1. PURPOSE OF POLICY
The purpose of this policy is to ensure the Organization complies with Canada’s Anti-Spam Legislation (“CASL”).
2. BACKGROUND CASL
came into effect on July 1, 2014. All types of organizations including non-profits, registered charities, partnerships, sole proprietorships, corporations, and public companies, as well as individuals, are bound by it. CASL covers a broad range of activities and will significantly impact how the Organization communicates via electronic means.
3. ACTIVITIES CASL REGULATES
The primary focus of CASL for the Organization is the regulation of Commercial Electronic Messages (“CEMs”).CASL sets the requirements that must be met before a CEM can be sent by persons or organizations to an electronic address. A CEM, as defined by CASL, refers to any electronic message sent to an electronic address by any means of telecommunication, including e-mails, instant messaging, texting, or similar electronic methods of communication where it would be reasonable to conclude the message has as one of its purposes (not necessarily its sole, or even main, purpose) to encourage the recipient to participate in a Commercial Activity (as defined at the end of this document). A CEM includes but is not limited to: offers to purchase, sell, barter or lease land, products, good or services; offers of business, investment or gaming opportunities; and advertisements, marketing, and promotions of land, products, goods, services, an organization, a person or person’s image. CASL prohibits sending a CEM via any electronic means (e-mail, social media, instant messaging, texting or similar method) without the recipient’s prior express or implied consent. While this policy focuses on the Organization’s rules for the sending of CEMs, CASL also prohibits the following: phishing for data or installing malware or spyware; the use of false or misleading representations and deceptive marketing practices for on-line promotions or marketing; altering transmission data without express consent; and privacy invasion via your computer, including data mining for personal information or using personal information collected from data mining.
4. COMPONENTS OF THE ORGANIZATION’S CASL COMPLIANCE PROGRAM
Pursuant to the Canadian Radio-Television and Telecommunications Commission’s Compliance and Enforcement Information Bulletin (CRTC 2014-326), the Organization has developed a CASL compliance program built upon the components set out below. Senior Management Involvement: The Organization’s senior management shall play an active and visible role in fostering a culture of CASL compliance. A point person responsible for the Organization’s CASL Compliance has been identified and this person shall be referred to as the CASL Compliance Officer. Risk Assessment: The CASL Compliance Officer shall conduct periodic risk assessments to determine if any of the Organization’s activities are at risk of violating CASL. This may include conducting an internal audit of the Organization’s electronic communications from time to time to assess areas of risk. Written CASL Compliance Policy: The Organization has developed this policy to ensure compliance with CASL. Periodic review of this CASL Compliance Policy will be conducted as necessary and this policy will be revised as necessary. Record Keeping: The Organization shall maintain, in accordance with our document retention policy, hard copies or electronic records of the following: policies and procedures; unsubscribe requests and actions; evidence of express consents; and staff training documents and processes. Training Program: The Organization will support Users (as defined at the end of this document) in fulfilling their obligations under CASL including offering training on how to avoid prohibited conduct under CASL. This training will be provided to new hires and refresher training shall be available to existing Users who have completed the standard training. Upon completion of training, the Organization may request written acknowledgement from each User that they understand the CASL Compliance Policy. The Organization may maintain a record of these acknowledgements. Auditing and Monitoring: The CASL Compliance Officer’s duties may include monitoring any legislative or regulatory changes and interpretations and enforcement by the CRTC. A regular audit of our electronic communications may be conducted as part of a CASL monitoring program. Recommendations emerging from audits will be addressed by the Organization and will be incorporated into the CASL Compliance Policy as appropriate. Complaint Handling: The CASL Compliance Officer is responsible for putting in place a complaint handling system to enable parties to submit complaints to the Organization. We will respond to and address complaints within a reasonable time. Corrective Action: The Organization has disciplinary provisions in this policy to address contraventions.
5. INTENT OF POLICY
The Organization understands that the objective of CASL includes deterring Spam (as defined at the end of this document). We wish to take appropriate steps to comply with CASL and ensure that our employees, representatives, consultants, customers, clients, stakeholders, and others who receive communication from the Organization do not receive Spam. The Organization strives to ensure that every message that is sent provides relevant information to meet the recipient’s needs. This CASL Compliance Policy outlines the efforts the Organization is taking to ensure that its Electronic Communication Tools (as defined at the end of this document), are appropriately utilized at all times in compliance with CASL. This policy establishes guidelines and minimum requirements governing the acceptable use of the Organization’s Electronic Communication Tools. The Organization recognizes that its Electronic Communication Tools increase productivity and the use of these tools demonstrates to the public that we leverage the latest systems and communication methods to best serve our employees, representatives, consultants, customers, clients and stakeholders. The intent of this policy is to allow for the full realization of the benefits of the Organization’s Electronic Communication Tools, while avoiding the risks and costs of failure to comply with CASL.
6. SCOPE OF POLICY
This policy applies to all Users who access or use the Organization’s Commercial Electronic Tools: CASL is comprehensive, sweeping legislation that captures CEMs sent from business to business, business to consumer, and also CEMs to individuals. CASL applies to any CEM, including e-mails, instant messages, text messages, or any other electronic message sent or accessed from a computer system located in Canada. CASL does not apply to certain messages specified in the legislation and summarized in Section 13 of this policy. Consent is not required for certain messages specified in the legislation and summarized in Section 14 of this policy. CASL does not apply to mail sent through Canada Post, phone calls, voice mail, or faxes. This policy applies whether or not a User’s access is during normal working hours or whether such access is from the Organization’s premises or elsewhere.
7. INTERNATIONAL APPLICATION CASL
has international reach and applies to any CEM received in Canada and to CEMs sent from Canada to a foreign state. CASL specifically states that it prohibits sending or causing or permitting to be sent to an electronic address a CEM if a computer system located in Canada is used to send or access the electronic message unless the message complies with the consent, information and unsubscribe requirements of section 6 of CASL.
8. OBJECTIVES OF POLICY
The objectives of this policy are to ensure that: the Organization’s Electronic Communication Tools are used in compliance with CASL and for the benefit of the Organization; Users understand that CEMs including e-mail messages and other electronic messages are subject to CASL compliance; disruptions to the Organization’s activities from inappropriate use of our Electronic Communication Tools are avoided; the Organization, the CASL Compliance Officer and Users are all aware of their responsibilities regarding CASL compliance and acceptable use of the Organization’s Electronic Communication Tools as defined by this policy and other internal policies regarding matters such as privacy and confidentiality; and the components of the Organization’s CASL Compliance Program are articulated and complied with.
9. IDENTIFYING COMMERCIAL ELECTRONIC MESSAGES
In determining whether one of the purposes of a message is to encourage participation in Commercial Activity, the following factors are to be considered: the content of the message; any hyperlinks in the message to commercial content or a commercial website or database; or contact information contained in the message whereby it would be reasonable to conclude that contact information has as one of its purposes to encourage participation in a Commercial Activity.
10. GENERAL RULES FOR SENDING CEMs
RULE 1 - CASL prohibits the sending of CEMs unless the Organization has the prior express or implied consent of the recipient. Express consent exists where the recipient elects to receive electronic messages. It must be a positive opt-in consent and the Organization must retain a record of this consent. Opt-out consents such as those permitted under privacy law are not acceptable for CASL. Express consent lasts until the person chooses to unsubscribe. Implied consent exists in certain situations including where: the person is in an “Existing Business Relationship” (as defined at the end of this document”) with the Organization. This implied consent is not permanent; it expires two (2) years after the Existing Business Relationship ends. The recipient’s e-mail address is voluntarily disclosed to us, such as on a business card handed to us and the message is about the recipient’s business, role, function or duties. The recipient’s electronic contact details are conspicuously posted such as in a public directory, on their employer’s website or elsewhere and the message is about the recipient’s business, role, function or duties. The recipient requested a quote or estimate from us. Our CEM is facilitating, completing or confirming previous commercial transactions with us. Our CEM is providing information relating to the recipient’s employment relationship or benefit plan with us. It is an internal message within the Organization concerning the activities of the Organization. It is a CEM to another organization if we have a relationship with the recipient organization and the message concerns the activities of the recipient organization. The foregoing are the more common circumstances where implied consent might arise. Sections 13 and 14 of this policy enumerate the full list of circumstances under CASL in which CASL does not apply or the recipient is deemed to have given implied consent. RULE 2 - The message contains contact information to identify the sender, which includes our business name, a mailing address AND an electronic communication method consisting of any one of: an e-mail address; or a website address; or a phone number. RULE 3 - The electronic communication informs the recipient of their right to unsubscribe and has a clear and obvious mechanism to allow the recipient to unsubscribe from receiving CEMs from the Organization.
11. ORGANIZATION’S OBLIGATIONS
The Organization will facilitate compliance with CASL by: providing appropriate education, training and resources to Users to ensure they understand their responsibilities when sending electronic messages; collecting and recording express consent wherever possible; supporting employees in setting up their e-mail and CEMs to contain the mandatory CASL information and unsubscribe information; enabling an unsubscribe mechanism on all CEMs and honouring this choice if received by unsubscribing the recipient within 10 days of receiving the request; ensuring the Organization’s IT system is capable of capturing appropriate consent and unsubscribe features; inserting a CASL consent form, if deemed prudent, on the Organization’s website; ensuring appropriate complaint mechanisms are in place for prompt responses to any concerns or complaints; monitoring our CASL compliance; and taking corrective action if a CASL breach is discovered.
12. USER’S OBLIGATIONS
All Users have an obligation to ensure that their electronic communication adheres to the guidelines of this policy and are required to observe the following: CEMs sent by a User must comply with the CASL rules outlined in Section 10 of this policy. Any messages that are sent must include a clear subject line that tells the recipient what to expect in the body of the e-mail; Messages sent by a User must be relevant to the business, role, function or duties of the recipient. Jokes, chain e-mails, YouTube videos, etc. are Spam. Users are asked to send Spam or personal and family e-mails through their personal e-mail account rather than using the e-mail address supplied by the Organization. Furthermore, Users wishing to raise funds for a charity or political candidate should do so from their own personal e-mail accounts, and not from an e-mail address of the Organization; Express or implied consent must be obtained from the recipient before a CEM that is subject to CASL consent requirements is sent; and Marketing e-mails must be approved by the CASL Compliance Officer prior to being sent.
13. EXCLUSIONS UNDER CASL FOR CEMs
The following CEMs are excluded from CASL: messages sent from one person to another person if they have an existing “Family Relationship” or “Personal Relationship” (as those terms are defined at the end of this document). Messages sent to a person engaged in a Commercial Activity containing an inquiry or application regarding that activity. Messages sent internally within the Organization where the message concerns the activities of the Organization. Messages sent from a representative of the Organization to a representative of another organization if the organizations have a relationship and the message concerns the activities of the recipient organization. Messages sent in response to a request, inquiry or complaint or otherwise solicited by the recipient. Messages sent in regard to legal or juridical orders, rights or obligations. Messages sent to a foreign state so long as they are sent in compliance with that state’s anti-spam law.
14. CONSENT IS NOT REQUIRED FOR SOME CEMs
Consent is implied or not required in the following circumstances: a message that responds to a requested quote or estimate. A message that facilitates, completes or confirms a commercial transaction previously agreed to. A message that provides warranty information, product recall information or safety information about goods or services purchased. Factual information about an ongoing purchase of goods or services offered under a subscription, loan, membership or similar relationship. Information directly related to an employment relationship or benefit plan. A message about upgrades or updates to products, goods or services. A message to a recipient with whom the Organization had an Existing Business Relationship with the recipient. A message to a recipient who conspicuously published their electronic address (e.g., business card, website) and the message is relevant to the recipient’s business, role, functions or duties. A message to a recipient who disclosed their electronic address (e.g., In a conversation or letter) and the message is relevant to the recipient’s business, role, functions or duties. The first message sent as a result of a referral from a common contact. NOTE: Although consent may not be required for the foregoing, such messages must nevertheless include the same information and unsubscribe requirements as any message requiring consent.
15. PRINCIPLES OF ACCEPTABLE USE
As with any resource provided by the Organization, our Electronic Communication Tools are to be dedicated to legitimate activities and governed by rules of conduct similar to those applicable to the use of our other resources. The use of our computer and e-mail resources imposes certain responsibilities and obligations on all Users and is subject to all of the Organization’s policies and procedures as well as all applicable provincial and federal laws. In the unlikely event of a conflict between the Organization’s computer use policy and this policy, then this policy shall prevail, as CASL requirements take priority.
16. UNACCEPTABLE USE
The Organization’s Electronic Communication Tools are the property of the Organization and may not be used knowingly to violate CASL or the anti-spam laws and regulations of any other nation. Violations of CASL involving our Electronic Communication Tools may subject violators to prosecution by federal authorities. The Organization will cooperate with any legitimate law enforcement activity. Suspected law violations may be referred to the appropriate government agencies.
17. DUTIES OF CASL COMPLIANCE OFFICER
Oversight of compliance with CASL rests with the CASL Compliance Officer. The CASL Compliance Officer’s duties are as determined by management from time to time and may include: conducting periodic risk assessments to determine which activities are at risk of violating CASL. This includes conducting an internal audit of the Organization’s electronic communications to assess any areas of risk from time to time; monitoring any legislative or regulatory changes and interpretations and enforcement by the CRTC; establishing and implementing training programs to support Users’ understanding of CASL and the requirements of this policy; putting in place a complaint handling system to enable parties to submit complaints to the Organization; investigating complaints related to Users’ compliance with CASL and this policy; and maintaining and performing periodic reviews of the Organization’s compliance with this policy.
18. CORRECTIVE ACTION
If a material CASL violation is identified, it shall be promptly reported to the CASL Compliance Officer and dealt with in an appropriate manner.
19. SANCTIONS
Inappropriate use of the Organization’s Electronic Communication Tools may result in negative publicity and serious damage to the Organization’s reputation as well as expose the Organization to significant legal and regulatory penalties and liabilities. Although the Organization has policies, processes and tools in place to ensure compliance, Users should avoid any misuse of Organization resources which may increase the risk of violation of CASL. Violations of this policy may subject Users to the loss of internet and e-mail privileges and may result in disciplinary action including termination of employment. Where a User has committed unlawful acts utilizing the Organization’s equipment, we may seek legal remedies against such violators including damages, indemnification and costs.
20. LIABILITY
The Canadian Radio-Television and Telecommunications Commission will measure the Organization’s overall compliance with CASL in the event of a third party complaint or if the Organization experiences a CASL breach, be it intentional or unintentional. The Organization may be vicariously liable under CASL for acts of employees and agents. Administrative monetary penalties can be up to $10 million under CASL. In addition, the federal government is reviewing the notion of CASL breaches being the subject matter of private civil actions including class action litigation.
21. CASL REVIEW, MEASUREMENT AND MONITORING
The Organization shall review and monitor compliance with this policy. This includes monitoring to ensure that: The Organization offers training to all employees who may send out electronic messages. The Organization and its employees send out only permitted CEMs. CEMs subject to CASL compliance are properly identified and prior express or implied consent is obtained from the recipient before they are sent.
22. DEFINITIONS
“CASL” is the acronym for Canada’s Anti-Spam Law. The formal title of the Act is “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c. 23.” “CASL Compliance Officer” means the person who is responsible for overseeing the Organization’s compliance with CASL. “CEM” means Commercial Electronic Message as fully defined in CASL and explained in the definition of Commercial Electronic Message below. “Commercial Activity” under CASL means any particular transaction, act or conduct that is of a commercial character whether or not the person who carries it out does so in the expectation of profit. Commercial Activity includes selling, marketing, advertising or promoting a person, organization or its goods, services or products. “Commercial Electronic Message” (CEM) as defined by CASL, refers to any electronic message sent to an electronic address by any means of telecommunication, including e-mails, instant messaging, texting, or similar electronic methods of communication where it would be reasonable to conclude the message has as ONE of its purposes to encourage the recipient to participate in a Commercial Activity. A CEM includes but is not limited to: offers to purchase, sell, barter or lease land, products, good or services; offers of business, investment or gaming opportunities; and advertisements, marketing, and promotions of land, products, goods, services, an organization, a person or person’s image. “Electronic Communication Tools” includes computer programs, computer systems, networks, e-mail and other internet resources, and electronic communication devices including computers, mobile phones, tablets, laptops and similar devices. “Existing Business Relationship” means the recipient has purchased, leased or bartered for a product, good or service, accepted a business, investment or gaming opportunity from the Organization, entered into a contract with the Organization or made an inquiry or application for a product good or service from the Organization. Implied consent for Existing Business Relationships is time limited. Under a transitional CASL rule, this implied consent is deemed to last until July 1, 2017 if the relationship included communication between the parties of Commercial Electronic Messages. Thereafter, it expires two years after the business relationship ends or 6 months after an inquiry or application is made. “Family Relationship” means the relationship between an individual who sends a message and the individual to whom the message is sent if those individuals are related to one another through a marriage, common-law partnership or any legal parent-child relationship and those individuals have had direct, voluntary, two-way communication. “Personal Relationship” means the relationship between an individual who sends a message and the individual to whom the message is sent, if those individuals have had direct, voluntary, two-way communications and it would be reasonable to conclude that they have a personal relationship, taking into consideration any relevant factors such as the sharing of interests, experiences, opinions and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated or whether the parties have met in person. “Spam” means unsolicited and unwanted electronic messages, also known as “junk” e-mail or text messages that may be damaging, fraudulent or misleading. Often, but not always, spam is sent in bulk batches. “User” means any employee, representative, partner, agent, affiliate, contractor, guest or third party who accesses or uses Electronic Communication Tools provided by the Organization. We are committed to ensuring that you do not receive any, unwanted e-mails from our servers. Should you have any questions about Banhall's spam management strategies, write us at: CASL policy Banhall Consulting Ltd. PO Box 42109 RPO Guildford, Surrey, BC V3R 1S5 or use the following link to send us an email.