Since Canada's anti-spam legislation (CASL) was enacted in 2014, businesses have been faced with the challenge of keeping adequate records of their authority to send commercial electronic messages under CASL’s various categories of express and implied consent. As the CRTC began CASL enforcement actions, the ability of companies to prove that they had appropriate consent under the law, and to respond to CRTC production notices requesting consent records, became a topic of increasing concern. However, as little information was publicly disclosed about enforcement proceedings undertaken to date, the full extent of the CRTC’s expectations regarding consent records was unclear.
The CRTC has now issued public guidance on keeping records of consent in an Enforcement Advisory notice published July 27. Businesses and individuals sending commercial electronic messages should keep physical or electronic copies of: (1) all evidence of express and implied consent; (2) documentation regarding the methods through which consent was collected; (3) policies and procedures regarding CASL compliance; and (4) all unsubscribe requests and resulting actions.1 Businesses that have not yet taken steps to ensure this information is consistently recorded in an accessible manner or to develop CASL policies and procedures should do so as soon as practicable. Although the Enforcement Advisory is not a binding regulation under the Act, the adage that "ignorance of the law excuses no man" is applicable: companies subject to a CASL enforcement proceeding can expect little leeway from the CRTC for failing to implement the record-keeping procedures it has now published.
What You Need To Know
- Evidence of consent, as well as unsubscribe requests, may come in many different forms. Regardless of whether in the form of audio recordings, copies of signed consent forms, or employee records of having obtained verbal consent, the sender must keep a copy of the record in a format that can be promptly retrieved on request.
- Scrutiny of policies and procedures: Although CASL does not require that businesses make their CASL policies publicly available (unlike the openness principle in the Personal Information Protection and Electronic Documents Act that effectively requires organizations to publish their privacy policies), CASL compliance policies and procedures should be drafted with the expectation that they will be reviewed by the regulator. The CRTC Advisory, and past enforcement actions, indicate that the regulator will request and review policies and procedures in the course of compliance investigations. In addition, businesses should ensure that their records of consent, unsubscribe requests and other actions actually conform to the record-keeping procedures set out in their internal compliance documentation.
- Benefits of good record-keeping include establishing a due diligence defence in the case of a CASL violation, facilitating the resolution of consumer complaints, identifying potential non-compliance issues and implementing corrective actions before any regulatory enforcement is commenced. CASL compliance officers should communicate the benefits, as well as the regulatory imperatives, to consent record-keeping within their organizations to encourage executive and operational attention to appropriate policy-making, training and internal audits.
1 Enforcement Advisory – Notice for businesses and individuals on how to keep records of consent: http://news.gc.ca/web/article-en.do?nid=1104989.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2019 by Torys LLP.
All rights reserved.