The Canadian Radio-television and Telecommunications Commission (CRTC) has issued new Compliance and Enforcement Guidelines for Canada’s Anti-Spam Legislation (CASL) which will come into force in stages beginning July 1, 2014.
Why is a Compliance Program Important?
A compliance program is a critical element in establishing a due diligence defence to a violation of CASL. The CRTC may take into account an organization’s compliance program in exercising discretion to take enforcement action and in terms of the size of any administrative monetary penalties imposed. Although the Guidelines are late in coming given that the implementation of this complex legislation is coming into force in days, the Guidelines are helpful in understanding what the CRTC considers to be a compliance program and what an organization may need to do to establish due diligence as a defence.
Compliance Programs are Not One Size Fits All.
The CRTC recognizes that compliance programs need to be tailored to the size and resources of a business. The CRTC expects larger organizations to implement more of the elements of a compliance organization than small and medium size enterprises (SMEs). Nevertheless, SMEs are not “off the hook”.
Anti-Spam Compliance Officer
The CRTC wants to see senior management involved in fostering a culture of compliance. It appears that the CRTC would like to see a senior leader in larger organizations named as a “Chief Compliance Officer” with responsibility and accountability for the development, management and execution of a CASL compliance program. In SMEs, a point-person who is responsible or accountable would be appropriate.
Among the duties of a Chief Compliance Officer or point-person is to ensure that a risk assessment for violations of the legislation. This should include an inventory of business functions and the types of communications they send. Dentons recommends paying particular attention to ensuring that “private lists” outside of the corporate client relationship management system and the use of external vendors and employee-sourced tools be reviewed carefully for the risks that they present.
Organizations should develop policies tailored to the particular compliance risks of the organization and updated frequently to address new issues, products or services. The CRTC suggests that a compliance policy might address the following points:
- establish procedures to comply with CASL
- provide for training on CASL and the policy
- include auditing and monitoring mechanisms to establish compliance
- address rules for using third parties to ensure compliance (e.g. contractual and other means)
- provide for record keeping, especially with respect to consent
- provide for reporting issues to the Chief Compliance Officer or point person
Record keeping is one of the thorniest issues with respect to CASL. It is a significant burden on organizations to track consent and exceptions to consent in an opt-in anti-spam model. By contrast, an opt-out model (had Canada chosen that route) would have imposed much less burden.
The CRTC has set a high record-keeping threshold. Among the most important points relating to CASL, the CRTC has said organizations should keep the following records:
- CASL policies and procedures
- all unsubscribe requests and actions
- evidence of express consent (audio recordings or forms) by consumers who agree to be contacted via a commercial electronic message
- commercial electronic message recipient consent logs
- commercial electronic message scripts
- actioning unsubscribe requests for commercial electronic messages.
- campaign records
- staff training documents
It is unfortunate that the CRTC has returned to suggesting audio logs of express consent. This is impractical. It is also highly intrusive of personal privacy and at odds with an organization’s obligations under Canada’s privacy legislation. A record created in the ordinary course of business that is logged and time stamped should be sufficient. However, organizations are advised to consider the CRTC’s position and seek guidance.
There are no surprises with respect to training. Organizations are expected to provide on-going tailored training with respect to CASL and the organization’s policies and procedures. Training should include refresher programs.
The CRTC suggests that employees provide written acknowledgement that they understand the corporate compliance program. The effectiveness of the training should be evaluated and the organization should monitor and enforce compliance. The CRTC suggests that effective training programs should include the following:
- CASL requirements
- potential liabilities
- the organization’s policies and procedures
- background information on CASL and the CRTC’s Rules
Non-compliance must be taken seriously. A disciplinary code should include CASL violations. Escalating discipline from refresher training to other more serious action should be included for non-compliance. The CRTC recommends retaining records of contraventions and the response. Dentons recommends seeking legal advice on these issues as they have a number of serious employment law and litigation implications, particularly in view of the private right of action included in CASL.
Audits, Monitoring and Complaints
Organizations are expected to have a system in place to audit and monitor compliance with CASL. Audits do not necessarily have to be conducted by third parties. However, they should include testing a statistically significant percentage of the organization’s telephone or email marketing campaigns. The results of the audit should be retained. Senior management is expected to respond to any deficiencies that are exposed by the audit.
In addition, an organization’s Chief Compliance Officer or point person in the case of a SME, is expected to respond to and resolve CASL-related complaints if they occur. Dentons recommends that procedures for handling and escalating complaints should be included in corporate policies and communicated externally.
The CRTC’s Compliance and Enforcement Information Bulletin CRTC 2014-326 can be found here.