With less than two weeks to go before the coming into force date for the main provisions of Canada’s Anti-Spam Legislation (CASL), the Canadian Radio-television and Telecommunications Commission (CRTC) published a number of infographics and a Compliance and Enforcement Information Bulletin CRTC 2014-326: Guidelines to help businesses develop corporate compliance programs (Compliance Bulletin).
Designed as one of the most stringent anti-spam regimes in the world, CASL will have a significant impact on the electronic communication practices of companies in Canada as well as foreign companies sending commercial electronic messages (CEMs) to recipients in Canada. The main anti-spam provisions of CASL, which come into force on July 1, 2014, prohibit (subject to limited exceptions) the sending of a CEM to an electronic address, unless the recipient has consented to receiving the message and the message meets certain form and content requirements.
The CRTC has published several infographics dealing with information required to be included in a CEM, managing consents obtained on behalf of unknown third parties, the difference between express and implied consent, pre-CASL express consents, and what constitutes a CEM. In particular, one of the infographics highlights that valid express consent obtained before CASL continues to be valid after July 1, 2014.
CASL COMPLIANCE ‘BEST PRACTICES’ ACCORDING TO CRTC
The stated purpose of the Compliance Bulletin is to “provide general guidance and best practices for business on the development of corporate compliance programs” under CASL and the CRTC’s Unsolicited Telecommunications Rules (Rules), which regulate communications by telephone, fax and automatic dialing-announcing devices.
The Compliance Bulletin highlights the value of an effective corporate compliance program as a “risk-management strategy” to help businesses reduce the likelihood of breaching CASL or the Rules and in assisting with establishing a due diligence defence. The CRTC indicates that it will take the existence and implementation of a corporate compliance program into consideration when enforcing CASL, including in determining whether an administrative monetary penalty is warranted and whether a violation constitutes an isolated incident or forms part of a more systemic problem. However, businesses are warned that a corporate compliance program may not be sufficient as a complete defence to allegations of violations under the Rules or CASL.
Tailoring the Policy to the Needs of the Business
The CRTC emphasizes that each business should tailor its corporate compliance program to its particular needs and circumstances, noting that the proposed compliance strategies in the Compliance Bulletin may or may not be appropriate depending on the organization’s size and risk exposure. In particular, some of the best practices set out in the Compliance Bulletin may not be suitable to smaller businesses with limited resources. Though businesses are required to comply with CASL and the Rules regardless of size, the CRTC notes that compliance programs will vary widely.
Involving Senior Management
With respect to large businesses, the CRTC recommends that senior management get involved in “fostering a culture of compliance within their organization,” highlighting that policies are more likely to be followed with strong senior management support. Appointing a chief compliance officer to be responsible for developing, managing and executing the compliance policy is a best practice to consider. Smaller businesses should consider appointing a “point person” to be responsible for CASL compliance.
Risk Assessment and Response
The Compliance Bulletin recommends that the chief compliance officer (or point person) conduct a risk assessment to identify the activities of the business that are at risk of contravening CASL and/or the Rules and develop policies and procedures to lessen those risks.
Once the risks of the business have been identified, the CRTC recommends that the chief compliance officer (or point person) draft a corporate compliance policy that can be easily accessed by all employees, including managers. The compliance policy should address, in particular, internal compliance procedures, training, auditing and monitoring mechanisms, procedures to ensure compliance by third-party vendors and partners, record keeping and feedback mechanisms for employees. The policy should be updated as necessary to reflect changes in the law, non-compliance issues or new business activities.
The Compliance Bulletin also emphasizes the importance of good record-keeping practices for several reasons, including establishing a due diligence defence.
For the purposes of CASL, the Compliance Bulletin recommends that businesses maintain physical and/or electronic records of:
- CEM policies and procedures
- Unsubscribe requests and actions
- Evidence of express consent (such as audio recordings or forms) by consumers who agree to be contacted via a CEM
- CEM recipient consent logs
- CEM scripts
- Actioning unsubscribe requests for CEMs
- Campaign records
- Staff training documents
- Other business procedures
- Official financial records.
The Compliance Bulletin emphasizes that effective training programs for staff at all levels of the organization are integral to an effective corporate compliance program. The training should be tailored to the specific activities of the business and should explain what conduct is prohibited and what employees should do if they witness prohibited conduct. Businesses should provide further training as required and obtain a written acknowledgement from staff that they understand the compliance policy.
The CRTC stresses the importance of auditing and monitoring the effectiveness of the compliance program on an ongoing basis, which, depending on the needs of the business, may be carried out with or without the assistance of a third party. In addition, quality assurance programs are a best practice to consider. Audit results should be recorded and presented to senior management and audit recommendations should be implemented as appropriate.
The implementation of a consumer complaint-handling system is recommended, but should not be confused with CASL’s requirements regarding the withdrawal of consent.
Finally, the CRTC recommends the adoption of a disciplinary code which addresses contraventions of CASL by employees. In particular, refresher training may be appropriate in certain circumstances, in addition to corrective or disciplinary actions. Recording contraventions and the organization’s response to them is also a suggested course of action.
CLOSING IN ON COMING INTO FORCE
With only 10 days left until CASL’s anti-spam provisions come into force, businesses should ensure that they have all necessary compliance strategies in place to facilitate compliance with the legislation. Once these provisions come into force on July 1, 2014, they will be immediately enforceable and compliance will be required.