Keeping up with CASL.
Just over one year ago, on July 1, 2014, Canada’s Anti-Spam Legislation (“CASL”) came into force. (For more background on CASL, please read “Canada's new anti-spam law (CASL) comes into force on July 1, 2014: What does it mean for you and your business?”). The legislation was introduced to purportedly protect Canadians and Canadian businesses from spam. The legislation has compelled organizations across the country to take a look a closer look at how they use technology to communicate and promote their business. Whether CASL has actually assisted in reducing the proliferation of spam is a matter of debate.
Subject to certain exceptions made available by the Act, CASL generally prohibits the sending of “commercial electronic messages” without the recipient’s express or implied consent. A commercial electronic message (“CEM”) is any type of electronic message (emails, text messages, instant messages, etc.) that is intended to encourage the recipient to participate in a commercial activity.
Somewhat frustratingly for those who wish to abide by the legislation, there are three distinct government agencies tasked with enforcement of CASL: the Canadian Radio-television and Telecommunications Commission (“CRTC”), the Competition Bureau, and the Office of the Privacy Commissioner. The CRTC is responsible for assessing and investigating complaints that are submitted to its “Spam Reporting Centre,” as well as issuing fines for violations.
The ambiguous and complex nature of CASL has made it difficult for organizations who are attempting to comply with its provisions, as very little interpretive light has been shed by the enforcement agencies. This is made worse by fact that CASL wields serious teeth, allowing the CRTC to issue Administrative Monetary Penalties (“AMPs”) to organizations of up to $10 million dollars per violation. These penalties are in addition to the negative publicity that arises when an organization is found to have violated the provisions of CASL.
To date, there have only been three significant enforcement actions, with the highest AMP issued by the CRTC being $1.1 million dollars. These actions highlight the areas where organizations appear to struggle with compliance, including:
- sending a CEM without consent, or more importantly, being unable to later prove consent;
- failing to provide the requisite identification and contact information in the CEM;
- sending a CEM that did not contain an unsubscribe mechanism;
- using an unsubscribe mechanism that was not set out clearly and prominently or that was not able to be readily performed; and,
- failing to action unsubscribe requests within the prescribed 10-day period.
It is important to understand that in the event of an investigation, CASL creates a positive obligation on the organization to demonstrate the existence of the recipient’s consent or that an exception otherwise applies. The CRTC has made it clear that an organization cannot rely on general corporate policies and procedures as evidence of the proper consent.
As part of an investigation, the CRTC can issue a Notice of Production, requesting robust amounts of very detailed information from an organization, making compliance with such a request both costly and time-consuming.
Here are a few ways in which your organization can avoid falling into the crosshairs of the CRTC, or if an investigation is commenced, will allow the organization to show that it has made a duly diligent effort to comply with CASL:
Develop a corporate compliance program. This will include designating an individual in your organization responsible for the development of its CASL program, as well as serve as a contract person for questions or concerns regarding daily ongoing compliance. It is imperative that this individual have the support of senior management to ensure that changes, as necessary, are made by the organization. Your organization should ensure that a policy is set out in writing and is readily accessible to all employees.
Consider your training needs. Although everyone in the organization should be familiar with the requirements of CASL, more intensive training should be provided to those employees working in technology and marketing. It is also important that refresher training is provided on a regular basis to account for employee turnover and changes in CASL, its interpretation and its enforcement.
Develop a sophisticated record-keeping system. Each organization may have unique considerations when it comes to developing an appropriate system. This discussion should involve employees working in information and technology. In the event that complaints are made against your organization to an enforcement agency, your organization will be expected to produce detailed records of recipient consent, unsubscribe requests, and unsubscribe action, so the chosen record-keeping system must be capable of rapid and correct collection and production of this information.
Assess your organization’s compliance regularly. This will include the use of spot auditing and monitoring mechanisms to ensure that all internal policies and procedures are being carried out effectively. This will also allow your organization to identify and address any potential problem areas with respect to compliance. A very simple step is to make sure that all larger-scale electronic communications are pre-vetted for CASL compliance before they are sent out.
Set up an internal complaint handling system. If you provide recipient’s the opportunity to make complaints directly to your organization, you are able to respond promptly, adjust your policies accordingly, and possibly resolve issues before they progress into investigations.
Confirm that your unsubscribe mechanism meets the requirements of CASL. The unsubscribe mechanism should be included in every CEM. The unsubscribe mechanism should be consumer-friendly, technology neutral, and accessed by the recipient without any difficulty or delay (such as providing a link to a webpage where the recipient can unsubscribe). Avoid using an unsubscribe mechanism that is more burdensome for the recipient, such as requiring the recipient to log into an account or click through numerous links in order to unsubscribe. Lastly, ensure that unsubscribe mechanisms are functioning and unsubscribe requests are being processed by the system within ten days of receipt.
Ensure that every CEM sent includes the proper identification and contact information for your organization.
Consider the terms of service agreements with third parties. If you choose to use a third party to send communications on your behalf, not only should the service agreement confirm that the third party will be compliant with CASL, but should also provide your organization with audit rights. It would also be prudent to confirm in the service agreement how quickly the third party will be able to produce information in the event that a Notice of Production is received, and how the records will be treated in the event that the service agreement is terminated.
Although the introduction of CASL resulted in an initial frenzy of compliance, this past year serves as a reminder that in order to avoid an expensive and invasive CRTC investigation, organizations should remain diligent, use prudent judgement, and not allow continuing compliance to fall to the wayside.
Paul K. Grower is a partner with Fillmore Riley LLP who practises primarily in the areas of taxation litigation, general commercial litigation, and privacy law. You can reach him at (204) 957 8369 or email@example.com. Brynne N. Thordarson is an associate with the firm who practises in the areas of business law and wills and estates. You may reach her at (204) 957 8306 or firstname.lastname@example.org.