I'm a lawyer. I practise a mix of competition law and commercial litigation. I'd like to think that it's my competition law experience that is going to drive a lot of what I'm going to tell you today.
I'm going to divide my comments on CASL into three categories, which I'll call “the good, the bad, and the ugly”.
What is the good? Generally speaking, the provisions added to the Competition Act by this law are good. It's a good thing. It's good that we have bulked up the Competition Act to deal with misrepresentations in electronic communications. Also, I generally think the provisions about computer programs are good. I also think that having a robust unsubscribe requirement for electronic communications is a good thing.
I'm going to turn, though, to the bad, because of course what this committee is about is reviewing and proposing potential changes to this law.
As you know, CASL establishes an opt-in regime for commercial electronic messages. It does not distinguish between one-off emails and bulk emails. In fact, it was deliberately drafted so as to apply to even a single email. Basically what this law does is to make it presumptively unlawful to use email—and I'm using “email” as a shorthand for any kind of electronic communication that's captured by the act—for any commercial purposes.
I see four problems with this.
The first relates to the scope. I won't spend a lot of time on that, because I suspect you've heard a lot about it. What we're really concerned about, I would think, is bulk emails, people sending out large amounts of emails, yet CASL applies if I as a lawyer send an email to an in-house counsel saying, “Hey, I'd like to pitch my firm to do some work for you”, or even if I send an email to a lawyer to say, “Let's get together for lunch”. It also applies if I send an email to a neighbour asking if they'd like to buy tickets to a gala dinner, say, for a kids' sports team. That would be a commercial electronic message. In theory, I should be putting an unsubscribe in there.
All of these are likely commercial electronic messages. All of them, therefore, have all of these requirements superadded to them, yet I think no one would say in these situations, one-off emails between people in these circumstances, that all of this apparatus is necessary.
I'm going to turn now to a more fundamental point. In my submission, the mechanism in CASL is inconsistent with a free-market economy. Freedom isn't just about freedom of political speech. In fact, I would say that, for most people, freedom means the freedom to go about their daily lives. This includes economic freedoms, the freedom to start a business, to look for clients, to market that business, to tell people about new and innovative products that you've created, and to offer them on the market.
The quid pro quo for my freedom and the freedoms of Canadians to start businesses is that I'm going to get publicity from other people exercising their freedoms. I might not be that interested in that publicity, but if I want the freedom to tell people about my business and what I do, then I have to accept that I'm going to get stuff that I'm going to have to put in the trash—in the case of snail mail or flyers that are paper—or hit delete on. Of course the other thing is that one person's junk mail or spam is another person's coupon-clipping opportunity.
A corollary to this is that this law reduces competition. In fact, it does so, I'd say, deliberately. That makes its title, frankly, the opposite of what it is. It's almost Orwellian. It parodies some of the purposes of the Competition Act. It talks about, “An Act to Promote the Efficiency and Adaptability of the Canadian Economy...” but, in fact, what CASL does explicitly is privilege incumbent firms over new entrants.
Competition is about new entrants coming into the market offering new products, innovative products, expanding entering markets, and competing with the incumbents, and maybe even unseating them as incumbents.
CASL privileges the relations between incumbents and their clients over those with new entrants who would want to establish new relationships with new clients. It does so by erecting what is effectively a barrier to entry. It says you can't send a commercial electronic message. You can't email people to tell them about your new and innovative products unless you have first somehow contacted them and got their consent to do that.
It raises the costs to a new business and a new entrant to tell Canadians about new and innovative products, and that reduces competition. It's built into the act. It's not a bug. It's a feature.
You've probably heard from other witnesses, so I'm not going to belabour the point, but there's a very serious constitutional argument about this statute, that the mechanism that makes it presumptively unlawful to use email for commercial purposes is inconsistent with the existence of any commercial freedom of speech. As we know, our courts have said there is such a thing as constitutionally protected commercial speech. It's not as strongly protected as what I'm doing today—political freedom of speech—but it is protected.
You may also have heard issues about the effectiveness of CASL, so I won't spend a lot of time on that but I will note that most spam comes from outside of Canada. CASL can't really touch that directly; we have to rely on our partners abroad to deal with that.
The other thing is that some of the absolutely worst kind of spam that we get—phishing messages trying to get us to log on to things and give over our passwords—might not even be caught at all because it's not a commercial message. It's not about buying and selling a product. It's just flat out fraud. It's already probably a criminal offence under our criminal law, but CASL doesn't really touch it. In the end, CASL goes after legitimate businesses here in Canada, loads them up with restrictions that you've probably heard a lot about, and probably doesn't do very much for us in return.
What would I propose in its place if I had the decision-making power? I'd say we should have a very strong opt-out system with very robust unsubscribe requirements that are enforced. The CRTC is enforcing the unsubscribe requirements, of course.
I'll turn quickly to the ugly—the things that need to be fixed a bit, as opposed to just changed fundamentally. First is the private right of action. There are three problems with it. The first is it's an open invitation to class action lawyers to start actions against reputable companies. They're not going to go after the Russian brides and the spammers outside of the country. They're going to go after Air Canada, WestJet, and all the rest of them.
Second—and this is troubling—because you can get out of a class action, although you have to do it before it starts by entering into an undertaking with the CRTC, it gives the CRTC a big tool, a big club, to get money out of companies. What's wrong with that? Well, anytime you create incentives for a regulator that give them a club to get money, there's a danger that they'll try to do that. I'm not saying they will. I'm saying there's a danger. It's like an invitation for them to do it.
The third is a nit, but in its application to section 74.011 of the Competition Act, there's no materiality threshold requirement in that provision. That means you could have a cause of action and lawsuit over an insignificant, trivial misrepresentation or inaccuracy in a subject line of an email.
I suspect my time is over. I'll just mention quickly that the warrantless searches provision, notice to produce, is almost certainly unconstitutional. The act is full of what I'd call statutory interpretation nightmares, but I don't have the time to take you through them.
Thank you very much, Mr. Chair.
I would like to thank all the members of the committee for inviting me to appear today.
I have noticed that the media have not reported much on the committee's work, and yet you do excellent work, both for companies and Canada's economy, and for consumers.
For my part, I have followed your work with great interest, albeit from a distance, through the committee's website, and have published a regular update about it on our blog.
I have to admit that this is the first time I have been in a so-called lobbying position, and I was especially surprised by the number of approximations, exaggerations, and “alternative facts” that have been presented to you by various witnesses as scientific truth. I will come back to that later on.
First, allow me to introduce myself briefly. I am an Internet pioneer in Quebec. In 1994, I founded the first digital marketing agency, through which, for close to 20 years, I have helped various organizations such as VIA Rail, RDS and Club Med USA use the web to transform their marketing strategies, their sales strategies, and sometimes even their business model.
I have always considered email as being at the heart of any digital marketing strategy, and I started implementing email marketing strategies for our clients back in 1996.
In 2013, I left the agency to found Certimail, the company I am representing today, whose mission is to help SMEs increase the effectiveness of their email marketing while complying with Canada's anti-spam legislation, or CASL.
Far from being dogmatic, the observations and recommendations I will present today are based on 20 years of email marketing experience, and four years dedicated to analyzing CASL and its 13 regulatory instruments, in order to help dozens of SMEs of all sizes implement a compliance program based on the CRTC's requirements.
Before I get to the analysis of CASL and its enforcement, I would like to answer a simple question that the committee members have asked regularly, at nearly every meeting, without ever getting an answer, namely, what does it cost for a company to comply with CASL. The answer is simple. The compliance packages offered by Certimail cost $699 for a sole proprietorship or self-employed person, $1,249 for a small company with fewer than 10 employees, and between $3,000 and $15,000 for companies with between 11 and 300 employees. If my colleagues from Newport Thomson, Deloitte, or KPMG, which offer similar services to larger companies, had been invited to appear before the committee, they would have told you that their rates for compliance range from $25,000 to $100,000.
I think this is important information. I admit that I was surprised that neither the CRTC nor the various industry organizations that appeared before you were able to provide this essential and publicly available information.
That being said, I will focus on three elements: the importance and effectiveness of CASL, the inadequacy of the CRTC's approach to its enforcement, and a few recommendations to strengthen CASL by reducing its negative impacts.
Contrary to what many lobbyist have stated before the committee, CASL does not pertain to cybersecurity or computer security risks, but rather seeks to develop consumer confidence in electronic commerce and to develop Canadian industry.
As suggested in the report of the Task Force on Spam, which preceded the legislation, the legislation and its regulations seem more like rules of the road for electronic communications than legislation about information security threats, as people have led us to believe.
When I crossed the bridge this morning to attend your meeting, I noted that the complex and strict regulations that were established a century ago to guide the few automobile drivers of the time have not really compromised this mode of transport or that industry. The same thing applies to CASL.
These rules of the road for electronic communications are very important to Canadians. They demonstrated this by filing more than a million complaints in three years, without a single advertisement encouraging them to do so. There was no advertising campaign informing people who received spam that they could forward it to the Spam Reporting Centre. The idea caught on spontaneously and people filed more than a million complaints. These votes in support of CASL continue to come in by the thousands every day.
Moreover, this volume of complaints is sufficient to contradict a recent statement made to your committee by a Canadian Chamber of Commerce representative, namely, that the problem of unsolicited email has been resolved by anti-spam technology. Receiving unsolicited email is in fact still a major problem for a vast majority of Canada's population. Anti-spam technology is increasingly effective, but it has not solved the problem. Moreover, this technology is starting to show its limitations. Just ask the U.S. Department of Homeland Security, which was short on tasers last week because the Taser server had treated its purchase orders as spam.
By its first anniversary, CASL had reduced the volume of spam received by Canadians by 37%. This shows the effectiveness of CASL for consumers. It is also effective for businesses, at least for those that want to do real email marketing, and not use email incorrectly to do traditional mass marketing from the Mad Men era.
Since CASL came into force, Canada has pulled ahead of the pack to become one of the two countries with the most effective email marketing by far. The other country is Australia, the only other country that has legislation that is as broad, complex, and strict as CASL.
The delivery rate, that is, the proportion of commercial email that is sent and is visible to addressees, that is not filtered by anti-spam or other systems, is in the order of 80% in most countries in the world. In Canada, that rate rose from 79% in 2014 to 90% today. The only country in the world with a similar success rate is Australia.
Similarly, the readership rate, that is, the proportion of marketing emails that are opened by addressees, fluctuates between 12% on the African continent and 24% in the United Kingdom. In the United States, it is 21%. With a readership rate of 32%, Canada is in second place, just behind Australia, where the rate is 33%. Before CASL came into force, the readership rate in Canada was just 26%.
Thank you to the members of the committee for inviting us to testify.
Imagine Canada is the national umbrella for registered charities and public benefit non-profits. Some 86,000 charities and a similar number of non-profits provide vital services and supports to individuals and communities across Canada. Before I get into our specific recommendations regarding CASL, I just want to set a bit of context.
In the aggregate, when you factor out hospitals, universities, and colleges, organizations generate more than half of their income from sources other than donations and government grants. Registered charities are strictly regulated by the Canada Revenue Agency. An organization can have charitable status only if it demonstrates that it is acting for the public good and that no undue private benefit results from its actions.
Public benefit non-profits include things like public housing corporations, community development corporations, and social service agencies. They deliver public benefits, and no part of their income or assets is available for private use. Finally, more than half of the organizations in our sector are operated completely by volunteers. These include board members, who serve their communities with no remuneration.
In preparation for this committee's review, we conducted a survey of charities and non-profits about their experiences since CASL was proclaimed. Among the key findings is that almost 70% of them send some kind of commercial electronic message, as defined in CASL. Upwards of 99% are compliant when it comes to identifying themselves, providing contact information, and providing unsubscribe options.
The definition of a commercial electronic message remains unclear to them. For example, around 40% of organizations sending messages to promote services for which a fee is charged believe that they are not sending CEMs. Almost half of the organizations have incurred compliance costs. More than 30% of those that do not send CEMs have also reported compliance costs, as they are unsure of the definition of a CEM. More than half of the organizations fear that the private right of action provisions of CASL would limit their ability to recruit volunteer board members.
We appreciate the efforts that the government and the department made in 2014 to provide comfort to charities through a limited exemption. However, conflicting views between those who drafted the exemption and the CRTC as the enforcement agency have led to increased confusion as to the charities' obligations under the law.
We believe the solution is to exempt registered charities from the consent provisions of CASL. This would be similar to the exemption they have always had under the do-not-call list.
We also believe it's time to distinguish between public benefit non-profits, such as public housing corporations, and those that exist for private purposes, such as golf clubs or condo corporations. CASL already does this to some extent for certain purposes, and precedent exists in other jurisdictions to make the distinction. With this distinction made, we recommend that public benefit non-profits also be exempt from the consent provisions.
We support maintaining CASL's requirements regarding sender identification, contact information, and unsubscribe mechanisms. Indeed, charities seeking accreditation under Imagine Canada's standards program have been required to meet these standards since prior to CASL.
Regardless of the consent provisions, we also recommend that charities and public benefit non-profits be protected from CASL's provisions regarding PRA, the private right of action. Where organizations have assets, these are held in trust for the public good; they should not be subject to private seizure. As noted above, board members are volunteers serving their communities. They should not be subject to personal liability, particularly when agencies of the federal government have not been able to agree on what the rules are. CASL's administrative penalties are more than sufficient to ensure that charities and non-profits adhere to their obligations, if and when those obligations are truly clarified.
Thank you. I'd be happy to answer any questions you might have.
What we provide, at the prices I mentioned, is a comprehensive compliance program. We conduct an audit, issue recommendations, guide companies in the implementation of compliance recommendations, and provide them with a written compliance policy and records. It's really a turnkey comprehensive compliance program.
The main obstacle we currently face is the CRTC. The problem is two-fold. First, the CRTC's communication is flawed. Two different organizations have carried out two separate surveys, which show that 75% of Canadian businesses feel that they are ill-informed with regard to the real issues of the Canadian Anti-Spam Legislation. People are familiar with the legislation, and they know that there is an issue in terms of consent and unsubscription, but they know absolutely nothing about the compliance requirements, the regulatory requirements. There is really a major problem in that respect. Second, documentation is lacking on the objective interpretation of that regulation by the CRTC. In three years, the CRTC's investigative team has come up with three interpretation guides on three small rules. There are still dozens that affect pretty much all Canadian companies. So the CRTC really needs to make a major effort, and that is one of the recommendations we will submit to you.
The last point is the motivation of businesses, which feel like a million complaints have been filed by consumers. Steven Harroun testified before you a few weeks ago, and he told you that 500 investigations have been opened in three years, that about 30 have been completed and that eight fines have been made public. SMEs feel that they are more likely to win the lottery jackpot than to have an investigation on their emails launched.
We know how SMEs operate. They have constraints. They are always managing urgent considerations and only focusing on the most important matters. The message sent by the CRTC, probably unwittingly, is that this legislation is not important.
It's all speculative in terms of what the private right of action can be. In fact, we don't know.
I think it's interesting that there still seems to be confusion about compliance and how to do that.
In the last session, I talked about maybe having more of the rules defined and so forth. At the end of the day—I was just thinking about this in terms of the process we're following—I have yet to find evidence. Maybe we can go around the table and you can provide it. What evidence is there that Canadians want more electronic messaging?
I'm wondering about all this in terms of how we go on. How many more people out there and Canadians.... I'm just thinking that I asked my staff to do a review, and I just don't remember. I get complaints about just about everything in my office, all kinds of things. Over 15 years, we've seen it all. In fact, I have some rather colourful stories. At any rate, what evidence is there that since this has been in place, many of the charitable supporters have demanded more information or asked for more emails, legitimate or not legitimate, from the people that you deal with?
We'll go around the table here starting with Mr. Schaper.
To answer your question, I would say that Canadians increasingly want to receive emails, but they have two conditions. First, they want to decide for themselves who can send them an email. Second, they want the email's content to be relevant.
I was saying earlier that Canada had excellent email marketing results. So, the legislation has been positive for businesses. Those of them that do good email marketing make more money today than they did before the legislation came into force. Businesses that do bad email marketing—in other words, those that take advantage of the inexpensiveness of sending their messages to everyone without worrying about whether they are relevant or whether the individual has asked or agreed to receive them—are struggling and will perform very poorly.
What the legislation does is encourage businesses to improve. One of the things the task force on spam did was analyze what the best email marketing practices were. The legislation kind of forces businesses to apply those best practices and encourages them to develop good marketing skills, which will in turn help them get results.
I support what Mr. Osborne just said. He said that he was receiving a lot of emails, but there were many that he never asked to receive and that did not concern him. He said that he was receiving emails from Air Canada, but that most of them were of no interest to him. That is something all Canadian consumers are experiencing. The legislation pushes companies to make an effort to ensure to send the right information to the right people.
Extremely affordable technologies exist today that help automate that process. We are trending toward that. Europe has gone in that direction because that is the current trend.
Mr. Osborne was talking earlier about the system that enables recipients to have their name removed from a distribution list. Under that system, businesses can send an email to anyone, as long as people have the option to unsubscribe. That is the system implemented by the United States through the CAN-SPAM Act. The U.S. is currently generating the most spam in the world, even more than Russia and North Korea. It's also a country where email marketing is becoming less and less effective.
When it is well done, email marketing is a goose that lays golden eggs for businesses. Seeing Canada moving backward, while the rest of the world is moving forward, is like deciding to kill the goose. That would detract from Canada's ability to compete.
We offer our services to businesses of all sizes—with up to 300 employees—in a variety of sectors. We have worked with NPOs, museums, associations, as well as with businesses in the fields of insurance, marketing, media and road transportation. This applies to any situation.
We begin by making a presentation to the company on the CRTC's compliance requirements. We conduct an audit, which is generally done by telephone or video conference, using Skype or another similar program. We then gather all the information on the way our client operates.
We carried out a research and development project with researchers from the Université de Montréal's Faculty of Law. We modelled the legislation and electronic means of communications, and we came up with a grid that lists about 100 compliance issues an SME could face. We review those 100 potential problems for each business, and we then provide them with a report of 20 to 30 pages, depending on the situation. We analyze the way the business operates, its processes, its systems and its policies in order to identify all compliance issues. For each issue, we provide an optimized recommendation that will help the business comply with the legislation and meet the compliance requirements, and improve the effectiveness of its email marketing in the process.
After that, we give the company the report and support it remotely—over the telephone, by email or by video conference—in the implementation of our recommendations. We provide the company with a custom draft policy, a potential training program for its employees, as well as all the necessary records. Finally, we provide the business with certification, which has no legal value and is not sanctioned by the CRTC, but which proves that the business has a compliance program in place. That enables us to receive consumer complaints on the company's behalf and, if necessary, we can take away its certification.
I don't have anywhere near the detailed data that Mr. Le Roux has, but I can offer a couple of examples.
I had a client—I obviously can't name them—who wanted to dig into issues around text messaging. I can't remember what the bill was, but if memory serves, it was several thousand dollars. It may have been as high as $10,000. It wasn't a massive bill, but it wasn't nothing.
In my own firm, we didn't spend a lot of money, but that's because I spent a lot of my time—several thousand dollars' worth of time—on our newsletter list. We are employing a guy right now on contract who's going through and updating the implied consents and so forth.
I'll anticipate Monsieur Le Roux's comment. He's right: it's a best practice to do that anyway, because of course databases age and you should be updating those. Some of what someone might call a compliance cost is in fact a cost of maintaining a good database, but it's not negligible.
There are companies out there offering these plug-ins at about eight bucks a user to monitor and intervene so you can't accidentally send a spam email. Eight bucks a user doesn't sound like much, but consider that your cost of Microsoft Office, depending on the package you buy, is around $12 to $25 a user. That's a significant increment on a per-user IT cost for an organization.
What we would like the CRTC to do first and foremost is clarify its interpretation of the act. We identified about a hundred compliance issues for an ordinary SME. For half of these problems, we do not know what the CRTC's interpretation would be. What we see based on the rare published cases or rare details it provides, or the conferences it holds, is that there is a systematically radical and restrictive interpretation. Everything that seems to make good sense should be permitted, authorized or managed by the CRTC. However, the positions the CRTC adopts never seem to proceed from logic or common sense; this creates a climate of fear and uncertainly which makes the compliance process more cumbersome.
Consequently, one of our recommendations would be that the CRTC create an advisory committee comprised of representatives from marketing, compliance, and consumer representatives; in short, people who represent the various stakeholders. Their role would not be to determine the interpretation, but they could play an advisory role to the CRTC to help it to interpret the provisions well. Such a committee could accelerate the CRTC's interpretation process. It is not normal that after three years only three small rules have been explained, while all the rest are still vague and we have no idea where we are headed.
We have another suggestion to make concerning the CRTC. Currently there is a discretionary fine model. The CRTC examines the penalty amount in light of its criteria — I won't say it tosses a coin — up to a maximum of $10 million. When an SME learns that it could be liable for a $10-million fine for missent emails, it is incredulous. The figure is so gigantic that the deterrent effect is lost. In addition, I expect that the CRTC, in order to be able to justify imposing a fine of $200,000 or $300,000, must compile quite an extensive investigation file. Since it takes a long time to do that, it processes very few files.
We recommend that there be a guideline for the fines, including a maximum and a minimum. According to this scale, a first breach that seems to have been an error, committed in good faith, would be liable to a fine of $5,000 or $10,000, for instance. In the case of a large business, the fine for a first offence resulting from an error made in good faith would be more on the order of $50,000. For someone who reoffends, the amount would be higher. If you see that it was not an error committed in good faith, but that the company intended to break the law, then the penalty would be higher. If a scale of that type were brought in, the CRTC's burden of proof and substantiation would be lightened, and this would allow it to process more files. This would also send businesses the message that everyone must respect the law. I believe this would have a much stronger deterrent effect.