Canada’s Anti-spam legislation (CASL) – Performance measurement report 2017-2018

1. Introduction

Canada's Anti-Spam Legislation (CASL) protects Canadians from spam and other electronic threats, while ensuring that Canadian businesses can remain competitive in the global marketplace. Generally, the law prohibits sending commercial electronic messages without the recipient's consent; installing computer programs without the express consent of the owner of the computer; making false or misleading representations to the public in the form of electronic messages; collecting personal information through the illegal access of a computer; and collecting and using electronic addresses through computer programs (address harvesting).

CASL was passed in 2010 and the majority of provisions came into force in 2014 with a three-year transition period to allow time for consumers and businesses to become aware of and comply with the legislation.

In 2017, CASL was evaluated by ISED's Audit and Evaluation Branch, which identified a need for greater coordination amongst government partners on outreach and education. This annual report is part of management's actions to respond to this need.

It is also consistent with a recommendation made by the House of Commons Standing Committee on Industry, Science and Technology in their statutory review report on CASL.

2. Results at a Glance

Promoting:

In 2017-18, there were 400,184 visits to Fightspam.gc.ca including 339,978 unique visitors; 68.8% were from Canada, 22.2% from the United States and 9% from all other countries.

The Canadian Radio-television and Telecommunications Commission (CRTC) had 133,386 unique page views and 173,578 page views of its CASL-related website.

The Office of the Privacy Commissioner's (OPC's) CASL-related webpages were viewed more than 20,000 times while its "Helpful tips for businesses doing e-marketing" webpage was consulted more than 14,400 times.

In 2017-18, the number of CASL-related social media negative mentions (18%) continued to decline. When compared to the measurement of tone of mentions in the two previous years (26.4% negative mentions in 2015-16, 22% negative mentions in 2016-17), these findings indicate a steady, decreasing trend in negative perceptions.

Monitoring:

Canadians made 343,799 submissions to the Spam Reporting Centre, including 7,873 web form submissions and 335,926 email forwards. The CRTC issued 13 notices to produce to organizations in order to verify compliance with CASL.

Enforcing:

The CRTC took 5 enforcement actions: 2 warning letters and 3 undertakings.

The Competition Bureau resolved 2 cases that resulted in $2.25 million in administrative monetary penalties, while 1 application was filed with the Competition Tribunal.

The OPC received nine written CASL-related complaints from the public, 6 of which were accepted and successfully resolved through early resolution or referred for investigation.

3. Partners

The CASL initiative is administered by Innovation, Science and Economic Development Canada (ISED) and enforced by the CRTC, the OPC and the Competition Bureau. Roles and responsibilities of all organizations have been defined in foundational documents including laws and regulations.

Innovation, Science and Economic Development Canada

Innovation, Science and Economic Development Canada is the Department responsible for CASL within the Government of Canada; within ISED the Marketplace Framework Policy Branch and the Office of Consumer Affairs share CASL responsibilities.

National Coordinating Body

The National Coordinating Body, which resides in ISED's Privacy and Data Protection Directorate within the Marketplace Framework Policy Branch, is responsible for policy and research, public communications and outreach oversight, monitoring and reporting on the overall effectiveness of the regime.

Office of Consumer Affairs

The Office of Consumer Affairs coordinates consumer and business education and awareness efforts for the CASL initiative.

Enforcement Partners

Canadian Radio-television and Telecommunications Commission (CRTC)

The CRTC is Canada's broadcasting and telecommunications regulator. The CRTC has the primary enforcement responsibility under CASL and investigates, takes action against, and sets administrative monetary penalties for:

• Sending non-compliant commercial electronic messages. An example of a non-compliant message is a message sent without prior consent;
• Altering transmission data without consent. For example, this prohibits conduct by which Internet users are directed to websites they did not intend to visit and includes other illegal activities that target Internet users;
• The installation of a computer program on a computer system or network without consent. This includes malware, spyware and viruses installed with computer programs, hidden in spam messages or downloaded through links to infected websites.

Competition Bureau

The Competition Bureau, is an independent law enforcement agency which ensures that Canadian businesses and consumers prosper in a competitive and innovative marketplace, including the electronic marketplace.

CASL, through amendments to the Competition Act, enables the Competition Bureau to more effectively address false and misleading representations and deceptive marketing practices in the electronic marketplace, including false or misleading sender or subject matter information, electronic messages and locator information such as URLs and metadata.

Office of the Privacy Commissioner of Canada

The OPC is an Agent of Parliament which protects the privacy rights of Canadians. Through amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) the Privacy Commissioner enforces CASL with respect to two types of conduct:

• The collection and use of personal information through access to computer systems contrary to the law;
• Electronic address harvesting where bulk email lists are compiled through mechanisms including the use of computer programs that automatically mine the Internet for addresses.

4. The Ecosystem

4.1 International Context

The proliferation of spam and electronic threats such as malware, phishing, false and misleading content and identity theft are a harmful, costly, and evolving set of issues for Internet users, businesses, and governments around the world. The cost of these threats continues to rise despite spam filters and new technologies. In 2017, 14.5 billion spam emails were sent worldwide every day accounting for 45% of all emails sent.

Because the majority of these threats are coming from outside Canada, CASL partners have established relationships with sixteen countries including Australia, the Netherlands, the United Kingdom and the United States in an effort to address some of these issues. To this end, the CASL partners are also members of the Unsolicited Communications Enforcement Network (UCENet), an international network of agencies that share information and collaborate to address spam and other electronic threats.

4.2 E-commerce trends, indicators and challenges

CASL protects Canadians from spam and other online threats while ensuring that businesses can continue to compete in the global marketplace. It allows Canadian enforcement against spammers operating in Canada and facilitates co-operation in global anti-spam enforcement actions.

The electronic marketplace in which CASL exists is complex and fast-evolving; CASL is part of a broad range of domestic and international legal and policy frameworks in the areas of spectrum, telecommunications, privacy protection and cyber resilience, including cyber security.

In 2017, online privacy and trust remain a concern for Canadians: 44% of Canadian internet users reported being more concerned about their online privacy than a year ago. Cyber criminality was the primary source of concern for Canadians; they also expressed distrust of social media platforms, search engines and internet technology companies, with 58% of Canadian internet users feeling that social media has too much power. Despite this, e-commerce continued to be healthy with 86% of Canadians making an online purchase during the same year.

These concerns reflect a real challenge, as 39% of Canadian businesses reported experiencing an attack by malicious software. Canadians lost more than $33 million to online purchase scams and wire fraud alone.

To respond to this, an estimated $2.26 billion was spent in Canada for cybersecurity. An estimated 71% of security breaches affected small businesses while 24% of Canadian businesses reported not using anti-malware software.

This illustrates the pertinence of CASL, which helped keep Canada out of the top 10 spamming countries.

5. The Achievements

5.1 Policy and Coordination

CASL policy, research, oversight and coordination are the responsibility of the National Coordinating Body, which resides in ISED's Marketplace Framework Policy Branch. On an ongoing basis, the National Coordinating Body keeps abreast of the most recent developments in spam, online threats, cybersecurity and e-commerce spheres by performing strategic intelligence scans, information research, analyzing metrics and trends. The National Coordinating Body also works with national and international partners with the view to aligning legislative and regulatory frameworks with international anti-spam and malware industry best practices. For example, alongside CASL enforcement partners, the National Coordinating Body participates in (and sponsors) spam-related international fora such as the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) and UCENet, a network of anti-spam, consumer protection and telecommunications regulatory authorities.

The National Coordinating Body is responsible for informing and advising the Minister responsible for CASL, the Minister of Innovation, Science and Economic Development, of all developments that relate to the CASL initiative management and policy. It also oversees communications and outreach efforts including the development of the fightspam.gc.ca website, which is the responsibility of the Office of Consumer Affairs.

The National Coordinating Body also coordinates CASL governance-related activities by chairing Directors' General Steering Committee meetings to discuss policy and strategy.

The National Coordinating Body leads and coordinates the development of an annual CASL initiative Performance Measurement Reports which are produced in accordance with Treasury Board policies and guidelines. A report was completed for 2016-17 and in previous years in collaboration with all CASL partners.

The Performance Measurement Framework for CASL was updated in 2017. The National Coordinating Body and all CASL partners collaborated with ISED's Audit and Evaluation Branch in coordinating this effort.

The Audit and Evaluation Branch also completed an evaluation of CASL in 2017-18. The evaluation examined the initial achievements of the initiative, its management, and the extent to which CASL's impact on the electronic marketplace could be measured. It also identified a need for greater coordination of education and outreach activities among partners. This annual report is part of management's actions to respond to this need. The National Coordinating Body supported the Branch for that exercise, and will coordinate the implementation of the Management Response and Action Plan, which is management's response to the Evaluation's recommendations. All partners worked in collaboration with the National Coordinating Body to develop the plan, as they did for the evaluation itself.

National Coordinating Body CASL policy-focused achievements for 2017-18:

CASL provides for a Private Right of Action, which was scheduled to come into force in July 2017. In response to broad-based concerns raised by businesses, charities and the not-for-profit sector, the National Coordinating Body coordinated the consultation and performed the policy research and analysis which led to the suspension of the coming into force of the Private Right of Action by the Government of Canada on June 2, 2017.

Section 65 of CASL requires that the Act, which came into force in 2014, be reviewed by a parliamentary committee three years after coming into force. A review was therefore undertaken by the House of Commons Standing Committee on Industry, Science and Technology between September 26 and December 12, 2017. The National Coordinating Body was responsible for ISED's appearance before the Committee and required support of the Committee's work. On December 13, 2017, the Committee tabled its report entitled: "Canada's Anti-Spam Legislation: Clarifications are in Order". The report makes 13 recommendations respecting the application and requirements of CASL and asks for a Government's response, which the National Coordinating Body is tasked with preparing.

Alongside the National Coordinating Body, all partners appeared before the Committee, where all expressed support for the legislation and its impact on helping to fight spam and address online threats which can be harmful to Canadians. Here are the CASL partners' statements before the Committee.

• https://www.priv.gc.ca/en/opc-actions-and-decisions/advice-to-parliament/2017/parl_20171024/
• https://www.ourcommons.ca/Content/Committee/421/INDU/Brief/BR9285658/br-external/CanadianRadio-televisionAndTelecommunicationsCommission-e.pdf (PDF, 303.72 KB)
• https://www.ourcommons.ca/DocumentViewer/en/42-1/INDU/meeting-80/evidence
• https://www.ourcommons.ca/DocumentViewer/en/42-1/INDU/meeting-72/evidence

5.2 Promoting Compliance

Office of Consumer Affairs

The Office of Consumer Affairs manages CASL-related communication products for Canadian individuals and businesses, including the Fightspam.gc.ca website.

Fightspam.gc.ca promotes CASL-related information. In 2017-18, there were 400,184 visits to the website:

• 339,978 unique visitors;
• 303,327 who visited once;
• 36,651 who visited more than once.

Distribution of visitors on fightspam.gc.ca in 2017-18:

• 68.8% from Canada;
• 22.2% from the United States;
• 9% from all other countries.

Distribution of CASL-related social media mentions in 2017-18:

• 71% from Canada;
• 14.5% from the United States;
• 4.5% from the United Kingdom;
• 10% from all other countries.

The Office published 10 CASL-related Facebook posts on Your Money Matters and Questions d'argent Facebook pages in 2017-18. Together, these Facebook posts had a total reach of 48,730. Through online and social media monitoring, the Office reported 2,475 CASL-related mentions.

Key trends and highlights of CASL social media mentions in 2017-18:

• 62% of mentions concerned the CASL Private Right of Action (June 8, 2017);
• Prior to June 8, all top performing mentions were either discussions/tips about the upcoming implementation of the Private Right of Action;
• Soon after June 8, all top-performing mentions were reactions to the announcement of the suspension of CASL sections dealing with the Private Right of Action; and
• As of July, the volume of mentions remained low. Top mentions, from then on, related to various topics such as compliance, consent, the Private Right of Action, and the Committee review.

In 2017-18, the number of negative mentions continued to decline:

• 36.75% positive mentions;
• 45.25% neutral or ambivalent mentions;
• 18% negative mentions.

When compared to the tone of mentions in the two previous years (26.4% negative mentions in the 2015-16, 22% negative mentions in 2016-17), these findings indicate a steady, decreasing trend in negative perception.

On top of promoting online information, the Office distributes print copies of Worried It's SPAM? postcards to help Canadians recognize potential spam messages.

Distribution of print postcards to regional MP offices in 2017-18:

• 1,400 English postcards;
• 840 French postcards.

Ongoing promotion of CASL compliance to business is done online via the fightspam.gc.ca website. In total, 77,985 visits were made to web pages that specifically tackle the topic of CASL compliance for businesses.

CRTC

Complementing fightspam.gc.ca, the CRTC's website also provides CASL-related information to Canadians and stakeholders to make it easier for everyone to get the help they need. In 2017-18, the CRTC also continued to strengthen CASL's social media presence, using Twitter and Facebook to educate and inform stakeholders and Canadians.

The online experience was enriched with easy-to-access alerts, videos and infographics, resulting in a 34% increase in website visits from people on mobile devices, and an overall increase of 9% in new visitors across all devices. This means the CRTC is reaching more Canadians than ever.

In 2017-18, the CRTC:

• Had 133,386 unique page views and 173,578 page views of its website related to CASL;
• Released 52 tweets resulting in 60,692 impressions and 26 retweets;
• Published 20 Facebook posts reaching 68,513 people and resulting in 286 reactions;
• Held more than 40 compliance and outreach sessions with various business associations and consumer groups across Canada;
• Delivered a keynote speech on corporate compliance with CASL at the Canadian Credit Counsel Conference; and
• Participated in a live chat with the Canadian Business Network that focused on their members' compliance obligations under CASL.

Competition Bureau

In 2017-18 the Competition Bureau increased awareness of CASL-related issues in a number of ways in order to reach as many Canadian consumers and businesses as possible:

• Published the 3rd volume of the Deceptive Marketing Digest on May 2, 2017. This volume focused primarily on how enforcement agencies can work better together as members of the Organization of Economic Co-operation and Development Committee on Consumer Policy as well as the International Consumer Protection and Enforcement Network. It also examined recent enforcement work relating to the digital economy, specifically certain marketing practices that may result in "bill shock".
• Published Big Data and Innovation: key themes for competition policy in Canada in February 2018, as part of its commitment to keep pace with emerging issues in the digital economy.
• Issued 13 consumer and business alerts addressing a wide range of issues including fake tech expert claims, fake CEO scams, free trial or subscription trap scams and online shopping scams.

OPC

The OPC delivers ongoing CASL-related compliance guidance for businesses and advice for individuals through different channels. The OPC's website (https://www.priv.gc.ca/en/) is its primary tool for reaching individuals and sharing information with businesses.

Highlights for 2017-18 include:

• CASL-related webpages were viewed more than 20,000 times;
• The "Helpful tips for businesses doing e-marketing" webpage was consulted more than 14,400 times;
• Online resources for seniors, which include CASL-related information on online privacy, mobile privacy and preventing identity theft, were updated.

Sharing content through social media channels:

• CASL-related tips and material were promoted to businesses in a series of tweets and LinkedIn posts with graphics, including images and photos, for example during Fraud Prevention Month.

Participating in events and conferences:

• OPC officials exhibited and spoke at events and seminars including:
  • A cross-Canada speaking tour aimed at small businesses; and
  • Sessions on CASL-related topics for lawyers, privacy officers and cybersecurity experts.

Distribution of materials:

• 2,400 copies of "Helpful tips for businesses doing e-marketing" guidance and 2,076 copies of "Top 10 tips to protect your inbox, computer and mobile device" were shared at events;
• 9,000 copies of the 2018 privacy calendar in which a month was devoted to CASL (and corresponding editorial cartoon) were sent;
• Compliance information (including CASL) was mailed to more than 500,000 small businesses through a Canada Revenue Agency insert; and
• Outreach through public libraries across Canada which included CASL-related advice and information on library date-due receipts.

Articles and running radio spots:

• The Spring 2018 edition of Canadian Retailer Magazine (approximately 32,500 readers) included an OPC article on resources related to PIPEDA and CASL;
• Articles in community newspapers across the country; and
• A radio campaign on local radio stations in Canada during Cyber Security Awareness Week which reached over 1.8 million Canadians.

Responding to inquiries to the OPC's Information Centre:

• A total of 52 CASL-related requests from individuals and businesses were received — most by telephone.
• The top three broad CASL-related categories were: compliance by organizations, spam concerns from organizations, and address harvesting.

5.3 International and Domestic Cooperation

All enforcement agencies worked collaboratively and met regularly with domestic and international partners in order to promote compliance with CASL.

CRTC:

• Through UCENet, the CRTC worked with 10 agencies to identify entities that are engaging in online marketing activities that could be considered illegitimate, non-compliant, unfair or fraudulent.
• As part of this initiative, UCENet partners reviewed over 900 websites and examined more than 6,500 consumer complaints related to affiliate marketing. This initiative not only allowed the CRTC to identify potential violations but will also help in developing future communication products and enforcement tactics.

Competition Bureau:

• Actively participated in the International Consumer Protection and Enforcement Network (ICPEN) and the OECD Committee on Consumer Policy. Also attended meetings of UCENet, M3AAWG and the Internet Corporation for Assigned Names and Numbers (ICANN) meetings.

OPC:

• Actively participated in, and supported several international regulatory networks, including: UCENet, M3AAWG and the Global Privacy Enforcement Network (GPEN).
• In June 2017, the OPC took part in UCENet's first regulatory "sweep" on the subject of affiliate marketing. The global sweep identified a number of compliance issues with this form of marketing and websites were flagged for further action by participating UCENet authorities.
• The OPC presented a case study and an update on CASL at the joint annual meeting of UCENet and M3AAWG in Toronto, an event attended by private-sector IT security experts.
• The OPC is a member of GPENs Executive Committee, hosts and administers the GPEN website, takes part in teleconference calls and attends annual meetings.
• In 2017-18, the OPC and the Ontario Information and Privacy Commissioner's Office reviewed online applications and websites used in classrooms from kindergarten to grade 12, as part of the 5th GPEN global "sweep" examining "user controls over personal information". The OPC noted that while many applications and sites had taken steps to protect the privacy of children and youth, others were encouraging students to volunteer more information than necessary .
• In June 2017, the OPC co-chaired the first GPEN Enforcement Practitioner's Conference in Manchester, England. Investigative personnel from 33 regulatory authorities around the world shared enforcement techniques and best practices.
• The International Conference of Data Protection and Privacy Commissioners (ICDPPC)is the main global forum for data protection and privacy authorities. The Privacy Commissioner serves on the ICDPPC Executive Committee which oversees the activities of the Conference. At the 39th Conference in Hong Kong, the OPC received two ICDPPC global privacy awards, along with US and Australian counterparts, for the joint investigation of the Ashley Madison privacy breach. The OPC also participates in ICDPPC enforcement-related matters. Additionally, the OPC participates on the Digital Consumer Working Group, which has been tasked with examining the intersection of privacy, consumer protection and competition regulation, and ultimately how to promote collaboration across these spheres.
• Asia Pacific Privacy Authorities (APPA) – The OPC spoke at the 47th APPA Forum in Sydney, Australia examining how Asian privacy authorities can better work together in the areas of regulatory guidance and enforcement matters, and the benefits of doing so. In November 2017, the OPC co-hosted the 48th Forum in Vancouver, Canada under the theme of working with industry, civil society and academia on privacy research.
• ICPEN — The OPC has sought to develop links with the consumer protection and anti-trust regulators in ICPEN in recognition of the growing connection between privacy and consumer protection and anti-trust issues. In 2017-18, GPEN obtained ICPEN observer status with the OPC serving between the two networks.

5.4 Monitoring Compliance

CRTC

The CRTC monitors CASL compliance in several ways, including by:

• Collecting and analysing complaint data;
• Identifying trends and threats by leveraging data feeds;
• Reviewing and analysing other information collected from stakeholders; and
• Performing regular environmental scans.

In 2017-18, the CRTC:

• Received 7,873 web form submissions and 335,926 email forwards in the SRC for a total of 343,799 submissions from Canadians; and
• Issued 13 notices to produce in order to verify compliance.

OPC

The OPC concluded its review of Compu-Finder's implementation of privacy measures, finding that the Quebec-based training provider had fulfilled its obligations stemming from a compliance agreement with the OPC established in April 2016.

5.5 CASL Enforcement Operations

CRTC

The CRTC has developed a trusted network of domestic and foreign allies with whom it has established protocols for information sharing and enforcement collaboration. In 2017-18, the CRTC signed separate memorandums of understanding with the Ministry of Internal Affairs and Communications in Japan, the United Kingdom Information Commissioner and the Australian Communications and Media Authority to combat email spam and nuisance phone calls. The CRTC now has a total of 16 countries as established partners.

CRTC's international partners

Description of CRTC's international partners world map

A world map representing the 16 countries with whom the CRTC has established partnership, including the United States, Mexico, United Kingdom, Ireland, Netherlands, Sweden, France, Spain, Portugal, Israel, Australia, New Zealand, Hong Kong, Korea, Japan and Canada.

CRTC enforcement tools include:

• Warning letters;
• Undertakings; and
• Notices of Violation, which may include administrative monetary penalties (AMPs).

The CRTC's enforcement actions are published on its website. In 2017-18, the CRTC took 5 enforcement actions:

• 2 warning letters; and
• 3 undertakings.

2017-18 case results included:

• 514-BILLETS, whose main business activity is ticket resale for sporting and cultural events, was required to pay $100,000 for allegedly violating Canada's anti-spam law. The CRTC investigated the allegation that the company failed to comply with various requirements of the legislation between July 2014 and January 2016. During this period, the company allegedly sent text messages without the recipient's consent, without information identifying the person who sent the messages, and without information enabling the recipient to readily contact the sender. In recognition of the alleged violations, 514-BILLETS agreed to pay an amount of $75,000 in the form of $10 rebate coupons offered to 7,500 clients and have paid $25,000 to the Receiver General for Canada. In addition, to ensure that its future activities are fully compliant with CASL, 514-BILLETS will put in place a compliance program and appoint an officer responsible for organizational compliance.
• Ancestry Ireland Unlimited Company, which represented the CRTC's first undertaking with a non-Canadian corporation. Ancestry voluntarily entered into an undertaking concerning alleged violations of Subsection 3(2) of the Electronic Commerce Protection Regulations (CRTC) (CRTC Regulations). Ancestry undertook to comply with and ensure that all third parties sending commercial electronic messages on its behalf comply with CASL and the CRTC Regulations, particularly subsection 3(2) of the Regulations. In addition, Ancestry has agreed to put in place a program, which it provided in detail, to ensure compliance with CASL. Based on the nature of the alleged violations and the proactive cooperation demonstrated by Ancestry, no payment was required as part of the undertaking.

Competition Bureau

In 2017-18, the Bureau:

• 2 resolved cases that resulted in $2.25 million in administrative monetary penalties.
• 1 application filed with the Competition Tribunal

April 2017 — The Bureau reached a consent agreement with Hertz Canada Limited and Dollar Thrifty Automotive Group Canada.

• $1.25 million in administrative monetary penalties.

February 2018 — The Bureau reached a consent agreement with Enterprise Rent-A-Car Canada Company (Enterprise).

• $1 million in administrative monetary penalties.

January 2018 — The Bureau filed an application to the Competition Tribunal against Ticketmaster over alleged misleading ticket prices.

OPC

• In 2017-18, the OPC received nine written CASL-related complaints from the public, with some of them resulting in investigations.

Complaints received:

• 3 complaints were closed at intake:
  • 2 complaints were redirected to the senior management of the organizations involved;
  • 1 complaint was considered to be outside the OPC's jurisdiction to investigate;

6 complaints were accepted. Of these:

• 3 complaints were handled as consent complaints through early resolution with 1 deemed well-founded, and the other 2 considered resolved without a finding being made;
• 3 complaints were referred to investigations with 2 ultimately considered to be outside the OPC's jurisdiction and 1 being the subject of an ongoing investigation.

The OPC pursued 3 CASL-related investigations during the year:

• In one investigation regarding allegations of unsolicited email communications, the complainant withdrew the complaint before a final report could be issued;
• A second investigation into allegations of unsolicited email communications and the indiscriminate collection of contact information by a publishing company is still ongoing and is expected to be concluded in 2018-19.
• In June 2016, it commenced a commissioner-initiated investigation into the privacy practices of Canadian software company, Wajam, regarding its social media search software of the same name (later renamed and promoted as "Social2Search"). The OPC examined: (i) how and when the company obtained consent to install its software; (ii) whether the company was making it difficult for users to uninstall the software, and; (iii) if the company was adequately protecting users' personal information. It concluded its investigation in 2017-18 and found that Wajam breached PIPEDA with regard to each of the three above issues and other matters including: the lack of a privacy framework; the lack of openness about the software and how it functioned, and; the continued storing of personal information long after users had uninstalled the program. CASL amended PIPEDA's provisions to restrict when a company can collect and use personal information via software that has been installed without consent. The investigation highlighted the importance of software developers obtaining meaningful, express consent for the installation of software which collects and uses personal information. During the course of its investigation, Wajam stopped distributing its software in Canada. It later sold its assets, including the software, to a company in Hong Kong.
• In April 2011, CASL amended PIPEDA's provisions, enabling the OPC to collaborate and share information more easily with its provincial and international data protection authorities. The OPC has since engaged in multiple joint or coordinated enforcement actions with international and domestic partners.
• In 2017-18, the OPC discussed privacy matters of mutual interest, shared information and commenced joint-investigations with the Offices of the Information and Privacy Commissioner of Alberta and British Columbia. The joint investigation with British Columbia opened in March 2018 examined Facebook and Aggregate IQ (relating to the widely reported Facebook/Cambridge Analytica matter).
• The OPC also works with international data protection agencies on various compliance activities involving collaborative enforcement action. In 2017-18, it collaborated on major international investigations including:
  • Equifax Inc. - in September 2017 the OPC opened an investigation into a large data breach at this organization after receiving complaints and calls from concerned Canadians. This investigation is still ongoing.
  • VTech Holdings Ltd — in January 2018, the OPC published its findings into the global data breach at this connected toy maker which compromised the personal information of millions including more than 500,000 Canadians. The investigation benefited from collaboration with data protection partners in the United States and Hong Kong.
  • Facebook Friend-Finder- in September 2018, the OPC issued the results of its investigation into a data breach involving contact information uploaded by Facebook users through the site's Contact Importer tool, also known as "Friend Finder". In collaboration with the Data Protection Commission of Ireland, the OPC conducted an investigation that resulted in Facebook providing greater transparency for users regarding the contact matching process associated with the tool, making improvements to the tool, and ceasing its retention of the matched contact information of non-users.