On January 6, 2014, we issued a bulletin entitled Ten Key Requirements of the Canadian Anti-Spam Law You Need to Know (John P. Beardwood and Gabriel M. A. Stern), in which we identified ten key issues/requirements of Canada's "anti-spam law" (formally known as An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, but informally and better known as "CASL"), as those requirements apply to commercial electronic messages ("CEM's") and to unsolicited installed programs ("UIP's").

As the date for the anti-spam provisions to come into force rapidly approaches (i.e. July 1, 2014)[1], organizations are increasingly focused on how to become compliant prior to the deadline. Much of this focus, and our advice, has necessarily been on developing both a rapid strategy to obtain express consent for the future delivery of CEM's, and templates to ensure that these CEM's contain the requisite content. However, as we set out below, there are five important reasons why organizations should look beyond immediate short-term compliance and develop and implement a CASL-specific policy.

1. Scope of CASL application to multiple departments

CASL has implications for multiple departments across an organization. The CEM requirements affect not only the marketing department and the IT department, but also individual email communications (a common misconception is that CASL only applies to bulk emails). In turn, the UIP requirements will affect not only the IT department, in particular where the organization is in the technology space, but also the marketing department to the extent that it uses cookies or other UIPs.

Further, while generally the subject of less attention than emails, CASL applies to other electronic messages, namely: text, sound, voice or image messages to (i) an instant messaging account, (ii) a telephone account, or (iii) somewhat ambiguously, "any similar account".[2]

In short, organizations need to carefully review their communications strategy to ensure that they understand each type of electronic message which they send and the CASL requirements which apply to each. The optimal approach to manage these multiple touch points at the organizational level, and in particular to ensure that an organization's response does not, advertently or inadvertently, become "siloed", is for the organization to develop and implement an organization-wide CASL policy that addresses the application of CASL to multiple internal stakeholders.

2. Managing the interaction of CASL requirements with other organization policies 

The obligations under CASL necessarily interact with other policies which an organization may have implemented. By way of example:

  • While another common misconception is that CASL is yet another Canadian privacy law (it is not: the focus is on commercial electronic messages, whether or not they use or include personal information), CASL does nevertheless interact with an organization's privacy policy. For example, where the electronic addresses are identifiable such that they constitute personal information, or the content of the email itself contains personal information, privacy issues will be triggered. In addition, an organization's existing privacy consents may be able to be leveraged as CASL consents, although that will be very much dependent on their content, as CASL requests for consent must contain content that privacy consents do not.[3]
  • Organizations that have "Do Not Call" (or "DNC") policies will have to understand and document a defined line between the application of their DNC and CASL policies. For example, while CEM's include sound or voice messages to a telephone account, they also exclude communications which are interactive two-way voice communications between individuals, facsimiles to a telephone account, and recordings "sent"[4] to a telephone account. For those organizations that have both DNC and CASL compliance issues, implementing separate policies which clearly cross-reference each other will help to clearly delineate the differences for the organization's users.
  • Organizations are increasingly adopting Bring Your Own Device ("BYOD") policies for employees, that prescribe what is and is not permissible with respect to such devices in the workplace and/or in connection with work product. Given that CEM's expressly include texts and electronic messages sent to an instant messaging account[5], BYOD policies will need to be revised to contemplate the CASL requirements for such electronic communications sent using employees' phones and tablets, for example.

3. Complexity of transitioning into compliance: tracking implications

Transitioning an organization into compliance not only requires that some key decisions be made and documented in a policy, but also effectively imposes certain tracking obligations on companies. For example:

  • For companies relying on the deemed consent applicable to pre-existing business relationships - for example, where a recipient made a purchase during the two years preceding the sending of the email - that deemed consent has a two-year expiration date, unless the pre-existing business relationship is refreshed by the recipient (for example, by making a new purchase). Organizations that intend to rely on that exemption, rather than on express consent, will need to have a customer relationship management ("CRM") system, or equivalent, which is capable of tracking such expiration dates and any refreshes for each recipient.
  • Similarly, organizations may choose to rely to a certain extent on the deemed consent provision where the recipient has (a) disclosed the electronic address to the sender, (b) without indicating a wish not to receive unsolicited commercial electronic messages at such address, and (c) the CEM is relevant to the recipient's business, official role or functions. The most obvious example of such disclosure is a recipient's business card, but to the extent that the organization is relying on that provision, it will need to implement a reasonable system of recording that such card was in fact the source of the electronic address, such that the organization will later be able to evidence same. In light of that requirement, organizations may wish to purchase a business card scanner.

These twin requirements of tracking and evidencing (a) the timing and duration of a recipient consent, and (b) the source of each electronic address, strongly militate in favour of organizations adopting and implementing a policy which is used as the basis of processes and procedures to accomplish these objectives, in particular if assets will need to be purchased to do so.

4. Enforcement and the Due Diligence Defence

Enforcement Mechanisms

There are various provisions which set out the enforcement framework for CASL. They include, among others[6]:

a) a mechanism wherein every person who contravenes any of sections 6 to 9 of CASL (that is, with respect to CEM and UIP requirements) commits a violation for which they are liable for an administrative monetary penalty, where the maximum penalty is (i) $1,000,000 in the case of an individual, and (ii) $10,000,000 in the case of any other person ("Violations");

b) personal liability for any officer, director, agent or mandatary of a corporation that commits a contravention of any of sections 6 to 9 of CASL[7], for the contravention or reviewable conduct, as the case may be, if they directed, authorized, assented to, acquiesced in or participated in the commission of that contravention, or engaged in that conduct, whether or not the corporation is proceeded against ("Contraventions and Reviewable Conduct"); and

c) offences, for every person who (i) refuses or fails to comply with a demand to preserve transmission data or a notice to produce a document, or who contravenes the CASL requirement for the person to give all assistance that is reasonably required to enable a designated person to execute a warrant (i.e. non-compliance), or (ii) obstructs or hinders, or knowingly makes a false or misleading statement or provides false or misleading information to, a designated person who is carrying out their duties and functions under this Act (i.e. obstruction or false information), wherein there is also personal liability for any officer, director, agent or mandatary of a corporation that commits an offence if they directed, authorized, assented to, acquiesced in or participated in the commission of the offence, whether or not the corporation is proceeded against ("Offences")[8].

Due Diligence Defences under CASL

However, CASL provides for a due diligence defence in each of the above three contexts, as follows:

  1. a person will not be found to be liable for a Violation if they establish that they exercised due diligence to prevent the commission of the Violation.[9]
  2. a person will not be found to have committed any Contravention or Reviewable Conduct if they establish that they exercised due diligence to prevent the contravention or conduct, as the case may be.[10]
  3. a person will not be convicted of an Offence for "non-compliance" if they establish that they exercised due diligence to prevent the commission of the Offence.[11]

CASL Policy as a Factor in Establishing a Due Diligence Defence

In light of the availability of a due diligence defence as a means to avoid liability for Violations, Contraventions and Reviewable Conduct, and Offences, organizations need to understand what measures they can adopt to support such a defence. As we describe below, one of the key elements of such a defence is the existence of a policy:

  • The test for establishing due diligence is as follows: the accused must establish on a balance of probabilities that (1) it believed in a mistaken set of facts, which, if true, would render the act or omission innocent, or (2) it took all reasonable steps to avoid the particular event that transpired.[12]
  • The determination of whether an accused met the due diligence standard will depend on the facts of each case, including the degree of knowledge expected of the defendant, the extent of the harm or damage caused, and the particular industry and activity involved. In assessing whether an accused took all the steps that could reasonably be expected in the circumstances[13], the court will review a number of factors, including the accused's use of preventative systems.
  • It is important that preventative procedures be documented in a form that goes beyond mere workplace manuals[14] - for example, to the point of being documented as formal policies. Courts will also inquire into whether (a) the policy and procedures met or exceeded standards in the corporation's industry, and (b) the relevant regulatory policy was in fact understood by individuals within the corporation.[15] On that latter point, preventative measures include training programs, internal and external audits, and risk assessments.[16]

In summary, the establishment and adoption (through training, etc.) of a CASL policy appears to be a minimum standard in establishing the due diligence defence. Evidence of continuous, genuine and comprehensive efforts on the part of the corporation to implement a CASL policy will significantly support a finding that the corporation exercised the required due diligence.

5. Personal Liability for Executives and the Board

Finally, once a CASL policy has been developed, at how senior a level of the organization should the policy be reviewed and approved? As we set out below, there are two very good arguments for having the policy reviewed at the officer and Board level.

First, given that in some circumstances CASL imposes personal liability on officers and directors, and that there is a due diligence defence available to those individuals as outlined above, officers and directors obviously have a vested interest in ensuring that that due diligence defence is supported through the adoption and implementation of an appropriate CASL policy.

Second, corporate governance literature regarding the due diligence defence suggests that "senior management" and "high-level personnel" should get involved in the review of corporate regulatory compliance policies.[17] For example, the Competition Bureau has identified the "involvement and support of senior management"[18] as one of five requirements of a proper compliance policy, regardless of the size, complexity, or nature of the corporation.

However, while the Bureau does not specify which individuals fit into the definition of "senior management," it does note that such management should ensure that the board of directors remains alert to the progress of the compliance program and any breaches thereof, and that any compliance policy should be founded upon strong leadership.[19] The Bureau also recommends that (a) a member of senior management should be appointed as a compliance officer and (b) a corporation's compliance model should also include: Corporate Compliance Policies and Procedures, Training and Education, Monitoring, Auditing, and Reporting Mechanisms, and Consistent Disciplinary Procedures and Incentives.[20] This is consistent with the 1996 Delaware Court of Chancery case of Re Caremark International Inc. Derivative Litigation,[21] where the court found that directors may be held personally liable for employee misconduct if the directors "fail to attempt in good faith to assure that a corporate information and reporting system, which the board concludes as adequate, exists."[22]

In summary, evidence that a corporation's board of directors and/or officers approved a policy regarding CASL compliance will likely be viewed favourably by a court/regulator in determining the existence of a due diligence defence.

Conclusion

A CASL policy serves an invaluable role in effectively co-ordinating the organization-wide implementation of CASL across multiple departments; managing the interaction of CASL requirements with other organization policies, such as privacy, DNC and BYOD policies; facilitating the tracking of the timing and duration of a recipient's consent, and the source of each electronic address; and supporting the availability of a due diligence defence in the case of a breach of the legislation. Further, we recommend that such a policy be approved at the officer and/or Board level, in particular given the risk of personal liability for such individuals.

Finally, a sixth reason to implement a CASL policy is that as the organization develops new communications methods (whether through social media, SMS or otherwise), those initiatives will need to be assessed for CASL compliance - just as new technology initiatives that may impact personal information need to undergo a privacy impact assessment - and that "CASL impact assessment" will be greatly facilitated by the existence of a CASL policy that documents the organization's decided approach to CASL compliance.