The Canadian Radio-television and Telecommunications Commission (CRTC) recently issued an Enforcement Advisory, providing guidance on how individuals and businesses can better achieve compliance with the record-keeping and consent requirements prescribed under Canada's Anti-Spam Law (CASL).
First effective on July 1, 2014, CASL generally prohibits certain electronic interactions without consent. The main activity regulated by CASL is the sending of electronic messages with a commercial purpose, known as "commercial electronic messages" or CEMs, without express or (statutorily-prescribed) implied consent. The Enforcement Advisory is primarily directed at senders of CEMs; however, CASL also imposes express consent requirements in connection with CASL-regulated activities outside the CEM context — such as altering transmission data (section 7) and installation of computer programs (section 8). Thus, the Enforcement Advisory has application to a range of CASL-regulated activities.
The Enforcement Advisory notes that CRTC staff, in interactions with businesses and individuals who send CEMs, have observed that CEM senders are frequently "unable to prove they have obtained consent before sending CEMs", despite the clear requirement under section 13 that "a person who alleges that they have consent to do an act that would otherwise be prohibited […] has the onus of proving it." The CRTC advises that individuals and businesses sending CEMs should practice good record-keeping with that burden of proof in mind, recommending that senders at least keep a record, either in hardcopy or electronic form, of:
- all evidence of express and implied consent from consumers who agree to receive CEMs (for example, audio recordings of oral consent, copies of signed consent forms, completed electronic forms, and the like);
- documented methods through which consent was collected;
- policies and procedures regarding CASL compliance; and
- all unsubscribe requests and resulting actions.
The Enforcement Advisory also points to the CRTC's previously-published guidelines on the development and implementation of CASL compliance programs, addressing factors such as involving senior management, conducting a proper risk assessment and inventory, maintaining a written compliance policy, ensuring compliance by third party vendors and contractors, keeping records (as enunciated by this Enforcement Advisory), auditing and monitoring compliance, training staff, handling complaints, and taking corrective or disciplinary action.
As anyone who has tried to filter through CASL with a particular commercial endeavour in mind can undoubtedly attest, CASL is broadly-drafted framework legislation that cannot be universally applied without careful consideration, and the actual steps and details required to properly implement compliance can only be determined on a case-by-case basis. Taking practical steps to document and organize commercial compliance with CASL is a key step to establishing an important defense: CASL requires that a person must not be found liable for a CASL violation if "they establish that they exercised due diligence to prevent the commission of the violation".
While it may be impossible to prevent each and every potential violation of CASL, the CRTC's advice is practical, and following it can only assist businesses and individuals in proactively identifying and responding to potential CASL non-compliance issues in their own commercial contexts.