Since Canada's anti-spam legislation (CASL) was enacted in
2014, businesses have been faced with the challenge of keeping
adequate records of their authority to send commercial electronic
messages under CASL's various categories of express and implied
consent. As the CRTC began CASL enforcement actions, the ability of
companies to prove that they had appropriate consent under the law,
and to respond to CRTC production notices requesting consent
records, became a topic of increasing concern. However, as little
information was publicly disclosed about enforcement proceedings
undertaken to date, the full extent of the CRTC's expectations
regarding consent records was unclear.
The CRTC has now issued public guidance on keeping records of
consent in an Enforcement Advisory notice published July 27.
Businesses and individuals sending commercial electronic messages
should keep physical or electronic copies of: (1) all evidence of
express and implied consent; (2) documentation regarding the
methods through which consent was collected; (3) policies and
procedures regarding CASL compliance; and (4) all unsubscribe
requests and resulting actions.1 Businesses that have
not yet taken steps to ensure this information is consistently
recorded in an accessible manner or to develop CASL policies and
procedures should do so as soon as practicable. Although the
Enforcement Advisory is not a binding regulation under the Act, the
adage that "ignorance of the law excuses no man" is
applicable: companies subject to a CASL enforcement proceeding can
expect little leeway from the CRTC for failing to implement the
record-keeping procedures it has now published.
What You Need To Know
Evidence of consent, as well as unsubscribe
requests, may come in many different forms. Regardless of whether
in the form of audio recordings, copies of signed consent forms, or
employee records of having obtained verbal consent, the sender must
keep a copy of the record in a format that can be promptly
retrieved on request.
Scrutiny of policies and procedures: Although
CASL does not require that businesses make their CASL policies
publicly available (unlike the openness principle in the
Personal Information Protection and Electronic Documents
Act that effectively requires organizations to publish their
privacy policies), CASL compliance policies and procedures should
be drafted with the expectation that they will be reviewed by the
regulator. The CRTC Advisory, and past enforcement actions,
indicate that the regulator will request and review policies and
procedures in the course of compliance investigations. In addition,
businesses should ensure that their records of consent, unsubscribe
requests and other actions actually conform to the record-keeping
procedures set out in their internal compliance documentation.
Benefits of good record-keeping include
establishing a due diligence defence in the case of a CASL
violation, facilitating the resolution of consumer complaints,
identifying potential non-compliance issues and implementing
corrective actions before any regulatory enforcement is commenced.
CASL compliance officers should communicate the benefits, as well
as the regulatory imperatives, to consent record-keeping within
their organizations to encourage executive and operational
attention to appropriate policy-making, training and internal
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).