441-00957 (Media and telecommunications)

Receiving unsolicited telecommunications is a serious concern for many Canadians. Unsolicited telecommunications, which often are fraudulent in nature, seek to not only take advantage of Canadians, but also undermine their confidence in the telecommunications system and the electronic marketplace. The Government of Canada, along with Canada’s national telecommunications regulator, the Canadian Radio-television and Telecommunications Commission (CRTC), have introduced targeted measures to respond to the wide range of unsolicited phone calls, faxes, social media messages, texts, and e-mails that Canadians may receive. 

Canada’s Anti-Spam Legislation (CASL) plays an important role in building trust in the digital environment. CASL prohibits companies from sending individuals commercial electronic messages without their consent, including email, social media and text messages; altering the transmission data in an electronic message so the message is sent to a different destination without your express consent; installing software on your electronic devices without your consent; using false or misleading representations to promote products or services online; and collecting personal information by accessing a computer or electronic device illegally and collecting and/or using email or other electronic addresses without permission. Recognizing the significant social and economic burden created by spam in Canada and around the world, CASL was created in order to protect Canadian consumers and businesses from the inconvenience, costs, and risks associated with spam and has been largely effective in addressing these challenges.

To illustrate, since CASL came into force in 2014, the amount of spam originating from Canada has decreased by more than one-third. A 2015 Cloudmark study showed that within a year of the legislation being introduced, there was a 37% decrease in Canadian-based spam and 29% less email overall (spam or legitimate) in Canadians' in-boxes. Also, whereas Canada figured among the top five spam-producing countries before CASL came into force, today it no longer appears among the top 20. In 2014, Canada was home to a disproportionate number of spamming organizations with 7 of the top 100 located in our country. Today, there is not a single Canadian organization figuring on the Spamhaus 100 Known Spam Operations list, which are responsible for 80% of spam worldwide (Spamhaus is an international non-profit organization tracking spam and other cyber threats and providing intelligence to the internet's major actors including law enforcement agencies). Since CASL came into force, the amount of spam that reaches Canadians has continuously decreased, and the international anti-spam legislative framework, of which CASL is a key element, have meant a decrease in the global spam rate, which has fallen from 90% in 2015 to 45.1% in 2021.

Three government agencies share the responsibility for enforcing the Act: the CRTC (primary enforcement responsibility), the Competition Bureau and the Office of the Privacy Commissioner. Significant penalties can be imposed by these independent agencies for CASL violations. Enforcement agencies have a variety of options at their disposal to ensure compliance with CASL, including negotiated agreements, warning letters and administrative monetary penalties (AMPs).

1. The CRTC can issue administrative monetary penalties (AMPs) for violations of sections 6 through 9 of CASL; AMPs are designed to promote compliance.The maximum penalty per violation is $1,000,000 in the case of an individual, and $10,000,000 in the case of an organization.
2. The Competition Bureau can seek AMPs or criminal sanctions under the Competition Act; the consequences associated with being found to have engaged in deceptive marketing practices depend on whether the conduct falls under the civil or criminal provisions of the Competition Act. Civil provision (making a false or misleading representation): the Court may order to stop engaging in such conduct, to publish a corrective notice and/or to pay an AMP. For individuals, the penalty can be up to $750,000 for a first-time violation and up to $1 million for subsequent incidents. For corporations, the penalty can be up to $10 million for a first-time violation and up to $15 million subsequently. Criminal provision (knowingly or recklessly making a false or misleading representation): summary conviction: Fine of up to $200,000 and/or imprisonment for up to one year. Conviction on indictment: Fines are at the discretion of the Court and imprisonment can be for up to 14 years.
3. The Office of the Privacy Commissioner of Canada focuses on 2 types of violations: collecting personal information by accessing a computer system or electronic device illegally and harvesting electronic addresses.

These recent examples of enforcement actions by the three enforcement agencies illustrate CASL’s efficiency in combating spam and other electronic threats and of its imposed penalties:

CASL enforcement by the CRTC:

Since CASL came into force in 2014, the CRTC has issued $1.9 million in AMPs against violators. For example, in January 2021, the CRTC’s Chief Compliance and Enforcement Officer issued administrative monetary penalties totalling $300,000 to four Canadians for their involvement with a company in the Dark Web Marketplace known as CanadianHQ, which subsequently shut down.

In December 2021, the CRTC reached an agreement with Gap Inc. (Gap) for allegedly violating CASL. In addition to implementing corrective measures, Gap agreed to make a payment of $200,000. Gap proactively made changes to its marketing practices to meet CASL requirements. This investigation was supported by complaints received from Canadians.

CASL enforcement by the Competition Bureau:

The Competition Bureau has recently concluded these cases involving provisions of the Competition Act which came into force with CASL. To resolve the Bureau’s concerns, Avis/Budget agreed to pay $3 million in penalties, as well as $250,000 towards the Bureau’s investigative costs, while Amazon agreed to pay $1 million in penalties, as well as $100,000 towards the Bureau’s investigative costs. Hertz – Dollar Thrifty agreed to pay $1.25 million in penalties, and Enterprise Rent-a-Car Canada agreed to pay $1 million in penalties.

CASL enforcement by the OPC:

The Privacy Commissioner has pursued CompuFinder for a separate violation under the address-harvesting provision of CASL and entered into a compliance agreement with that company. In June 2017, the Commissioner also completed an investigation into Wajam Internet Technologies Inc., a Canadian company that distributed an unsolicited add-on to its program to track users online and collect personal information. As a result of the investigation, the company ceased those practices.

Unsolicited Telecommunications Rules:

In addition to CASL, the Government of Canada has put in place robust policies to help Canadians reduce the number of unsolicited telephone calls and faxes they receive. The CRTC is responsible for enforcing the Unsolicited Telecommunications Rules, which include the National Do Not Call List (DNCL) Rules, the Telemarketing Rules and the Automatic Dialing and Announcing Device (ADAD) Rules. The DNCL is designed to reduce the number of unsolicited telemarketing calls and faxes Canadians receive by allowing consumers to place their telephone and fax numbers on a registry of numbers that telemarketers are not allowed to contact. Secondly, the Telemarketing Rules detail specific limits on when telemarketing can be conducted, as well as other requirements on the conduct of telemarketers. Lastly, the ADAD Rules set out restrictions for telemarketers that seek to use devices that dial telephone numbers automatically and deliver a pre-recorded message, sometimes referred to as ‘robocalls’.

The CRTC takes violations of these rules very seriously and can issue penalties if a telemarketer breaks them. Penalties can be issued for up to $1,500 per violation for an individual and up to $15,000 per violation for a corporation.  Since the Unsolicited Telemarketing Rules came into force in 2008, the CRTC has issued $11,263,427 in penalties against those who have violated the Rules.

However, the Unsolicited Telemarketing Rules are designed to reduce but not eliminate telemarketing calls and faxes. Some telemarketing calls and faxes are exempt from the National DNCL, including those made by or on behalf of registered charities, newspapers, political parties and their candidates, organizations conducting market research, polls or surveys and companies that have an existing business relationship with the person they are calling.

The Government of Canada also recognizes that Canadians may receive fraudulent telephone calls.  As opposed to legal telemarketing, these unsolicited communications constitute a criminal act under the Criminal Code and are often made by nefarious actors operating outside of Canada.  Fraudulent telephone calls are a significant source of concern for Canadians and that is why the Government of Canada continues to take concrete actions to combat these crimes.

The CRTC, as Canada’s national telecommunications regulator, is responsible for setting requirements for Telecommunications Service Providers (TSPs) to take specific initiatives to combat fraudulent telecommunications. For example, the CRTC sets requirements for industry to implement technical solutions that prevent unsolicited and fraudulent calls from reaching Canadians, such as universal call blocking, which requires TSPs to block calls at the network level when caller identification (ID) information either exceeds 15 digits or when it does not conform to a number that can be dialled, e.g., 000-000-0000. 

The CRTC is also working to leverage industry expertise in developing new strategies to fight fraud.  For example, in December 2021, the CRTC approved a request from Bell Canada to permanently implement a call blocking solution that uses artificial intelligence to prevent scam calls originating from outside of Canada from reaching Canadians. From July 2020 to September 2022, this initiative prevented over 1.5 billion calls from reaching Canadians.

The CRTC has also required industry to develop a standardized, industry-wide call traceback process in order to determine the origin of unsolicited and fraudulent calls. The CRTC has approved final recommendations from industry regarding the traceback process and has set out its expectation that all TSPs participate in the traceback process. The CRTC required a joint industry-CRTC working group (the CRTC Interconnection Steering Committee or CISC) to provide quarterly status reports on the number of initiated tracebacks and the results, along with analysis and recommendations regarding failed attempts to trace calls. The latest quarterly status reports show that the call traceback process for fraudulent calls made from within Canada will continue to become more effective as more TSPs participate.

The CRTC also works with industry to alert Canadians if an incoming call may be part of a scam. This is important given the rise of caller ID spoofing, which is when the caller ID of an incoming telephone call is falsified by the scammer. Since November 30, 2021, TSPs have implemented a new framework to combat caller identification (ID) spoofing referred to as Secure Telephone Identity Revisited/Signature-based Handling of Asserted Information using toKENs or STIR/SHAKEN. This approach works by notifying Canadians whether an incoming voice-over-Internet protocol call originates from a number that has been authenticated. This framework will directly combat scams where fraudsters spoof the caller ID of organizations in an attempt to defraud their victims.

TSPs were required by the CRTC to submit an implementation readiness assessment report before the launch of STIR/SHAKEN in November 2021.  The CRTC has also required TSPs to submit status reports every 6 months regarding their continuing efforts to deploy STIR/SHAKEN until the framework is fully implemented.  In May 2022, reports from TSPs were received covering a period from September 2021 to February 2022. These reports indicate that TSPs had largely implemented STIR/SHAKEN for voice calls travelling over the internet while continuing to work on upgrading their legacy equipment that does not support STIR/SHAKEN.  In November 2022, status reports from TSPs were received covering a period from March 2022 to August 2022. These reports indicated that many carrier interconnections continue to use technology that does not support STIR/SHAKEN and that TSPs must continue to upgrade this equipment.  Similarly, the reports showed that the number of mobile handsets that can display STIR/SHAKEN information being sold by carriers is increasing, but that some consumers will need to upgrade their devices before they can take advantage of STIR/SHAKEN. 

The full implementation of the STIR/SHAKEN framework is a complex initiative and international organizations, equipment manufacturers, handset manufacturers and other partners are also responsible for implementing key aspects of the framework.  While some Canadians are already receiving verified and signed calls, it is expected that, over time, this approach will become more effective as TSPs upgrade their networks and more Canadians use telephones that work with this approach.  Requiring the implementation of leading-edge technology solutions to fight unsolicited calls while collaboratively working with industry to ensure their successful implementation will further contribute to a safer and stronger telecommunications sector in Canada.

Finally, in addition to strong collaboration with industry and international partners, the best tool in combatting fraudulent calls may be increasing consumer awareness by sharing information concerning current threats. The RCMP, the Competition Bureau, and the Ontario Provincial Police operate the Canadian Anti-Fraud Centre (CAFC), which is a key organization when it comes to increasing the availability and accessibility of fraud data. This organization works closely with national and international partners to proactively identify emerging domestic and international scams and threats. When it receives information on a fraud case, the CAFC analyzes the associated data and disseminates relevant information to numerous partners, including law enforcement organizations, telephone companies, email service providers, financial institutions, and credit card companies. In so doing, it can hinder communications between fraudsters and potential victims, and, at times, it has successfully contributed to blocking the receipt and laundering of victims’ funds. Furthermore, the CAFC’s website includes an up-to-date list of scams, including by type of medium, such as telephone, as well as information for Canadians about how to protect themselves from fraud and what to do if they are a victim of fraud.

The Government is also taking steps to enhance the quality of information on fraud in Canada by improving the processes by which Canadians can report fraud. For example, the RCMP’s National Cybercrime Coordination Unit (NC3) and the CAFC are developing a new National Cybercrime and Fraud Reporting System to improve the processes used to report fraud and cybercrime incidents to law enforcement. The NC3 will reach full operating capability in 2024.

The Government of Canada will continue to pursue technical and regulatory solutions to protect Canadians, the Canadian telecommunications system and electronic commerce infrastructure.