Financial services firms are among the many organizations falling behind on efforts to comply with Canada’s anti-spam legislation (CASL), as many have yet to grasp the law’s full implications, according to a new report from law firm Fasken Martineau DuMoulin LLP and the Direct Marketing Association of Canada, both based in Toronto.

The report was based on a survey of a broad cross-section of industries, including 21% from the financial services sector, which represented the largest industry group polled. Participation was limited to those familiar with CASL.

However, almost three years since CASL was introduced, many organizations lack the proper measures to avoid running afoul of the Canadian Radio-television and Telecommunications Commission’s (CRTC) rules around sending unsolicited communications electronically, the report finds.

Specifically, of the more than 200 participants polled, 23% are still unfamiliar with how to secure “express consent.” Under CASL, there has to be some sort of “opt-in mechanism,” such as a box to tick off, agreeing to the receipt of an e-newsletter, for example.

Moreover, the report finds that about 64% of those surveyed didn’t understand that a functioning “unsubscribe” button is insufficient ground for consent, while another 63% weren’t unaware that the CRTC can impose fines for those who run afoul of the rules. (Penalties can set CASL violators that operate as businesses back by as much as $10 million.)

The report arrives in anticipation of CASL’s “private right of action” measure, which will take effect July 1. This provision makes it possible for individuals who lodge established complaints to receive compensation; statutory damages could amount to $200 for each infraction.

Confusion over what CASL entails and the resulting deficiencies, the report notes, may partly be attributed to organizations’ “mistaken belief” that it’s modelled after the U.S.’ CAN-SPAM Act, which came into force in 2004. For example, unlike the U.S.’s spam legislation, which is limited to emails, CASL covers all electronic correspondences.

Still, few organizations have made efforts to write up a formal policy, much less require its staff to “undergo CASL training” or conduct audits, with 60% saying that their organizations don’t do compliance reviews.

“Some organizations have a lot of work to do,” says Andrew Nunes, partner and vice chair of the technology law group at Fasken Martineau, in a statement. “It could end up being very costly if they do not take adequate steps to satisfy CASL’s requirements and implement a compliance program.”

To bridge the gap, the report suggests, organizations also need to set up a “detailed record-keeping system” to keep track of all the necessary requirements so they have a trail of documents to draw on if their compliance is called into question.

Photo copyright: zerbor/123RF