Planning for Canada’s anti-spam legislation (CASL) – Suggestions for auditing your organization’s current electronic communications practices

In the December 2013 issue of this newsletter, we reported that the anti-spam provisions of Canada’s anti-spam legislation (CASL) will be coming into force on July 1, 2014. In that article, we highlighted how and why CASL applies to charitable and not-for-profit organizations, and we noted that there are a number of steps that charitable and not-for-profit organizations can take when developing their CASL compliance strategies.

This article focuses on the first important step of any CASL compliance planning: auditing an organization’s current electronic communications practices.

Without a comprehensive understanding of the nature and the flow of electronic messages within and outside of an organization, it will be very difficult for an organization to put into place effective and appropriate policies, procedures, and/or computer systems and networks in order to ensure that the organization is CASL compliant.

There are a number of questions an organization should ask itself when undertaking an audit (sometime referred to as a “gap analysis”) of its current electronic communications and other practices. These questions will enable the organization to determine the issues that must be addressed in order to bring itself into compliance with CASL. These questions may include:

1. What forms of electronic communications does the organization use to communicate with internal and external parties? (e.g., email, instant messaging, text messaging/SMS, social networks (e.g., Facebook®, LinkedIn®, Twitter®), other electronic services (e.g., portals or web-forums))
2. On behalf of which entities does the organization send out electronic communications? (e.g., primary organization, related or affiliated organizations)
3. To whom does the organization send external electronic communications? (e.g., clients/customers, potential clients/customers, volunteers, other charitable and not-for-profit organizations, landlords and/or subtenants, government/quasi-government bodies, suppliers, other)
4. For each of the communications media listed above in Question #1, what information about the primary organization, or one of its affiliated or related entities, is included with each message that is sent? (e.g., email signatures, other identifiers)
5. Does the organization presently request consent to send electronic communications to recipients? If yes, how are these requests made?
6. Does the organization track the manner in which the contact information of recipients of its messages is received by the organization? (e.g., whether the organization obtained the information from a business card, email, program/event registration, referral, etc.)
7. Does the organization add its contacts to a contacts list, database, or customer relationship management (CRM) software?
8. Does the organization use, or permit someone else to use, any email address harvesting programs to collect email address to add to any contact lists?
9. Does the organization use any email addresses that have been collected, either by it or by a third party, by means of an email address harvesting program?
10. Does the organization purchase any email address lists from any third parties? If yes, who are the lists purchased from, and what does the organization do with the email addresses that it purchases?
11. Do the methods by which the organization collects personal information through the use of computer systems, either directly or by permitting someone else to do so, as well as the use made of this information, comply with all legal requirements?
12. Does the organization rely upon any third parties to communicate electronically with anyone on its behalf? (e.g., do any third parties send out emails on behalf of the organization or do any third parties send out messages on behalf of the organization through any social media channels?)
13. Does the organization perform any electronic messaging on behalf of any third parties, or make available any email addresses to any third parties? (e.g., industry, professional associations, other third parties) If yes, why does the organization make such email addresses available to the third parties, and what do the third parties do with such email addresses?
14. Does the organization alter, or cause to be altered, the transmission data in any electronic messages? (e.g., the organization causes an electronic message to be sent to a destination that is different from that which the sender intended)
15. Does the organization install, or cause to be installed, a computer program on any other person’s computer system? (e.g., offer software to clients/customers/volunteers/etc. so they can use it to interact with the organization through an online portal or other electronic means)
16. Does the organization use, or make available for use by someone else, any software programs or websites that collect, unknown to users, information about such users (e.g. cookies)?
17. If an organization answers yes to Question 15 above, are any of the following functions performed by such computer program(s):

(a) collecting personal information stored on the other person’s computer system;

(b) interfering with the owner’s or an authorized user’s control of the computer system;

(c) changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system;

(d) changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system;

(e) causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system; or(f) installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system? 

Upon conducting this review and collecting this information, organizations should speak to their advisors to develop a plan to bring them into CASL compliance. As is clear from the list of questions above, the new legislation has implications that impact nearly all aspects of an organization’s electronic communications and data collection activities. Given the scope of the issues that must be addressed, and the fast-approaching deadline by which an organization must be CASL compliant, organizations should waste no time in beginning to develop their CASL compliance strategy.

Unfortunately, effectively developing and implementing a CASL compliance strategy requires a considerable investment of time and energy as well as financial, human and other resources. In light of the limited resource challenges faced by many organizations in the charitable and not-for-profit sector, becoming CASL compliant will likely be more onerous for these organizations. Regrettably, this point did not seem to resonate particularly well with the Canadian government when it implemented CASL.

Notwithstanding the challenges, it is important that all organizations bring themselves into compliance with CASL. Non-compliance with CASL may lead to significant consequences and penalties, including: (i) the imposition of major monetary penalties; (ii) corporate officers and directors being held personally liable for corporate violations; (iii) vicarious liability arising for violations committed by employees or agents; (iv) a private right of action (including the possibility of a class-action lawsuit) against an organization and the individuals who work or volunteer for the organization; and (v) reputational risks. 

If you would like to discuss CASL and its requirements, please contact your Miller Thomson LLP advisor or the author.