Overview
This guide informs organizations about the Office of the Privacy Commissioner of Canada’s (OPC) mandate related to electronic address harvesting and e-marketing. In this context, e-marketing refers to sending marketing and promotional messages to recipients via email, instant messaging, social media or other similar accounts.
Our guide helps you to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) when it comes to address harvesting and e-marketing activities.
Introduction
Today’s economy is digital and connected. So much of our daily lives now takes place online that an organization can promote itself to thousands of contacts with a simple click.
While it is technically possible to collect thousands and thousands of electronic addresses for marketing purposes or to buy a list from a third party, doing so blindly comes at a risk, both under the law and to an organization’s brand.
At the federal level, spam and other electronic threats are regulated by Canada’s anti-spam legislation (CASL) and related provisions in the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Competition Act. PIPEDA, the federal private-sector privacy law, applies to the collection, use and disclosure of personal information in the course of commercial activities and contains restrictions relating to electronic address harvesting and e-marketing.
Who is responsible for what in relation to e-marketing?
Our Office shares responsibility in this area with the Canadian Radio-television and Telecommunications Commission (CRTC) and the federal Competition Bureau.
The CRTC is responsible for investigating contraventions of CASL relating to the:
- sending of unsolicited commercial electronic messages
- alteration of transmission data
- installation of software without consent
The Competition Bureau addresses false or misleading representations and deceptive marketing practices in the electronic marketplace under the Competition Act.
For details about the full range of matters dealt with under federal legislation relating to spam and other electronic threats, including those by organizations other than the OPC, visit fightspam.gc.ca.
Address harvesting
Address harvesting generally refers to using computer programs to collect electronic addresses, such as those for email, instant messaging and social media. These programs may harvest addresses either by collecting them from external sources — for instance, by scraping websites — or by generating a list of such addresses.
With very limited exceptions, PIPEDA prohibits address harvesting. This prohibition is highly relevant to organizations of all sizes in all sectors. If an organization engages in address harvesting or obtains and uses a list that has been compiled through address harvesting, it runs a real risk of being in contravention of the obligation to obtain meaningful consent under PIPEDA.
Although there are certain exceptions under PIPEDA where personal information can be collected without consent, these exceptions by and large do not apply to address harvesting.
How PIPEDA’s provisions affect businesses doing e-marketing
In addition to the specific provisions on address harvesting, PIPEDA requires more generally that businesses (and other organizations) be accountable for how they collect, use and disclose personal information, including electronic addresses, in the course of their commercial activities. Businesses must ensure that they obtain informed consent to collect and use individuals’ electronic addresses, even if they obtained the addresses from a third-party supplier. This includes lists of electronic addresses.
Organizations have a responsibility to ensure that individuals receiving commercial electronic messages have consented to the collection and use of their address for marketing and other purposes.
For more information about the application of consent with regard to commercial activity under PIPEDA, please see the OPC’s Guidelines for obtaining meaningful consent.
Third party e-marketing
What if my business hired a supplier to do email marketing? Is my organization accountable for work done by a third party on my behalf?
Even in cases where your organization did not collect or generate email address lists for marketing purposes, you are still responsible under PIPEDA for ensuring that your supplier obtained appropriate consent.
For instance, you could be found in contravention of PIPEDA if you:
- acquire and use a list from a vendor who gathered addresses without consent
- hire a company to run a campaign on your behalf and it uses addresses collected without consent
Get consent when collecting addresses
As a general rule, individuals must consent to having their electronic addresses collected and used for marketing purposes.
This means individuals need to be clearly and accurately informed at the point of collection about how their addresses will be used and they must be able to opt out of receiving messages at any time in the future.
CASL also contains specific requirements for consent to send commercial electronic messages and with respect to unsubscribe mechanisms. For further information, please consult the CRTC’s guidance and fightspam.gc.ca.
Addresses posted online
It cannot be assumed that people whose electronic addresses are posted online are necessarily interested in receiving commercial offers. Addresses may be posted online for many different purposes. For example:
- an individual may use an email address to solicit feedback from people interested in the subject of a blog or article they have written
- a club or community group may post email addresses to facilitate contact amongst its members and to organize events
- a charitable organization may do so to receive donations
- organizations may include employee email addresses on a contact page or staff directory to enable communication regarding matters related to their employment or profession
It is important to note that business contact information such as an individual’s work email address is also considered personal information and is subject to PIPEDA, except where its collection, use or disclosure is solely for communicating with the individual in relation to their employment, business or profession.
Organizations may wish to be cautious, assume nothing, and ensure that an address is collected for marketing purposes only with the individual’s full consent. See our blog post, which is a case study in how not to collect and use email addresses to elicit feedback.
Spamming: cheap, yet costly
While sending out unsolicited messages to thousands may be a cheap way of getting a name out, organizations need to consider if spam is a desirable calling card.
Consider for example that in a 2018-2019 public opinion survey, an overwhelming majority of Canadians stated that they are concerned about their privacy. Most have, at some point, refused to provide their information to an organization, and this includes email addresses.
In the same survey, a clear majority of Canadians said they would choose to do business with a company because it has good privacy practices. Businesses and organizations that comply with PIPEDA and CASL—and follow due diligence to ensure that third parties they work with do the same—will benefit by not being seen as spammers.
Steps you can take to avoid contravening PIPEDA
If you’re sending messages yourself using a list obtained directly from a vendor, ask the company how it collected the addresses and obtained consent for their use. It is your responsibility to confirm if the company you are working with is aware of PIPEDA and abiding by its provisions. In other words, while another company may be doing the work on your behalf, you remain accountable.
- If you’re working with a marketing firm, ask them to explain—in detail—where they get the email addresses they will use to promote your business
- If the firm purchased the list from a third party, ask the marketers to explain how the third party originally gathered the email addresses and how they obtained consent
- You should also ask the vendor or marketing firm to explain how they keep lists up to date and how they inform organizations purchasing and using the lists of changes. For example:
  - How do they ensure that new addresses are only added to a list with appropriate consent?
  - How do they ensure that addresses are promptly deleted from a list when consent has been withdrawn by an individual unsubscribing from future emails?
- In all cases, make it clear and set down the requirements in a contract, indicating that you don’t want to have your messages sent to people who have not consented to providing their email addresses or receiving marketing messages
After all, given people’s general distaste for receiving spam, what organization would want to run the risk of being seen as a spammer?
What email list vendors should know about consent
Some vendors of email addresses may be collecting addresses, but not sending messages to them. While the CRTC is responsible for CASL’s rules regarding sending commercial electronic messages and appropriate consent, PIPEDA applies to the collection, use and disclosure of personal information, which includes individuals’ email addresses.
Generally, under PIPEDA, an organization is required to inform individuals in a meaningful way of the purposes for the collection, use or disclosure of personal information. You should obtain individuals’ consent before or at the time of collection, and then renew that consent when a new use for personal information is identified. You should also enable individuals to withdraw consent to the use of their personal information at any time, subject to legal or contractual restrictions and reasonable notice.
As a list vendor, if you collect email addresses in bulk through electronic means and then sell them without informing individuals and obtaining appropriate consent, you could be contravening several of PIPEDA’s provisions.
Scenarios
The following hypothetical scenarios highlight how individuals and organizations could put themselves at risk of being found to have engaged in address harvesting and/or the collection and use of electronic addresses without consent under PIPEDA:
Small business buys email addresses from a vendor
A small business was seeking an affordable way to get word of its product out to thousands of individuals. It purchased a list of email addresses from a vendor. The vendor, however, had generated the list by using “web crawler” software to mine the Internet for posted email addresses and therefore did not have individuals’ consent.
Organization collects addresses for one purpose, then sells them for another
Several consumers submit spam reports claiming that a car parts and services company is sending emails to them when they did not provide the company with their email addresses. All are members of the same car aficionados’ website and provided their email addresses for the members’ password-protected section of the site. It appears that the website sold an electronic list of its members’ addresses to the car parts and services company without the members’ consent to do so.
Downloading open business contact information
A list vendor becomes aware that an organization employing thousands of people and committed to the principle of “open data” allows people to download thousands of employee email addresses with little more than a click. The vendor erroneously assumes that since the addresses are associated with an employer they are not subject to PIPEDA. Business contact information may be subject to the Act if it is collected, used or disclosed for a purpose other than communicating or facilitating communication with an individual about their employment, business or profession.
Not collecting, but generating addresses
A tech-savvy entrepreneur wants to sell email address lists to marketers, but wants to avoid what he sees as “stealing” them from individuals whose contact information is posted on the web. So, he uses a tool that generates addresses using common names and matching them with common email service provider domains. His overhead is low, so many are enticed by the list he offers at very low prices—especially given his claim that the addresses weren’t “scraped” from the web. Still, he did not get individuals’ consent for use of their email addresses.