Editor’s note: Last week, Maanit Zemel discussed what Canada’s Anti-Spam Legislation (CASL) is and why it matters to your business, no matter where in the world you may be located. She also mentioned that a good CASL compliance policy could go a long way in protecting you. In today’s post, Maanit provides you with the seven steps you need to take to prepare an effective CASL compliance policy. Enjoy!
For even more information and tips on CASL, listen to episode #025 of The Crisis Intelligence Podcast.
Tips for preparing a CASL compliance policy
By Maanit Zemel
In my last blog submission, I gave an overview of Canada’s Anti-Spam Legislation (CASL) and briefly explained why it is important for organizations and businesses to develop and implement effective CASL compliance policies. For one, if you are not in compliance with CASL’s rules regarding the transmission of commercial electronic messages (CEMs), you can face very significant consequences. Second, if a regulatory proceeding is commenced against your organization, one of the only defences available to you is the “due diligence” defence. However, without having developed and implemented a reasonable CASL compliance policy that is tailored to your business’ or organization’s communication practices, you may not be able to rely on the “due diligence” defence.
Although there is no “one policy fits all”, following are some of the steps that each organization should take when developing its CASL compliance policy.
Step #1: Get to Know CASL
- Get to know CASL and its requirements.
- Educate your executives on CASL.
- “Get your Board onboard” – bring the issue to the attention of your board of directors, as they may need to make some important risk management decisions.
Here’s a good place to get started with this step: Episode #025 of The Crisis Intelligence Podcast – Canada’s Anti-Spam Legislation (CASL) with Maanit Zemel
Step #2: Conduct a Preliminary Audit
- Conduct a preliminary audit of your organization’s contacts and the manner in which those contacts were obtained.
- Conduct a preliminary audit to understand what commercial electronic messages your organization sends and to whom.
Step #3: Obtain Consents (remember that CASL regulates that all CEMs to Canadians must be “opt-in”)
- Prepare consent forms to use for new contacts and customers and then use them for each new contact/customer.
- Insert consent requests into all relevant documentation (contracts, sign-up sheets, newsletters, marketing materials, responses to quotes, etc).
- Insert consent requests into all on-line forms.
- Address “Consent, Information & Unsubscribe” requirements with any third parties that communicate on behalf of your organization.
Step #4: Include the Prescribed Information
- Every commercial electronic message should contain the sender’s name and contact information and the information of any party the electronic message is sent on behalf of.
- Every commercial electronic message should contain a statement that the recipient can unsubscribe from receiving further electronic messages.
- Every commercial electronic message should have an unsubscribe mechanism.
- Create systems to ensure unsubscribe requests are implemented within 10 days of receipt.
Step #5: Establish Processes for Tracking Consents and Unsubscribes
- Establish processes for tracking those who have consented, the dates of consent and the manner of consent (preferably through an automated system).
- Establish processes for tracking consents given orally or in hard copy form.
- Establish processes for tracking implied consent.
- Establish processes for tracking unsubscribes.
- Create a centralized database for all contacts and ensure all emails are vetted through the centralized database.
Step #6: Draft CASL Compliance Policies
- Develop an internal CASL compliance policy, which would depend upon your organization’s communication practices and risk tolerance. For example, while some organizations’ policies may require employees to obtain express consents before sending out any electronic messages, others may rely on the implied consent provisions of CASL and/or some of the CASL exemptions.
- Conduct in-house training for staff.
- Develop a website CASL compliance statement.
- Update your privacy policies to ensure compliance with CASL’s privacy requirements.
- Develop CASL compliance terms and indemnification terms for third-party contracts.
Step #7: Closing and Future Audits
- Conduct a closing audit after you have completed all of your CASL compliance steps to double check that nothing has slipped through the cracks.
- Conduct regular or random audits (for example, annual or semi-annual) to ensure compliance with the policies and to determine whether changes to the policies are needed.
I strongly recommend that your organization obtain legal advice when going through this process and developing its CASL compliance policies. I also do not recommended that you copy other organizations’ policies and use them as your own. After all, each organization is unique and so are its CASL compliance policies.
*DISCLAIMER: This blog is made available to the general public for information / educational purposes only and is not meant as legal opinion or advice. Readers are cautioned against acting on information provided in this publication without first seeking specific legal advice with respect to their unique circumstances.
Maanit Zemel is a lawyer and the founder of MTZ Law, an internet law and commercial litigation boutique law firm in Toronto. Ms. Zemel has substantial experience and expertise in internet law, including Canada’s Anti-Spam Legislation (CASL), online defamation, and cyberbullying. Ms. Zemel also has substantial experience in commercial litigation involving domestic and international disputes. In addition, Ms. Zemel is an adjunct professor at Ryerson University in Toronto, where she teaches business law. Connect with her on LinkedIn and follow her on Twitter.