Required reading for email marketers: a case study in how not to collect and use e-mail addresses

Earlier this morning, the Office of the Privacy Commissioner of Canada published the results of the first action taken under the “address harvesting” provisions introduced to PIPEDA by CASL. This investigation also resulted in the first implementation of a Compliance Agreement, made possible through amendments to PIPEDA under the Digital Privacy Act.

"Our Office recently concluded an investigation that has resulted in two important firsts along with some key lessons learned for businesses conducting e-mail marketing.

The investigation represents our first action taken under the “address-harvesting” provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) introduced by Canada’s anti-spam law (CASL). It also resulted in the implementation of our first compliance agreement, a new tool made possible by changes to PIPEDA introduced by the Digital Privacy Act.

Identifying a potential problem: 
Following the launch of the Canadian Radio-television and Telecommunications Commission’s (CRTC) Spam Reporting Centre, we identified a cluster of hundreds of submissions received from the public about the e-mail marketing activities of Compu-Finder, a Quebec-based corporate training provider.
We launched an investigation against the company that examined its privacy management practices and possible use of address harvesting software. In discussions with the CRTC, we found that they were pursuing action against Compu-Finder under their CASL mandate regarding the sending of unsolicited commercial e-mails (“spam”). As a result, we agreed to share information between our offices, as permitted under CASL and a related Memorandum of Understanding.

The investigation:
During our investigation, the company reported that as of January 2014, it held approximately 475,000 e-mail addresses. Of these, around 170,000 were collected using address-harvesting software.

The company claimed that, in anticipation of the coming into force of CASL, it reduced the number of its addresses to just over 100,000 including 28,000 collected by address harvesting software.

Collecting from websites:
Compu-Finder also said it collected emails from websites of companies which it believed would be interested in its training and which had an obligation to provide such training under Quebec legislation. Yet while its sessions were offered almost exclusively in French at facilities in Montreal and Quebec City, e-mails were continually sent to recipients across Canada as far away as British Columbia and even overseas.

Compu-Finder believed that it could rely upon implied consent to collect and use many of the e-mail addresses in its possession due to: existing business relationships; the non-sensitive nature of the information collected; the open publication of the e-mail addresses; and, the relevance of its commercial e-mails to the professional activities of the individual recipients.

Yet we found that some of the websites the company collected addresses from had clear non-solicitation notices. We also interviewed some individuals who provided submissions to the Spam Reporting Centre and found that none had any business relationship with the company and the messages they received were not relevant to their work. For example:

One individual received e-mails promoting a course for finance directors when he was a computer science professor at a university;

Another person received e-mail messages promoting courses on measuring a business’s profitability despite being a scientist working for a government agency; and

An e-mail to another recipient promoted training on leading groups, although he was a self-employed bookkeeper.

Collecting by phone:
Compu-Finder also collected addresses by phone. We obtained a copy of the script used by the company’s employees, which did not explain that the purpose for collecting the addresses was to send individuals e-mails selling the company’s services. In addition, it was clear that Compu-Finder was collecting the e-mails from reception, administration and support staff, rather than the individuals who used the addresses.

Lack of records:

Read The Privacy Commissioner's blog
