Canada: Developing An Organizational Compliance Program Under Canada's Anti-Spam Legislation (CASL)

CASL is now in force

As of July 1st, individuals and organizations who send or receive commercial electronic messages (CEMs) in Canada must comply with Canada's Anti-Spam Legislation (CASL)'s anti-spam provisions.  With CEMs being broadly defined, many organizations, including registered charities and not-for-profit organizations, are caught by CASL.

Guidelines to help organizations develop organizational compliance programs

On June 19, 2014, the Canadian Radio-television and Telecommunications Commission (CRTC) issued Compliance and Enforcement Information Bulletin CRTC 2014-326: Guidelines to help businesses develop corporate compliance programs (the "Compliance Guidelines").

The Compliance Guidelines' stated purpose is to provide general guidance and best practices on the development of organizational compliance programs to facilitate compliance with CASL as well as the CRTC's Unsolicited Telecommunications Rules (the "Rules").

The CRTC acknowledges in the Compliance Guidelines that no two organizations are the same and every organization has different risks.  As a result, compliance programs will vary depending on the size of an organization, its risk profile, and its available resources.

Why should an organizational compliance program matter to you and your organization?

The Compliance Guidelines expressly state the following:

"Commission staff may take into consideration the existence and implementation of an effective corporate compliance program if the business presents the program as part of a due diligence defence in response to an alleged violation of the Rules or CASL. Although the pre-existence of a corporate compliance program may not be sufficient as a complete defence to allegations of violations under the Rules or CASL, a credible and effective documented program may enable a business to demonstrate that it took reasonable steps to avoid contravening the law. Thus, the program may support a claim of due diligence. As well, Commission staff can take the existence of such a program into consideration when determining whether a violation of the Rules or CASL is an isolated incident or is systemic in nature, and whether sanctions against a business should include AMPs [Administrative Monetary Penalties]."

Given the potential for serious consequences under CASL (i.e., AMPs of up to $10 million per violation for organizations, personal liability for directors and officers, vicarious liability for employees' actions, and a private right of action commencing  July 1, 2017), developing an organizational compliance program should be on an organization's 'to do' list, especially in light of the CRTC's comments above.

Components of an organizational compliance program

The Compliance Guidelines set out the components of an organizational compliance program that the CRTC believes are important.  This CRTC does not intend this information to be exhaustive or prescriptive , and organizations may take other reasonable steps to comply with CASL and/or the Rules.

The Compliance Guidelines' suggested components of an organizational compliance program are as follows:

1.  Senior Management Involvement

Senior management of larger organizations should consider playing an active and visible role in fostering a culture of compliance within the whole organization.  In addition, thought should be given to giving a member of senior management the responsibility of overseeing the development, management and execution of the organization's compliance program.  For smaller organizations, thought should be given to identifying a person who could be responsible for ensuring an organization's compliance.

2.  Risk Assessment

The person responsible for overseeing compliance should consider conducting a risk assessment to determine which activities of the organization are at risk for constituting a violation under CASL or the Rules.

3.  Written Organizational Compliance Policy

Following the completion of a risk assessment, the person with responsibility should consider developing a written organizational compliance policy.  The policy should be made readily accessible to  everyone within the organization, kept up-to-date and appropriately reflect how CASL is being interpreted.  The Compliance Guidelines note that a policy may also:

a)      establish internal procedures for compliance with the Rules and/or CASL;

b)      address related training that covers the policy and internal procedures;

c)      establish auditing and monitoring mechanisms for the corporate compliance program;

d)      establish procedures for dealing with third parties (for example, partners and subcontractors) to ensure that they comply with the Rules and/or CASL;

e)      address record keeping, especially with respect to consent;  and

f)       contain a mechanism that enables employees to provide feedback to the chief compliance officer or point person.

4.  Record Keeping

The benefits of good record keeping are highlighted in the Compliance Guidelines.  Of the six benefits listed, the last one may be of great benefit to an organization: "establish a due diligence defence in the event of complaints to the Commission against the business."  It is also suggested that certain records and documents be maintained in hard copy and/or electronic records.  The list set out in the Compliance Guidelines is worth reviewing.

5.  Training Program

Providing training on an organizational compliance program, and providing appropriate follow-up, will be vital to helping an organization ensure that its representatives understand their obligations.  In respect of training, the Compliance Guidelines go so far as to suggest employees provide, following training, written acknowledgements that they understand the organization's compliance policy.  In addition to training, an organization should consider monitoring legislative or regulatory changes, and adjusting their organizational compliance policy, and applicable training, accordingly.

6.  Auditing and Monitoring

To help prevent and detect non-compliance, and to assess the effectiveness of the organizational compliance program, an organization should consider performing on-going monitoring and periodic auditing.  The results of audits should be recorded, maintained and communicated to the appropriate individuals within an organization, and changes to the organizational compliance policy and program should be made, where appropriate.

7.  Complaint-handling System

The Compliance Guidelines suggest that organizations put into place a complaint-handling process and that the organization should try to resolve complaints within a reasonable period of time.  The CRTC notes that "the complaint-handling system should not be confused with the requirements in the Rules and CASL regarding the withdrawal of consent."

8.  Corrective (Disciplinary) Action

The Compliance Guidelines suggest that organizations should consider taking corrective or disciplinary action against its representatives to address non-compliance with the organizational compliance policy.  Such action may, where appropriate, include refresher training.

Section 8 of CASL (installation of computer programs)

On January 15, 2015, CASL's provisions pertaining to the installation of computer programs (including applications or "apps") comes into force.  There remain many unanswered questions about these provisions, and we are waiting for interpretational guidance from the government.

In my role as the Chair of the Canadian IT Law Association (IT.CAN)'s Public Affairs Forum, I will be chairing a session for IT.CAN on September 9th entitled "CASL Section 8 Session with the CRTC and Industry Canada".  Participating in this session will be representatives from both the CRTC and Industry Canada.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.