On June 19, 2014, the Canadian Radio-television and
Telecommunications Commission (CRTC) published a new bulletin concerning
Canada’s anti-spam legislation (CASL). Compliance and Enforcement Bulletin CRTC
2014-326 (the “Bulletin”) provides guidelines from the CRTC to help businesses develop
corporate compliance programs.
The Bulletin provides “general guidance and best
practices” for businesses, but will also be of assistance to charities and
non-profit organizations where their activities include the sending of
“commercial electronic messages” (CEM) as set out in CASL. This Charity Law Bulletin provides a summary of some of the guidance and
best practices contained in the Bulletin which may have some application to
charities and non-profit organizations.
Although the Bulletin provides advice on preparing a
compliance program for both the CRTC Unsolicited Telecommunications Rules (referring to the Do Not Call List) and for CASL, the focus of this Charity
Law Bulletin will be on the advice the Bulletin contains with regard to
establishing a compliance program for CASL. Charities and non-profit
organizations conducting activities that the Unsolicited Telecommunications
Rules apply to are encouraged to refer directly to the Bulletin for
B. PREPARING A COMPLIANCE PROGRAM
As noted in previous Charity Law Bulletins and Charity
Law Updates, violations of CASL may result in significant penalties. A
charity or non-profit organization may have to pay a monetary fine if it is
found not to have complied with CASL. As well, section 31 of CASL states that
the directors and officers of corporations may be liable if they “directed,
authorized, assented to, acquiesced in or participated in the commission of the
In this regard, the only defence under CASL for a
violation is where the organization can demonstrate that it exercised due
diligence. As such, the Bulletin states that implementing a compliance program may
“(i) reduce the likelihood of businesses violating… CASL, and (ii) help
business establish a due diligence defence in the case of a violation…”
However, it is important to note that the Bulletin also indicates that “the
pre-existence of a corporate compliance program may not be sufficient as a
complete defence”. As such, while having a compliance program, including a CASL
policy, will be of assistance to charities or non-profit organizations involved
in sending CEMs, the mere adoption of such a program will not always be
sufficient to protect the organization where a breach of CASL occurs.
The Bulletin also notes that it should not be read as
“prescriptive”, as it does not constitute legal advice, nor is it intended by
the CRTC to be exhaustive. As well, the CRTC, although in reference to
businesses, notes that “small and medium-sized business do not have the
resources that large corporations have”. One would assume that this comment applies
equally to smaller charities and non-profit organizations who may not have the
same capacity as larger organizations, given the disparity of size and
resources in the not-for-profit sector.
1. Elements Identified by CRTC as Components of a Compliance Program
The following components of a compliance program are
identified in the Bulletin:
· Senior management involvement;
· Risk Assessment;
· Written corporate compliance policy;
· Record keeping;
· Training program;
· Auditing and monitoring;
· Complaint-handling system; and
· Corrective action.
The Bulletin provides illustrative examples concerning
how each of these elements may vary depending upon the size of the organization.
For example, concerning the involvement of senior management, it is suggested
that “a member of the senior management could be named as the business’s chief
compliance officer” so that this person can be the individual responsible for
CASL within the organization. With regard to smaller organizations, the Bulletin
suggests that the organization could “identify a point person who is
responsible and accountable for compliance”.
2. Summary of Program Components
a) Maintaining and Reviewing an Up-to-date Policy
As discussed in previous Charity Law Updates, part
of demonstrating due diligence under CASL may involve developing a policy in
order to educate employees or volunteers concerning the obligations of the
charity or non-profit organization under the legislation.
In this regard, the Bulletin provides some helpful
guidance concerning what issues the policy might address. These include, for
· Establish internal procedures for compliance;
· Address related training that covers the policy and internal
· Establish auditing and monitoring mechanisms;
· Establish procedures for dealing with third parties;
· Address record keeping; or
· Provide a feedback mechanism for employees to persons responsible
The Bulletin also stresses that a policy should be
“easily accessible to employees, including managers”. As well, the policy
should be reviewed regularly to ensure that it is up to date. It is not clear
whether “accessible” means easy to find, or easy to understand in this context.
However, if employees are not able to find the policy, or not able to follow it
once they do, the policy will not likely be seen by the CRTC as an aid in
establishing due diligence.
b) Proving Compliance
As a review, charities or non-profit organizations that
send a CEM must be able to demonstrate that they have consent, either express
or implied, to do so. While an organization may have obtained express consent
in the past, if there is no record of that express consent available, then the
organization may as well have had no consent. In this regard, the Bulletin also
includes some suggestions concerning the types of records, either physical or
electronic, that an organization may want to have on hand in establishing a
compliance program. With respect to the types of records that an organization
may want to keep concerning CASL, the Bulletin includes the following:
· CEM policies and procedures;
· All unsubscribe requests and actions;
· Evidence of express consent;
· CEM consent logs;
· CEM scripts;
· Actioning unsubscribe requests for CEMs;
· Staff training documents; and
· Official financial records.
Some elements appear repetitive, such as keeping records
of “unsubscribe requests and actions” and “actioning unsubscribe requests”.
These suggestions emphasize, however, the need to maintain records that
demonstrate compliance with CASL. For example, unsubscribe requests need to be
made effective within 10 days in accordance with CASL. In this regard, it would
be prudent for charities and non-profit organizations that need to comply to keep
records that indicate that these requests are actioned within the timeline
prescribed in the legislation. This comment would apply equally to other
obligations under CASL.
c) Continuous Monitoring and Improvement
The record keeping practices suggested in the Bulletin
recommend keeping records of training documents. In this regard, although a
policy is one helpful element of establishing due diligence, it will also be
important to make sure that employees and volunteers are trained on all other
aspects of the compliance program being implemented.
The Bulletin recommends not only developing a training
program, but that it should include “refresher training, regarding the
corporate compliance policy for current and new employees, including managers”.
It is also suggested in the Bulletin that those who complete the training sign
a “written acknowledgement that they understand the corporate compliance
policy, and these written acknowledgements should be recorded and maintained”.
There are also recommendations in the Bulletin with
respect to auditing and monitoring the compliance program. This is a helpful
suggestion, and although not every organization may have the resources to
undertake this type of review, at a minimum some form of monitoring mechanism
should form part of the compliance program. It should be noted that the
Bulletin suggests that the “results of all audits should be recorded,
maintained, and communicated to senior management”. Keeping records of this
kind will help demonstrate that not only does the organization have a
compliance program, which may include a policy, but that the compliance program
is regularly reviewed to see that employees and volunteers are following it.
Lastly, the Bulletin also recommends a mechanism for
handling complaints and for implementing discipline where the compliance
program is not followed. A complaints mechanism, while useful, may not
necessarily relate to compliance. CASL itself does not require that
organizations that send CEMs respond to complaints, but only that they action
unsubscribe requests. In this regard, the Bulletin helpfully indicates that a
mechanism for dealing with complaints “should not be confused with the
requirements in… CASL regarding the withdrawal of consent”. However, one
positive aspect of having a complaints mechanism, which the Bulletin does not
address, is that responding to complaints may mean that the complainant is less
likely to complain directly to the CRTC. This likely would help to reduce the
incidence of any enforcement action being brought by the CRTC against the
Few charities and non-profit
organizations expected that CASL was something for which they may need to
implement a compliance program or policy. The Bulletin, while helpful, does
highlight how onerous demonstrating compliance with CASL may be for those
organizations that need to do so. CASL, though, may not apply to an individual
charity or non-profit organization unless that organization is sending a CEM.
As well, many registered charities will rely on the exemption under CASL for
CEMs that have a primary purpose of raising funds. However, for those charities
that send CEMs in relation to commercial activities that are not exempt,
implementing a compliance program is a prudent measure in establishing due
diligence so that inadvertent breaches of CASL do not result in penalties or
liability exposure for board members.