Our Office recently concluded an investigation that has resulted in two important firsts along with some key lessons learned for businesses conducting e-mail marketing.
The investigation represents our first action taken under the “address-harvesting” provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) introduced by Canada’s anti-spam law (CASL). It also resulted in the implementation of our first compliance agreement, a new tool made possible by changes to PIPEDA introduced by the Digital Privacy Act.
Identifying a potential problem
Following the launch of the Canadian Radio-television and Telecommunications Commission’s (CRTC) Spam Reporting Centre, we identified a cluster of hundreds of submissions received from the public about the e-mail marketing activities of Compu-Finder, a Quebec-based corporate training provider.
We launched an investigation against the company that examined its privacy management practices and possible use of address-harvesting software. In discussions with the CRTC, we found that they were pursuing action against Compu-Finder under their CASL mandate regarding the sending of unsolicited commercial e-mails (“spam”). As a result, we agreed to share information between our offices, as permitted under CASL and a related Memorandum of Understanding.
During our investigation, the company reported that as of January 2014, it held approximately 475,000 e-mail addresses. Of these, around 170,000 were collected using address-harvesting software.
The company claimed that, in anticipation of the coming into force of CASL, it reduced the number of its addresses to just over 100,000, including 28,000 collected by address-harvesting software.
Collecting from websites
Compu-Finder also said it collected e-mail addresses from websites of companies which it believed would be interested in its training and which had an obligation to provide such training under Quebec legislation. Yet while its sessions were offered almost exclusively in French at facilities in Montreal and Quebec City, e-mails were continually sent to recipients across Canada as far away as British Columbia and even overseas.
Compu-Finder believed that it could rely upon implied consent to collect and use many of the e-mail addresses in its possession due to: existing business relationships; the non-sensitive nature of the information collected; the open publication of the e-mail addresses; and the relevance of its commercial e-mails to the professional activities of the individual recipients.
Yet we found that some of the websites the company collected addresses from had clear non-solicitation notices. We also interviewed some individuals who provided submissions to the Spam Reporting Centre and found that none had any business relationship with the company and the messages they received were not relevant to their work. For example:
- One individual received e-mails promoting a course for finance directors when he was a computer science professor at a university;
- Another person received e-mail messages promoting courses on measuring a business’s profitability despite being a scientist working for a government agency; and
- An e-mail to another recipient promoted training on leading groups, although he was a self-employed bookkeeper.
Collecting by phone
Compu-Finder also collected addresses by phone. We obtained a copy of the script used by the company’s employees, which did not explain that the purpose for collecting the addresses was to send individuals e-mails selling the company’s services. In addition, it was clear that Compu-Finder was collecting the e-mails from reception, administration and support staff, rather than the individuals who used the addresses.
Lack of records
We asked the company to provide evidence of the express consent it was relying upon to collect specific e-mail addresses, and it was unable to provide any relevant information regarding how consent was obtained for the collection of addresses.
Key lessons learned
When a company claims express consent for the collection and use of e-mail addresses, it must make sure that individuals approached are fully informed as to the purposes for which their e-mail address will be collected and used.
Publicly available information
Companies should read and understand PIPEDA’s regulations carefully before determining if information is really “publicly available.”
During the investigation, Compu-Finder said it thought e-mail addresses posted on websites were potentially open to collection without consent due to PIPEDA’s “publicly available” exception. This, however, was not the case, as Compu-Finder’s collection and use of e-mail addresses for the purposes of sending e-mails selling its services were not, at least in some cases, directly related to the purposes for which organizations had posted individuals’ e-mail addresses on their websites.
In addition, the publicly available exception cannot be claimed if an address was collected by the use of address-harvesting software.
Keep robust records
This investigation drives home the importance of keeping robust records and conducting appropriate due diligence.
Even if Compu-Finder’s assertion that it obtained consent from individuals to collect and use their e-mail addresses were to be believed, it lacked adequate records to back up its claims.
Any company doing e-mail marketing should keep records indicating when and how consent from individuals was obtained to collect and use their e-mail address. They should also provide some indication as to the individual’s employment, business or profession and the e-mails sent to them to prove relevance where required.
If your organization is relying on implied consent, such records and their sources should also be revisited at intervals to check that such consent remains valid. For example, has a non-solicitation statement been added to a website?
Robust records not only prove good practice in the event of an investigation, they also enable a business to readily remove an individual’s e-mail address should consent later be withdrawn, as required under PIPEDA.