The 5 Stages of CASL Compliance

 Jan 14, 2018 10:30 AM
by Derek Lackey

Understanding the law is a good start. 

Knowing what consent you are claiming, being fully compliant when sending messages and respecting individuals’ right to choose - these are all solid foundations for a CASL compliant program.

It is NOT CRTC’s place to tell you what to do in order to be compliant.
The CRTC recognizes that small businesses cannot match the resources of larger organizations, so they have developed a series of ‘illustrative’ rather than ‘prescriptive’ practices that will assist all organizations in their effort to be CASL compliant.

They will, however, tell you what you cannot do, engaging you in the process and making you think your email marketing plans through - from front to back. It is your responsibility, as an organization, to understand this new law and comply.

If you develop the strategy for building your lists, you are much more likely to be discriminating. In the past, if there was any doubt, we would simply add the email address to the list and see if they engaged or unsubscribed. No skin off our nose. In the CASL Era we have criteria - a set standard that we measure that same individual against. If they fit, we add them to our list, understanding where they came from, what our relationship is with them at any given point in time and when they should be deleted from our list.

Let’s face it, even if you are very discriminate about who is and who is not on your list, if they have not opened one of your last 15 emails, should they remain on your list? CASL aside, good business practices suggest you should drop them from your list, or at the very least send them a notice that requests them to click or take an action if they wish to remain on your list.

Many of us have been caught up in ‘bigger is better’ when in reality ‘quality and engagement of your list’ is what email marketing is all about. 

The relatively small cost of emailing an individual week after week, with no regard to their interest or engagement, fostered a ‘what the heck’ attitude and created fertile ground for the ‘bigger is better’ mentality when it comes to email lists. CASL changes that. The potential cost of being that indiscriminate is now significant. The potential cost of the private right of action will make things even more interesting.

CRTC - Compliance and Enforcement Information

In June 2014, just prior to the July 1, 2014 date when CASL began being enforced, CRTC published a document called Compliance and Enforcement Information Bulletin CRTC 2014-326. The purpose of the document was "to provide general guidance and best practices for businesses on the development of corporate compliance programs."

Although each case will be judged on its own merits, CRTC states that "The development and proper implementation of a documented and effective corporate compliance program is a useful risk-management strategy: it may (i) reduce the likelihood of businesses violating the Rules and/or CASL, and (ii) help businesses establish a due diligence defence in the case of a violation of the Rules or CASL."

Take note, a 'due diligence defence' is not out of the question. CRTC recognizes that while we are all on new ground with this new law, there are ways to reduce the risks and penalties. The CRTC Enforcement Staff can exercise some discretion when evaluating fines or undertakings.

Having a well thought out, documented process that is part of your staff training process could go a long way to your due diligence defence.

Who Is In Charge?
Once again, if Senior Management was involved in the development and implementation of your Compliance Process, CRTC interprets that as a deeper commitment. "Rules and policies by themselves have a greater chance of success in preventing misconduct when senior management strongly conveys that violations of the Rules and/or CASL are not acceptable." They go on to suggest that "a member of senior management could be named as the business’s chief compliance officer". The more senior the manager, the better the optics. CRTC may view this as a measure of commitment to your CASL compliant email marketing process.

No ‘Cookie-cutter’
Each organization should develop their own plan. "The chief compliance officer or point person should consider conducting a risk assessment to determine which business activities are at risk for the commission of violations under the Rules and/or CASL. The chief compliance officer or point person should then develop and apply policies and procedures to mitigate those risks."

Based on CRTC's stated purpose "to provide general guidance and best practices for businesses on the development of corporate compliance programs", we developed a 5 stage process to ensure CASL compliance.


1. Email Marketing Audit - an in-depth examination of your current email marketing practices is an absolute necessity for every organization. Compliance with this new law starts with understanding where you are on the continuum. You should do a complete risk assessment to determine the challenges for your organization.

2. Develop Your Email Marketing Plan - first and foremost, CASL must be clearly understood. The Compliance Officer should then lead the team in designing a written corporate compliance policy for all aspects of CASL. Lawyers and outside consultants should be considered at this stage as it is critical to develop a compliant program.

3. Document The Plan - a well thought out, properly documented plan will go a long way to convincing CRTC that a) you care and b) you are committed to CASL compliance.

This also allows you to incorporate it into your staff training (stage 5). All organizations will be expected to keep hard copy or electronic files of the following information: 
- your commercial electronic message policies and procedures;  
- all unsubscribe requests and actions;  
- all evidence of express consent (e.g. audio recordings or forms) by consumers who agree to be contacted via a commercial electronic message; 
- commercial electronic message recipient consent logs; 
- commercial electronic message scripts;
- actioning unsubscribe requests for commercial electronic messages;
- campaign records;  
- staff training documents; 
- other business procedures; and 
- official financial records.

4. Tracking Technology - CRTC demands that you know, in real time, the source of every name on your opt-in list, how it got there and what your organization’s relationship is with each individual. To do that for every single person on your email list, you will require robust technology that automates as much of this process as possible. Good record keeping is an absolute cornerstone of any CASL Compliance Program. Your organization must understand each and every individual's current and past relationship with the Company if you are claiming express or implied consent. In CRTC’s words: "Good record-keeping practices may help businesses: (i) identify potential non-compliance issues, (ii) investigate and respond to consumer complaints, (iii) respond to questions about the business’s practices and procedures, (iv) monitor their corporate compliance program, (v) identify the need for corrective actions and demonstrate that these actions were implemented, and (vi) establish a due diligence defence in the event of complaints to the Commission against the business."

5. Staff Training - you must have a formal plan to communicate with existing as well as new staff members so everyone in the organization understands your email policies and practices and why it is important for them to know and respect them. In CRTC’s words: "The policy may also: a) establish internal procedures for compliance with the Rules and/or CASL; b) address related training that covers the policy and internal procedures; c) establish auditing and monitoring mechanisms for the corporate compliance program; d) establish procedures for dealing with third parties (for example, partners and subcontractors) to ensure that they comply with the Rules and/or CASL; e) address record keeping, especially with respect to consent; and f) contain a mechanism that enables employees to provide feedback to the chief compliance officer or point person."

CRTC places a great deal of weight on effective staff training that begins at the very top levels of management so CASL is taken seriously throughout the Corporation. "Effective training of staff at all levels on what constitutes prohibited conduct and on what could be done if they witness prohibited conduct is integral to the implementation of a credible corporate compliance program. Effective training helps employees determine roles and responsibilities, and when to seek advice from senior management. For the training to be effective, links should be made between the business’s policies and procedures, and the situations that employees may face in their daily activities.

The chief compliance officer or point person should consider developing and implementing a training program, including refresher training, regarding the corporate compliance policy for current and new employees, including managers. After training, employees could provide written acknowledgment that they understand the corporate compliance policy, and these written acknowledgments should be recorded and maintained. The business could also monitor employee comprehension of the corporate compliance policy, and the training program could be adapted and re-administered accordingly. The business could re-administer training following important modifications or updates to the corporate compliance policy. The chief compliance officer or point person could evaluate the effectiveness of this training at regular intervals."

Reviewing Your Program
It is the responsibility of the Compliance Officer to keep up with any changes or modifications required to the Company's Policies and Procedures and to ensure that all staff are updated accordingly. 

Auditing and Monitoring Procedures
In addition, all Auditing and Monitoring Procedures should be documented. "Auditing and monitoring mechanisms help 
(i) prevent and detect misconduct, and
(ii) assess the effectiveness of the corporate compliance program. 

The implementation of these mechanisms also reminds employees and managers that they are subject to oversight. The chief compliance officer or point person could be responsible for ensuring that audits are conducted at regular intervals with or without external help. 

Auditing may involve developing and implementing a quality assurance program that would, for example, monitor a statistically significant percentage of the business’s telephone or email marketing campaigns. The results of all audits should be recorded, maintained, and communicated to senior management. Following an audit, the business should address any recommendations and modify or update the corporate compliance policy as appropriate."

Managing Complaints
The complaint-handling system should also be documented and clearly communicated. Consumer complaints should be documented and resolutions should be recorded. CRTC does not want any Compliance Officer to think that having a complaint system excuses them from following CASL's rules, such as having a working unsubscribe in every CEM and removing those individuals within 10 days of their request.

Last but not least, your firm's corrective or disciplinary policy should be clearly stated, communicated and enforced. "This code would help
(i) demonstrate a business’s credibility regarding its corporate compliance policy, and 
(ii) deter against possible employee contraventions of the corporate compliance policy. 

Businesses should consider taking corrective or disciplinary action, or providing refresher training, as appropriate, to address contraventions of the corporate compliance policy. Businesses could maintain a record of the contravention and the action taken in response to the contravention."

These suggestions from CRTC are designed to help organizations develop and implement CASL Compliance Programs. While they could help in the case of a due diligence defence, they are designed more to help a Company be more effective when using email marketing.

Knowing, in detail, how your organization intends to use email marketing is a very good start to being CASL compliant.

Derek Lackey is the Managing Director, Newport Thomson - a global data & privacy compliance consultancy, helping organizations with CASL, PIPEDA, GDPR and CAN-SPAM compliance programs.