February 8, 2023

Volume XIII, Number 39


February 08, 2023

Subscribe to Latest Legal News and Analysis

February 07, 2023

Subscribe to Latest Legal News and Analysis

February 06, 2023

Subscribe to Latest Legal News and Analysis

Canadian Radio Television and Telecommunications Commission Issues First Compliance and Enforcement Decision on Anti-Spam Legislation

Over two years after the enactment of Canada’s anti-spam legislation, the Canadian Radio-Television and Telecommunications Commission (CRTC) has issued its first decision on the law, with a particular focus on the consent requirement for sending marketing emails.

Background on Canada’s Anti-Spam Legislation

Canada’s anti-spam law applies to unsolicited or misleading “commercial electronic messages,” which are broadly defined as any message in which one purpose is to encourage participation in a commercial activity. The law therefore applies specifically to marketing or promotional emails. It generally requires the sender to obtain express or implied consent from the recipient. The message itself must also satisfy certain requirements, such as disclosure of the sender’s contact information and an “unsubscribe” mechanism. The law provides for a penalty of up to $10 million per violation, civil liability by private right of action (effective July 1, 2017), and vicarious liability for employers, directors, and officers in certain circumstances.

CRTC’s Decision

The subject of CRTC’s decision[1] is Blackstone Learning Corporation, a company that provides educational and training services. In 2014, Blackstone sent over 385,000 unsolicited marketing emails to Canadian government employee email addresses. It appears that Blackstone obtained the email addresses through various government websites. The messages promoted Blackstone’s technical writing, grammar, and stress-management programs. The CRTC became aware of these messages after more than 60 of the government employees who received them complained to the CRTC’s Spam Reporting Centre. These complaints prompted the CRTC to launch an investigation into Blackstone. On January 30, 2015, CRTC issued a notice of violation finding that Blackstone’s marketing emails violated the anti-spam law and proposed a $640,000 penalty.

Blackstone challenged the notice of violation, arguing that (1) it had implied consent from the recipients to send the emails and (2) the penalty imposed was “unreasonably high.”

Relying on the anti-spam law’s “conspicuous publication exemption,” Blackstone argued that it had implied consent to send the emails because the recipients’ email addresses were publicly available online. The CRTC rejected this position because the anti-spam law only allows for unsolicited messages to “conspicuously published” email addresses where the message is relevant to the recipient’s employment or official role and where the recipient has not indicated that he or she does not wish to receive unsolicited emails. The CRTC reasoned that the law does not provide a “broad license to contact any electronic address” found online; rather, implied consent must be evaluated on a “case-by-case basis.” Presumably, had the message been one that related specifically to the government employees’ roles, that might have been acceptable. For example, if a government employee who received the Blackstone marketing email had a public website profile that stated that the employee is responsible for purchasing office supplies and that suggested (either directly or indirectly) that potential vendors send an email with information, that scenario would likely meet the criteria for “implied consent.”

With respect to Blackstone’s marketing emails, the CRTC found that Blackstone did not satisfy the exemption because it failed to provide any supporting information with respect to

  • where or how it discovered any of the recipient email addresses in question;

  • when it obtained them;

  • whether their publication was conspicuous;

  • whether they were accompanied by a statement indicating that the person does not want to receive unsolicited commercial electronic messages; or

  • how it determined that the emails it was sending were relevant to the roles or functions of the intended recipients.

The CRTC, therefore, affirmed that Blackstone violated the anti-spam law.

With respect to whether the $640,000 penalty against Blackstone was appropriate, the CRTC considered a number of factors. Chief among those were Blackstone’s ability to pay and its cooperation with the CRTC. The CRTC noted that it could not initially determine whether Blackstone was able to pay the penalty because Blackstone did not provide financial information requested by the CRTC. But based on some unaudited financial statements that Blackstone eventually produced, the CRTC determined that the original penalty would amount to several years’ worth of Blackstone’s revenues. As such, the CRTC concluded that a $50,000 penalty was more appropriate and proportionate to the specific facts of the case.  


This decision shows that the CRTC is determined to vigorously investigate complaints and enforce Canada’s anti-spam law. US companies need to be aware of the requirements of this law when sending marketing messages to email addresses that they know or should know to be in Canada. Companies should understand that they cannot send marketing emails to Canadian email addresses solely because the email addresses are available online.

If a company does send emails because addresses are online, the company should be sure to

  • establish a link between the recipient’s role or responsibility and the email being sent; and

  • maintain copies of the information it obtained online to document that the email addresses were obtained online.

The decision also reveals that, under certain circumstances, there may be value in challenging a notice of violation by the CRTC, enabling companies to provide additional information to the CRTC and obtain a more favorable outcome.

In many other jurisdictions, including in Europe and many countries in Asia, there are specific prohibitions on sending marketing communications without consent. There are also requirements to give the recipients the right to “opt out” of future marketing communications. Many European data protection authorities, including in the United Kingdom, have increased their enforcement of these laws and issued fines to companies. In the United Kingdom, there is a proposed change in the law to make the directors of marketing companies personally liable for breaching direct marketing laws.

In the United States, the federal CAN-SPAM Act (15 U.S.C. § 7704) requires that marketing emails to promote a commercial product or service must meet certain requirements, including a non-deceptive subject line, identification as an advertisement, a physical address for the sender, an opt-out mechanism, and the timely honoring of opt-out requests. Obtaining the recipient’s prior affirmative consent only relieves companies of the requirement to identify the message as an advertisement; all other CAN-SPAM requirements otherwise apply. Violating CAN-SPAM is costly for companies as the Federal Trade Commission just recently increased the maximum penalty from $16,000 to $40,000 per email.

[1] Compliance and Enforcement Decision Re: Blackstone Learning Corp., CRTC 2016-428

Copyright © 2023 by Morgan, Lewis & Bockius LLP. All Rights Reserved.National Law Review, Volume VI, Number 319

About this Author

Gregory Parks, privacy and cybersecurity lawyer, Morgan Lewis

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...

Ezra Church, Litigation Lawyer, Morgan Lewis

Ezra D. Church focuses his practice on class action lawsuits and complex commercial and product-related litigation, with particular emphasis on the unique issues facing retail, ecommerce, and other consumer-facing companies. Ezra also focuses on privacy and data security matters, and regularly advises and represents clients in connection with these issues.

Kristin M. Hadgis, Morgan Lewis, Litigation attorney

Kristin M. Hadgis represents businesses in complex commercial, class action, retail, and product-related litigation in US state and federal courts, including appeals. She represents clients in a wide range of industries, including financial services, retail, pharmaceutical and medical device, with particular emphasis on the unique issues facing retailers and other consumer-facing companies. Kristin also focuses her practice on privacy and data security matters, and regularly advises and represents clients in connection with these issues.

W. Reece Hirsch, Morgan Lewis, Regulatory Attorney

W. Reece Hirsch counsels clients on healthcare regulatory and transactional matters and co-heads the firm’s privacy and cybersecurity practice. Representing healthcare organizations such as hospitals, health plans, insurers, physician organizations, healthcare information technology companies, and pharmaceutical and biotech companies, Reece advises clients on issues such as privacy, fraud and abuse, and self-referral issues. This includes healthcare-specific data privacy and security matters, such as compliance with the Health Insurance Portability and Accountability Act...

Pulina Whitaker, Morgan Lewis, labor and employment lawyer

Pulina Whitaker’s practice encompasses both labor and employment matters as well as data privacy and cybersecurity. She manages employment and data privacy issues in sales and acquisitions, commercial outsourcings, and restructurings. Pulina provides day-to-day advisory support for multinationals on all employment issues, including the UK’s Modern Slavery Act and gender pay reporting requirements. She also advises on the full spectrum of data privacy issues, including preparing for the General Data Protection Regulation. Pulina has deep experience managing international...