Was it all for nothing? CASL, I mean.
The mad rush towards the July 1, 2014 deadline, the thousands (in many cases, hundreds of thousands) of dollars spent on compliance, the escalating salvo of shrill e-entreaties to please, please, please provide consent.
All the hype, all the fuss and… nothing. Was it Y2K all over again?
From the perspective of organizations, the eerie calm may indeed be reminiscent of those first few seconds past midnight on January 1, 2000. For the CRTC, however, the regulatory wheels have been furiously churning for months. Unlike Y2K, the first few hours after July 1, 2014 saw the CRTC online spam reporting go live, with newly hired staff (news reports variously reported 15 and 30 new employees) ready to start processing complaints. And complaints there were.
Speaking on July 4, 2014, the CRTC’s chief compliance and enforcement officer Manon Bombardier told media that over one thousand complaints had been submitted in the first two days. By July 9, 2014 that number was up to 12,000. By the end of July, it was edging past 50,000. By October 7, 2014, 120,000 irate Canadians had filed complaints.
Will all of these complaints be investigated? Even the CRTC has acknowledged that is unlikely. It has promised that all complaints will be reviewed, but it will be selective in deciding whether a complaint will be investigated.
Organizations with their fingers crossed, hoping CASL would be a toothless tiger, are in for a rude awakening. The CRTC has already begun the first steps to enforcing CASL.
The first step appears in your mailbox in the form of a Notice to Produce, issued pursuant to section 17 of CASL. The Notice “requires you to produce the documents below”, and a long list of documents is itemised. The boilerplate also advises that “if you intend to contest this notice, you must submit an application for review” in accordance with conditions set out in the Notice. The conditions only permit you to contest the Notice where the requirement to produce is unreasonable in the circumstances, would disclose privileged information, or to review conditions imposed to prevent disclosure.
Organizations receiving such a Notice may want to think seriously about contesting it as the disclosure requirements are burdensome (see more on this point, below) and in some cases unrelated to the issue. Organizations will be left guessing as to what “the issue” might be as it appears that no complaint is included with the Notice. In other words, organizations will not know the case they have to meet, nor will they be able to easily challenge the disclosure on the basis of being unreasonable because they won’t know to what the Notice relates. For instance, a Notice that requires an organization to produce the customer records that underlie a claim of an “existing business relationship” may be reasonable in some circumstances, but wholly unreasonable if the complaint that triggered the Notice was about a confusing unsubscribe function.
No Grace Period
Organizations anticipating a post-July 1 “grace period” will be disappointed, as the Notice in question begins by requiring the production of a “complete contact list of potential email recipients” the organization could have used to send commercial electronic messages (“CEM”) since July 2, 2014. The grace period, if there is one, appears to be a single day.
Scope of Disclosure
For every email address which appears on the list mentioned above, the Notice in question demands documentation on:
- The method by which the email address was obtained;
- The kind of consent obtained, and the nature of the relationship which supports such consent; and
- The date on which that consent was obtained.
In addition, the Notice in question demands the production of:
- All documents and data pertaining to policies and procedures for obtaining, recording and tracking consent for sending of CEMs;
- All templates used for CEMs sent during the relevant period;
- All documents and data pertaining to policies and procedures for scrubbing email contact lists, including documentation on how the unsubscribe mechanism works;
- Documents (including payment information and contracts or agreements) with third parties who have sent CEMs on behalf of your organization;
- Audited financial statements (unaudited if audited statements are not available); and
- Information on: restrictions of use of assets; credit facilities; amounts due to owners or shareholders and amounts due from owners or shareholders.
Organizations receiving a Notice like this are very likely to find these requirements burdensome, particularly since organizations are given only 15 days to produce these materials. For an organization which sends out, say, a few thousand promotional messages per month, this has the potential to tie up marketing and IT resources for days.
Organizations concerned about their CASL compliance practices, or simply concerned about their resources and ability to respond in a timely way to a CRTC CASL investigation, should stress test their organization using the checklist above. While this is by no means comprehensive, it nonetheless provides a basic understanding of what to expect from the CRTC. It will allow organizations to get ahead of any investigation, and fill gaps in their CASL compliance program.
This article was originally published in the Canadian Corporate Counsel Association (CCCA) Magazine: www.ccca-acceje.org.