The Canadian Radio-television and Telecommunications Commission (CRTC) enforces Canada's Anti-Spam Legislation (CASL) through a graduated enforcement approach that ranges from warning letters to Administrative Monetary Penalties of up to $10 million per violation. This guide explains what triggers an investigation, what auditors look for, and how to prepare your documentation so your organization is ready if the CRTC comes calling.
What Triggers a CRTC Investigation
The CRTC's Spam Reporting Centre received over 208,000 complaints in a single 6-month period (October 2024 to March 2025), with 39% relating to SMS messages. Of all spam complaints, 51% cited lack of consent as the primary issue. In November 2024, the CRTC sent formal warning letters to 25 companies flagged for high complaint volumes β a clear signal that enforcement action may follow.
Investigations are typically triggered by one or more of the following:
- Consumer complaints β The Spam Reporting Centre aggregates complaints by sender. A spike in complaints about your phone number or organization raises your enforcement profile.
- High complaint volume β Even a small number of complaints relative to your message volume can trigger scrutiny if the complaints are consistent and specific.
- Carrier or ISP referrals β Canadian carriers flag numbers with high opt-out rates or spam filtering triggers and may refer them to the CRTC.
- Competitor complaints β Businesses can and do file CASL complaints against competitors engaging in non-compliant messaging.
- Proactive CRTC monitoring β The CRTC enforcement team conducts its own monitoring of messaging activity across carriers.
- Cross-border intelligence β The CRTC shares information with the FTC, FCC, and international regulatory partners.
What Auditors Look For
When the CRTC investigates an organization, their examination is thorough and documentation-intensive. Auditors focus on the following areas:
Consent Documentation
Proof that express or implied consent was obtained before each message was sent. Auditors review the who, when, how, and why of every consent record.
Unsubscribe Mechanisms
That opt-out mechanisms are functional, free to use, and easy to access. The CRTC will test your unsubscribe keywords and verify that they work as expected.
Opt-Out Processing Times
That requests are honored within the 10-business-day maximum. Auditors compare the date of opt-out requests against subsequent message logs to verify no messages were sent after the processing window.
Sender Identification
That messages properly identify the sender, include contact information (mailing address plus phone or email), and identify on whose behalf the message is sent if applicable.
Record-Keeping Practices
That consent records are organized, complete, and promptly retrievable. Auditors expect structured data exports, not ad hoc searches through email archives.
Internal Compliance Policies
Written CASL compliance policies, staff training records, and evidence that the organization has designated an individual responsible for compliance.
Third-Party Agreements
Contracts with service providers, lead generators, and messaging platforms that require CASL compliance. If a third party obtains consent on your behalf, you must have documentation proving the consent was validly obtained.
Required Documentation Checklist
Have the following documents organized and readily exportable before you receive a notice from the CRTC. Once a preservation demand is issued, you are legally required to retain all relevant records β organizing them in advance saves critical time.
| Document Category | Specific Items Required |
|---|---|
| Consent Records | Complete consent database with timestamps, methods, sources, and IP addresses for every contact |
| Consent Collection Forms | Copies of all web forms, paper forms, scripts, and opt-in pages used to collect consent (current and historical versions) |
| Opt-Out Logs | Full history of every opt-out request: date received, method used, date processed, confirmation sent |
| Message Logs | Complete message history including sender, recipient, content, timestamp, and delivery status |
| Message Templates | All message templates used, including sender identification and unsubscribe instructions |
| Compliance Policies | Written CASL compliance policy document, approved by management, with revision history |
| Training Records | Evidence of staff training on CASL requirements: dates, attendees, materials used |
| Third-Party Agreements | Contracts with messaging platforms, lead generators, and data processors that address CASL obligations |
| Compliance Audit Records | Records of periodic internal compliance reviews, findings, and corrective actions taken |
| Suppression Lists | Current suppression/DNC list with full management history showing how opted-out contacts are excluded |
Sample Consent Record Format
The CRTC expects consent records to be structured, complete, and immediately retrievable. Below is a recommended format that satisfies the CRTC's 2016 Enforcement Advisory on consent record-keeping:
| Field | Example Value | Purpose |
|---|---|---|
| Contact ID | cnt_4k8m2n9x | Unique identifier for the contact |
| Phone / Email | +14165551234 | The channel consent was given for |
| Consent Type | Express | Express or Implied (with subtype) |
| Consent Date | 2025-09-14T14:32:00Z | When consent was obtained (ISO 8601) |
| Consent Source | Web form β alertbolt.com/subscribe | How consent was collected |
| Consent Purpose | Marketing SMS β product updates | Why consent was obtained |
| IP Address | 203.0.113.42 | Corroborating evidence of digital opt-in |
| Opt-Out Date | 2026-01-08T09:15:00Z | When the contact opted out (if applicable) |
| Opt-Out Method | SMS keyword β STOP | How the opt-out was received |
| Last Message Sent | 2025-12-20T11:00:00Z | Date of last CEM sent to this contact |
For implied consent records, include an additional βConsent Expiry Dateβ field calculated as 24 months from the last transaction or 6 months from the inquiry date, depending on the type of implied consent.
Recent CRTC Enforcement Actions
The following table summarizes notable CRTC enforcement actions under CASL. These cases illustrate the range of violations and penalties that Canadian organizations face:
| Year | Entity | Violation | Penalty |
|---|---|---|---|
| 2015 | Compu-Finder | Sending commercial electronic messages without consent and failing to include a functional unsubscribe mechanism. This was the first Notice of Violation ever issued under CASL. | Initially $1.1M, reduced to $200,000 on review |
| 2017 | William Rapanos | Sending over 500,000 unsolicited commercial electronic messages | $15,000 |
| 2020 | Sam Medouni (Quebec) | Sending 31,000+ phishing text messages from 6 fraudulently obtained phone numbers. A significant case because it targeted SMS specifically and demonstrated the CRTC's willingness to pursue individual actors. | $40,000 |
| 2021 | Brian Brummer | Mass unsolicited email marketing campaigns. Penalty issued against an individual spammer, demonstrating that CASL enforcement extends to individuals, not just corporations. | $75,000 |
| 2024 | Hudson's Bay Company | Sending promotional text messages without adequate consent documentation. A landmark case for legitimate retailers, signaling that even established brands are not immune to enforcement. | $120,000 |
| 2024-2025 | 25 unnamed companies | High complaint volumes associated with their messaging programs. The CRTC issued formal warning letters in November 2024 β often a precursor to enforcement action. | Warning letters (enforcement may follow) |
Cumulative Administrative Monetary Penalties since 2014: over $3.2 million CAD. Additional enforcement tools include undertakings (negotiated compliance agreements that may include monetary payments) and preservation demands.
Investigation Timeline: What to Expect
If your organization is the subject of a CRTC investigation, here is the typical sequence of events:
Complaint Received or Issue Identified
The Spam Reporting Centre receives a complaint, a carrier flags your number, or CRTC monitoring identifies a potential violation.
Preliminary Assessment
The CRTC determines whether the complaint warrants a formal investigation. This may involve an initial review of publicly available information about your messaging practices.
Preservation Demand
If applicable, the CRTC orders your organization to preserve all records relevant to the investigation. Destroying records after a preservation demand is a serious offence.
Notice to Produce (Typically 30 Days)
The CRTC issues a compulsory notice requiring your organization to produce specific records. You are typically given approximately 30 days to gather and submit the requested documentation.
Investigation and Evidence Review
The CRTC gathers evidence, reviews your records, and may conduct interviews. This phase can last several months depending on the complexity of the case.
Decision: Warning, Undertaking, or Notice of Violation
The CRTC may issue a warning letter, negotiate an undertaking (a compliance agreement that may include monetary payments), or issue a formal Notice of Violation with Administrative Monetary Penalties.
Response Period (30 Days)
If a Notice of Violation is issued, the recipient has 30 days to pay the penalty, challenge the findings, or negotiate a resolution. Challenges are heard by a CRTC review panel, with appeal to the Federal Court of Appeal.
How AlertBolt Automates Audit Readiness
AlertBolt is designed to produce the exact documentation the CRTC requires, without manual effort from your compliance team:
Consent Tracking
Every contact record includes timestamped consent with type, source, method, and IP address. Implied consent expiration dates are calculated and enforced automatically.
Automatic Opt-Out Processing
STOP, ARRET, UNSUBSCRIBE, HELP, AIDE, and other standard keywords are processed instantly. Confirmation messages are sent automatically. Contacts are added to the permanent suppression list.
Complete Message Logging
Every message is logged with sender, recipient, content, timestamp, delivery status, and campaign association. Logs are retained for the full recommended retention period.
One-Click Audit Exports
Export your complete consent database, opt-out history, message logs, and suppression list in structured formats (CSV, JSON) ready for CRTC inspection β all from the Compliance Center.
Immutable Audit Trail
Every consent change, opt-out, message send, and administrative action is recorded in an immutable audit log that cannot be altered or deleted β providing the evidence integrity that auditors require.
Sender Identification
Organization name and contact information are included in every message automatically. Templates enforce CASL-compliant identification and unsubscribe instructions by default.
Preparation Is Your Best Defense
Organizations that can produce complete, well-organized compliance records quickly are far more likely to resolve CRTC inquiries at the warning letter or undertaking stage, avoiding formal Notices of Violation and the significant penalties that accompany them. The time to prepare is before you receive a notice β not after.