Canada’s Anti-Spam Legislation (CASL) is said to be the most onerous legislation in the world regarding commercial electronic messages and will be coming into effect on July 1, 2014. So are you ready? If you’re not, don’t panic you’re not alone. A recent Deloitte poll found that “only 13% of organizations say they understand CASL requirements and have begun to apply them to their business.” To help you gain a better understanding of CASL I have gathered information from the Government of Canada website and Managing the message: Canada’s new anti-spam laws set a high a report published by Deloitte. By the end of this article I hope you will have a greater understanding of the new law and what steps you should be taking to prepare for it. Let’s get started.
What is CASL?
The official stated goal of the CASL is “an Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities.” In plain terms, the Government of Canada is trying to stop the sending of spam to Canadians by implementing very strict rules around commercial electronic messages (CEMs).
What is a CEM?
A CEM is “any electronic message that encourages participation in a commercial activity, such as an email that contains a coupon or tells customers about a promotion or sale.” To be caught by CASL a CEM must be sent to an electronic address such as an email account, instant messaging account, telephone account or any similar account.
Who is affected?
The law is not just limited to organizatons in Canada. Any firm, whether inside or outside of Canada, sending CEMS to recipients within Canada are affected by CASL. So a company in the US who sends email newsletters to recipients in Canada will be affected by CASL as well.
Consent is at the heart of the CASL. Any Canadian or global organization sending CEMs to recipients within Canada need consent from the recipient to send those messages. This is in contrast to the US CAM-SPAM Act which relies on opt-out consent.
To send a CEM, an organization needs to get express consent either orally or in writing (paper-based or electronic). Also, the contents of the message must include:
- The name of the person or organization seeking consent
- A mailing address and either a phone number, voice message system, email address or website where recipients can access an agent for more information
- A statement identifying the person on whose behalf consent is being sought
- The identity and contact information of any third-party or affiliate used to obtain consent
- A free unsubscribe mechanism that lets recipients electronically opt-out of communications
- The ability to opt-out of all types of communications sent by either your organization or a third-party partner
In limited circumstances consent can be implied. These include:
- If your organization sends a CEM in the context of an existing business or non-business relationship
- If recipients conspicuously publish their electronic contact information without indicating they don’t want to receive communications
- If recipients voluntarily disclose their email contact information to the sender without indicating they don’t want to receive communications
It’s important to note that “implied consent expires in six months if a prospect doesn’t become a client and in two years if an existing client doesn’t buy something new or doesn’t renew their subscription, loan, account or contract.” The rules for implied consent are a bit murky so to be safe it is best to get express consent right away.
You do not need express consent where the CEM is solely intended to:
- Provide a quote or estimate in response to a request
- Facilitate or complete a commercial transaction
- Provide warranty, product recall or safety alerts about a product
- Provide factual information about the ongoing use of an existing product, service or good or an ongoing subscription, membership, account, loan or similar relationship
- Provide information about an employment relationship
- Deliver a product or service (including upgrades)
- CEMs sent between family and friends (related through marriage, common law or any legal parent-child relationship, or if there is a voluntary two-way communication between the individuals)
So what do you need to do before July 1st? Here is what Deloitte recommends you do to prepare:
- Determine if you are sending CEMs
- Identify the channels through which you send CEMs
- Develop a plan to obtain any required consents
- Make sure your CEMs contain the content required by CASL
- Determine how CASL may affect your policies, processes, customer relationship management (CRM) and other IT systems, and staff training and awareness programs
- Revise your policies, processes and systems as required
- Keep an audit trail, since CASL contains a “due diligence” defense
It’s crucial you are prepared for when CASL comes into force as businesses that do not comply will see huge penalties. These include administrative monetary penalties of up to $10 million for corporations and $1 million for individuals. For more information please visit the Government of Canada website or check out the full Deloitte report.