Bulletin

The Top 5 Reasons Why Organizations Need a CASL Policy

Fasken
Overview

Information Technology Law Bulletin

On January 6, 2014, we issued a bulletin entitled Ten Key Requirements of the Canadian Anti-Spam Law You Need to Know (John P. Beardwood and Gabriel M. A. Stern), in which we identified ten key issues/requirements of Canada's "anti-spam law" (formally known as An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, but informally and better known as "CASL"), as those requirements apply to commercial electronic messages ("CEMs") and to unsolicited installed programs ("UIPs").

As the date for the anti-spam provisions to come into force rapidly approaches (i.e. July 1, 2014)[1], organizations are increasingly focused on how to become compliant prior to the deadline. Much of this focus, and our advice, has necessarily been on developing both a rapid strategy to obtain express consent for the future delivery of CEMs, and templates to ensure that these CEMs contain the requisite content. However, as we set out below, there are five important reasons why organizations should look beyond immediate short-term compliance and develop and implement a CASL-specific policy.

1. Scope of CASL application to multiple departments

CASL has implications for multiple departments across an organization.  The CEM requirements affect not only the marketing department, and the IT department, but also individual email communications (a common misconception is that CASL only applies to bulk email outs).  In turn, the UIP requirements will affect not only the IT department, in particular where the organization is in the technology space, but also the marketing department to the extent that it uses cookies or other UIPs.

Further, while generally the subject of less attention than emails, CASL applies to other electronic messages, namely: text, sound, voice or image messages to (i) an instant messaging account, (ii) a telephone account, or (iii) somewhat ambiguously, "any similar account".[2]

In short, organizations need to carefully review their communications strategy to ensure that they understand each type of electronic message which they send and the CASL requirements which apply to each.  The optimal approach to manage these multiple touch points at the organizational level, and in particular to ensure that an organization's response does not, advertently or inadvertently, become "siloed", is for an organization to develop and implement an organization-wide CASL policy that addresses the application of CASL to multiple internal stakeholders.

2. Managing the interaction of CASL requirements with other organization policies 

The obligations under CASL necessarily interact with other policies which an organization may have implemented.  By way of example:

  • While another common misconception is that CASL is yet another Canadian privacy law (it is not: the focus is on commercial electronic messages, whether or not they use or include personal information), CASL does nevertheless interact with an organization's privacy policy. For example, where the electronic addresses are identifiable such that they constitute personal information, or the content of the email itself contains personal information, privacy issues will be triggered. In addition, an organization's existing privacy consents may be able to be leveraged as CASL consents, although that will be very much dependent on their content, as CASL requests for consent must contain content that privacy consents do not.[3]
  • Organizations that have "Do Not Call" (or "DNC") policies will have to understand and document a defined line between the application of their DNC and CASL policies. For example, while CEMs include sound or voice messages to a telephone account, they also exclude communications which are interactive two-way voice communications between individuals, facsimiles to a telephone account, and recordings "sent"[4] to a telephone account. For those organizations that have both DNC and CASL compliance issues, implementing separate policies which clearly cross-reference each other will help to clearly delineate the differences for the organization's users.
  • Organizations are increasingly adopting Bring Your Own Device ("BYOD") policies for employees, which prescribe what is and is not permissible with respect to such devices in the workplace and/or in connection with work product. Given that CEMs expressly include texts and electronic messages sent to an instant messaging account[5], BYOD policies will need to be revised to contemplate the CASL requirements for such electronic communications sent using employees' phones and tablets, for example.

3. Complexity of transitioning into compliance: tracking implications

Transitioning an organization into compliance not only requires that some key decision points be made, and documented in a policy, but also effectively imposes certain tracking obligations for companies.  For example:

  • For companies relying on the deemed consent applicable to pre-existing business relationships - for example, where a recipient made a purchase during the two years preceding the sending of the email - that deemed consent has a two-year expiration date, unless the pre-existing business relationship is refreshed by the recipient, for example by making a new purchase. Organizations that intend to rely on that exemption, rather than on express consent, will need to have a customer relationship management ("CRM") system, or equivalent, which is capable of tracking such expiration dates and any refreshes for each recipient.
  • Similarly, organizations may choose to rely to a certain extent on the deemed consent provision where the recipient has (a) disclosed the electronic address to the sender, (b) without indicating a wish not to receive unsolicited commercial electronic messages at such address, and (c) the CEM is relevant to the recipient's business/official role/functions. The most obvious example of such disclosure is a recipient's business card, but to the extent that the organization is relying on that provision, it will need to implement a reasonable system of recording that such card was in fact the source of the electronic address, such that the organization will later be able to evidence same. In light of that requirement, organizations may wish to purchase a business card scanner.

These twin requirements of tracking and evidencing (a) the timing and duration of a recipient's consent, and (b) the source of each electronic address, strongly militate in favour of organizations adopting and implementing a policy which is used as the basis of processes and procedures to accomplish these objectives, in particular if assets will need to be purchased to do so.

4. Enforcement and the Due Diligence Defence

Enforcement Mechanisms

There are various provisions which set out the enforcement framework for CASL.  They include, among others[6]:

a) a mechanism wherein every person who contravenes any of sections 6 to 9 of CASL (that is, with respect to CEM and UIP requirements) commits a violation for which they are liable for an administrative monetary penalty, where the maximum penalty is (i) $1,000,000 in the case of an individual, and (ii) $10,000,000 in the case of any other person ("Violations");

b) personal liability for any officer, director, agent or mandatary of a corporation that commits a contravention of any of sections 6 to 9 of CASL[7], for the contravention or reviewable conduct, as the case may be, if they directed, authorized, assented to, acquiesced in or participated in the commission of that contravention, or engaged in that conduct, whether or not the corporation is proceeded against ("Contraventions and Reviewable Conduct"); and

c) offences, for every person who (i) refuses or fails to comply with a demand to preserve transmission data or a notice to produce a document, or who contravenes the CASL requirement for the person to give all assistance that is reasonably required to enable a designated person to execute a warrant (i.e. non-compliance), or (ii) obstructs or hinders, or knowingly makes a false or misleading statement or provides false or misleading information to, a designated person who is carrying out their duties and functions under this Act (i.e. obstruction or false information), wherein there is also personal liability for any officer, director, agent or mandatary of a corporation that commits an offence if they directed, authorized, assented to, acquiesced in or participated in the commission of the offence, whether or not the corporation is proceeded against ("Offences")[8].

Due Diligence Defences under CASL

However, CASL provides for a due diligence defence in each of the above three contexts, as follows:

1) a person will not be found to be liable for a Violation if they establish that they exercised due diligence to prevent the commission of the Violation.[9]

2) a person will not be found to have committed any Contravention or Reviewable Conduct if they establish that they exercised due diligence to prevent the contravention or conduct, as the case may be.[10]

3) a person will not be convicted of an Offence for "non-compliance" if they establish that they exercised due diligence to prevent the commission of the Offence.[11]

CASL Policy as a Factor in Establishing a Due Diligence Defence

In light of the availability of a due diligence defence as a means to avoid liability for Violations, Contraventions and Reviewable Conduct, and Offences, organizations need to understand what measures they can adopt to support such a defence. As we describe below, one of the key elements of such a defence is the existence of a policy:

  • The test for establishing due diligence is as follows: the accused must establish on a balance of probabilities that (1) it believed in a mistaken set of facts, which, if true, would render the act or omission innocent, or (2) it took all reasonable steps to avoid the particular event that transpired.[12]
  • The determination of whether an accused met the due diligence standard will depend on the facts of each case, including the degree of knowledge expected of the defendant, the extent of the harm or damage caused, and the particular industry and activity involved. In assessing whether an accused took all the steps that could reasonably be expected in the circumstances[13], the court will review a number of factors, including the accused's use of preventative systems.
  • It is important that preventative procedures be documented in a form that goes beyond mere workplace manuals[14] - for example, to the point of being documented as formal policies. Courts will also inquire into whether (a) the policy and procedures met or exceeded standards in the corporation's industry, and (b) the relevant regulatory policy was in fact understood by individuals within the corporation.[15] On that latter point, preventative measures include training programs, internal and external audits, and risk assessments.[16]

In summary, the establishment and adoption (through training, etc.) of a CASL policy appears to be a minimum standard in establishing the due diligence defence. Evidence of continuous, genuine and comprehensive efforts on the part of the corporation to implement a CASL Policy will significantly support a finding that the corporation exercised the required due diligence.

5. Personal Liability for Executives and the Board

Finally, once a CASL Policy has been drafted, at how senior a level of the organization should the policy be reviewed and approved? As we set out below, there are two very good arguments for having the policy reviewed at the officer and Board level.

First, given that in some circumstances CASL imposes personal liability on officers and directors, and that there is a due diligence defence available to those individuals as outlined above, officers and directors obviously have a vested interest in ensuring that that due diligence defence is supported through the adoption and implementation of an appropriate CASL policy.

Second, corporate governance literature regarding the due diligence defence suggests that "senior management" and "high-level personnel" should get involved in the review of corporate regulatory compliance policies.[17] For example, the Competition Bureau has identified the "involvement and support of senior management"[18] as one of five requirements of a proper compliance policy, regardless of the size, complexity, or nature of the corporation.

However, while the Bureau does not specify which individuals fit into the definition of "senior management," it does note that such management should ensure that the board of directors remains alert to the progress of the compliance program and any breaches thereof, and that any compliance policy should be founded upon strong leadership.[19] The Bureau also recommends that (a) a member of senior management should be appointed as a compliance officer and (b) a corporation's compliance model should also include: Corporate Compliance Policies and Procedures, Training and Education, Monitoring, Auditing, and Reporting Mechanisms, and Consistent Disciplinary Procedures and Incentives.[20] This is consistent with the 1996 Delaware Court of Chancery case of Re Caremark International Inc. Derivative Litigation,[21] where the court found that directors may be held personally liable for employee misconduct if the directors "fail to attempt in good faith to assure that a corporate information and reporting system, which the board concludes as adequate, exists."[22]

In summary, evidence that a corporation's board of directors and/or officers approved a policy regarding CASL compliance will likely be viewed favourably by a court/regulator in determining the existence of a due diligence defence.

Conclusion

A CASL policy serves an invaluable role in effectively co-ordinating the organization-wide implementation of CASL across multiple departments; managing the interaction of CASL requirements with other organization policies, such as privacy, DNC and BYOD policies; facilitating the tracking of the timing and duration of a recipient's consent, and the source of each electronic address; and supporting the availability of a due diligence defence in the case of a breach of the legislation. Further, we recommend that such policy be approved at the officer and/or Board level, in particular given the risk of personal liability for such individuals.

Finally, a sixth reason to implement a CASL policy is that as the organization develops new communications methods (whether through social media, SMS or otherwise), those initiatives will need to be assessed for CASL compliance - just as new technology initiatives that may impact personal information need to undergo a privacy impact assessment - and that "CASL impact assessment" will be greatly facilitated by the existence of a CASL policy that documents the organization's decided approach to CASL compliance.


[1] The provisions regarding unsolicited installed programs - including cookies - come into force on January 15, 2015, and the provisions providing for a private right of action come into force on July 1, 2017.

[2] In contrast, the range of excluded messages is very narrow, and consists of a CEM that (a) in whole or in part is an interactive two-way voice communication between individuals, (b) is sent by means of facsimile to a telephone account, (c) is a recording sent to a telephone account (which may exclude a voicemail left on an internet telephone system), or (d) is sent and received on an "electronic messaging service" (unfortunately not defined, but which may include instant messaging) provided that the required form of unsubscribe mechanism is present and the recipient consents to receive it (either expressly or by implication).

[3] Note that CASL states that in the event of a conflict between a provision of CASL and a provision of Part 1 of the Personal Information Protection and Electronic Documents Act, the provision of CASL operates despite the provision of that Part, to the extent of the conflict.  The ambiguity arises from when the two sets of requirements will be said to "conflict", as opposed to being complementary.

[4] It is not clear whether this means only automated messages which are "sent" to an account, or whether it is also intended to include live voicemail messages which are "left" at an account.

[5] Note that there is an exclusion from the CEM definition for an electronic message which is sent and received on an "electronic messaging service" (unfortunately not defined, but which may include instant messaging) provided that the required form of unsubscribe mechanism is present and the recipient consents to receive it (either expressly or by implication).

[6] For example, CASL also contemplates the provision of injunctive relief, and a private right of action (to come into force on July 1, 2017), which if successful can result in a court order requiring the offending person(s) to pay the applicant (a) compensation in an amount equal to the actual loss or damage suffered or expenses incurred, and (b) in the case of a breach of (i) the anti-spam provisions, a maximum of $200 for each breach, not to exceed $1,000,000 for each day on which a breach occurred, and (ii) the UIP provisions, $1,000,000 for each day on which a breach occurred.

[7] Or of section 5 of the Personal Information Protection and Electronic Documents Act that relates to a collection or use described in subsection 7.1(2) or (3) of that Act, or to have engaged in conduct that is reviewable under section 74.011 of the Competition Act.

[8] Every person who commits an Offence is guilty of an offence punishable on summary conviction and is liable (a) to a fine of not more than $10,000 for a first offence or $25,000 for a subsequent offence, in the case of an individual; or (b) to a fine of not more than $100,000 for a first offence or $250,000 for a subsequent offence, in the case of any other person.

[9] CASL, section 33(1).

[10] CASL, section 54(1).

[11] CASL, section 46(2).

[12] R v. Sault Ste. Marie, [1978] 2 SCR 1299 at 1326.

[13] Archibald, Jull, and Roach outline 14 factors which will be assessed by the court to determine whether the accused exercised all the steps that could reasonably be expected in the circumstances:  T.L. Archibald, K.E. Jull, & K.W. Roach, Regulatory and Corporate Liability: From Due Diligence to Risk Management, 2004 at 4-7.

[14] R v. Taggart Construction Ltd. [2007] O.J. No. 5328 (QL) (C.J.), generally.

[15] R. v. Placer Dome (CLA) Ltd. 2006 ONCJ 306 at 78.

[16] The kinds of preventative systems required to demonstrate due diligence were also delineated in R v. Aecon Utilities 2009 ONCJ 706 at 39: annual updating of relevant workplace policies, provision of formal annual training, performance of annual external audits, and weekly meetings on various topics to promote regulatory compliance. Evidence of knowledge management systems (methods of creating, storing, and applying knowledge and information) is also helpful in demonstrating due diligence.

[17] For instance, Archibald et al. recommend a Seven-Step Corporate Compliance Program that involves "high-level personnel" in overseeing the corporation's regulatory compliance effort: T.L. Archibald, K.E. Jull, & K.W. Roach, Regulatory and Corporate Liability: From Due Diligence to Risk Management, 2004 at 7:20:45.10.

[18] Competition Bureau, Corporate Compliance Program, 2010, at p. 7.

[19] Ibid. at p.7.

[20] Ibid. at p.8.

[21] Caremark International Inc. (1996), 698 A (2d) 959 (Del. Ch. 1996).

[22] The Office of Inspector General of the U.S. Department of Health and Human Services and The American Health Lawyers Association, "A Resource for Health Care Boards of Directors", p. 1.

Author

  • John P. Beardwood, Partner | Technology, Media and Telecommunications, Toronto, ON, +1 416 868 3490, jbeardwood@fasken.com

    Subscribe

    Receive email updates from our team

    Subscribe