Horizontal Evaluation of Canada’s Anti-Spam Legislation (CASL)

From: Innovation, Science and Economic Development Canada

March 2018

Table of contents

Horizontal Evaluation of Canada's Anti-Spam Legislation[PDF - 1.32 MB]

Executive summary

Initiative description

Canada's Anti-Spam Legislation (CASL) aims to protect Canadians from spam, electronic threats and misuse of digital technology.
CASL was passed in 2010 and the majority of provisions came into force in 2014 with a three-year transition period to allow time for consumers and businesses to become aware of and comply with the legislation.

CASL is delivered by:

  • Innovation, Science and Economic Development Canada (ISED): National Coordinating Body (NCB), Office of Consumer Affairs (OCA) and Competition Bureau (CB);
  • Canadian Radio-television and Telecommunications Commission (CRTC) including the Spam Reporting Centre (SRC); and
  • Office of the Privacy Commissioner of Canada (OPC).

The compliance continuum reflects the key activities that partners undertake to promote compliance, monitor compliance, investigate non-compliance and respond to non-compliance.

About the evaluation

As CASL is in its early stages, this evaluation assessed the achievement of immediate outcomes by examining components of the compliance continuum; governance; and, the extent to which the impact of CASL can be measured. Using qualitative and quantitative research methods, the evaluation covered the period from 2010-11 to 2016-17.

What the evaluation found

Roles and responsibilities have been defined and mechanisms exist to facilitate the management and delivery of CASL. However, the oversight role of the NCB could be strengthened and the role of OCA clarified. Further, there is an opportunity to improve cohesion among partners, especially between the enforcement agencies and non- enforcement partners. In addition, CASL partners have established international relationships to share information and leverage joint efforts where possible. However, except as it relates to CB, there are no provisions for information sharing with other non-CASL domestic partners, which limits cooperation for compliance activities.

To promote compliance with CASL, each delivery partner conducts education and outreach activities. However, these activities are not coordinated and many aspects of CASL may not be well understood by businesses such as SMEs. Currently, the SRC collects intelligence to monitor compliance and support the enforcement agencies. There may be opportunities for SRC data to support information sharing among the CASL partners and in activities that promote compliance.

CRTC, CB and OPC have distinct powers and processes for investigating and responding to non-compliance. 36 investigations have been completed and a range of compliance actions have been taken since 2014-15. There is a perception by external stakeholders that some types of compliance actions may better promote awareness of CASL.

Although it is too early to conclude on impact, the evaluation found that there are limited data sources available to assess the impact of CASL on the electronic marketplace.

Recommendations

  1. To improve cohesion, the CASL partners should re-examine the existing governance structure including roles and responsibilities and the supporting committees.
  2. The National Coordinating Body should work with CASL partners to strengthen information sharing in order to facilitate the management and delivery of CASL. Consideration should be given to the sharing of aggregate Spam Reporting Centre reporting data.
  3. As appropriate, the CASL partners should collaborate and develop a coordinated approach to education and outreach activities to improve the understanding of CASL by businesses, as well as the impact and reach of these activities.
  4. The National Coordinating Body, in collaboration with the delivery partners, should strengthen its data collection capacity to ensure that performance information is available to assess the impact of CASL.

Acronyms

AMPs
Administrative Monetary Penalties
CASL
Canada's Anti-Spam Legislation
CB
Competition Bureau
CRTC
Canadian Radio-television and Telecommunications Commission
ISED
Innovation, Science and Economic Development Canada
MOU
Memorandum of Understanding
NCB
National Coordinating Body
OCA
Office of Consumer Affairs
OPC
Office of the Privacy Commissioner of Canada
PIPEDA
Personal Information Protection and Electronic Documents Act
SMEs
Small- and medium-sized enterprises
SRC
Spam Reporting Centre

Background

  • Context
  • CASL Description
  • CASL Environment
  • Compliance Continuum

Context

Unsolicited commercial electronic messages, known as spam, are a global challenge. Spam has become a significant social and economic issue and a disruption to the productivity of businesses and consumers. More than 90% of emails sent globally each day were spam in 2015.Footnote 1 As well, it is estimated that spam costs the Canadian economy more than $3 billion per year.Footnote 2

In addition to spam, there are other electronic threats such as identity theft, phishing, false and misleading content and malware that have become more sophisticated and widespread. Spam and electronic threats continue to disrupt electronic commerce and reduce business and consumer confidence in the electronic marketplace, impose heavy costs on network operators and users, threaten network reliability and security, and undermine personal privacy.

While spam and electronic threats can be caused by illegitimate actors from around the world, legitimate businesses can also knowingly or unknowingly cause harm to consumers and the electronic marketplace. Consumers and businesses benefit from a decrease in unsolicited commercial electronic communication, as trust in electronic means of communications and those who use them for commercial purposes is essential to the prosperity of the Canadian economy.

Prior to 2010, Canada was the only G8 country without anti-spam legislation. At the time, technological solutions alone had proven largely ineffective in stemming the growth and impact of spam and related threats. Industry continued to make efforts but were hindered by the lack of legal prohibitions to prevent spam and other electronic threats from originating and occurring in Canada.

To deter spam and other electronic threats, Canada's Anti-Spam Legislation (CASL) was passed in 2010. Apart from certain changes to PIPEDA introduced by CASL in 2011, the majority of CASL's provisions came into effect in 2014. CASL aims to protect consumers against spam, electronic threats and misuse of digital technology while ensuring businesses remain competitive in a global digital marketplace.Footnote 3

CASL Description

Canada's Anti-Spam Legislation

An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio- television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act, and the Telecommunications Act.Footnote 6

CASL is designed to help protect Canadians from spam and other electronic threats received from either legitimate businesses or illegitimate actors. The legislation establishes a regulatory framework consistent with international best practices and contributes to the Government of Canada's efforts to "improve economic opportunity and security for Canadians".Footnote4

Through CASL, Canada has adopted an opt-in consent model where senders may only send a commercial electronic message if they request consent first, or meet an exception or exemption (see Appendix A). CASL is technology neutral, meaning that it is intended to apply to all forms of electronic communication. It aims for a balanced approach that protects the interest of consumers and organizations that have legitimate reasons for communicating electronically. The expected outcomes of CASL are described in Appendix B.

Activities prohibited by CASL include:Footnote 5

  1. sending of commercial electronic messages without the recipient's consent (permission), including messages to email addresses and social networking accounts, and text messages sent to a cell phone;
  2. alteration of transmission data in an electronic message which results in the message being delivered to a different destination without express consent;
  3. installation of computer programs without the express consent of the owner of the computer system or its agent, such as an authorized employee;
  4. making false or misleading representations to the public in the form of electronic messages;
  5. collection of personal information through accessing a computer system in violation of federal law (e.g. the Criminal Code of Canada); and
  6. collection of electronic addresses by the use of computer programs or the use of such addresses, without permission (address harvesting).

CASL had a three-year transition period to allow time for businesses and consumers to become aware of and comply with consent requirements.

Three-year transition period

Description of the Three-year transition period
  • On July 1, 2014 the majority of provisions came into force.
  • On January 15, 2015, sections of the Act related to requiring consent to install computer programs came into force.
  • On July 1, 2017, the Private Right of Action provisions were to come into force. However, this was suspended.

CASL Environment

The electronic marketplace system in which CASL exists is complex. CASL is part of a broader range of domestic and international legal and policy frameworks in the areas of spectrum, telecommunications, privacy protection and cyber resilience, including cyber security.

Enabling Environment Framework

Description of Enabling Environment Framework

The enabling environment is comprised of:

  • Policy makers, rule makes and governors who set policies, laws and regulations and coordinate policies;
  • Compliance and enforcement agents who use authorities to promote compliance and enforce laws and regulations;
  • Platform providers and influencers. Platform suppliers enable transactions and media and specialized information groups develop and relay information.
  • Suppliers of messaging who conduct spam and, or, fraudulent electronic activities (or not); and
  • Consumers who recognize, resist and report scams (or not).

The enabling environment of CASL can be viewed as a system with five key actors including legislators and policymakers, compliance and enforcement agents, business platform providers and influencers, suppliers of messaging, and consumers.

To implement CASL, approximately $69 million over seven years (2010-11 to 2016-17) was allocated to:

  1. Innovation, Science and Economic Development Canada (ISED) specifically the National Coordinating Body (NCB), Office of Consumer Affairs (OCA) and Competition Bureau (CB);
  2. Canadian Radio-television and Telecommunications Commission (CRTC), the main enforcement agency of CASL, including the Spam Reporting Centre (SRC); and
  3. Office of the Privacy Commissioner of Canada (OPC).

The non-enforcement partners of CASL are NCB and OCA, and the enforcement agencies are CRTC, CB and OPC.

Compliance Continuum

The compliance continuum reflects the key activities that the delivery partners undertake to encourage compliance with CASL. The continuum is not linear and its components are interrelated. Results of one component of the continuum can influence results of other components.

Compliance Continuum Components

Description of Compliance Continuum Components
  • The compliance continuum is made up of four components: Promoting Compliance, Monitoring Compliance, Investigating Non-Compliance and Responding to Non-Compliance.
  • In regards to promoting compliance, all delivery partners conduct activities such as outreach and presentations, participate in conferences and attend meetings with stakeholders to promote awareness of CASL relative to their respective mandates and compliance with the legislation.
  • In regards to monitoring compliance, the enforcement agencies monitor compliance with the laws they enforce. The SRC gathers data on spam and other electronic threats that the enforcement agencies use to identify potential investigations and responses to non-compliance. 
  • In regards to investigating non-compliance, investigations are conducted by the enforcement agencies.  Investigations can be resource-intensive and may take multiple years to complete.
  • In regards to responding to non-compliance, the enforcement agencies have a suite of responses to non-compliance such as warnings, undertakings and consent agreements. CRTC and CB can seek Administrative Monetary Penalties (AMPs).  Responses to non-compliance are meant to promote and enforce compliance with CASL.

Methodology

  • Evaluation Context and Considerations
  • Methods of Data Collection

Evaluation Context and Considerations

The objectives of this evaluation were to provide early insights regarding the implementation of CASL and to identify areas where delivery could be improved.

An evaluation of CASL was required in 2017-18 to meet policy commitments. This is the first evaluation of CASL and covers the period from 2010-11 to 2016-17.

As CASL is in its early stages, this evaluation focused on the achievement of immediate outcomes (see Appendix B) in terms of what works, for whom, and in what circumstances by examining components of the compliance continuum as follows:

Evaluation Focus

Description of Evaluation Focus
  • The outcome of information sharing to facilitate CASL was assessed among the CASL partners and with others at the domestic and international levels.
  • The outcome of awareness of spam and other online threats was assessed by examining promoting compliance and monitoring compliance
  • The outcome of recognition of appropriate and inappropriate practices in the electronic marketplace was assessed by examining investigating non-compliance and responding to non-compliance.

The evaluation also examined governance and the extent to which the impact of CASL on the electronic marketplace can be measured. Performance data provided for the evaluation is only available commencing in 2014-15, when the majority of CASL provisions came into force. Details on the evaluation limitations can be found in Appendix C.

The evaluation was conducted by the Audit and Evaluation Branch of ISED. It is separate from the 2017 legislative review completed by the House of Commons Standing Committee on Industry, Science and Technology.Footnote 7

Methods of Data Collection

This evaluation is based on qualitative and quantitative research methods from both primary and secondary data sources.

Document Review

Review of documents including:

  • Foundational documents
  • External documents such as research papers and articles
  • Government priority-setting documents

Interviews

Conduct of 40 semi-structured individual and small group interviews with:

  • CASL delivery partners (20)
  • External experts and stakeholders (20)

Administrative and Financial Data

Provided by the delivery partners including:

  • Performance reports
  • Initiative-related operational data
  • Human resource and financial data

Service Blueprint

Process mapping of spam reporting from the consumer perspective, developed from data analysis, SRC site visits and interviews with CASL enforcement agencies (Appendix D). This was used as a line of evidence to assess how the SRC supports awareness of CASL and operations of the enforcement agencies.

Comparative Analysis

Analysis of anti-spam legislation in Canada, Australia, UK and US (Appendix E). This was used to assess how Canada's anti-spam legislation with its opt-in model and enforcement capabilities compared with other countries.

Secondary Sources of Survey Data

Surveys conducted from 2012 to 2017:

  • Canadian Anti-Spam Act survey: Bill C-28Footnote 8
  • Canada's Anti-Spam law is effective, but it's harming Canadian businessesFootnote 9
  • CASL Experience of OrganizationsFootnote 10
  • CASL Survey Report: Bridging the Gaps in Understanding and ComplianceFootnote 11
  • Understanding Canadian reactions to CASLFootnote 12

Findings

  • Governance
  • Information Sharing to Facilitate CASL: Among CASL Partners
  • Information Sharing to Facilitate CASL: With International and Domestic Partners
  • Promoting Compliance
  • Monitoring Compliance
  • Investigating and Responding to Non-Compliance
  • Impact of CASL on the Electronic Marketplace

Governance

Finding: Roles and responsibilities of the CASL partners were defined at the outset and governance mechanisms exist to support delivery. However, the oversight role of the National Coordinating Body could be strengthened and the role of the Office of Consumer Affairs clarified. Further, there is an opportunity to improve cohesion among partners.

Roles and responsibilities of the partners have been set out in foundational documents and legislative mandates, as follows:

  • Non-Enforcement
    • NCB
      • Policy oversight, including monitoring and reporting
      • Oversight of public communication and outreach activities
      • Support to the enforcement agencies
    • OCA
      • Lead and coordinate consumer and small business education and awareness of CASL, including the management of the FightSpam website
  • Enforcement
    • CRTC - Through CASL:
      • Enforce and investigate violations of prohibitions against the sending of spam, the alteration of transmission data, and the installation of computer programs into computer systems and/or networks without consent
      • Encourage compliance through outreach, sanctions and remedies for violations such as AMPs
    • CB - Through amendments to the Competition Act:
      • Encourage compliance, enforce and investigate cases of false or misleading electronic representations
      • Encourage compliance with CASL-related Competition Act provisions through outreach, sanctions and remedies for violations such as AMPs
    • OPC - Through amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA):
      • Enforce and investigate the unauthorized collection and use of electronic addresses by using computer programs, and the unauthorized collection and use of personal information through any means of telecommunication made by accessing a computer system
      • Encourage compliance with CASL-related PIPEDA provisions through outreach and remedies (excluding AMPs)
  • Intelligence Gathering
    • Spam Reporting Centre (SRC)
      • Housed within the CRTC, primarily to support the enforcement agencies
      • Receives submissions and reports of spam and other electronic threats
      • Gathers voluntarily provided or publicly available information to identify potential violations and support enforcement of CASL
      • Manages CASL information databases, allow access to databases by the enforcement agencies and report on trends and metrics

Canada is unique when compared to the US, United Kingdom and Australia in that it engages multiple federal partners with different but complementary mandates to implement its anti-spam legislation.

A number of governance committees and mechanisms have been created to deliver CASL. To support all partners, two committees are chaired by NCB: a senior management committee and a working-level committee. These committees are the primary fora for all partners to discuss priorities, share information, avoid duplication and leverage joint efforts. Additionally, for the enforcement agencies:

  • A Memorandum of Understanding (MOU) clarifies cooperation, coordination and information sharing between the agencies as they conduct their enforcement activities.
  • An Enforcement Working Group including investigators from CRTC, CB and OPC meet on a regular basis to discuss potential and ongoing investigations.
  • An SRC Working Group including representatives from the SRC, CRTC enforcement team as well as CB and OPC ensures that the SRC meets the needs of its users.

The evaluation found that the roles and responsibilities of the enforcement agencies are well understood and governance mechanisms are utilized by the agencies. However, there is less clarity for the non-enforcement partners (NCB and OCA).

With respect to NCB, interviewees indicated that they were unclear of the role of NCB in providing oversight given that each agency has clear and distinct legislative mandates.

Evidence shows that most meetings of the committees chaired by NCB occurred up to 2014- 15 for the coming into force of the majority of CASL provisions and establishment of the SRC. Since then, these committees have met on an infrequent and ad hoc basis.

As well, both NCB and OCA have roles related to coordinating communication and outreach activities, although, in practice, this is not occurring. Given its central enforcement role for CASL, the CRTC has played a primary role for CASL education and awareness. This approach minimizes the risk of providing conflicting interpretations of CASL to the public and stakeholders. Overall, the evaluation found that there would be benefits to more cohesion among all partners particularly between the enforcement agencies and non-enforcement partners.

Recommendation: To improve cohesion, the CASL partners should re-examine the existing governance structure 15 including roles and responsibilities and the supporting committees.

Information Sharing to Facilitate CASL: Among CASL

Finding: Information sharing among the enforcement agencies is effective. Although partners have distinct mandates, there are opportunities to enhance information sharing among all partners.

Spam Reporting Centre

  • The SRC collects data that is used to investigate and respond to non-compliance.
  • The enforcement agencies can individually access the SRC database to extract information for their own CASL-related mandates.
  • The SRC produces aggregate quarterly reports of spam submission data such as the number of spam submissions by type and by reason. Upon request, these reports have been provided to partners such as NCB.
  • Some CASL interviewees suggest that proactively sharing aggregate SRC data would help CASL partners, especially NCB and OCA, understand trends around electronic threats.
  • Broader distribution of the existing reports on spam submissions would respond to the interest of having this information by CASL partners.

There are two levels of information sharing among the delivery partners:

  • Among the Enforcement Agencies

    • The enforcement agencies are able to share information with one another if it is related to CASL enforcement. The evaluation found evidence of information sharing to support parallel investigations. For example, CRTC and OPC shared information regarding their investigations of Compu-Finder. Compu-Finder was investigated by the CRTC primarily for sending unsolicited commercial electronic messages to recipients without prior consent and for failing to action unsubscribe requests, and was investigated by the OPC with regards to consent matters under PIPEDA and address-harvesting.
    • The evaluation also found that information sharing can be challenging particularly as the enforcement agencies' legislative mandates extend beyond CASL. For example, while OPC was conducting an investigation, it found information that could pertain to CB's mandate for ensuring truth in advertising. Since the information was not CASL-related, it could not be shared with CB.
    • Despite some challenges, the evaluation found that CRTC, CB and OPC have formed good working relationships to support the enforcement of CASL in view of their respective legislative mandates.

  • Among All Partners

    • While information sharing is essential as it encourages communication and enables coordination among partners that conduct similar activities, the evaluation found that information sharing has been limited largely given the challenges noted under the governance section. Interviews with CASL partners suggested that ongoing communication would help facilitate the implementation of CASL.

Recommendation: The National Coordinating Body should work with CASL partners to strengthen information sharing in order to facilitate the management and delivery of CASL. Consideration should be given to the sharing16 of aggregate Spam Reporting Centre reporting data.

Information Sharing to Facilitate CASL: With International and Domestic Partners

Finding: CASL includes provisions for information sharing between the enforcement agencies and international partners but, except as it relates to CB, there are no provisions for information sharing with other non-CASL domestic partners, which limits cooperation for compliance activities.

With International Partners

Data analysis and interviews show that CASL delivery partners participate in various international fora and networks and have established a number of international MOUs and bilateral agreements. This allows the partners to share best practices, become aware of investigations and leverage joint efforts where possible. Through MOUs, the partners have established relationships with over ten countries including Australia, the Netherlands, the United Kingdom and the United States.

In 2011, CASL amended PIPEDA to allow the OPC to share information and collaborate with domestic and international data protection agencies. For example in 2015, OPC and the Office of the Australian Information Commissioner conducted a joint investigation into the data breach of the Ashley Madison website that exposed the sensitive personal information of 36 million user accounts.

Also in 2015, CRTC executed its first warrant under CASL as a part of a coordinated international effort led by the US Federal Bureau of Investigation for an international botnet investigation that infected more than one million computers in over 190 countries.

With Domestic Partners

There are no explicit provisions for sharing CASL-related information outside of the CASL enforcement agencies with one exception. CB is able to share information, through pre-existing provisions of the Competition Act, with other law enforcement agencies, or where the information to be shared serves the purpose of administering or enforcing the Competition Act. While CRTC, CB and OPC have access to the SRC, other organizations do not, nor can SRC data be shared with organizations such as the Canadian Anti-Fraud Centre and the Royal Canadian Mounted Police. Interviewees suggested that restrictions on information sharing with domestic law enforcement and national security agencies significantly impact cooperation for compliance activities. While collaboration could assist in protecting Canadians from electronic threats, efforts to address these challenges are not within the control of CASL partners.

Promoting Compliance

Finding: Each delivery partner conducts education and outreach activities with the objective of promoting compliance with CASL. However, these activities are not coordinated and there are many aspects of CASL that may not be well understood.

The FightSpam website is the primary communication vehicle of CASL information to consumers and businesses. It acts as a conduit to the websites of the enforcement agencies. The enforcement agencies also provide mandate-specific guidance and compliance information through their own websites.

FightSpam visits:

  • 885,000 in 2014-15
  • 344,000 in 2015-16
  • 369,000 in 2016-17

To promote compliance, the partners conduct education and outreach to stakeholders which is intended to create awareness about the purpose, requirements and implications of CASL. These activities are essential to educate businesses about the legislation and to promote compliance with CASL.

CASL partners (primarily CRTC and OPC) conduct individual and joint communication and outreach activities with businesses, associations, law firms and other stakeholders. Examples of these activities include:

  • CRTC: In 2014-15, CRTC conducted over 20 outreach activities, reaching over 3,500 organizations across Canada. CRTC also conducted an outreach tour that reached approximately 1,700 business representatives. Since 2015-16, CRTC has conducted more than 15 information sessions with industry representatives and 17 compliance outreach sessions.
  • OPC: In 2014-15, OPC undertook multiple activities including presentations to Canadian businesses, organizations and individuals. Since 2015-16, approximately 29 activities have occurred including a speaking tour targeted to small businesses which included CASL information.
  • CB: CB has a more limited role in CASL-specific communication and outreach activities. CB issues regular alerts to consumers and businesses regarding deceptive marketing practices, and publishes content and guidance on different topics to raise awareness of false and misleading marketing practices in the electronic marketplace. CB has participated in events such as a joint seminar hosted by the American Bar Association and the Canadian Bar Association.
  • OCA: OCA manages the FightSpam website and, up to 2014-15, developed a number of infographics targeted at small- and medium-sized enterprises (SMEs) and individuals.
  • NCB: NCB has not directly led outreach activities but has participated in joint sessions with the CRTC, and is the main contact when stakeholders reach out to the Minister of ISED about CASL- related matters.
CASL partners also educate the public by integrating CASL-related content into general communication on topics such as consumer protection, privacy protection and cyber security. The reach of CASL communication and outreach activities to industry stakeholders, and the extent of public awareness of CASL, is unknown.

Despite these communication and outreach activities, the evaluation found that the frequency and types of outreach conducted vary by partner and that there is infrequent coordination among the partners even though the target audiences are similar. Further, it was found that there are many aspects of CASL that may not be well understood. A 2017 survey of over 200 SMEsFootnote 13 and external interviewees suggested that guidance was insufficient for businesses.

Through an analysis of administrative data, interviews and document review, the evaluation found a number of areas where CASL may not be well understood:

  • Basics of CASL: Including the definition of commercial electronic messages, the requirements of consent and the various exceptions to CASL.
  • Intent of CASL: Some external interviewees believe that deterring unsolicited messages from commercial businesses does not address more harmful threats to the marketplace such as those caused by illegitimate actors. CASL is intended to help deter various kinds of electronic threats. However, to date, the majority of compliance actions have been limited mainly to unsolicited commercial electronic messages, with few enforcement actions against other threats, such as those caused by illegitimate actors. This may influence the perception of external stakeholders and their understanding of CASL's broader purpose.
  • Reach of CASL: Some external interviewees and 48% of respondents from a 2015 survey by CyberimpactFootnote 13 noted that CASL hinders their ability to compete with their international counterparts who may not comply with Canadian legislation. However, this concern is based on a misperception as CASL applies to both domestic and international companies sending commercial electronic messages to recipients in Canada.
  • Scope of CASL: There is limited information on how CASL addresses harmful electronic threats beyond spam and on how CASL complements other Canadian and international efforts for consumer protection and cyber security.

Recommendation: As appropriate, the CASL partners should collaborate and develop a coordinated approach to education and outreach activities to improve the understanding of CASL by businesses, as well as the impact and reach of these activities.

Monitoring Compliance

Finding: The Spam Reporting Centre monitors compliance by gathering information that supports the enforcement agencies in investigating and responding to non-compliance. There may be opportunities for the SRC to support other activities to promote compliance and awareness of spam and online threats.

The SRC serves as a central repository of intelligence by gathering information about spam and other electronic threats. It contains records from public submissions, international reports and other data sources.

SRC data is used by the enforcement agencies to monitor compliance with CASL. As shown through the Service Blueprinting of Spam Reporting (see Appendix D), the SRC database is individually accessed by each enforcement agency who each individually determine how SRC data will be used. Evidence shows that the SRC helps the enforcement agencies investigate and respond to non-compliance. For example:

  • Over 90% of CRTC intelligence reports use information from the SRC, and 86% of their investigations in 2014-15 were advanced using SRC data.
  • OPC analyzed about 1000 submissions related to the Compu-Finder case.
  • CB uses SRC information for general sweeps on trends, statistics to inform priorities and to advance investigations.

The evaluation found that there may be opportunities for SRC data to also be used to improve awareness of CASL. Interviewees suggested that greater awareness of CASL and the SRC would likely increase submissions to the SRC which would provide more information to the enforcement agencies. Further, they suggested that aggregate SRC data could be used for external communication products to promote compliance with CASL. It is important to note that CRTC does provide some aggregate SRC information in outreach presentations but there may be additional opportunities to share this type of information with the public.

The public can submit information about spam and electronic threats to the SRC by forwarding emails or by using an online submission form. The online form is rarely used but is the only mechanism to report electronic threats that are not received by email (e.g., threats received by text message).

1.3 million submissions

Description of 1.3 million submissions

Of the 1.3 million submissions made from the public to the SRC, approximately 2% are made by submitting the online form and 98% are made by forwarding spam emails.

Approximately 1.3 million submissions from the public to the SRC.

CRTC is currently examining technical solutions to gather more data about malware and to receive forwarded text messages from the public.

Investigating and Responding to Non-Compliance

Finding: The enforcement agencies have conducted a number of investigations and issued a range of compliance actions. There is a perception that some types of actions may better promote awareness of CASL and, in turn, improve compliance.

Examples of Investigations

CRTC conducted an investigation of an organization that allegedly sent commercial emails containing an unsubscribe mechanism that did not function properly or which could not be readily performed by the recipient.

CB investigated misleading advertising of companies that resulted in unauthorized charges to consumers. These companies agreed to refund/rebate customers and to donate to advocacy groups working in the public interest.

Each enforcement agency has distinct powers and processes for investigating and responding to non-compliance of legitimate businesses and illegitimate actors. Decisions to pursue a potential investigation and issue a compliance action are based on a number of factors. While these factors vary slightly from partner to partner, in general they include:

  • the nature, seriousness and impact of the violation;
  • the history of non-compliance; and
  • duration and scope of conduct at issue.

There are a number of actions the enforcement agencies can take to encourage compliance, ranging from warning letters to AMPs (excluding OPC) to litigation (in the case of CB).

Compliance Actions (2014-15 to 2016-17)
CRTC CB OPC
  • Warning letters (22)
  • Notices of violation (7)
  • Undertakings (4)
  • AMPs ($1.9M)
  • Consent agreements (7)
  • AMPs ($5.25M)
  • Rebates / refunds to affected consumers ($24.58M)
  • Donations to advocacy groups working in the public interest ($1.05M)
  • Payment of investigative costs to CB ($350,000)
  • Compliance agreement (1)
  • Letters of Concern (6)

Investigations often carry over from year to year, as duration is dependent on the complexity and nature of the potential violations. Between 2014-15 and 2016-17, a total of 36 investigations were completed by the enforcement agencies (23 by CRTC, eight by CB and five by OPC). The majority of these have been related to spam and address harvesting.

Document review and an international comparative analysis indicated that Canada is considered one of the toughest anti-spam regimes in the world. Penalties for violations of CASL can go as high as $1M for individuals and $10M for businesses. External interviewees suggest that escalation approach to compliance actions (e.g. issuing warnings before AMPs) could help businesses better understand and comply before more severe penalties are imposed. However, compliance actions are taken based on an analysis of multiple factors. The evaluation found that there may be opportunities for the enforcement agencies to better explain the factors considered and the determination of penalties.

Impact of CASL on the Electronic Marketplace

Finding: Given that CASL is in its early stages, there is little evidence to conclude on impact. Further, there is limited data available to assess the impact of CASL on the electronic marketplace.

Reduction of Spam Originating in Canada

In 2009, prior to the Royal Assent of CASL, spam represented over 90% of all email traffic in Canada. As of 2015, there was a 37% reduction in the volume of spam originating in Canada.Footnote 20 As well, Canada is no longer in the top 10 list of spamming countries reported by Spamhaus.Footnote 21

This reduction can not be attributed solely to CASL as other mechanisms also protect consumers from electronic threats. For example, one in five emails are blocked by Internet Service Providers.Footnote 22

Given that CASL is in its early years, it is too early to reach conclusions on the impact of CASL on the electronic marketplace. However, the evaluation identified some preliminary observations. To ensure that the impact of CASL can be fully assessed at a later stage, it will be important for the partners to identify appropriate data sources.

Impact on Businesses

While it was not the intent of CASL to cause unnecessary compliance costs, document review and interviews indicate that businesses incur set-up and ongoing operation costs to comply with CASL.Footnote 14 The extent of these costs is unknown. Further, some SMEs may not have the resources to secure legal counsel and technology that would allow them to operate in compliance with the provisions of CASL.
Evidence also suggests that as a consequence, some businesses may be choosing to reduce electronic marketing.Footnote 15 A 2017 survey found that 42% of businesses have decreased their reliance on electronic marketing and 7% have stopped using electronic marketing altogether.Footnote 16 The impact of these costs and the changes to business practices on the ability to compete is unknown.

Impact on Consumers

The opt-in model for consent is meant to encourage businesses to enhance data clean up and processes to manage communication with consumers.Footnote 17 Data show that since CASL's implementation, average unsubscribe rates and complaint rates have decreased, which indicates that customers are receiving the communications they want.Footnote 18 Further, Canadian marketers achieved one of the highest inbox placement rates with an average of 90% - above the global average of 80%.Footnote 19

Recommendation: The National Coordinating Body, in collaboration with the delivery partners, should strengthen its data collection capacity to ensure that performance information is available to assess the impact of CASL.

Conclusions

Based on quantitative and qualitative data sources, the evaluation led to seven findings.

Governance
  • Roles and responsibilities of the CASL partners were defined at the outset and governance mechanisms exist to support delivery. However, the oversight role of the National Coordinating Body could be strengthened and the role of the Office of Consumer Affairs clarified. Further, there is an opportunity to improve cohesion among partners.
Information sharing to facilitate CASL: Among CASL partners
  • Information sharing among the enforcement agencies is effective. Although partners have distinct mandates, there are opportunities to enhance information sharing among all partners.
Information sharing to facilitate CASL: With international and domestic partners
  • CASL includes provisions for information sharing between the enforcement agencies and international partners but, except as it relates to CB, there are no provisions for information sharing with other non-CASL domestic partners, which limits cooperation for compliance activities.
Promoting compliance
  • Each delivery partner conducts education and outreach activities with the objective of promoting compliance with CASL. However, these activities are not coordinated and there are many aspects of CASL that may not be well understood.
Monitoring compliance
  • The Spam Reporting Centre monitors compliance by gathering information that supports the enforcement agencies in investigating and responding to non-compliance. There may be opportunities for the SRC to support other activities to promote compliance and awareness of spam and online threats.
Investigating and responding to non-compliance
  • The enforcement agencies have conducted a number of investigations and issued a range of compliance actions. There is a perception that some types of actions may better promote awareness of CASL and, in turn, improve compliance.
Impact of CASL on the electronic marketplace
  • Given that CASL is in its early stages, there is little evidence to conclude on impact. Further, there is limited data available to assess the impact of CASL on the electronic marketplace.

Recommendations

As a result of the findings of this evaluation, four recommendations have been made:

  1. To improve cohesion, the CASL partners should re-examine the existing governance structure including roles and responsibilities and the supporting committees.
  2. The National Coordinating Body should work with CASL partners to strengthen information sharing in order to facilitate the management and delivery of CASL. Consideration should be given to the sharing of aggregate Spam Reporting Centre reporting data.
  3. As appropriate, the CASL partners should collaborate and develop a coordinated approach to education and outreach activities to improve the understanding of CASL by businesses, as well as the impact and reach of these activities.
  4. The National Coordinating Body, in collaboration with the delivery partners, should strengthen its data collection capacity to ensure that performance information is available to assess the impact of CASL.

Appendices

  • A – CASL Exceptions
  • B – CASL Logic Model
  • C – Evaluation Limitations
  • D – Service Blueprinting of Spam Reporting
  • E – Comparative Analysis

Appendix A: : CASL Exceptions

CASL contains exceptions related to:

  • Commercial electronic messagesFooter 23
    • sent on platforms where the required identification and unsubscribe information is conspicuously published and readily available to the recipient on the user interface, where duplication in each message would be needlessly repetitious;
    • sent and received within limited access secure and confidential accounts to which only the provider of the account can send messages, such as banking websites;
    • solicited or sent in response to complaints, inquiries, and requests;
    • sent due to a legal or juridical obligation or to enforce a right, legal or juridical obligation, court order, judgment or tariff; to provide notice of an existing or pending right, legal or juridical obligation, court order, judgment or tariff; or to enforce a right arising under a law of Canada, of a province or municipality of Canada, or of a foreign state.
    • sent by or on behalf of registered charities* for fundraising purposes; or
    • sent by or on behalf of a political party or organization, or a person who is a candidate—as defined in an Act of Parliament or the legislature of a province—for publicly elected office and the message has as its primary purpose soliciting a contribution as defined in subsection 2(1) of the Canada Elections Act.
  • Altering transmission data
    • It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in an electronic message. This does not apply if the alteration is made by a telecommunications service provider for the purposes of network management.
  • Express consent
    • If a person is seeking express consent on behalf of a person whose identity is not known (in accordance with sections 6 to 8 of the Act) then
    • (a) the only information that is required to be provided under that paragraph is prescribed information that identifies the person seeking consent; and
    • (b) the person seeking consent must comply with the regulations in respect of the use that may be made of the consent and the conditions on which the consent may be used.

* The Competition Act does not include this exception as provisions of the Competition Act apply equally to charities.

Appendix B: CASL Logic Model

Figure 1: CASL Logic Model

Description of Figure 1

The appendix depicts a logic model for CASL. A logic model shows how program activities are expected to produce outputs and in turn how these outputs are expected to lead to different levels of results or outcomes.

There are 4 sets of activities and outputs:

  1. Advocacy including informal advice or correspondence, formal advice and interventions, and liaising with key institutions (cross jurisdictional).
  2. Compliance Continuum including promoting compliance, monitoring compliance, investigating non-compliance; and conducting enforcement actions to address non-compliance.
  3. Communications and Outreach including media connectivity, outreach initiatives, information products, guidance material concerning the administration and enforcement of CASL-related matters, and information centers.
  4. Enablers including capacity building initiatives, National Coordinating Body outputs (e.g. Policy advice and guidance, public reports, research studies, operating processes and procedures, legislative and regulatory amendments), and cross jurisdictional cooperation (federal, provincial and international).

The four sets of activities and outputs lead to three immediate outcomes:

  1. Awareness of spam and other online threats;
  2. Sharing of information to facilitate CASL; and
  3. Recognition of appropriate and inappropriate practices in the electronic marketplace.

The three immediate outcomes lead to three intermediate outcomes:

  1. Cooperation for compliance activities
  2. Mitigation of threats from impacting the electronic marketplace; and
  3. Proactive actions to protect the electronic marketplace.

The intermediate outcomes lead to one ultimate outcome: electronic commerce in Canada is competitive and strengthens the Canadian economy.

Appendix C: Evaluation Limitations

Performance Information

  • CASL implementation started in 2014-15 limiting the availability of performance information and the ability to identify trends.
  • Each enforcement agency is responsible for different aspects of delivering CASL, operating under distinct legislative, organizational, and remedial regimes, which made it difficult to summarize performance information.
  • Financial and human resources information was also limited as this is an evaluation of the implementation of legislation rather than of a program.

⇨⇨⇨

Mitigation

  1. The evaluation considered the context in which the activities, outputs and outcomes were accomplished.
  2. The findings were triangulated and validated with other lines of evidence.

Respondent Bias

  • The evaluation was undertaken at the same time of the CASL legislative review by the House of Commons Standing Committee on Industry, Science and Technology. Some interviewees were interviewed by both processes. Interviewee responses may have also been impacted by the suspension of CASL Private Right of Action provisions.
  • Interviewee responses may have also been impacted by the suspension of CASL Private Right of Action provisions.

⇨⇨⇨

Mitigation

  1. The purpose of the interview and strict confidentiality of responses were communicated to participants.
  2. Responses were cross-referenced with those of other groups for consistency and validation.
  3. Where possible, findings were triangulated and validated with other lines of evidence

Appendix D: Service Blueprinting of Spam Reporting

Figure 2: Service Blueprinting of Spam Reporting

Description of Figure 2

The visual displays the service delivery process of the Spam Reporting Centre. It was developed considering that consumers and businesses access information primarily though websites, the integration of activities conducted by the partners into spam information for consumers and businesses and actions to mitigate spam and other online threats to protect the electronic marketplace.

The elements presented on the blueprint reflect:

  • Physical evidence: Tangible elements associated with each step that has the potential to influence customer perceptions of the service encounter.
  • Consumer and business actions: Steps that the public may take as part of the service delivery process.
  • Front line staff: Steps taken by contact employees as part of the face-to-face interactions with consumers and businesses.
  • Operational staff: Steps that are not visible to consumers and businesses but that support the service delivery process.
  • Support processes: Activities that support the entire service delivery process.

Consumers and business may identify a need to report spam; and/or become aware of CASL. This leads to consumers and businesses accessing FightSpam website or the websites of the enforcement agencies (CRTC, OPC and CB).  To support these steps of the process, at the frontline staff level, all CASL partners conduct outreach and CRTC, OPC and CB call centres are available for general enquiries. There have been 1.3 submissions to the SRC from the public, of which 2% are from the online form and 98% are from email forwards.

At the operational staff level, the SRC database comprises of data feeds from submissions from the public, honeypots and other data feeds. This results in SRC information that is available to CASL enforcement agencies. The three enforcement agencies individually conduct analysis and intelligence with consideration to their specific mandates. CRTC conducts analysis and intelligence under CASL; OPC under CASL and PIPEDA and CB under CASL and the Competition Act. At this stage, CRTC or OPC may choose to request additional information from a consumer or business that submitted an online submission and allows for the consumer or business to respond that request for additional information.

As a result of the analysis and intelligence that is conducted individually by each of the enforcement agencies, CRTC, OPC or CB may conduct investigations or take compliance actions. Results of this could feed into communication and outreach to the public through publication of actions, consumer alerts and news releases.

Supporting the entire SRC process are five support activities including finance, human resources, IT infrastructure, materials and governance.

Appendix E: Comparative Analysis

Canada has a robust anti-spam legislation with its opt-in model and enforcement capabilities, comparable to Australia and the United Kingdom.

- Canada Australia United Kingdom United States
Legislation Canada's Anti-Spam Legislation Spam Act 2003 Privacy and Electronic Communications (EC Directive) Regulations 2003 Controlling the Assault of Non-Solicited Pornography and Marketing Act
Consent Model Opt-in Opt-in Opt-in Opt-out
Penalties Up to $1,000,000 (Canadian dollars) for individuals and up to $10,000,000 (Canadian dollars) for businesses, per violation. Fines up to $1,370,349 (US dollars) per day. Fines up to $607,927 (US dollars) for serious breaches. Civil penalties up to
$16,000 (US dollars) for each separate e-mail, Damages up to $250 per violation - maximum award of $2,000,000 (US dollars).
Application Commercial electronic messages: messages whose purpose is to encourage participation in a commercial activity. Commercial electronic messages: a message sent by an electronic address and using an internet carriage service with a commercial intent. Voice calls are not considered an electronic message. Electronic means including telephone, automated telephone messages, fax and electronic mail. Commercial electronic mail messages: Any electronic mail message that has primary purpose of commercial advertisement or promotion of a commercial product or service.
Private Right of Action

Sections have been suspended

Intended to apply to businesses and individuals. No need to prove damages.

 Applies to businesses and individuals that have suffered loss or damage. Applies if someone suffers damage.

Applies to Internet Service Providers only as they incur costs for protecting their systems and customers.

Not applicable to individuals.

Endnotes

Management Response and Action Plan

Management Response and Action Plan—Horizontal Evaluation of Canada's Anti-Spam Legislation (CASL)[PDF - 106 KB]

A - For inclusion in the report

The findings and recommendations of the Horizontal Evaluation of the Canada Anti-Spam Legislation initiative were provided to CASL partners including Innovation, Science and Economic Development Canada, the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada. Management of all CASL partners have been consulted with respect to the findings included in this report. CASL partners have endorsed the proposed actions to be taken by April 2019 in response to these recommendations.

B - For follow-up purposes - Detailed actions to address the recommendations in the report

CASL partners including the Office of Consumer Affairs, the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada have provided input and have endorsed the proposed actions contained in this management response and action plan. ISED, in its role as the National Coordination Body for the CASL initiative, will coordinate with CASL partners any follow up activities related to this plan.

Recommendation Planned Action on the Recommendation Responsible Official (position) Target completion date

To improve cohesion, the CASL partners should re-examine the existing governance structure including roles and responsibilities and the supporting committees.

The National Coordinating Body will cooperate with CASL partners to work to:

  • Initial review and update to the terms of reference for the CASL Steering Committee including roles and responsibilities.

Director General, Marketplace Framework Policy Branch
Innovation, Science and Economic Development Canada (ISED)

June 2018

  • Examine activities of CASL partners in relation to the existing governance structure.
 Director General, Marketplace Framework Policy Branch
ISED		 February 2019

The National Coordinating Body should work with CASL partners to strengthen information sharing in order to facilitate the management and delivery of CASL. Consideration should be given to the sharing of aggregate Spam Reporting Centre reporting data.

The National Coordinating Body will cooperate with CASL partners to:

  • Review and update the terms of reference for the CASL Steering Committee with a view to clarifying information sharing obligations;

Director General, Marketplace Framework Policy Branch
ISED

June 2018
  • Work towards establishing clear protocols for governing the timely sharing of information amongst CASL partners; and

Director General, Marketplace Framework Policy Branch
ISED

 October 2018
  • Explore and identify options for using aggregate SRC reporting data

Director General, Marketplace Framework Policy Branch
ISED

 January 2019

The CASL partners should collaborate and develop a coordinated approach to education and outreach activities to improve the understanding of CASL by businesses, as well as the impact and reach of these activities.

The National Coordinating Body will cooperate with CASL partners to work to:

  • identify opportunities for combined/complementary action when delivering CASL messaging and information;
Director General, Marketplace Framework Policy Branch
ISED		 February 2019
  • communicate the full intent and scope of CASL as it relates to the respective roles and responsibilities of all CASL partners.
 Director General, Marketplace Framework Policy Branch
ISED		 April 2019
  • develop regular and systematic means of communicating CASL education and outreach activities; and
Director General, Marketplace Framework Policy Branch
ISED		 June 2019
  • seek to optimize existing educational efforts and resources to achieve increased efficiency and effectiveness.

In addition the NCB will cooperate with CASL partners to work on options for increasing public understanding surrounding performance data and CASL activities that are currently reflected in the annual CASL performance reports.  Such efforts will focus on ensuring clear and consistent messages to consumers and businesses.

Director General, Marketplace Framework Policy Branch
ISED		 September 2019

The National Coordinating Body, in collaboration with the delivery partners, should strengthen its data collection capacity to ensure that performance information is available to assess the impact of CASL.

The National Coordinating Body will work with CASL partners to strengthen internal and external data collection capacity to better measure the reduction of spam and other threats originating in Canada and the impact of CASL on Canadian businesses and marketing practices.

Director General, Marketplace Framework Policy Branch
ISED

 April 2019
 Report a problem
Date modified: