The survey, entitled “Bridging the Gaps in Understanding and Compliance,” also found that many companies, both large and small, do not understand how to properly implement CASL compliance strategies.
CASL has been in force for almost three years but the “private right of action” is set to take effect July 1, which will allow private citizens to sue for violations, setting the stage for class-action lawsuits.
“Some organizations have a lot of work to do,” says Andrew Nunes, an author of the report and a partner and vice chairman of the technology law group in the Toronto office of Fasken Martineau DuMoulin LLP. “It could end up being very costly if they do not take adequate steps to satisfy CASL’s requirements and implement an appropriate compliance program.”
Nunes says many companies did not “understand some of the basics for compliance. And there seemed to be a lack of awareness of the additional CRTC requirements for record keeping and compliance programs.”
The survey was sent to mailing lists for the Direct Marketing Association of Canada, Blazon.Online and Fasken Martineau and received more than 200 responses. About 80 per cent of respondents said they were either “extremely involved” or “very involved” in the design and implementation of their organization’s CASL strategy. Respondents represented a broad range of industries.
The authors of the report said the biggest areas of concern are misunderstandings about the types of messages governed by CASL, whether the sending of certain “Commercial Electronic Messages” requires consent or would fall under an exemption, and how express consent can be obtained.
“It is probably a good idea [for companies] to revisit their internal understanding and compliance to verify that they adequately meet the requirements of the legislation and expectations of the CRTC,” says Nunes.
Amongst the respondents, 40 per cent did not appreciate that consent is generally required to send an electronic message requesting consent to send e-marketing messages, and 40 per cent of respondents also did not appreciate that CASL applies to messages received in Canada regardless of the jurisdiction from which the message was sent.
For consent, at least 23 per cent of respondents did not appreciate that “express consent” can only be obtained using an opt-in mechanism and 64 per cent of respondents did not appreciate that a CASL-compliant message requires more than just consent and a working unsubscribe mechanism. Under the legislation, the message also needs to include the prescribed identification and contact information for the sending organization (and any organization on whose behalf the message is sent).
The survey also highlighted how many companies do not fully grasp the consequences of not complying with CASL — 63 per cent of respondents did not know that the CRTC can impose an administrative monetary penalty of up to $10 million for each violation of CASL, 30 per cent of respondents did not appreciate that directors can be personally liable for CASL violations by their organization, and 40 per cent did not appreciate that officers can be personally liable.
About 28 per cent of respondents also incorrectly believe (or are not sure) that the CRTC can only impose penalties on repeat offenders or organizations that knowingly violate CASL. As well, 46 per cent of respondents were unaware that an organization could be liable for statutory damages under CASL, which does not require proof of actual damages.
The report also highlighted how many companies are not implementing internal processes that would help ensure compliance — 64 per cent of respondents said that their organizations did not have (or they did not know if they had) a formal written CASL policy, 63 per cent of respondents stated that their organization does not require personnel to undergo CASL training, 60 per cent of respondents indicated that their organization does not audit CASL compliance or were unsure, and only 48 per cent and 50 per cent of respondents were confident about their organizations’ ability to evidence compliance with the consent and content requirements, respectively.
Finally, 40 per cent of respondents indicated that they do not have contracts in place with third-party e-marketing service providers even though organizations can be held liable for breaches by their service providers.
“I think the organizations that have the highest risk are large organizations, and those that send a lot of messages regardless of their size,” says Nunes. “Come July 1, the risk for everybody goes up. [With the private right of action] there certainly will be a significant increase in people that are looking to enforce the legislation.”