When the CTRC begins conducting an investigation, they can send you a request for information that requires you to provide within 30 days, all the data covering the period of the inquiry. The information needed includes:
- The list of all the recipients for all your commercial electronic messages
- The type of consent for each recipient (explicit or implied)
- The date of consent
- All the information held on the person
- A CSV file with the justified information for each consent
- Database guidelines for contact management
- Electronic communication policies
- Screenshots of subscription forms
At the end of their investigation, the CRTC sends a notice of violation that details the alleged infractions committed by your business. You then have 30 days to negotiate an agreement whereby you agree voluntarily to pay a “lump sum” and implement a full compliance program under the supervision of the CRTC.
In the absence of an agreement, the CRTC imposes a fine that you can challenge in court if you have the time and resources to do so. Because of the cost and time of such a high-risk challenge, it’s easy to understand why all the companies given notices so far, with the except of one, have negotiated agreements and made voluntary payments.
N.B.: There is no presumption of innocence, a protection that applies to criminal law but not to administrative laws like those investigated by the CRTC. It’s like a ticket given by a policeman to you on the side of the road: you’re guilty and required to pay unless you can prove your innocence or that a mistake was made. Unlike this situation, often resolved in municipal courts with reasonable expenditures and delays, challenges to CASL are long and costly.