Despite being in force for over two years, many of the key provisions of Canada's Anti-Spam Legislation (“CASL” or the “Act”) remain shrouded in uncertainty. One such provision, for example, is the Act’s due diligence defence regime. While a person cannot be found liable for a violation of the Act if they establish that they exercised due diligence in their anti-spam practices, the Act is silent on what must be undertaken in order to rely on this defence.
Seeking Due Diligence Guidance
Although CASL itself offers no clarity, the Canadian Radio-television and Telecommunications Commission (“CRTC”) has provided advice over the years on how organizations can exercise due diligence under other legislative regimes. Such guidance may be useful in the context of CASL.
One of the earliest examples of this is the CRTC’s Unsolicited Telecommunications Rules (the “Rules”) in Telecom Decision 2007-48, established in relation to Canada’s National Do Not Call List (“DNCL”). Due diligence, as in CASL, is a defence to a contravention of the DNCL. The Rules provide the public with the CRTC’s specific criteria for assessing a due diligence defence. According to section 526 of the Rules, due diligence in the context of the DNCL can be established when:
a. the telecommunication resulted from an error; and
b. the organization’s routine business practices included:
    a. adequate written policies and procedures;
    b. monitoring and enforcement of the Rules and its own policies and procedures;
    c. on-going employee training;
    d. the maintaining of records; and
    e. a requirement that third-party service providers agree to comply with the Rules.
The CRTC has historically set a high bar for establishing due diligence under the DNCL, requiring evidence that the party took all reasonable steps to comply with the Rules. For example, in Telecom Decision CRTC 2012-173, the CRTC found that, on a balance of probabilities, the company’s on-going employee training did not satisfy that part of the criteria because evidence of the training’s contents was not provided. Similarly, in Telecom Decision CRTC 2012-478, the CRTC noted that another company had instituted sound policies and procedures, but denied its due diligence claim because it had subsequently failed to follow them.
Another example of CRTC guidance can be found in the Compliance and Enforcement Information Bulletin CRTC 2014-326, released in June 2014. This bulletin offers best practice advice similar to that in the Rules, recommending written policies, record keeping, training programs, and mechanisms for identifying, handling and correcting errors. Notably, the bulletin also gives advice specifically for larger-scale organizations. It encourages senior managers in larger organizations to involve themselves in their organization’s compliance efforts and to take an active role in promoting the adoption of internal policies. These organizations are also encouraged to review their higher risk business units, and ensure that these units receive additional and sufficient attention.
Not surprisingly, the criteria from the Rules and the aforementioned bulletin appear in the CASL undertakings entered into since 2014. To date, the CRTC has agreed to undertakings with Plentyoffish Media, Porter Airlines, Rogers, and Kellogg Canada. These undertakings are filed at the Federal Court of Canada, and are accessible by the public. In each undertaking, the compliance measures adopted by the corporation are listed. Although the lists vary based on the applicable circumstances, they include familiar requirements such as adequate policies and procedures, training, monitoring and auditing.
Lessons can also be drawn from the recent CRTC compliance and enforcement decision, CRTC 2016-428, October 26, 2016, in which the CRTC found that Blackstone Learning Corp. ("Blackstone") committed nine violations of CASL. In that case, Blackstone did not take the opportunity to provide guidance as to its efforts at due diligence. In respect of its claim of implied consent under the conspicuous publication provisions of section 10(9) of CASL, it failed to provide the CRTC with representations and provided no supporting information with respect to (a) where or how it discovered any of the recipient addresses, (b) when the addresses were obtained, (c) whether their publication was conspicuous, (d) whether they were accompanied by a statement indicating that the person does not want to receive unsolicited CEMs, or (e) how Blackstone determined that the messages it was sending were relevant to the roles or functions of the intended recipients. In the absence of that detail, the CRTC found that Blackstone had committed the violations.
The lesson is that the CRTC, when considering the due diligence defence, will focus on the specific requirements of CASL and each of the elements required for the applicable conduct that is being questioned.
As well, the courts’ consideration of due diligence provisions of other legislative regimes offers guidance on certain common law norms. For example, section 283 of the Canadian Environmental Protection Act, 1999, contains a similar provision to CASL, giving parties the opportunity to show that they “exercised all due diligence” to prevent the commission of an act. When applying this provision, the Court in R v Canadian Tire Corp,  OTC 668, was unswayed by the “broadly-worded policy, proclamation of general philosophical objectives and reliance on an overall good prior record” put forward by the defendant. After reviewing due diligence jurisprudence, similar to the result in the Blackstone decision, the Court held that due diligence had to be exercised in relation to the specific contravention to establish a section 283 defence.
Due Diligence in Practice
What these sources of guidance suggest is that a multi-faceted compliance program will likely be necessary to garner due diligence protection. While a compliance program with some of these elements may be beneficial when negotiating an undertaking with the CRTC, the due diligence defence may require evidence of a coordinated and bona fide effort undertaken by the defendant to implement and adopt any such program.
For further information on developing and implementing a strong compliance program, as well as a comprehensive guide on CASL and its impacts on your organization, please visit Bennett Jones’ Anti-Spam Learning Centre, or contact one of our CASL specialists.