Top ten CASL compliance planning activities

April 2018

Our experience working through compliance planning initiatives with many clients has given us valuable insights into what compliance planning means in practice. What follows is our list of the ten most critical (and challenging) compliance planning activities:

  1. Creating a comprehensive list of the categories of commercial electronic messages (CEMs) sent by your organization – this includes identifying all of the circumstances in which each business unit within your organization uses e-mail messaging, text messaging, instant messaging and social media messaging to encourage participation in a commercial activity.
  2. Developing a policy and guidelines for determining whether a message is a CEM and whether an exception applies – this policy will enable a case-by-case determination in light of the specific circumstances of each category of CEMs that your organization sends.
  3. Creating a comprehensive list of the categories of computer programs that your organization directly or indirectly installs on any computing devices that it does not own – in addition to identifying any software included in the organization’s products or services offerings, this includes identifying the circumstances in which the organization distributes software updates or upgrades.
  4. Developing a policy and guidelines for determining when the organization will need to (and when it will want to) obtain CASL-compliant consent for installing a computer program, including whether an exception applies – this policy will enable a case-by-case determination in light of the specific circumstances of each category of computer program that the organization installs and will include an assessment of whether CASL applies to software that is downloaded by end users.
  5. Determining if electronic addresses your organization collected before CASL came into force can still be used, and, if not, whether scrubbing existing databases or obtaining “fresh” consent will be necessary – this includes evaluating if you have an “existing business relationship”.
  6. Updating processes for requesting consent – this may include providing an opportunity to withhold consent separate from acceptance of the terms of a consumer agreement.
  7. Ensuring there are adequate systems in place for maintaining a record of each consent obtained – for written consent, this ideally means storing a record of date, time, purposes, and manner of the consent in a database; for oral consent, this ideally means verification by an independent third party or retaining a complete and unedited audio recording.
  8. Building fields into the organization’s databases to store the data the organization will require to rely upon implied consent – this will typically include fields to record the date when an individual entered into a contract, purchased a product, or made an inquiry.
  9. Updating templates used to send electronic messages – this includes ensuring that each template includes all mandatory identity and contact information and a compliant unsubscribe mechanism.
  10. Updating unsubscribe mechanisms and processes for giving effect to unsubscribe requests – this includes having systems that will provide any required notices to third parties, including affiliates, and for handling requests from individuals to stop receiving all categories of commercial electronic messages.