Canada: First Steps If You Receive A CASL Enforcement Notice

There have been a disappointing lack of publicly-reported enforcement actions under Canada's Anti-Spam Legislation (CASL) since it came into force in July 2014 – in fact, to date there has only been one. Given the ambiguity and complexity of the legislative scheme, combined with the potential for very severe penalties, this is disappointing to the business community that has sought to better understand the positions and interpretations that the CRTC actually took in live enforcement cases. Consequently, as an unfortunate result of the silence on the enforcement front, some organizations have taken the view that the CRTC has not been actively enforcing the legislation.

We understand that the CRTC has already received hundreds of thousands of complaints under CASL, and the CRTC has necessarily been involved in a substantial triage process.  Given the mandate and resources of the CRTC, and in particular its public statements with respect to CASL enforcement, we are of the view that further information on enforcement action will be forthcoming and demonstrate to organizations that the law has teeth.

If your business or organization receives an enforcement notice from the CRTC, you may wish to consider taking some or all of the following steps:

• Review the notice. What has the CRTC accused you of doing? What options has it given you? Is there a deadline for your response?
• Begin preparations immediately. Non-compliance with CASL could cost your organization significant sums with the potential for penalties in the millions of dollars. As with any regulatory action, time is of the essence. Inaction is not a defense.
• Appoint an individual to be responsible for the complaint. Preparing to defend your organization from liability under CASL will involve assessing the facts and the allegation, gathering records and documentation from a variety of sources, and looking at them as a whole. Regardless of the size of your organization, an individual will be needed to not only coordinate searches for information, but to also understand the application of those records in building a defense to the enforcement action.
• Track your deadline for response. The regulator may expect responses to the allegations by a certain deadline. Keep that date in mind.
• Involve your legal counsel. Engaging experienced competent legal counsel, especially counsel familiar with CASL, is essential to protect your rights and to navigate the regulatory process, and may provide a claim of legal privilege for your assessment. Legal counsel should review all communications proposed with the regulator.
• Gather evidence of compliance. The best defence to an enforcement action under CASL is to prove that your organization complied with its obligations. Due diligence is a defense to such enforcement action. If you receive a complaint, you should immediately begin to search for information that would support such a defense.
• Review your due diligence materials. In anticipation of CASL, many organizations assembled a due diligence "war-file," including policies, procedures, consent tracking and other evidence of reasonable efforts to ensure compliance with the law. Upon receiving a CASL enforcement notice, revisit this file and assess its relevance to the complaint. Remember, due diligence is another defence to CASL liability.
• What did you learn? Your preparations should help you to understand better how effective your compliance efforts have been. If the compliance is found not to be as effective as the law requires, then this is an opportunity to improve those practices and be better prepared for the future.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.