Anti-spam law deadline looms

CASL could impact policies, recruitment and training

With Canada’s anti-spam legislation — CASL — set to come into force July 1, HR professionals have some legwork to do to ensure their organizations don’t run afoul of the rules that restrict how businesses can communicate with each other and the public via email and text.

Workers will need training and policies may need to be rewritten — and that includes a review of how HR departments, and recruiters in particular, are using email to find candidates.

But first it’s a matter of understanding the new rules. The federal law is meant to deter “damaging and deceptive forms” of spam while encouraging the growth of electronic commerce “by ensuring confidence and trust in the online marketplace,” according to the government.

But it’s a very technical statute and there are a lot of exceptions to the rules, said Sylvia Kingsmill, senior manager from enterprise risk services at Deloitte in Toronto.

“One of the challenges has been to interpret what the rules mean and how to operationalize them.”

The act was three years in the making, and it wasn’t until December 2013 that the federal government announced that most of the provisions would kick in this summer, she said.

“That is not a long window to comply with so some organizations will have to short-circuit their compliance plans to ensure they’re 100 per cent compliant by the July 1 deadline.”

The way the law was drafted is quite complex in that you also have to go to the regulations to find out if you can benefit from exceptions — so it’s circular, said Tricia Kuhl, a partner at Blakes in Montreal.

“It’s challenging for most individuals to understand what is exactly exempt and what is covered by the law,” she said.

Among the various G7 countries, Canada has the most onerous version of anti-spam law, according to Kelly Nicholson, a partner at Field Law in Calgary.

“It ends up regulating almost all electronic messages that are sent for commercial purpose and, probably more problematically… what CASL does is impose an opt-in consent regime as opposed to an opt-out regime, which is what we see in the U.S., for example.”

For many organizations, the task of becoming compliant is going to be difficult, he said.

“It’s certainly on the minds of organizations throughout Canada — and should be, because this is big, scary federal legislation that casts a wide net and carries very significant penalties for breach.”

The basic rules

Generally, the new CASL requirements state the sender must obtain consent from a recipient before sending a commercial electronic message (CEM), and must include information that identifies the sender and enables the recipient to withdraw consent.

The requirements around express consent and implied consent are difficult to grasp, said Nicholson. There are three areas of implied consent but knowing when a recipient falls into one of those areas is not always clear and there are several exemptions where consent is not required at all, he said.

“It’s going to be necessary for organizations to essentially do a review of their mailing lists and all of their external contacts in order to understand where they have express consent, where they have implied consent and where no consent is required, so systems have to be developed within the organization in order to provide that filter.”

Once CASL comes into force, of course, a person or company can’t send a commercial electronic message requesting consent, so a lot of employers are scrambling to obtain consent before the deadline.

However, there’s a three-year transitional period starting July 1 during which consent to send messages is implied in pre-existing business and non-business relationships.

Similarly, consent is implied for the same period for the installation of updates or upgrades to computer programs.

“(The transitional period) allows you to convert your implied consent into expressed consent if that’s the consent strategy you wish to pursue. Because express is as good as gold — it doesn’t expire until the customer withdraws it and it does away with the tracking that would be required for one-time product purchases,” said Kingsmill.

Penalties, liabilities

Administrative monetary penalties for non-compliance, per violation, can reach up to $1 million for individuals and up to $10 million for corporations. Criminal charges can also be laid against organizations that make false or misleading representations regarding the sender or subject of an electronic message, according to Kingsmill.

Apparently the government wanted to make the penalties more than the simple cost of doing business, said Kuhl, “because certain organizations will take the risk of non-compliance if they feel that the penalty is not very strong and the likelihood of enforcement is very weak.”

Civil charges would allow businesses or individuals to seek damages of $200 per violation, to a maximum of $1 million per day, said Kingsmill. There’s even the potential for class-action lawsuits down the line.

There is also the potential for personal liability for company officers and directors who knowingly infringe the law. And a corporation can be held liable for the acts of its third-party agents and employees, said Nicholson.

“If it can be shown that a director, officer or agent of an organization knew about or acquiesced in a breach of the act, then they can be made personally liable for the penalties… it’s akin to OHS legislation in that respect. So clearly due diligence is going to be key.”

Reasonable steps

For an employer, it’s about taking reasonable steps with a comprehensive, end-to-end CASL-compliance framework, said Kingsmill.

“You would need to have accountability and responsibility — someone needs to clearly own the CASL program or the CASL-compliance initiative, and there has to be some kind of governance around it and engaging the right stakeholders or bringing the right people to the table would include your marketing folks, your event planning, your IT, your legal people and your privacy shop to be able to identify the enterprise-wide processes that need to be revised.”

A CASL policy should also set out the rules of engagement at a very high level. Then it’s about procedures or guidelines to operationalize the rules, said Kingsmill, which means user-friendly business language and teaching people to think before they send.

“The greatest impact... is going to be on all of your outbound electronic communications because many of the internal communications will be exempt… so the focus is on prospecting and your captive sales force and your digital marketing strategies which may need to be tweaked and revisited.”

The most critical success factors are training and awareness, so telling employees what CASL means, what the impact is and how to be compliant, she said.

“To make it stick, it should be really simple because the legislation is so dense and technical in nature.”

All employees should be trained, even if their roles do not involve sending out commercial electronic messages, said Kuhl. And if there’s a breach, it’s similar to a breach of personal information protection legislation.

“If an employee is not complying with anti-spam provisions — so sending messages on behalf of the organization in violation of the company’s internal anti-spam compliance program — I think that could be cause for not necessarily dismissal but certainly for a warning or some ramifications in the employee’s position as an employee.”

Employers are also required to keep track of consents and withdrawn consents, said Nicholson.

“There can’t be any rogue CEMs — everybody in the organization has to be aware of the CASL compliance and you have to make sure that people aren’t off on their own, doing their own thing.”

Recruitment concerns

There’s also the question of recruitment and to what extent the CASL restrictions affect HR’s ability to reach out to and communicate with prospective new employees, either on their own or through a third-party headhunter service, he said.

“There may well be some potential risk in that area… make sure that any third-party headhunter service you retain is CASL-compliant,” said Nicholson.

“Because of the doctrine of vicarious liability, an organization can’t shield itself from liability by interposing a third party in between itself and the recipient of its electronic messaging.”

But, in the end, the law is not designed to punish — it’s intended to go after true spammers, said Kingsmill.

“I believe (the government is) going to look at all the facts of the case and they’re going to look at your due diligence defence and you would assume that they would apply the reasonable person test.”
