Earlier today, the Canadian Radio-television and Telecommunications Commission (CRTC) announced its latest investigation, and an undertaking from a major Canadian corporation regarding alleged violations of Canada's anti-spam law (known as CASL). The CRTC alleged that the corporation or its agents sent commercial electronic messages (CEMs) without consent between October 1, 2014 and December 16, 2014. As part of the undertaking, the corporation agreed to pay $60,000 and to update its CASL compliance program. The undertaking resolves all outstanding issues between the organization and the CRTC in relation to the CRTC's investigation of an alleged violation of CASL.
This undertaking, and the three undertakings reported by the CRTC in 2015, serve as important reminders that CRTC enforcement activities are ongoing in respect of the hundreds of thousands of complaints which have been filed to date under CASL. All domestic and foreign organizations subject to CASL that promote their business or similar activities through email or other electronic messages must bear in mind the following, among other considerations:
- Mitigating factors will not eliminate (but may reduce) financial consequences. Mitigating factors may include, among others, whether the organization fully cooperated with the investigation; whether it was a first offence; whether corrective action was deployed; and the extent to which the breach was caused by the organization directly or its service providers (and in the latter case, the extent to which the organization took steps to oversee or periodically assess service provider conduct).
- The importance of a robust internal compliance program – organizations can mitigate their exposure to CASL breaches and demonstrate due diligence to the CRTC in any investigation by deploying policies and procedures, and by ensuring that relevant personnel are trained on them. As part of a compliance program, it is important to adopt and enforce a CASL-specific policy that addresses (among other matters):
  - Record-keeping obligations. Under CASL, the CRTC can issue a Notice to Produce, requiring an organization to produce documents or information regarding CASL compliance. For example, when investigating a complaint, a Notice to Produce can require the organization to provide the CRTC with specific information for each CEM recipient – including the authority under CASL that permits the organization to send that recipient a CEM, and information to support that authority. If that authority is founded on consent, the supporting information would likely include the date that the recipient consented to receive CEMs, and the manner in which the recipient's consent was obtained. Where many recipient electronic addresses are concerned, a Notice to Produce can impose significant challenges to proving CASL compliance. By maintaining appropriate and accurate records, an organization can sufficiently respond to a Notice to Produce and demonstrate CASL compliance. See also the CRTC's Enforcement Advisory - Notice for businesses and individuals on how to keep records of consent.
  - Periodic audits / reviews. Organizations should conduct both internal and service provider CASL compliance reviews to assess CASL compliance matters (and remedy any deficiencies). For example, this may involve a semi-annual review of specific electronic address collection methods (e.g., webpage screens) for sufficient consent language, an audit of recent CEMs for message content requirements, and an audit of recipient databases to assess compliance with record-keeping obligations. Similar reviews could be carried out on service provider activities.
  - Contracts with service providers. Under CASL, organizations are responsible for the conduct of their service providers. If a service provider acting on behalf of an organization fails to obtain or document proper consent, or to meet CASL's other formalities, the latter organization can be liable under CASL regardless of whether the CRTC decides to take separate enforcement action against the service provider. Therefore, it is important to assess a service provider's CASL compliance in advance of any CASL-related engagement. Also, it is important to include clauses in contracts with service providers that require the service provider to:
    - comply with CASL;
    - submit to periodic reviews of its CASL compliance; and
    - indemnify the organization for a CASL breach attributable to the service provider (and in a manner that is not limited by other clauses, such as a limitation on service provider liability).
Due Diligence and Liability for Officers, Directors
The maximum administrative monetary penalty for a CASL violation is $1,000,000 per violation in the case of an individual, and $10,000,000 per violation in the case of any other person.
Under CASL, any officer, director, agent or mandatary of a corporation who "directed, authorized, assented to, acquiesced in or participated in the commission of" a violation can be personally liable for that violation. This liability can arise regardless of whether the corporation itself is the subject of any CASL proceedings. A person can seek to avoid liability for a violation by showing that it/he/she exercised due diligence to prevent the commission of the violation, among other common law principles.
For this reason, directors and officers of organizations should be particularly vigilant in ensuring that their organization has a robust CASL compliance program that addresses the matters discussed above. This is true today, and will take on greater significance when CASL's private right of action comes into force on July 1, 2017.