Last week the CRTC published an undertaking made by Kellogg Canada Inc. to pay a $60,000 fine after violating Canada’s Anti-Spam Law (CASL). A third party sent promotional email messages to recipients on behalf of Kellogg’s from October 1 to December 16, 2014. Apparently, Kellogg did have consent but was unable to provide records and proof. Without the proper documentation, the CRTC determined that these messages were sent without express or implied consent.
This case is a caution that companies need to ensure that their service providers comply fully with CASL. This judgement also stresses the importance of a company to have a compliance program in place, that meets the CRTC’s eight requirements, including proper record-keeping.
This means you must be able to, at all times, provide to the authorities a list of all the persons to whom you have sent electronic communications to during the last three years. You must supply proof of consent, that includes the date of consent for each one of your contacts, as well as transcripts of all the messages you sent to each contact.
Through the implementation of a proper compliance program, Kellogg has committed to review and revise its written policies and procedures, update its training programs to address CASL obligations, track CASL complaints and their resolution, and update its auditing mechanisms to assess compliance.
In a statement to ITBusiness.ca, Kellogg said, “We are aware and disappointed in our company’s alleged violation of Canada’s anti-spam legislation as it relates to commercial electronic messages sent by our third-party suppliers on behalf of Kellogg Canada in late 2014. … At Kellogg, consumers are at the heart of all we do, and we will continue to earn their trust and demonstrate a commitment to integrity and ethics each and every day.”
Note that service providers can be held accountable. Although it was not the case with Kellogg’s, the third party in this situation could have been fined for not respecting CASL, and/or Kellogg’s could have sued their third party supplier.
Update May 16th, 2017: This morning, IAB Canada invited two CRTC enforcement officers to Toronto, Kelly-Anne Smith, Legal Counsel, and Dana-Lynn Wood, Senior Enforcement Officer, to present the status of CASL enforcement.
The CRTC has explained, in reference to the responsibility of agencies and technology platforms, that if the providers are involved in the content of the message, they may be held jointly liable for violations of Canada’s Anti-Spam Legislation. Learn more about what changes July 1st, 2017 here.
Violations of CASL can result in penalties up to $1 million per violation for individuals and up to $10 million per violation for organisations. Businesses, representatives, employees, officers, directors, and administrators can all be held personally liable and forced to pay a fine. A compliance program is your only defence. Click here to learn more about all the requirements.