Positioning Your Organization to Mitigate CASL Liability Through the Due Diligence Defence. Roadmap

Transcription

1 Positioning Your Organization to Mitigate CASL Liability Through the Due Diligence Defence Association of Corporate Counsel Wednesday, February 7, 2018 Andrew Nunes Daniel Fabiano Stephen Cheeseman Roadmap 1. marketing in perspective 2. The PRA delay 3. Recent CRTC enforcement activities 4. Three-year statutory review of CASL 5. The due diligence defence 6. Practical tips for establishing and implementing a CASL compliance program 1

2 Marketing in Perspective Understanding your organization s marketing practices marketing tools - PC Reviews marketing do s and don ts The PRA Delay Private right of action ( PRA ) was to go into effect on July 1, 2017 The PRA would allow affected individuals to sue organizations and their officers, directors and agents for alleged CASL violations Damages include: a. compensation = actual loss suffered/expenses incurred, and b. statutory damages = up to $1,000,000/day Limited to breaches which have not been addressed through another enforcement mechanism under CASL 2

3 The PRA Delay PRA suspended on June 7, 2017 To eliminat[e] any unintended consequences for organizations that have legitimate reasons for communicating electronically with Canadians CASL is alive and well and the CRTC continues to pursue violators Recent CRTC Enforcement Activities 2017 Compu.Finder - $200,000 Mr. Halazon and TCC - $10,000 William Rapanos - $15, Blackstone Learning Corp. - $50,000 Since coming into force the CRTC has conducted over 30 investigations, delivered 22 warning letters, and issued $1,958,000 in penalties which have since been reduced to $468,000 3

4 Recent CRTC Enforcement Activities CRTC investigation triggers: Complaints from Canadians Leads from international partners Data feeds and honeypots Working with industry Complaints to the Spam Reporting Centre Source: CRTC Outreach Presentation (WINTER ) Recent CRTC Enforcement Activities complaints decreased in 2017 while SMS complaints have tripled CASL applies equally to SMS as it does Other type of message Number of Webform Submission by Type Other electronic threat (ie website) Unknown SMS Instant Message Source: CRTC Outreach Presentation (WINTER ) 4

5 Three-Year Statutory Review House of Commons Standing Committee on Industry, Science and Technology Issued report Canada's Anti-Spam Legislation: Clarifications are in Order (December 13, 2017) Three-Year Statutory Review The report makes 13 recommendations, including: Clarifying types of messages that are "commercial electronic messages" Clarifying "express consent" and "implied consent" Clarifying how CASL applies to charities / non-profits Investigating how to be more transparent in their methods, investigations, and determinations of penalties Delaying the PRA until its impact is fully investigated 5

6 Due Diligence Defence Subsection 33(1): A person must not be found to be liable for a violation if they establish that they exercised due diligence to prevent the commission of the violation. Nature / scope of due diligence not set out in CASL Due diligence activities referenced in CRTC guidance materials, enforcement decisions, undertakings Practical Tips: Establishing and Implementing a 1. Establish an organization-wide CASL compliance program Conduct overall assessment of organization s CASL-related activities Determine which organizational activities are at risk for CASL breach Effective compliance programs contain some or all of the following practical tips 6

7 Practical Tips: Establishing and Implementing a 2. Involve senior management Active and visible role to foster culture of compliance Ensures greater chance of buy-in by personnel Ensures senior management is itself attuned to liability Practical Tips: Establishing and Implementing a 3. Appoint a chief compliance officer (CCO) A point person responsible for CASL compliance. Coordinate response to complaints, assess new initiatives, conduct audits 7

8 Practical Tips: Establishing and Implementing a 4. Formalize a written compliance policy Documents approach to addressing all CASL requirements and due diligence measures Does your organization have a formal, written CASL policy? 11% 36% Accessible to staff; up to date 53% Yes No Not Sure Fasken Martineau/DMAC - CASL Survey Report: Bridging the Gaps in Understanding and Compliance Practical Tips: Establishing and Implementing a 5. Education and employee buy-in Does your organization require personnel to attend training to understand your organization s CASL policy and how your organization is managing e-marketing messages according to CASL? All staff receive training appropriate to their function 63% 29% Requirements, prohibitions, context 8% Yes, and I have attended that training Yes, but I have not attended that training No Fasken Martineau/DMAC - CASL Survey Report: Bridging the Gaps in Understanding and Compliance 8

9 Practical Tips: Establishing and Implementing a 6. Record-keeping Need to document: express consent implied consent proof of message contents unsubscribe requests, resulting actions Policies and procedures Staff training documents Could your organization prove (with supporting documentation) that it has the authority under CASL to send every e-marketing message sent by your organization (e.g., express consent, implied consent or an exception to consent)? 31% 21% Yes No Not Sure 48% Fasken Martineau/DMAC - CASL Survey Report: Bridging the Gaps in Understanding and Compliance Practical Tips: Establishing and Implementing a 7. Complaints and correction Complaint-handling system to enable customers to submit complaints Ensure prompt response/resolution of complaints Policies should provide for corrective or disciplinary action for personnel involved in contraventions of compliance program / CASL policy 9

10 Practical Tips: Establishing and Implementing a 8. Service providers Organizations can be liable for actions of service providers Does your organization have written contracts with third parties who provide e-marketing services? 16% Pre-contractual due diligence Appropriate contractual clauses 30% 37% Periodic compliance audit 17% Yes We do not use any service providers related to e-marketing No Not sure Fasken Martineau/DMAC - CASL Survey Report: Bridging the Gaps in Understanding and Compliance Practical Tips: Establishing and Implementing a 9. Auditing and monitoring Prevent and detect misconduct How often does your organization audit its compliance with CASL? 23% 29% Assess effectiveness of compliance program Audits should occur at specified intervals, be documented, and result in a report to senior management 37% 11% At least once every 12 months Less than once every 12 months Not at all Not sure Fasken Martineau/DMAC - CASL Survey Report: Bridging the Gaps in Understanding and Compliance 10

11 Q&A? Andrew S. Nunes PARTNER Fasken Daniel Fabiano PARTNER Fasken Stephen Cheeseman OWNER & PRESIDENT Global RCR Inc