CASL is now in force
As of July 1st, individuals and organizations who send or receive commercial electronic messages (CEMs) in Canada must comply with Canada’s Anti-Spam Legislation (CASL)’s anti-spam provisions. With CEMs being broadly defined, many organizations are caught by CASL.
Guidelines to help organizations develop corporate compliance programs
On June 19, 2014, the Canadian Radio-television and Telecommunications Commission (CRTC) issued Compliance and Enforcement Information Bulletin CRTC 2014-326 (Guidelines to help businesses develop corporate compliance programs) (the Compliance Guidelines).
The stated purpose of the Compliance Guidelines is to provide general guidance and best practices on the development of corporate compliance programs to facilitate compliance with CASL as well as the CRTC’s Unsolicited Telecommunications Rules (the Rules).
The CRTC acknowledges in the Compliance Guidelines that no two organizations are the same and that every organization has different risks. As a result, compliance programs will vary depending on the size of an organization, its risk profile, and its available resources.
Why should a corporate compliance program matter to you and your organization?
In the Compliance Guidelines, the CRTC expressly states the following:
“Commission staff may take into consideration the existence and implementation of an effective corporate compliance program if the business presents the program as part of a due diligence defence in response to an alleged violation of the Rules or CASL. Although the pre-existence of a corporate compliance program may not be sufficient as a complete defence to allegations of violations under the Rules or CASL, a credible and effective documented program may enable a business to demonstrate that it took reasonable steps to avoid contravening the law. Thus, the program may support a claim of due diligence. As well, Commission staff can take the existence of such a program into consideration when determining whether a violation of the Rules or CASL is an isolated incident or is systemic in nature, and whether sanctions against a business should include AMPs [Administrative Monetary Penalties].”
Given the potential for serious consequences under CASL (i.e., AMPs of up to $10 million per violation for organizations, personal liability for directors and officers, vicarious liability for employees’ actions, and a private right of action (which right commences on July 1, 2017)), developing a corporate compliance program, if one has not already been developed, should be on an organization’s ‘to do’ list, especially in light of the CRTC’s comments above.
Components of a corporate compliance program
The Compliance Guidelines set out the components of a corporate compliance program that the CRTC believes are important. The Compliance Guidelines do note that the information contained therein is not intended to be exhaustive or prescriptive, and that the CRTC recognizes that organizations may take other reasonable steps to comply with CASL and/or the Rules.
Under the Compliance Guidelines, the following are the suggested components of a corporate compliance program:
1. Senior Management Involvement
For larger organizations, senior management should consider playing an active and visible role in fostering a culture of compliance within the whole organization. In addition, thought should be given to giving a member of senior management the responsibility of overseeing the development, management and execution of the organization’s corporate compliance program. For smaller organizations, thought should be given to identifying a person who could be responsible for ensuring an organization’s compliance.
2. Risk Assessment
The person with responsibility (as identified above) should consider conducting a risk assessment to determine which activities of the organization are at risk for constituting a violation under CASL or the Rules.
3. Written Corporate Compliance Policy
Following the completion of a risk assessment, the person with responsibility (as identified above) should consider, in collaboration with others within an organization, developing a written corporate compliance policy. If such a written policy is created, it will be important to ensure that it is readily accessible by everyone within an organization, and that it is kept up-to-date and appropriately reflects how CASL is being interpreted. The Compliance Guidelines note that a policy may also:
a) establish internal procedures for compliance with the Rules and/or CASL;
b) address related training that covers the policy and internal procedures;
c) establish auditing and monitoring mechanisms for the corporate compliance program;
d) establish procedures for dealing with third parties (for example, partners and subcontractors) to ensure that they comply with the Rules and/or CASL;
e) address record keeping, especially with respect to consent; and
f) contain a mechanism that enables employees to provide feedback to the chief compliance officer or point person.
4. Record Keeping
The benefits of good record keeping are highlighted in the Compliance Guidelines. Of the six benefits listed, the last one may be of great benefit to an organization: “establish a due diligence defence in the event of complaints to the Commission against the business.” The Compliance Guidelines also suggest that certain records and documents be maintained in hard copy and/or electronic records. The list set out in the Compliance Guidelines is worth reviewing.
5. Training Program
Providing training on a corporate compliance program, and providing appropriate follow-up, will be vital to helping an organization ensure that its representatives understand their obligations. In respect of training, the Compliance Guidelines go as far to suggest that representatives of an organization provide, following training, written acknowledgements that they understand the organization’s corporate compliance policy. In addition to training, an organization should consider monitoring legislative or regulatory changes, and adjusting the corporate compliance policy, and applicable training, accordingly.
6. Auditing and Monitoring
To help prevent and detect non-compliance, and to assess the effectiveness of the corporate compliance program, an organization should consider performing on-going monitoring and periodic auditing. The results of audits should be recorded, maintained and communicated to the appropriate individuals within an organization, and changes to the corporate compliance policy and corporate compliance program should be made, where appropriate.
7. Compliant-handling System
The Compliance Guidelines suggest that organizations put into place a complaint-handling process so individuals can submit complaints to an organization, and that the organization should try to resolve complaints within a reasonable period of time. The CRTC notes that “the complaint-handling system should not be confused with the requirements in the Rules and CASL regarding the withdrawal of consent.”
8. Corrective (Disciplinary) Action
The Compliance Guidelines suggest that organizations should consider taking corrective or disciplinary action against its representatives to address non-compliance with the corporate compliance policy. Such action may, where appropriate, include refresher training.
Section 8 of CASL (installation of computer programs)
On January 15, 2015, CASL’s provisions pertaining to the installation of computer programs (including applications or “apps”) comes into force. There remain many unanswered questions about these provisions, and we are waiting for interpretational guidance from the government.
In my role as the Chair of the Canadian IT Law Association (IT.CAN)’s Public Affairs Forum, I will be chairing a session for IT.CAN on September 9th entitled “CASL Section 8 Session with the CRTC and Industry Canada“. Participating in this session will be representatives from both the CRTC and Industry Canada. If you have any questions, comments or concerns regarding section 8 of CASL (installation of computer programs) that you would like me to bring forward at the session, please feel free to contact me at firstname.lastname@example.org.
If you would like to follow me on Twitter®, you can find me @canadaantispam.