In less than nine months, on July 1, 2017, persons affected by a contravention of Canada's anti-spam legislation (commonly known as "CASL") will be able to invoke a private right of action to sue for compensation and potentially substantial statutory damages. Organizations should assess their CASL compliance and prepare to respond to CASL lawsuits by reviewing and updating their CASL compliance program.
CASL creates a comprehensive regime of offences, enforcement mechanisms and potentially severe penalties (including personal liability for employers, corporate directors and officers) designed to prohibit unsolicited or misleading commercial electronic messages ("CEMs"), the unauthorized commercial installation and use of computer programs on another person's computer system and other forms of online fraud (such as identity theft and phishing).
For most organizations, the key parts of CASL are the rules for CEMs. Subject to limited exceptions, CASL creates an opt-in regime that prohibits the sending of a CEM unless the recipient has consented (expressly, or by implication in limited circumstances) to receive the CEM, and unless the CEM complies with prescribed formalities (including an effective and promptly implemented unsubscribe mechanism) and is not misleading. An organization that sends a CEM bears the onus of proving that the recipient consented to receive it.
Contravention of CASL's CEM rules can result in severe administrative monetary penalties (up to $1 million per violation for individuals and up to $10 million per violation for organizations), civil liability through a private right of action (commencing July 1, 2017) and vicarious liability on employers, directors and officers who are unable to establish that they exercised due diligence to prevent CASL contraventions.
The private right of action may be invoked by any person who alleges they were affected by a CASL contravention, including the sending of a CEM without consent. If a court finds an organization liable for a CASL contravention, then the court may order the organization to pay the claimant compensation for actual loss, damage and expense plus potentially substantial statutory (non-compensatory) damages. For example, a contravention of CASL's CEM rules can result in statutory damages of $200 for each contravention, not exceeding $1,000,000 for each day on which the contravention occurred. CASL provides that the amount of statutory damages must be determined in light of all relevant circumstances.
REGULATORY GUIDANCE FOR CASL COMPLIANCE PROGRAMS
CASL gives the Canadian Radio-television and Telecommunications Commission ("CRTC") regulatory and enforcement authority regarding CEMs and other matters. CRTC has encouraged organizations to develop and implement a credible and effective CASL compliance program as a risk management strategy to reduce the likelihood of CASL contraventions and, if a contravention does occur, to help establish a due diligence defence and mitigate potential sanctions.
CRTC's Compliance and Enforcement Information Bulletin CRTC 2014-326, "Guidelines to help businesses develop corporate compliance programs" (2014-06-19), provides helpful guidance on a CASL compliance program. Following is a summary of CRTC's key recommendations:
- Senior management involvement: For large organizations, senior management should play an active and visible role in fostering a culture of compliance, and a member of senior management should be named as chief compliance officer responsible and accountable for the development, management and execution of a CASL compliance program. Small and medium-sized organizations should identify a point person responsible and accountable for CASL compliance.
- Risk assessment: An organization should conduct a risk assessment to identify CASL compliance risks, and then develop and apply policies and procedures to mitigate those risks.
- Written policy: An organization should develop and implement a written policy for compliance with CASL, including: (1) internal compliance procedures; (2) staff training; (3) auditing and monitoring mechanisms; (4) procedures for dealing with third parties (e.g. partners and subcontractors); (5) record keeping (e.g. records of consent); and (6) employee feedback. The policy should be periodically reviewed and updated to reflect legal developments and address non-compliance issues and new services or products.
- Record keeping: An organization should establish appropriate record keeping practices to help the organization: (1) identify potential non-compliance issues; (2) investigate and respond to complaints; (3) respond to questions about the organization's practices and procedures; (4) audit/monitor the organization's compliance program; (5) identify the need for corrective actions and demonstrate that those actions were implemented; and (6) establish a due diligence defence. The records should relate to all aspects of CASL compliance, including CEM policies and procedures, evidence of express consent, unsubscribe requests and actions, email campaigns, staff training (including signed training completion acknowledgements), audits and corrective actions.
- Training: An organization should establish an effective training program (including periodic refresher training and training updates) for all current and new staff at all levels (including managers and executives) so that staff understand relevant CASL rules and the organization's CASL compliance policy and related procedures. An organization should regularly monitor staff performance to evaluate the effectiveness of the training.
- Legal developments: An organization should monitor changes to CASL and regulatory guidelines, and modify the organization's CASL compliance policy and related procedures and training accordingly.
- Quality assurance: An organization should establish a documented quality assurance program, including lawful auditing and monitoring, to prevent and detect CASL contraventions and assess the effectiveness of the CASL compliance program.
- Complaints: An organization should establish a complaint-handling system so that individuals can submit complaints and the organization can resolve complaints within a reasonable or predetermined period.
- Corrective action: An organization should have a disciplinary code to address CASL contraventions, and should respond to CASL contraventions with corrective or disciplinary action, or refresher training, as appropriate.
CRTC's Enforcement Advisory, "Notice for businesses and individuals on how to keep records of consent" (2016-07-27), provides additional guidance for keeping records of consent to receive CEMs (see BLG Bulletin "Canada's Anti-Spam Legislation Regulatory Guidance").
CRTC's Guidelines acknowledge that not all recommended components of a CASL compliance program will be necessary or practicable for every organization, and that each organization must adapt the recommended program components to its particular circumstances. Nevertheless, CRTC enforcement officers and courts will likely treat CRTC's Guidelines as indicating best practices for CASL compliance. For those reasons, CRTC's Guidelines are a useful tool for any organization that wishes to improve its compliance program.