Data Protection Report - Norton Rose Fulbright

A major food manufacturer can be added to the list of companies that have entered into a voluntary undertaking to avoid enforcement proceedings under Canada’s anti-spam legislation (“CASL”).

Kellogg Settlement

For about two and a half months in 2014, Kellogg Canada and/or its third party service providers sent commercial electronic messages (“CEM”) to recipients without the consent of those recipients. CASL generally requires companies to obtain consent  before sending CEMs and that messages include certain content, such as identification and unsubscribe information.  Non-compliance can be addressed under the legislation in one of two ways: (1) a voluntary undertaking; or (2) an administrative monetary penalty following the issuance of a notice of compliance by the Canadian Radio-television and Telecommunications Commission (“CRTC”) following an opportunity for responding submissions in defence of any alleged violations.  Kellogg Canada chose to provide a voluntary undertaking, thereby avoiding the risk of an administrative monetary penalty of up to $10 million for non-compliance with CASL by a corporation.  In doing so, it became the fourth company to avail itself of the undertaking option under CASL.

Kellogg Canada’s undertaking includes a monetary payment of $60,000 plus an undertaking to comply, and ensure that any third party authorized to send a CEM on its behalf complies, with CASL. Kellogg Canada also agreed to review and update its compliance program with the goal to promote compliance with CASL. More specifically, the program will cover elements such as reviewing and revising its written policies and procedures on CASL compliance, implementing training programs for employees, tracking CEM complaints and their subsequent resolution, and updating monitoring and auditing mechanisms to assess compliance with CASL.

CASL Undertakings

Since CASL came into force in July 2014, three companies — Porter Airlines Inc., Plentyoffish Media Inc., and Rogers Media Inc. — have entered into separate undertakings in relation to alleged violations of the consent and/or form requirements for CEMs under CASL and related CRTC regulations.

All of the undertakings include the common elements of:

  1. a monetary payment (ranging between $48,000 and $200,000);
  2. an undertaking to comply with, and ensure that any third party authorized to send a CEM on its behalf complies with, CASL and applicable regulations issued by the ); and
  3. an undertaking to update and implement their respective compliance program to cover elements such as corporate compliance policies and procedures, training and education, monitoring, and auditing. Some undertakings have also included express reference to reporting mechanisms, and consistent disciplinary procedures.

Unfortunately, none of these announced undertakings provide clear guidance in order to gauge how future monetary undertaking payments will be determined.  But they do signal that monetary payments can be substantially less via undertaking than proceeding unsuccessfully through the “notice of compliance” route. For example, an administrative monetary penalty of $1,100,000 was issued against 3510395 Canada Inc. (doing business as Compu-Finder) for multiple violations of CASL within a three month period.  The company had sent out unsolicited emails promoting training courses to businesses without the consent of recipients, and also failed to include a functioning unsubscribe option.  The size of the penalty should be considered with the context of the CRTC finding the conduct to have been flagrant and analysis showing that 26% of complaints submitted to the Spam Reporting Centre for this industry sector related to Compu-Finder.

Our Take

Companies looking to mitigate their CASL compliance risks may wish to review CRTC  guidance when assessing their CASL compliance programs.  According to the CRTC, the key components of an effective CASL compliance program include:

  1. Senior management involvement. For example, in large businesses, a member of senior management may be named as the business’s chief compliance officer and be responsible and accountable for the development, management, and execution of the business’s corporate compliance program. In the case of small and medium-sized businesses, the business could identify a point person who is responsible and accountable for compliance with CASL.
  2. Risk assessments to determine which business activities are at risk for the commission of violations under CASL. The chief compliance officer or point person should then develop and apply policies and procedures to mitigate those risks.
  3. A written corporate compliance policy that is easily accessible to all employees, and regularly reviewed and updated to keep pace with changes in legislation, non-compliance issues, or new services or products.
  4. Good record keeping, which should include, among other things, records of unsubscribe requests and the company’s compliance with the request, and all evidence of express consent (e.g. audio recordings or forms) by consumers who agree to be contacted via a CEM. Businesses should also maintain a record of any contravention and the action taken after identifying any contravention with the Act to be able to demonstrate a robust corrective and disciplinary policy in practice.
  5. Training programs for staff at all levels regarding prohibited conduct under CASL and what should be done when observing prohibited conduct.
  6. Auditing and monitoring mechanisms directed at preventing and detecting misconduct, and assessing the effectiveness of the corporate compliance program.
  7. A mechanism for consumers to submit complaints and for the business to respond to and resolve the complaint within a reasonable timeframe.
  8. An organizational disciplinary code incorporating corrective or disciplinary action, or providing refresher training, as appropriate, to address violations of the corporate compliance policy.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.