July 1st, 2016 marked the second year anniversary of the Canadian Anti-Spam legislation. With only one year remaining of the 3-year transition period, the clock is ticking on when consumers will have the right of private action for CASL violations. Based on this timing, we have sourced a professional opinion on CASL. Here is the exclusive Q&A with CASL expert Fazila Nurani, to get her take on the current status and potential future of the Canadian Anti-Spam Legislation for Canadian business.
Interview with CASL Expert Fazila Nurani
The Status and Potential Future of CASL: An Interview with Fazila Nurani – Privacy lawyer and CASL expert
Fazila Nurani is one of Canada’s top privacy and information security lawyers, and the founder of PRIVATECH – a privacy compliance and solutions company. She has extensive experience working in both public and private sectors as a consultant and CASL expert, and has offered great insight about the current state of the anti-spam legislation leading up to, and beyond, the end of the transitional period.
For Canadian businesses, has the transition to CASL compliance been a smooth one?
I would say that it has definitely been a rocky one. Primarily because there’s been so much confusion as how to approach the legislation around the consent issue. That’s really the big challenge; not knowing whether to change practices or continue as is. Should we go for the express consent route or can we rely on implied consent or understand the multitude of exceptions to the consent rule? It’s been rocky because there’s just been so much confusion about the “best approach”. This uncertainty and lack of confidence speaks to the fact that this legislation is complex.
In your opinion, how would you rate businesses on their efforts of implementing CASL rules and requirements? Do you believe many (or some) businesses are still at risk?
They are. Though there have only been a handful of fines under the legislation, there is so much more activity happening than a lot of businesses realize as it is not made public. For example, notices to produce documentation are regularly issued by the CRTC but not made public. While the major violations have received media attention, warning letters that CRTC sends to organizations are not public. People think that everything has quieted now with respect to CASL enforcement, but really, it’s just that the public decisions that have subsided.
I also think many believe that this law applies to businesses which solely exist to spam – the bad guys, but clearly based on how CRTC is interpreting the legislation, that is not the case. Organizations that have received warning letters and complaints from the CRTC have been told about their problematic practices that must be corrected in order to avoid penalties.
When it comes to CASL and Privacy legislation, can you identify the biggest challenges that businesses are facing today?
The biggest challenge from my perspective is the lack of a consistent approach across the organization. This is primarily because there is no CASL compliance framework or program in place.
Just as an example, I was recently working with an insurance company comprising of remote and independent insurance agents. They all have their own lists and engage in their own marketing efforts. There is no consistency from the organization and because of that, CASL compliance becomes very challenging. That is a big issue – not having that consistent framework across the organization.
As a CASL expert, what is one piece of advice you would want to give to Canadian companies in regards to CASL rules and processes?
CASL is still being perceived as only the marketer’s issue; that it’s up to the marketing folks to figure it out, make sure they understand it and comply. But by putting full responsibility on the marketing team, you are not capturing all CEMs that are sent out. Remember, the definition of a CEM is very broad.
So my biggest piece of advice would be to not think of CASL as a marketing issue. It is certainly an issue for everyone in the business because they are likely sending out CEMs, even if some groups may not think of their messages as promotional.
Why do you think CASL and Privacy legislation get a bad rap from businesses?
Many pieces of legislation that are more compliance based are thought of as barriers to business operations – they seem to get in the way of business. Compliance requires more effort, additional processes, and sometimes, additional expense.
But you have to remember that when it does
What is a common complaint from your clients regarding the CASL legislation that you consistently address?
The one that I hear mostly from compliance officers, who are actually well educated about the legislation, is “why does this have to be so complicated?”.
Why are there so many provisions that appear to contradict one another? Or why is there an overlap on certain aspects of the legislation?
What potential outcomes and events do you see occurring regarding CASL enforcement when July 1st, 2017 comes around?
There’s going to be another scramble. Though it may be a while before there is a class action type threat with respect to the consumer private right of action.
Many organizations have been waiting through the three-year transition period for implied consent to end. As we approach July 2017, organizational efforts will likely be focusing on cleaning company databases. There will be a drop in customer lists when the implied consent expiration is accounted for.
Do you have any insight or thoughts on what Canadian businesses might expect in the future of privacy and CASL laws?
For one thing, the CRTC has made it very clear that they will release more guidance documents.
It’s hard to say if there will be any public decisions for violations because what that would mean is that an organization is not taking the concern seriously or was ignoring the warning letters. I think we will see less of those because businesses are realizing that this can really cost them. They are not taking CASL lightly anymore.