
Inside Internal Controls

News and discussion on implementing risk management


Developing a corporate compliance program under Canada’s Anti-Spam Legislation (CASL)

CASL is now in force

As of July 1st, individuals and organizations who send or receive commercial electronic messages (CEMs) in Canada must comply with Canada’s Anti-Spam Legislation (CASL)’s anti-spam provisions. With CEMs being broadly defined, many organizations, including registered charities and not-for-profit organizations, are caught by CASL.

Guidelines to help organizations develop corporate compliance programs

On June 19, 2014, the Canadian Radio-television and Telecommunications Commission (CRTC) issued Compliance and Enforcement Information Bulletin CRTC 2014-326: Guidelines to help businesses develop corporate compliance programs (the “Compliance Guidelines”).

The Compliance Guidelines’ stated purpose is to provide general guidance and best practices on the development of organizational compliance programs to facilitate compliance with CASL as well as the CRTC’s Unsolicited Telecommunications Rules (the “Rules”).

The CRTC acknowledges in the Compliance Guidelines that no two organizations are the same and that every organization has different risks. As a result, compliance programs will vary depending on the size of an organization, its risk profile, and its available resources.

Why should a corporate compliance program matter to you and your organization?

In the Compliance Guidelines, the CRTC expressly states the following:

“Commission staff may take into consideration the existence and implementation of an effective corporate compliance program if the business presents the program as part of a due diligence defence in response to an alleged violation of the Rules or CASL. Although the pre-existence of a corporate compliance program may not be sufficient as a complete defence to allegations of violations under the Rules or CASL, a credible and effective documented program may enable a business to demonstrate that it took reasonable steps to avoid contravening the law. Thus, the program may support a claim of due diligence. As well, Commission staff can take the existence of such a program into consideration when determining whether a violation of the Rules or CASL is an isolated incident or is systemic in nature, and whether sanctions against a business should include AMPs [Administrative Monetary Penalties].”

Given the potential for serious consequences under CASL (i.e., AMPs of up to $10 million per violation for organizations, personal liability for directors and officers, vicarious liability for employees’ actions, and a private right of action (which right commences on July 1, 2017)), developing a corporate compliance program, if one has not already been developed, should be on an organization’s ‘to do’ list, especially in light of the CRTC’s comments above.

Components of a corporate compliance program

The Compliance Guidelines set out the components of a corporate compliance program that the CRTC believes are important. The Compliance Guidelines do note that the information contained therein is not intended to be exhaustive or prescriptive, and that the CRTC recognizes that organizations may take other reasonable steps to comply with CASL and/or the Rules.

Under the Compliance Guidelines, the following are the suggested components of a corporate compliance program:

1. Senior management involvement

For larger organizations, senior management should consider playing an active and visible role in fostering a culture of compliance within the whole organization. In addition, thought should be given to giving a member of senior management the responsibility of overseeing the development, management and execution of the organization’s corporate compliance program. For smaller organizations, thought should be given to identifying a person who could be responsible for ensuring an organization’s compliance.

2. Risk assessment

The person with responsibility (as identified above) should consider conducting a risk assessment to determine which activities of the organization are at risk for constituting a violation under CASL or the Rules.

3. Written corporate compliance policy

Following the completion of a risk assessment, the person with responsibility (as identified above) should consider, in collaboration with others within an organization, developing a written corporate compliance policy. If such a written policy is created, it will be important to ensure that it is readily accessible by everyone within an organization, and that it is kept up-to-date and appropriately reflects how CASL is being interpreted. The Compliance Guidelines note that a policy may also:

a) establish internal procedures for compliance with the Rules and/or CASL;

b) address related training that covers the policy and internal procedures;

c) establish auditing and monitoring mechanisms for the corporate compliance program;

d) establish procedures for dealing with third parties (for example, partners and subcontractors) to ensure that they comply with the Rules and/or CASL;

e) address record keeping, especially with respect to consent; and

f) contain a mechanism that enables employees to provide feedback to the chief compliance officer or point person.

4. Record keeping

The benefits of good record keeping are highlighted in the Compliance Guidelines. Of the six benefits listed, the last one may be of great benefit to an organization: “establish a due diligence defence in the event of complaints to the Commission against the business.” The Compliance Guidelines also suggest that certain records and documents be maintained in hard copy and/or electronic records. The list set out in the Compliance Guidelines is worth reviewing.

5. Training program

Providing training on a corporate compliance program, and providing appropriate follow-up, will be vital to helping an organization ensure that its representatives understand their obligations. In respect of training, the Compliance Guidelines go as far as to suggest that representatives of an organization provide, following training, written acknowledgements that they understand the organization’s corporate compliance policy. In addition to training, an organization should consider monitoring legislative or regulatory changes, and adjusting the corporate compliance policy, and applicable training, accordingly.

6. Auditing and monitoring

To help prevent and detect non-compliance, and to assess the effectiveness of the corporate compliance program, an organization should consider performing on-going monitoring and periodic auditing. The results of audits should be recorded, maintained and communicated to the appropriate individuals within an organization, and changes to the corporate compliance policy and corporate compliance program should be made, where appropriate.

7. Complaint-handling system

The Compliance Guidelines suggest that organizations put into place a complaint-handling process so individuals can submit complaints to an organization, and that the organization should try to resolve complaints within a reasonable period of time. The CRTC notes that “the complaint-handling system should not be confused with the requirements in the Rules and CASL regarding the withdrawal of consent.”

8. Corrective (disciplinary) action

The Compliance Guidelines suggest that organizations should consider taking corrective or disciplinary action against their representatives to address non-compliance with the corporate compliance policy. Such action may, where appropriate, include refresher training.

Section 8 of CASL (installation of computer programs)

On January 15, 2015, CASL’s provisions pertaining to the installation of computer programs (including applications or “apps”) come into force. There remain many unanswered questions about these provisions, and we are waiting for interpretational guidance from the government.

In my role as the Chair of the Canadian IT Law Association (IT.CAN)’s Public Affairs Forum, I will be chairing a session for IT.CAN on September 9th entitled “CASL Section 8 Session with the CRTC and Industry Canada”. Participating in this session will be representatives from both the CRTC and Industry Canada.

By J. Andrew Sprague

Reproduced with permission from Miller Thomson LLP.

If you have any questions, comments or concerns regarding section 8 of CASL (installation of computer programs) that you would like me to bring forward at the session, please feel free to contact me at

If you would like to follow me on Twitter®, you can find me @canadaantispam.

Miller Thomson enjoys a reputation as one of Canada’s most respected national business law firms. Daily, our people demonstrate a consistent ability to provide practical, creative and cost-effective advice, combined with an unyielding service commitment to our clients. The firm’s dedication to its lawyers, staff and the communities in which we practise, gives us a distinctive position in the Canadian legal industry.
