As the effective date of Canada’s Anti-Spam Legislation (CASL) has passed, and most organizations have scrambled to determine what the legislation means for their organization’s communication channels, we now turn our minds to ongoing corporate compliance. The Canadian Radio-television and Telecommunications Commission (the “CRTC”), the main enforcement body for CASL, released its Compliance and Enforcement Bulletin CRTC 2014-326: Guidelines to help businesses develop corporate compliance programs (the “Guidelines”). The Guidelines set out what the CRTC believes to be best practices for businesses to comply with CASL and, in so doing, provide some guidance for businesses developing a compliance program.
The Guidelines note the limited resources of small and medium-sized organizations and that, as a result, compliance programs will vary widely between organizations. The Commission will assess compliance on a case-by-case basis.
The CRTC states that a corporate compliance program may not provide a complete defence to a violation under CASL. However, it acknowledges that a credible and effective documented corporate compliance program may support a due diligence defence. Further, the program may be considered by the Commission in determining whether a breach is an isolated incident or systematic in nature.
The Guidelines identify the following components that should be included in an effective corporate compliance program:
- Senior management involvement;
- Risk assessment;
- Written corporate compliance policy;
- Record keeping;
- Training program;
- Auditing and monitoring;
- Complaint-handling system; and
- Corrective (disciplinary) action.
Senior Management Involvement
The senior management of a large business should actively and visibly foster compliance within their organization. A member of senior management should take on the role of chief compliance officer, and be responsible and accountable for developing, managing and executing the corporate compliance program.
Small and medium-sized businesses should establish a “point person” who is responsible and accountable for compliance with CASL.
Risk Assessment
A risk assessment should be conducted to determine whether any business activities are at risk of violating CASL. When risks are identified, policies to mitigate those risks should be developed and applied.
Written Corporate Compliance Policy
A written corporate compliance policy should be developed once the risk assessment has been conducted. This policy should be easily accessible to all employees and regularly updated. The Guidelines suggest the policy should address training; auditing and monitoring mechanisms; procedures for dealing with third-party compliance; record keeping, especially with respect to consent; and a mechanism to allow employees to provide feedback to the chief compliance officer or point person.
Record Keeping
Businesses are advised to maintain hardcopy or digital records relating to: commercial electronic message (“CEM”) policies and procedures; unsubscribe requests and actions; evidence of express consent; CEM recipient consent logs; CEM scripts; actioning of unsubscribe requests for CEMs; campaign records; staff training documents; and official financial records.
Training Program
Training is crucial for the implementation of a credible corporate compliance program. A training program, including refresher training, should be developed. For training to be effective, the business should undertake situational training that links daily activities to the business’s policies and procedures. Once training is completed, an employee should provide written acknowledgement that they understand the corporate compliance program. The business should monitor employee comprehension of the policy and evaluate the effectiveness of the training at regular intervals, updating the program as necessary.
Auditing and Monitoring
Auditing should be undertaken at regular intervals and may involve developing a quality assurance program that monitors a statistically significant percentage of the business’s email marketing campaigns. Following an audit, the business should address any recommendations and modify the corporate compliance policy as required.
Complaint-Handling System
A complaint-handling system, which allows a customer to submit complaints to the business, should be put in place. This is not to be confused with the CASL requirements regarding withdrawal of consent.
Corrective (Disciplinary) Action
Businesses should establish an organizational disciplinary code to address contraventions. As appropriate, businesses should take corrective or disciplinary action, or provide refresher training. Records of contraventions and actions taken in response should be maintained.
In the first few days of CASL coming into effect, the CRTC reported that it had received over 1,000 complaints against businesses. The CRTC’s resources are not unlimited, and the CRTC has said that it will use its resources to address systemic issues and issues where there is, or may be, the greatest harm. However, it also noted that it will look into every complaint. While businesses cannot stop people from filing complaints, they can ensure they have a solid, documented and credible compliance program to show regulators if and when they do come knocking.