Ensuring Online Signature Lawfulness for Paid-Time-Off Policy in Canada

How to eSign a document: online signature lawfulness for Paid-Time-Off Policy in Canada

hi my name is david fraser i'm an internet technology and privacy lawyer with the firm mcginnis cooper in halifax canada in today's video i intend to provide an overview at a relatively high level but digging into some of the details of canada's notorious anti-spam law i'm going to focus on the rules for commercial electronic messages now the usual disclaimer is going to apply this is intended to be informational and educational and for information only this should not be taken as legal advice this is a complicated area of the law where things change and there are differing interpretations of some of the different provisions of this statute i'm going to talk about general rules but many of these have exceptions that could apply in some cases but not all so if you have any specific legal questions or any questions about any of the subjects touched on in this video you should really seek out advice from a qualified lawyer who practices in this area and i should also emphasize that the opinions that i'm going to express are mine and mine alone and should not be attributed to my law firm or any of its clients and of course since we're talking about canada's anti-spam law this this information is only applicable to canada so in this video i'm going to go through a bit of the background of the legislation where it came from what time it emerged from i'm going to talk about the act itself and its regulations how it's structured i'm going to go over some key definitions and key concepts and then i'm going to talk about the general rules that are applicable for sending commercial electronic messages in canada talk about the forms of consent that are applicable under this legislation talk about how to obtain consent in a lawful manner talk about how the legislation is enforced and i'm going to recap at the end with the maybe some best practices it's always worthwhile asking what the legislation is intended to address and we often think of the sort of things that you would find in your spam folder fraudulent emails generic erectile dysfunction drugs marriage scams inheritance scams all those sorts of things and certainly that is captured within this legislation but many people are surprised to discover what is also captured so this shows a picture of my son who a number of years ago started a lemonade stand selling lemonade and cookies in order to raise money for the leukemia and lymphoma foundation his cousin was suffering from that disease at that time and what he wanted to do was send an email to all of our neighbors letting them know that he was having this lemonade stand as a fundraiser for the for the foundation and many people would be surprised to discover that that would be considered spam it would be illegal for him to send those messages to members of our neighborhood and so it really serves as a good illustration of the over breadth at least in my view of this legislation it it goes too far in a lot of ways so let's talk a bit about the background to the legislation so until it came into effect in 2014 canada did not have any specific anti-spam law there is no law that was specifically designed to address unsolicited commercial electronic communications we have privacy laws that regulate the collection use and disclosure of personal information including email addresses we have the criminal code which deals with fraud deals with impersonation something that you'll often find in your spam folder we have a competition law that deals with misleading advertising but in fact very few of these were actually used but by the time 2014 rolled around we were one of the very few countries left in the oecd that did not have a specific law intended to address spam so how do we get here so in 20 2004 the government of canada established a spam task force and this was a group of experts very well respected experts in in their fields who in the course of a year put together a report so it was established in may 2004 they reported in may 2005 which is very quick for a task force report to be put together but in my view the legislation which is based on this task force report really addresses spam as it existed 10 years ago the environment is different the technology to identify and sequester spam and to filter it and to eliminate it is very different from what it was in two thousand four it's a different problem problem uh and really the legislation in 2014 addresses the issue as it existed in 2004 and it's always worth asking did we really need it in my view the answer is no we didn't need it but the reason why we did have it was because the existing laws were actually not being enforced at all by the organizations that were in charge so for example the personal information protection and electronic documents act of canada which regulates the collection use and disclosure of personal information in the course of commercial activity including email addresses and how they're used is regulated by the privacy commissioner of canada or at least enforced by the privacy commissioner of canada and only one or two cases that i can think of actually dealt with unsolicited commercial electronic messages the criminal code also addresses fraud impersonation misrepresentation but i'm not familiar with any circumstance in which a police agency or a law enforcement agency in canada actually did anything with respect to fraudulent email communications likewise we have a competition act and we had in 2014 a competition act that deals with unfair trade practices deceptive trade practices deceptive marketing uh but again i'm not familiar with the competition bureau of canada ever actually having done anything in the area of deceptive commercial electronic messages so in my view the existing laws that were on the books that could have gone a long way towards tackling the problem were rarely enforced and rarely used so what we ended up with was something that's often called canada's anti-spam law now here's the long title of it i don't know why they did not come up with a snappy uh short version but everybody just calls it canada's anti-spam law or castle for short and castle has an interesting regulatory scheme so we have the statute itself and two regulations and two different kinds of regulations and all three of these have to be read and have to be read carefully in order to understand the legislation certainly i had many clients in 2014 smart people smart business people very savvy who took the statute took the regulations took a weekend to read them and try to understand them and really weren't able to make heads or tales of the rules it's a really opaque statute and it's hard to figure out exactly what it's intended to dress and exactly how it's intended to work hopefully this uh presentation will simplify that to a certain degree so we have the governor and council regulations and what those do is they exempt certain messages and categories of messages from the scheme they also deal with how to get consent on behalf of somebody else and also includes the list of foreign states that i'll talk about later it's a very important list and the crtc also has its own regulations and the crtc regulations set out what has to be in commercial electronic messages and how you obtain consent now both of those topics are ones that i will be digging into uh in this video so what does the act cover that covers a number of activities only one of which i'm going to touch on in this video commercial electronic messages what people often think of as being spam but the legislation also deals with the installation of software spyware rootkits and things like that and also the alteration of transmission data related to electronic communications but as i said i'm going to talk about spam now before i do that i'm going to have to tell you that you need to forget everything you know about spam you need to forget everything you know about express consent everything you know about implied consent everything you know about what is a commercial activity and you might as well throw out some common sense while you're at it this legislation deals with commercial electronic messages all commercial electronic messages not just what you and i would consider to be spam this legislation also deals with express consent and implied consent in its own peculiar way that you really need to recalibrate your thinking about expressed consent and applied consent particularly if you have any experience in the privacy arena where you walked into this environment with a pretty good understanding of what expressed consent and implied consent mean for privacy they mean something very different they're defined very differently in in a very prescriptive sort of manner in this legislation and there's also a different definition of commercial activity different from what we have in the personal information protection and electronic documents act and you know suspend your disbelief when it comes to common sense uh because there are some issues in this legislation that are a little bit mind-bending so what are the key rules so the key rule kind of rule number one is you cannot send a commercial electronic message to anyone unless you have their consent and that consent can be expressed or implied as defined in the legislation or unless there is an exception to the consent rule the second key rule is that every single commercial electronic message must contain prescribed information and an unsubscribe mechanism unless it fits within an exemption so let's look at some key definitions i'm not going to read this whole slide but commercial activity is defined in the legislation and is defined in a way that's slightly different from the way that we've seen it in the personal information protection and electronic documents act so it doesn't matter whether somebody intends as a profit making venture or otherwise a very broad range of activities are considered to be commercial commercial activities and it exempts a whole bunch of activities that really would not be commercial at all like law enforcement and things like that not sure why they came up with such a convoluted definition but they certainly want to capture as much business activity or not-for-profit activity as they possibly could another key definition is electronic message which is defined as a message sent by any means of telecommunication including a text sound voice or image message it's pretty clear that this captures email communications it captures text messages but it also captures instant messages whatsapp facebook messages twitter dms all of those would be electronic messages that are captured within the purview of this statute we also have a definition for an electronic address which is a broad definition it means an address used in connection with the transmission of an electronic message to an electronic mail account an instant messaging account a telephone account or any similar account so a broad definition email addresses phone numbers twitter handles all the things would be considered to be electronic addresses if you can send an electronic message to them so here's a key definition i've already used the term commercial electronic message a bunch of times in this video and this is absolutely essential for understanding what is in and what is out of the purview of at least the anti-spam provisions in the legislation so i'm going to read this a commercial electronic message is an electronic message that having regard to the content of the message the hyperlinks in the message to content on a website or other database or the contact information contained in the message it would be reasonable to conclude it has has its purpose or only as one of its purposes to encourage participation in a commercial activity then it goes on and deems certain things to be commercial electronic messages which would be electronic messages that offer to purchase sell barter or lease products good services land or an interest or right in land paragraph b says an electronic message that offers to provide a business investment or gaming opportunity it's pretty straightforward so far paragraph c says an electronic message that advertises or promotes any of those things okay that makes sense paragraph d is particularly problematic though because this would be a commercial electronic message if it's an electronic message that promotes a person including the public image of a person as being a person who does any of those foregoing things any of those things listed in a b or c and why this is weird and why this is problematic is that most business people when they send an email from their business account there's a signature that's appended so for example if you get an email from me it's gonna say david fraser partner mcginnis cooper it's gonna have the firm logo embedded in it and it's gonna have my contact information now that's the same information that's on my business card is that information that promotes me as an individual who provides legal services does it promote my firm as a firm that provides legal services does the fact that that signature is appended on an email message regardless of the purpose of the message that turns it into a commercial electronic message it could be i'm not sure why they would include this particular paragraph in here unless that was what they were were in fact trying to capture now with those key definitions here we get into an elaboration of the main rules so this is the consent rule you'll recall that i said you cannot send a commercial electronic message to a recipient unless you have the consent of the recipient either expressed or implied here's where it's expressed in the statute section 6 sub 1 says no person shall send or cause or permit to be sent to an electronic address a commercial electronic message unless the person to whom the message is set has consented to receiving it whether the consent is expressed or implied so let's pause here for one moment it's not just the sending of a message if you permit such a message to be sent you could be in contravention of this legislation where the line is certainly the operator of an email service or a telecommunications company is specifically exempted elsewhere in the legislation from this but if you're a marketing manager if you're a ceo and you permit such a message to be sent there is directors and officers liability in this and permitting something to be sent is a pretty low threshold so you have to have consent under paragraph a there express or implied and then paragraph b says the message has to comply with subsection two and that's what i call the content rule so consent under the consent rule the content of the message is under the content rule and what the content rule says is the message must be in a form that conforms with the prescribed requirements so prescribed means set out in the regulations and must set up prescribed information that identifies the person who sent the message and the person if different on whose behalf it is sent paragraph b says it has to set out information enabling the person to whom the message is sent to readily contact one of the persons referred to in paragraph a presumably to let them know you no longer want to receive commercial electronic messages from them and paragraph c says it has to include an unsubscribe mechanism in ance with section 11 sub 1. so we have the consent rule we have the content rule some forms of messages are exempt from one or other or both so certain categories of messages are exempt from the consent and the content rules so you don't have to worry about whether you have consent and you don't have to include the prescribed information in the message so this would be an inquiry related to the recipient's business this is a bit of a no-brainer this would be me sending an email to a company asking them about their services i'm trying to buy their services i'm not trying to sell services to them so if i were to let's say email a car dealer and ask them what's the price on this particular model i don't have to have their consent to send it and i don't have to include my contact information my full contact information and an unsubscribe mechanism why that even needs to be said i don't know here's a weird one though between a sender and a recipient who have a qualifying personal or family relationship and it note qualifying so the legislation and its regulations set out what is a qualifying personal or family relationship that would allow you to send a a message to that family member free of government regulation and really when you read those rules and i'm not going to dig into them but when you read those rules it really doesn't necessarily align with how many people's personal lives or their family lines lives are arranged it also specifically excludes two-way interactive voice communications i assume that's telemarketing and that's dealt with under other canadian regulations it excludes fax communications and also voice recording sent to a phone account which a number of marketing companies that i've heard of will kind of drop a voicemail message in your voicemail account without your phone ever having rung which is extremely annoying why this form of marketing communications is excluded when other forms are not is beyond me we also have certain categories of messages that are exempt from the consent rule but not the content rule so these would be commercial electronic messages that you can send without the recipient's consent but you still have to identify the sender you still have to include a readily performed unsubscribe mechanism which is a little bit bonkers in my view so for example i talked about emailing a car dealership asking for information about a particular model so they can reply to that message without my consent although common sense would say they should have my implied consent to reply to my message and they can send me that quota estimate but they have to identify who they are and they have to provide an unsubscribe mechanism and unsubscribe from what i've emailed them asking for information i didn't sign up for their mailing list there's nothing that i have signed on to but it has to include a readily performed unsubscribe mechanism and maybe maybe that's because there is implied consent to send commercial electronic messages to somebody who has asked for a quote for a period of six months and this is to proactively allow me to say hey i don't want any of your your commercial electronic messages but there are also emails that facilitate complete or confirm a transaction so that would be you order a product from an e-commerce vendor and they send you your receipt and in fact by law they have to send you that information under canadian consumer protection legislation but they have to provide an unsubscribe mechanism which unsubscribe from what information about a warranty issue or recall again what am i unsubscribing from i'm getting a notification related to my warranty or related to a recall and factual information about a transaction membership so this could be your receipt but it could also be the email from your health club telling you that your membership is about to expire next month or is about to automatically renew not the sort of thing that i would even think of as being commercial electronic messages necessarily but they do have to identify themselves and provide an unsubscribe mechanism there are also certain messages that are exempt from both the consent and the content rules and this would be email messages that are from employee to employee within the same organization but as long as they're about the organization's activities certainly i know of some clients who have stopped permitting employees to use internal mailing lists for announcements related to let's say hockey club fundraisers and things like that because they were concerned that those would be commercial electronic messages that the organization had permitted to be sent which frankly should be categorically excluded from the legislation in the first place also exempted our employee to employee communications where you have an employee in one organization emailing an employee of another organization if those two organizations have a relationship and the commercial electronic message is relevant to the recipient organization's activities i'm not sure exactly what this is intended to do because we have this legislation definitions for business relationships non-business relationships but nowhere is relationship defined and frankly two entities organizations are always going to have a relationship in time and space but what is this intended to mean presumably it means where the two organizations have been doing business from time to time uh that an employee of one organization can email an employee of the other organization where it's for business purposes there's an exemption related to in response to a request inquiry or complaint and i'm not sure how that is different from a request for a quote but there you have it some messages enclosed messaging system so this would be signed into your online banking system and you get a notification from your bank or a message from your bank that would be excluded from these rules and also registered charities or political parties when they do fundraising now charities and political parties are elsewhere regulated in these rules but they can send you requests for money without your consent and without identifying themselves where they have to identify themselves in other circumstances and also i find myself wondering whether political parties and registered charities are really engaged in commercial activity when they're doing any of their core functions but at the end of the day consent is key the reality is you have to have consent to send a commercial electronic message unless one of those exemptions applies and importantly the onus is on the sender to be able to prove consent for every single message and we're not just talking about bulk email or bulk sms this applies to single messages and bulk messages equally and also implied consent is not at all what you think it is implied consent is set out in the legislation it exists only if there is an existing business relationship between the sender and the recipient or an existing non-business relationship between the sender and the recipient and i'll talk about what those are in just a moment there's also implied consent where somebody has published or conspicuously disclosed their electronic address and in doing so didn't say i do not want to receive commercial electronic but only if the commercial electronic message is relevant to the recipient's business role so what does that mean what's that getting at so if you go to my law firm's website and you look at my profile it will include my email address my email address is conspicuously published on my firm's website it does not say you cannot send me commercial electronic messages so somebody who wants to reach me and wants to send me a commercial electronic message that's relevant to my occupation as a technology internet and privacy lawyer has implied consent to do so but again it has to be relevant to my business role or the recipient's business role so for example law firms buy a lot of photocopier paper uh i'm not the guy who makes that decision so if you send me information about photocopier paper i don't think it fits within that exception but let's say if our office manager if if their email address was conspicuously published on our website then you probably could it also applies in the circumstances related to giving somebody a business card probably dropping a business card in a in a in a fishbowl uh at a uh at a trade show where it's clear that they're going to contact you subsequently with information about their products and services but again do you really know whether or not the message you're sending is really relevant to the recipient's business function so but what all of this means is businesses have to be extremely diligent in maintaining databases about their databases you need to have metadata under what circumstance did you receive this email address and also in order for the existing business relationship to be triggered there's a clock on it it runs out and it's not implied consent in the way that we ordinarily think of it it's rooted in these other concepts so an existing business relationship relates to a transaction with the recipient in the past two years if it's been more than two years since you had a transaction with that person you no longer have an existing business relationship that equals implied consent but there are other triggers as well for example the acceptance of an opportunity within the past two years that'd be a business opportunity a gaming opportunity an investment opportunity a bartering transaction within the last two years there's also related to if there is a written contract in force or expired within the last two years now this could include for example agreement to terms of service or terms of use on a website an electronic contract is a contract in writing for the purposes of canadian law and so there may be implied consent to send commercial electronic messages to people who are members of your service or who have signed up or have an active account on your service but i would be mindful of whether or not they've been active in the previous two years there's also implied consent where there's been an inquiry or an application in the past six months so somebody reaches out to a business asking for information about their products or services that business has now implied consent to send commercial electronic messages to that individual for a period of two years or sorry for a period of six months it should be noted that this existing business relationship passes to a purchaser of the business so if somebody comes along and buys that business that existing business relationship continues now it expires at the same time that it would otherwise if the purchase hadn't taken place so those are existing business relationships we also have a concept of an existing non-business relationship and so this would be for example a donation to a registered charity in the last two years volunteering with a charity or volunteering with a political party in the past two years a member of a club association etc in the last two years and there are some particular definitions in the in the regulations so if somebody is a member of a club or an association and that could be a not-for-profit i'm not sure why it would be a commercial activity if they're an active member you can send them commercial electronic messages with implied consent now implied consent they can opt out of and they can cancel and they can veto it at any time express consent is another concept that's really different from what at least privacy lawyers have gotten used to over the last 20 years express consent has to be obtained in the prescribed manner and there are essentially kind of magic words that have to be used at the time of obtaining express consent you have to disclose the purpose for which you are getting consent that can be done orally or in writing preferably in writing because you do have to prove the consent that you got if the crtc comes knocking on your door it has to include identity and contact information who will be the sender and what's their contact information and a consent withdrawal statement and an email or an sms to somebody asking them if they want to receive emails or sms messages is deemed itself to be a commercial electronic message so you can't obtain consent that way so essentially if you're looking for consent you need to say hey would you like to receive marketing materials or commercial electronic messages from mcginnish cooper and then have to include the contact information and have to say you can unsubscribe at any time this express consent has to be opt in and it can't be bundled with anything else and it cannot be pre-selected so for example uh what's shown on the screen here would be acceptable if the individual toggles that checkbox themselves rather than if it is pre-checked then it is not a valid consent as far as the regulator is concerned now you can have subscriptions and express consent where the individual opt-in is by the person providing their electronic address and hitting subscribe or agree or something else like that as long as it's not bundled with anything else so the entering of the electronic address and clicking submit is their opt-in so that is consent so let's talk about what has to be in commercial electronic messages so commercial electronic messages must contain the name of the sender or the person on whose behalf the commercial electronic message is sent and it has to include the mailing address and telephone number email address or website url of the sender or the person on whose behalf the commercial electronic message is sent and it also has to include a readily performed unsubscribe mechanism now the unsubscribe mechanism must allow the recipient to indicate at no cost to themselves that they do not wish to receive commercial electronic messages usually this has to be through the same channel of communication that the commercial electronic message was received so replying to the email saying unsubscribe or replying to a text message with the word stop or it can be through other means if the first means are not practicable in most cases i think a clicking a link to unsubscribe has been seen to be adequate although it does not necessarily go through the same channel of communications the electronic address or web page for unsubscribing has to remain valid for 60 days following the sending of the commercial electronic message to which it relates and you must give it effect to the unsubscribe request without undue delay but no later than 10 days so within the content rule also so here's an example of what would be an adequate information in the footer of a commercial electronic message this message was sent by acme co 123 main street anytown ontario h0h1h0 info acmeco.ca assuming that whoever answers or opens that email inbox can deal with unsubscribes and a click here to unsubscribe it's worth noting that it really should be a one-click procedure maybe a two-click you click on the click here to unsubscribe and you click to confirm putting through uh putting somebody through a whole rigmarole having them sign into an account or something else like that or even create an account would likely be significantly offside as it would be found to be not readily performed so there are some cross-border considerations that come into play so castle is an example of a long-arm statute it is deemed to apply to any commercial electronic message where a computer system located in canada is used to send or access the electronic message now that's absurd in some ways because where servers are located can be entirely independent of the what has a real and substantial connection to any particular transaction or any particular legal act very few people understand or know where their servers are that they're using if they're using a web-based email service and also if you send an email to me it goes to a large email service provider to whom we my firm has contracted out its email service then it ends up on my laptop or on my smartphone and does that intend to capture every computer that is involved in the using for sending or for accessing the electronic message certainly i access it on my smartphone or i access it on my laptop but it it's a pretty broad definition and it obviously kind of obviously captures a commercial electronic message that's sent from within canada to some place outside of canada but and this is important so much e-commerce and internet-related business is international the consent in the content rules will not apply if the sender reasonably believes that the recipient of that message is located in one of the countries listed in the regulations and that message complies with the anti-spam rules of that destination country so there is a little bit of a safe harbor if you're operating in canada for example and you're sending a message to somebody that you know is in the united states and you know that your message complies with canned spam then you're on side and you don't have to worry about castle likewise if you're sending a message to a recipient who you know is in europe and you know you're complying with the european regulations then you don't have to sweat castle so much so what about enforcement of this act well enforcement is in the hands of the crtc the crtc is a long-standing organization or agency as part of the canadian federal government uh it has regulated telecommunications and broadcasting for quite some time but this is a new venture for them where they are moving into a very broad area of enforcement and this legislation is a regulatory scheme that is intended to take all the stuff outside of the criminal law now there are some criminal offenses that are contained in the legislation and criminal powers that could be triggered but by and large it's a regulatory scheme that involves something called administrative monetary penalties and administrative monetary penalties are equivalent to fines but are structured in such a way that the person who's at the receiving end of that is not entitled to due process and procedural fairness in the same way that they would in a criminal uh prosecution so for example instead of proof beyond a reasonable doubt it's all on a balance of probabilities a crtc enforcement person essentially carries out an investigation and they have extremely broad investigative powers and then they write you a ticket and that ticket includes a penalty and you can pay that penalty or you can challenge it you can challenge the underlying facts and you can challenge the penalty itself and these penalties are intended to not be a punishment if they were punishment then this would be criminal law but are intended to ensure compliance to de-incentivize mischief now the penalties sound pretty significant to me for an individual the maximum penalty is 1 million dollars and for a corporation it's 10 million dollars there are a range of factors that are supposed to be considered in determining what penalty is appropriate it also includes the ability of the uh wrongdoer to pay the fine and the impact or i guess the administrative monetary penalty and the impact on their business but most importantly it's largely to remove incentives to misbehavior there are a whole bunch of complicated uh procedural things that can go on in in connection with an investigation in the imposition of penalties an offender can give an undertaking that halts the enforcement it ultimately is very similar to a u.s consent decree where you promise to be on your best behavior and do certain things for a period of time and as i said the initial finding penalty can be reviewed by the full commission so in my experience the crtc itself is frustratingly opaque and efficient we don't have a whole lot of information about how many investigations they've carried out what has triggered those investigations they have released a number of published findings or a number of published at least press releases to announce penalties that they've imposed on various organizations most of those publicly disclosed enforcement actions are against reputable canadian businesses i don't think they've ever gone after a african prince for example or an inheritance scammer or anybody who's selling counterfeit generic drugs but they have gone after reputable canadian businesses and very large number of them don't have to do with consent but have to do with technical problems with the unsubscribe mechanism or something else like that we don't know exactly what they what their priorities are how they determine what companies to go after we actually don't know how many companies they've gone after altogether it's also important to know that officers and directors can be penalized in fact have been penalized i flagged that as an issue earlier about permitting messages to be sent there is a due diligence defense that they can be used but it's only applicable where you've really made heroic and herculean efforts to make sure that a contravention would not take place the legislation one of the things that really got a whole lot of people's attention in 2014 was that it included a private right of action and this was supposed to come into effect on july 1 2017 and it's been put on hold um wisely so because in it an individual could have sued for actual damages and a maximum two hundred dollars per contravention not exceeding a million dollars per day for commercial electronic messages there's a list of factors that could be considered in determining statutory damages and certainly no one individual was likely to go and file a lawsuit to get their 200 the concern was that we would end up with a significant number of class action lawsuits in response to probably good faith mistakes made by businesses it frankly i would be in favor of a private right of action to corporations having to deal with the masses of spam and the costs associated with that if i were an internet email service provider probably 80 percent of my bandwidth is going towards transporting spam and if i could use a private right of action to go after the spam kings or the organizations that are responsible for large portions of that that would probably do a lot to disincentivize this ending of spam but in any event it was suspended in 2017 and it's not likely to come back into play so here's a little bit of a summary so this is entirely based on consent if you have a commercial electronic message that you want to send to a to an electronic address to a recipient you have to have the consent expressed or implied of the recipient unless an exception applies this law applies regardless of the volume of the communications this applies to a single message and it involves it also applies to a million messages so even a very personalized message related to sending it to somebody who you think might be interested in receiving it you still have to check all the boxes of the legislation in order for it to be lawful organizations really should have policies and procedures related to their electronic communications when the crtc commences an investigation they have a pretty long list of information that they're looking for and among that will be all of your policies and procedures related to electronic communications if you don't have that that's probably going to lead to the assumption that you're not very diligent out of the gate when it comes to these sorts of things and that's not how you want to start an investigation so you want to have those policies and they're not just window dressing you need to follow them i mentioned earlier that you need to have a database of information about your databases you need to understand if you're going to rely on implied consent related to existing business relationship when was the last time you transacted with that individual if you got their express consent what did you say to them was that express consent compliant at the time it was sought and obtained when was it obtained your unsubscribe mechanisms have to work perfectly because if they don't that could be significantly problematic and it's also been my experience in working with many many businesses on this that the sales department presents a greater risk than the marketing department marketing departments tend to be full of people who have databases that they have taken very good care of they understand where the data came from in most cases and they're pretty careful about the messages that they send out sales people tend to be a little bit more lone wolf tend to be have a quota that they need to make by the end of a particular month they would have their own list of contacts and the circumstances under which those contacts were collected would be perhaps unknown or unknowable to the business and so simply a riskier sort of proposition so hopefully this has been an interesting educational informative introduction to at least the spam rules in canada's anti-spam law if you have any specific questions well if you have a specific legal issue you want to reach out to a qualified lawyer but if you have any questions please leave them in the comments below and also if you have any suggestions for further videos on this channel please also put those in the comments below thanks so much you