Unsubscribe Requirement Hits Hudson’s Bay Company

In file 9110-2023-0067 the CRTC reports on enforcement action taken against the Hudson’s Bay Company for allegedly violating Section 6(2)(c) and Sections 11(1) and 11(3) of CASL Canada’s Anti Spam Law.

Since CASL came into force in 2014 a large portion of enforcement action has been taken on the need to include in commercial electronic messages (CEMs) an unsubscribe mechanism that could be readily performed.

The investigation led to an allegation that the Hudson’s Bay Company sent CEMs between January 1, 2022, and November 30, 2023, without including an unsubscribe mechanism that could be readily performed.

The Hudson’s Bay Company resolved the allegation with an undertaking. As part of the undertaking, the Hudson’s Bay Company agreed to review and enhance its compliance with CASL, including education and training programs, processes to track CEM complaints, an internal mechanism to escalate and resolve complaints, and monitoring, auditing, and reporting mechanisms to address compliance failures.

As a part of the undertaking, the Hudson’s Bay Company agreed to pay $120,000 to the Government of Canada.

The undertaking completely resolves all outstanding issues between the CRTC and Hudson’s Bay Company regarding the alleged non-compliance with CASL.

The information on the enforcement action comes by way of a short public notice. Unfortunately, other businesses can not see the precise nature of the complaint and so do not know if the Hudson’s Bay Company’s CEMs that were the subject of the allegations had no unsubscribe mechanism at all or an unsubscribe mechanism that was, in the opinion of the CRTC, inadequate in how it performed. It would benefit the compliance efforts of other businesses to understand what vexed the CRTC to address similar concerns in their own CEMs.

Some guidance on what the CRTC considers is non-complainant unsubscribe mechanism that can be readily performed is on the CRTC website, as follows:

One example of a non-compliant unsubscribe mechanism that does not meet the criteria of ‘readily performed’ in the view of Commission staff, would be an unsubscribe mechanism where the user would be required to take several steps to unsubscribe. Here is an example of a six-step approach that would be considered non-compliant under CASL:

1. The user is required to click on a “unsubscribe” hyperlink within a CEM;
2. The user lands on a webpage and must navigate through text that contains multiple links trying to locate the link allowing the user to unsubscribe from future CEMs;
3. Once the “unsubscribe” link is found and clicked, the user is redirected to a ‘login’ button;
4. The user is required to log into their existing account with their user name and password;
5. The user is redirected to a page offering them options to “Quit /Give up/Delete Account” or “Unsubscribe” located at the bottom of the webpage;
6. Only after completing all these steps, does the user receive a notice that the account has been deleted or that they are now unsubscribed.^[1]

The important takeaway from this reported enforcement action is that the CRTC continues to enforce CASL despite the ambiguities and uncertainties that CASL contains. Parliament is urged to address these issues.

The undertaking that the Hudson’s Bay Company agreed to is a good checklist of what an acceptable compliance program should contain.

______________

^[1] Frequently Asked Questions About Canada’s Anti-Spam Legislation, accessed at < https://crtc.gc.ca/eng/com500/faq500.htm>.