First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Canada’s anti-spam legislation – Information bulletin CRTC 2014-326

spamOn June 19, 2014, the Canadian Radio-Television and Telecommunications Commission (CRTC) published Compliance and Enforcement Information Bulletin CRTC 2014-326. The information bulletin provides guidelines to help businesses and their employees develop corporate compliance programs in order to comply with the rules of CASL that came into force on July 1st, 2014. Although July 1 has passed, it is never to late to take appropriate measures to comply.

CASL is a new law that aims to crack down on unwanted spam messages. This law requires all businesses that are selling or promoting products or services through commercial electronic messages (CEM) to prove they have consent to reach out to new, existing and potential customers. Unless an appropriate exemption is found, an individual or organization needs the consent of the recipient before sending a CEM. Consent can be expressed or, in limited circumstances, implied.

The purpose of the new law is also to reduce spam and viruses and increase consumer confidence in e-commerce. In addition, all electronic marketing messages will need to clearly and prominently identify the sender and receiver of the CEM, include the sender’s contact information and provide an unsubscribe mechanism, unless fully exempted from the Act. It also requires businesses/individuals to enable opt out from some or all commercial electronic messages within 10 business days.

Businesses and individuals have a three year grace period after July 1, 2014, to verify and confirm consent to send CEM, but can still only communicate with recipients they have existing business relationships with.

The bulletin sets out a number of suggestions and best practices on how to implement a CASL compliance program. This includes,

  • Appointing a member of senior management as CASL chief compliance officer or point person
  • Conducting a risk assessment such as your current communication and marketing practices and IT capabilities. This means reviewing and analyzing your organizations digital marketing practices, customer intake and transaction processes and client relationship records. Assessment of eligibility for various exemptions under law
  • Assessing the company’s Privacy Policy and update if necessary
  • Developing a written corporate CASL compliance policy that establish internal procedures for compliance with the rules and/or CASL including telemarketing and marketing policies and procedures, as well as commercial electronic message policies and procedures
  • Developing systems to obtain and document express consent
  • Developing systems to track the type and scope of consents and when they expire or are revoked through an unsubscribe
  • Developing systems to ensure that CEMs are not sent except where consent exists
  • Establishing a system of record keeping (hard copy or electronic)
  • Developing a training program for all staff
  • Developing and implementing an auditing and monitoring program
  • Establishing a customer complaint system
  • Establishing a mechanism that enables employees to provide feedback to the chief compliance officer or point person
  • Developing a disciplinary code to address contraventions by staff and demonstrate the organizational due diligence and commitment to CASL compliance

In addition, the program should also consider:

  • Developing consents, disclosures and notices to computer users about the installation of computer programs to run the company’s products, services and processes
  • Developing a checklist and process to review/revise contracts with third parties to require compliance with CASL should be established. The organization should also ensure marketing lists from third party providers contain “representation & warranty” that the list will be maintained in compliance with CASL. In addition, ensure outsourced digital marketing company contracts are CASL compliant.
  • Developing a system to obtain a new consent from the person replacing the person who provided consent initially. Customer consent isn’t necessarily transferable

The Bulletin provides illustrative examples concerning how each of these elements may vary depending upon the size of the organization.

This requires well thought out organizational tools, from simple spreadsheets, access database to complex data management systems and software, depending on the company’s budget, people and systems to enter and manage the data, and a coordinated internal communications plan.

As a result, you need to get your IT department on board or obtain the services of CASL experts to work on developing the systems and internal controls you need to implement your CASL compliance program, policies and procedures. Your sales and marketing department should also be involved because they will be able to provide guidance on your communication practices and will have to implement the program along with the IT department.

When implementing the program you need to remember that CASL applies to all employees in an organization who send commercial electronic messages (CEMs) on behalf of your organization. CASL is not limited to your sales and marketing departments. This means there should be a method for everyone to check recipient lists against databases when sending CEMs.

The CRTC suggests that employees provide written acknowledgement that they understand the corporate compliance program. The effectiveness of the training should be evaluated and the organization should monitor and enforce compliance. The CRTC suggests that effective training programs should include the following:

  • CASL requirements
  • potential liabilities
  • the organization’s policies and procedures and internal controls
  • background information on CASL and the CRTC’s Rules

Non-compliance must be taken seriously. A disciplinary code should include CASL violations. Escalating discipline from refresher training to other more serious action should be included for non-compliance. The CRTC recommends retaining records of contraventions and the response.

Thus, all the above mechanism, processes, systems, policies, procedures, training and operational controls need to be documented by your IT department for use by all employees. IT should also establish forms and checklists to ensure all CEMs the company sends comply with formalities and that unsubscribe requests are implemented without delay, according to the law, within 10 days.

The CRTC has said organizations should keep the following records:

  • CASL policies and procedures
  • All unsubscribe requests and actions
  • Evidence of express consent (audio recordings or forms) by consumers who agree to be contacted via a commercial electronic message
  • Commercial electronic message recipient consent logs
  • Commercial electronic message scripts
  • Actioning unsubscribe requests for commercial electronic messages
  • Marketing campaign records
  • Staff training documents

Information can be suppressed but never deleted.

The cost of not complying is steep and includes administrative monetary penalties of up to $10 million for a company; fines of $1 million per day and $1 million per violation; risk of class-action lawsuits against companies; reputational and operational risks. In addition, a private right of action will come into force as of July 1, 2017 to give persons who have been affected by a contravention of CASL a right to bring an action for damages and a statutory penalty of $200 per offence.

CASL specifically extends liability to the officers, directors and agents of a corporation that contravenes CASL if they directed, authorized, assented to, acquiesced in or participated in the contravention. However, no person is liable for a violation under CASL where they establish that they exercised due diligence to prevent the commission of the violation.

Under CASL, organizations that claim they have the consents required by CASL bear the burden of proving this. So make sure you have your compliance program in place and that it is well planned, executed and documented to provide the basis for a future due diligence defence, if one ever becomes necessary.

Follow me

Yosie Saint-Cyr, LL.B., Managing Editor

Managing Editor at First Reference
Yosie Saint-Cyr, LL.B., is a trained lawyer called to the Quebec bar in 1988 and is still a member in good standing. She practised business, employment and labour law until 1999. For over 18 years, Yosie has been the Managing Editor of the following publications, Human Resources Advisor, Human Resources PolicyPro, HRinfodesk and Accessibility Standards PolicyPro from First Reference. Read more
Follow me

Latest posts by Yosie Saint-Cyr, LL.B., Managing Editor (see all)

Send to Kindle

, , , , , , , , , , , , , , , , , , , , , ,

Comments are currently closed.