By Tricia Kuhl (Partner), Laurie Birbilas (Associate) and Céline Poitras (Associate), Blake, Cassels & Graydon LLP (Blakes)
Designed as one of the most stringent anti-spam regimes in the world, Canada's Anti-Spam Legislation (CASL) imposes significant restrictions on the use of electronic messages (e-messages) to encourage participation in commercial activities. Most of CASL, including the rules applicable to commercial electronic messages, came into force on July 1, 2014. Provisions related to the unsolicited installation of computer programs will come into force on January 15, 2015. Organizations will therefore need to build and implement compliance programs that meet CASL's strict standards. This list sets forth ten compliance strategies that organizations may wish to implement to get onside with the law.
1. Identify Current Practices
As a first step, your organization should identify its current practices for sending e-messages and installing computer programs. To do so, your organization may wish to prepare a list of all e-messages which it sends to or from a computer system in Canada, as well as a list of all computer programs and functionalities of same that your organization installs on computer systems in Canada. You should also identify the ways in which you are seeking consent (opt-in vs. opt-out) and the various sources from which obtain the names and contact information of individuals to which e-messages are sent.
2. Assess which E-Messages and Computer Programs are Covered by CASL
Once you have prepared a list of the types of e-messages your organization is sending, you will need to categorize these e-messages in order to identify those which fall under the scope of CASL. To this end, you will need to identify the e-messages that are "commercial" in nature and the e-messages that are being sent to an "electronic address" in Canada. You should similarly categorize the types of computer programs that your organization installs. These steps will allow you to consider whether there are any exceptions or exemptions that apply to the categories of e-messages or computer programs installed.
3. Assess Status of Consents
Once you have determined the e-messages that are covered by CASL, you will need to assess the current status of consents. First, you should examine whether opt-in express consent has been obtained from any of the e-message recipients and ensure that any opt-in consents already obtained meet CASL standards. Likewise, you should examine whether appropriate consent has been obtained from or notices given to any of the computer program users (note that the type of consent and notice required depends on the type of computer program). Second, you should assess whether consent may be implied from any of the recipients or users (e.g. based on an existing business relationship, an existing non-business relationship or because the recipient has conspicuously published or voluntarily disclosed their e-address without indicating that they do not wish to receive e-messages).
4. Develop Appropriate Consent Language and Processes
The next step will be to implement appropriate consent language and processes. To that end, your organization will need to develop a prescribed form for e-messages, as well as consent language and appropriate disclosures and notices for the installation of computer programs.
5. Upgrade Implied Consent and Obtain Express Consent as Necessary
To the extent possible, implied consents should be upgraded to express consents. In other words, your organization may take advantage of existing implied consents to secure express consents which do not expire and remain valid until consent is withdrawn.
6. Ensure Unsubscribe Mechanism is Operational and Complies with Prescribed Requirements
Your organization must also implement a functional unsubscribe mechanism that enables recipients to indicate (at no cost to them) that they no longer wish to receive Commercial Electronic Messages (CEMs) from the sender. This unsubscribe mechanism must be included in every CEM that is sent from or on behalf of the organization and it must be valid for at least 60 days after the CEM is sent. Further, effect must be given to the unsubscribe mechanism without delay and in any case within 10 business days.
7. Implement Robust Data Management and Operational Controls
Going forward, your organization should implement a system to manage and update the lists of individuals who have provided consent. Date-tracking should be used to monitor occurrences of implied consent and when such implied consents will lapse. It is also important to record the purposes for which and the manner in which consent was obtained. We note that particular attention will need to be given to consent obtained orally for evidentiary reasons.
8. Adopt Internal Policies and Guidelines and Training Programs
All individuals who send messages on the organization's behalf should be are aware of their obligations under CASL. Your organization will therefore need to adopt internal policies and guidelines and training programs to educate its staff and upper management. It may be necessary to develop a presentation to management and select employees on how to comply with the policy and guidelines. In particular, a presentation to upper management should explain the compliance program and penalties as well as differences between the Canadian regime and applicable international regimes. Your organization may also wish to develop a compliance policy and guidelines explaining "do's and don'ts" for employees in a way that simplifies the more complex requirements of the law in a targeted fashion. To ensure that your employees are complying with the strict requirements of CASL, you may wish to develop an internal disciplinary system for non-compliance.
9. Adjust and Adapt Contracts
In addition to the actions of employees or agents representing your organization, CASL also requires that your organization consider the practices of other organizations that send CEMs on its behalf. Accordingly, you should review contracts with vendors and service providers that send CEMs on behalf of the organization to ensure that such entities are contractually obligated to comply with CASL. You should also assess and adapt any contracts or communications with clients or prospective clients to seek express consent (where applicable).
10. Follow-Up
Once you have completed all of the foregoing steps, it is critical that you develop audit practices and monitor compliance on an ongoing basis. Further, we note that these follow-up practices may assist in the preparation of a due diligence defence if ever it is required.
Conclusion
As the main provisions came into force on July 1, 2014, businesses should ensure that they have all necessary compliance strategies in place to facilitate compliance with the legislation. The ten strategies discussed above provide guidelines for organizations to maintain compliance with CASL
