If you are confused by Canada’s new Anti-Spam law – you are not alone. This Guide was written as an easy way to understand what changes (if any) you need to implement to comply with this new legislation. It was written concisely, in plain English, while still giving you everything you need to make sure you remain compliant.
CASL has taken close to a decade to come to where it is today. It was never meant to stifle business in Canada.
This legislation touches on all aspects of digital communication, including social media, cellphone and email in a “technologically neutral” approach. At its core, CASL is simply a way for Canadians (and those marketing to Canada) to promote e-commerce while reducing the amount of spam, spyware/malware, phishing and identity theft.
- Does CASL apply to me?
- What is a “CEM”?
- What are the requirements of CASL?
- CASL vs CAN SPAM
- How can I prove consent?
- What Should I do to Conform to CASL?
- Penalties and Enforcement
Does CASL apply to me?
This is the first question you must answer yourself and the short answer is:
CASL will be enforced on anyone in Canada and anyone that is sending commercial electronic messages (CEMs) to Canadians.
If you own or operate a business in Canada, or if you have emails on your list ending in “.ca” – chances are pretty good that CASL applies to you. If you own or operate a business outside of Canada and the recipient(s) on your list are NOT in Canada, CASL does not apply. However, you must still adhere to the rules and regulations of the foreign state in which you live. For a complete list of foreign states that currently have Anti-spam legislation, see here : http://kb.cakemail.com/en/deliverability/what.spam.laws.should.i.follow/
If you are not certain the recipients on your list reside in Canada, it is up to you to find out.
The country of origin of your recipients is valuable information, and now it could help you make sure you comply with this new law. If you don’t have it, make sure you send a campaign to get it. IP address geolocation is another useful tool, but don’t rely on it alone: it is not always reliable, as people may be travelling to Canada.
What is a “CEM”?
As defined by the CRTC*, a CEM is any electronic message that “encourages participation in a commercial activity” regardless of whether there is an expectation of profit.
What are the requirements of CASL?
If you are sending commercial electronic messages (CEMs) to anyone in Canada, you need to make sure you have consent to do so (either “Express” or “Implied”).
The sender must be clearly identified and include a valid Postal Address, which must be valid for a minimum of 60 days after the message has been sent.
You must include a working unsubscribe mechanism which will enable the recipient (at no cost) to remove themselves from the list, and this mechanism must stay valid for a minimum of 60 days after the message has been sent. The unsubscribe request must be processed without delay and must be processed within 10 business days. The recipient must not be asked to provide any information other than his email address.
*Canadian Radio-television and Telecommunications Commission
CASL vs CAN SPAM
The biggest difference between CASL and the CAN SPAM Act in the US is that Canada requires “Express” consent. For this reason, the remainder of this guide will focus mainly on making sure you have proper consent.
Note : While sending to purchased or rented lists in the US is not a violation of CAN SPAM, it is a direct violation of CASL and will not be permitted.
What is “Express” consent?
In order for it to be deemed “Express” consent, the individual must take affirmative action to “opt-in” to your list willingly.
You must ask yourself : Did the recipient say “Yes” to receive my CEM?
CONSENT = PERMISSION
What is “Implied” consent?
“Implied” consent is when a relationship exists, but the recipient is added to your list without any affirmative action.
Note : A message sent seeking consent (such as a Confirmation email) is also considered a CEM and must therefore comply with all the requirements of CASL. Most senders will need to acquire “Implied” consent (for example by making a purchase, at a trade show) prior to sending the confirmation email.
How can I prove consent?
Example 1 – Express consent
Someone fills out a form on your website with the intent of being placed on your list. A confirmation email is sent which requires the recipient to click a link in order to confirm that he wishes to be placed on the list. When they click the link, the date/time and IP stamp would be recorded as follows :
- Name : Kevin Huxham
- Email : firstname.lastname@example.org
- SignupDateTime : 2013-04-21 21:16:58.090 EST
- IP : 188.8.131.52
- Host : mx3.mydummyaccount.com
Note : The information above in bold is recorded by default for every confirmed opt-in list with CakeMail and can be provided on request.
The form could also be set up to ask for :
- Address : 4020, St. Ambroise, #301
- City : Montreal
- Prov/State : Quebec
- Country : Canada
- Postal : H4C 2C7
- Phone : 555-555-5555
Example 2 – Express consent
A person gives you their business card at a trade show with the intent of being placed on your list. The problem with this is you need to be able to prove you didn’t pick it up off the floor of the men’s room. Ideally, a confirmation email would be sent at (or shortly after) the event requesting confirmation (where the above information could be recorded). “Express” consent could be proven if you had the recipient provide his consent to be placed on your list on the back of the card. It would then be necessary for you to keep the card as proof.
Example 3 – Express consent
A person gives you their email address over the phone with the intent of being placed on your list. The same process of sending a confirmation email applies, but “Express” consent could be proven IF you recorded the conversation for each recipient.
Example 4 – Express/Implied
The recipient provides their email address to the sender at checkout after making an online purchase. IF this is accompanied by a clear statement that requires affirmative action (such as by having the recipient check an empty box that states “Yes, please sign me up to receive your newsletter”) it would be deemed “Express” consent under CASL. IF NOT, it would fall under the category of “Implied” consent and would give the sender a period of 24 months to send CEMs and/or acquire “Express” consent so long as they keep the record of purchase and can prove a business relationship exists.
Note : “Express” consent never expires, unless the recipient requests to be removed.
Example 5 – Implied consent
If someone expresses interest in your business as part of the sales process or enters their email address on your website to download educational material (like this whitepaper), they are to be considered “prospects” and “Implied” consent is given to send CEMs for a period of 6 months only.
Example 6 – Implied consent
The recipient is added automatically or is required to uncheck a box to opt-out during the checkout process. This method is not considered “Express” consent under CASL and will typically generate a large volume of emails flagged as spam which negatively affects your reputation as a sender and, in turn, your delivery.
Example 7 – Unknown 3rd party affiliate
Affiliate lists are the result of one company sharing an email address (or a list of addresses) with another. If a person signs up to receive emails from Company A, they should receive emails from Company A only (unless stipulated separately during the opt-in process). If they also receive email from Company B, C, and D, they will be more likely to complain.
Under CASL, Company A must clearly show the recipient that they are signing up to these “unknown 3rd party list(s)”, and all parties are accountable for managing that consent. If a recipient no longer wishes to receive emails from Company B, it is Company A’s responsibility to inform Companies C and D and withdraw consent from them within 10 business days.
What Should I do to Conform to CASL?
DOES CASL APPLY TO YOU
- Audit of all online communications (Newsletters, Transactional, SMS/MMS, Social Media): are they covered by CASL?
- Are the emails you send accessed in Canada?
CREATE COMPLIANCE & READINESS TEAM(S)
- Learn everything you need to know about CASL
- Build education and awareness internally (from intern to CEO)
- Ensure current/future contracts, processes are compliant
- Create roadmap and start update process
EXAMINE CURRENT LEVELS OF CONSENT
- Do you have “Express” or “Implied” consent for each contact?
- Burden of proof: make sure you can prove consent
- Identify input sources (Points of Sale, Call Center, Web social, Events, 3rd Party signups…)
- Use the 3 year transition period to obtain “Express” consent from all contacts
- Clearly identify yourself with a Valid Postal address
- Provide an unsubscribe mechanism in every CEM
MANAGE YOUR CONTACT LIST
- Identify gaps in list data: Consent date, consent level, source IP/host, current status
- Create a centralized database and keep things clean
- Be able to process and act on all unsubscribe requests
- Review 3rd party contracts
- Work vicarious liability into all employee contracts, adopt compliance policies and sanctions for employees who do not comply
- Should you get insurance?
- Obtain legal advice – Choose a lawyer who respects and understands CASL
Penalties and Enforcement
The enforcement of CASL is done primarily by the Canadian Radio-Television and Telecommunications Commission (CRTC) and the penalties involved are as follows :
| VIOLATION | PENALTY | PRIVATE RIGHT OF ACTION |
|---|---|---|
| Sending unsolicited commercial e-messages | Maximum per breach: $1,000,000 for individuals; $10,000,000 for corporations | $200 / day per breach not to exceed $1,000,000 per day |
| Altering transmission data | Maximum per breach: $1,000,000 for individuals; $10,000,000 for corporations | Up to $1,000,000 / day |
| Unsolicited installation of computer programs | Maximum per breach: $1,000,000 for individuals; $10,000,000 for corporations | Up to $1,000,000 / day |
| Making false and misleading representations in e-messages | Up to 1 year imprisonment and up to $200,000 in fines (on summary conviction); up to 14 years imprisonment and a fine at the Court’s discretion (on indictment) | $200 / day per breach not to exceed $1,000,000 per day |
| Collecting e-addresses using computer programming | Maximum per breach: $1,000,000 for individuals; $10,000,000 for corporations | Up to $1,000,000 / day |
| Collecting personal information through unauthorized access to a computer program | Maximum per breach: $1,000,000 for individuals; $10,000,000 for corporations | Up to $1,000,000 / day |
Note : A Private Right of Action came into effect July 1st, 2017 allowing class action lawsuits to be filed by anyone against senders that do not comply with CASL.