telecom Decision 2006-15, and Telecom Decision 2009-723

Return to footnote 16

Footnote 17

Telecom Decision 2007-48

Return to footnote 17

Footnote 18

While express consent is the starting position under CASL, the legislation does set out some limited instances in which implied consent can be relied upon for the sending of CEMs.

Return to footnote 18

Footnote 19

In relation to the installation of computer programs, CASL presumes express consent in a limited number of prescribed instances, so long as it is reasonable that the consumer would consent to the program’s installation. In addition, CASL sets up a kind of “enhanced consent” framework for programs that perform certain types of functions. Specifically, if a computer program performs functions which would cause a computer system to operate in a manner that is contrary to the reasonable expectations of the user, those functions must be brought to the user’s attention clearly, prominently, and separately and apart from the license agreement.

Return to footnote 19

Footnote 20

Public notice 1996-36

Return to footnote 20

Footnote 21

Order requiring the CRTC to report to the Governor in Council on consumer complaints, P.C. 2007-533, 4 April 2007

Return to footnote 21

Date modified:: 2016-10-05

Language selection

Search and menus

Search