Canada’s new anti-spam legislation (commonly known as CASL) is now in effect, and the Canadian Radio-television and Telecommunications Commission (CRTC) has the authority to enforce the law, specifically with respect to commercial electronic messages, the alteration of transmission data in electronic messages, and the installation of computer programs on another person’s computer system, in the course of a commercial activity.
The fundamental underlying principle in the new statute is that such activities can only be carried out with consent. Commercial electronic messages that are regulated under the new legislation include any type of electronic messages sent to Canadians, including email, text messages and messages sent through social media.
The CRTC has created guidelines that go beyond the legislation. The CRTC’s guidelines represent a complex and bureaucratic approach to compliance with CASL. It remains to be seen whether they will be widely followed, but they certainly represent a gold standard for compliance.
It should be clear that managing your anti-spam obligations will mean modifying your information technology processes. Information Technology PolicyPro is monitoring developments to consider how the CRTC guidelines could be implemented by small and medium businesses in a practical and efficient manner.
The guidelines set out eight elements for a compliance program.
1. Senior management involvement
Senior management should actively encourage compliance. A chief compliance officer should be responsible and accountable for developing, managing and executing the program. Smaller businesses should establish a contact person who is responsible and accountable for compliance with CASL.
2. Risk assessment
A risk assessment should be conducted to determine if any business activities are at risk for violating CASL. Policies to mitigate risks should be developed and applied.
3. Written corporate compliance policy
Organizations should develop and implement a written corporate compliance policy. The model policy included with Information Technology PolicyPro contains the essential elements of the CRTC’s guidelines, such as internal procedures for compliance and related training; auditing and monitoring mechanisms; procedures for dealing with third-party compliance; record keeping, especially with respect to consent; and a mechanism that allows employees to provide feedback to the chief compliance officer or point person.
4. Record keeping
Records should be maintained of policies and procedures; unsubscribe requests and the actions taken on them; evidence of express consent; recipient consent logs; staff training documents; and official financial records.
5. Training
A training program, including refresher training, should be developed, and there should be situational training that links daily activities to the policies and procedures. Employees should provide written acknowledgement that they understand the corporate compliance program. The business should monitor employee comprehension of the policy and evaluate the effectiveness of the training at regular intervals, updating as necessary.
6. Auditing and monitoring
Auditing should be undertaken at regular intervals and may involve developing a quality assurance program that monitors the email marketing campaigns. Recommendations resulting from the audit should be reviewed and adopted.
7. Complaint-handling system
A complaint-handling system that allows customers to submit complaints should be put in place.
8. Corrective action
Businesses should establish an organizational disciplinary code to address contraventions. As appropriate, businesses should take corrective or disciplinary action, or provide refresher training. Records of contraventions and actions taken in response should be maintained.
David Collier-Brown says
Ironically, the amount of organization effort is far larger than the technical effort. In my current job, the database contains a date of last acceptance, and the login code checks to make sure it’s newer than the date the terms and conditions last changed. If not, the person gets sent to the T&C page to agree or disagree. That’s one if-statement and a page with two push-buttons.
The checking to make sure that’s both necessary and sufficient is genuinely larger, but the cost of staying compliant is really really small.
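The check the commenter describes, written out as an added example (not the commenter's own code, and not anything from Information Technology PolicyPro): a small in-memory consent store that records acceptances and unsubscribe requests with timestamps, keeps an append-only history as the kind of evidence the record-keeping element asks for, and answers two questions, whether a user must be sent back to the terms page and whether a message may be sent at all. The store layout, the `TERMS_LAST_CHANGED` date and the sample addresses are constructed for the example; the rule that an unsubscribe request stands until a later acceptance is an assumption, not something the page states.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Date the terms and conditions last changed (constructed value for this example).
TERMS_LAST_CHANGED = datetime(2014, 7, 1, tzinfo=timezone.utc)


@dataclass
class ConsentRecord:
    """Per-recipient consent state plus an append-only audit trail."""
    address: str
    accepted_at: Optional[datetime] = None      # most recent acceptance of the terms
    unsubscribed_at: Optional[datetime] = None  # most recent unsubscribe request
    history: list = field(default_factory=list) # (event, timestamp) pairs, never rewritten


class ConsentStore:
    """Minimal consent ledger: records events and decides on re-acceptance and sending."""

    def __init__(self, terms_changed: datetime):
        self.terms_changed = terms_changed
        self._records: dict = {}

    def _get(self, address: str) -> ConsentRecord:
        return self._records.setdefault(address, ConsentRecord(address))

    def record_acceptance(self, address: str, when: datetime) -> None:
        rec = self._get(address)
        rec.accepted_at = when
        rec.history.append(("accepted", when))

    def record_unsubscribe(self, address: str, when: datetime) -> None:
        rec = self._get(address)
        rec.unsubscribed_at = when
        rec.history.append(("unsubscribed", when))

    def needs_reacceptance(self, address: str) -> bool:
        """The commenter's one if-statement: the last acceptance must be newer
        than the date the terms last changed, otherwise show the T&C page."""
        rec = self._records.get(address)
        return rec is None or rec.accepted_at is None or rec.accepted_at < self.terms_changed

    def may_send(self, address: str) -> tuple:
        """Decide whether a commercial message may go to this address, with a reason
        that can be logged. An unsubscribe request is honoured until the person
        accepts again after it (assumed rule, see lead-in)."""
        if self.needs_reacceptance(address):
            return (False, "no valid consent for current terms")
        rec = self._records[address]
        if rec.unsubscribed_at is not None and rec.unsubscribed_at > rec.accepted_at:
            return (False, "unsubscribed")
        return (True, "consent on record")

    def audit_trail(self, address: str) -> list:
        """Return the recorded events for a recipient (evidence for an audit)."""
        rec = self._records.get(address)
        return list(rec.history) if rec else []


def demo() -> dict:
    """Walk one recipient through the states; returns the decisions for inspection."""
    store = ConsentStore(TERMS_LAST_CHANGED)
    addr = "alice@example.invalid"  # constructed sample address
    out = {}
    store.record_acceptance(addr, datetime(2014, 6, 1, tzinfo=timezone.utc))
    out["stale"] = store.needs_reacceptance(addr)       # accepted before terms changed
    store.record_acceptance(addr, datetime(2014, 8, 1, tzinfo=timezone.utc))
    out["fresh"] = store.may_send(addr)                 # accepted after terms changed
    store.record_unsubscribe(addr, datetime(2014, 9, 1, tzinfo=timezone.utc))
    out["after_unsub"] = store.may_send(addr)
    out["events"] = len(store.audit_trail(addr))
    return out


if __name__ == "__main__":
    print(demo())
```

The login-time check is `needs_reacceptance`; `may_send` is the gate a sending script would call before every message, and the reason string it returns is what you would write to the recipient consent log so an audit can reconstruct why each message was or was not sent.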