A Digital Marketer’s Guide to Canada’s Anti-Spam Law “CASL”
On July 1, 2014, Canada enacted legislation called “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, makes the annexed Electronic Commerce Protection Regulations,” or as most people refer to it - Canada’s Anti-Spam Legislation (CASL).
This law applies to Canadian commercial email marketers, as well as commercial email marketers globally sending messages to Canadian subscribers. There are limited exceptions for political parties and charities sending communications that focus solely on fundraising activities. The following is a high level overview of the requirements of the new law; steps to take to prepare for compliance; and important dates to keep in mind for various requirements. We have also provided a number of online resources that should assist you in your compliance efforts.
Please review your email program with your legal counsel to ensure that your program is meeting CASL’s requirements. The information provided is for your background and overall guidance and should not be considered as legal advice for your specific needs.
Step One: Take a look at your data
- Where do your email addresses come from?
- What type of consent did you receive (express or implied) to send commercial messages? See page 3 for the definitions of the types of consent.
- Create a process for identifying which type of consent you have received, how and when.
- Develop a process moving forward.
- Be sure to keep records:
- Initial consent date
- Upgraded consent date
- Consent level
- Consent source
- IP address, recommended but not required
Note: Asking for consent via email is considered a “commercial” email message that is covered under the law. If you received express consent prior to July 1, 2014 then the express consent carries forward. If you received implied consent prior to July 1 2014, then the implied consent carries forward for the full 3 year transition period - until July 1, 2017 - as long as they were being sent CEMs prior to July 1, 2014. As of June 7th, 2017 the Government of Canada has suspended the scheduled start date of Private Right of Action (PRA) – the provision that would have allowed individuals to sue – under CASL. The end of the transition period (Section 66), and regular enforcement of CASL's other provisions will still continue as scheduled on July 1st, 2017.
Step Two: Understand What Constitutes a “Commercial” Message, or “CEM”
CASL covers any commercial electronic message or “CEMs” (email, SMS, etc…) that encourages participation in a commercial activity. While transactional messages are also covered by the legislation, there are exclusions around the consent requirements when sending them. However, CASL does not allow any commercial content in transactional messages; this differs from CAN-SPAM where you can have a small portion of the secondary content in a transactional message devoted to a commercial promotion. Under CASL, only those who have provided consent should see a commercial message, even if it is in a transactional communication. CEMs do NOT include: robocalls, faxes, postings to blogs, Facebook, or tweets where you are posting to your own social media accounts. CEMs must be a commercial message sent to an electronic address – email account, telephone account, instant messaging, social media account, etc.
- Refer-a-friend: You may send one CEM to a referred client, without first obtaining consent, but you must include the first and last name of the person who made the referral. Also, proper contact information and unsubscribe requirements apply. This category also includes family and personal relationships as defined by the law.
- Partners: If a consumer provides express consent to Company “A” to share his or her email address with its partners, the consumer may withdraw consent at any time to any one of the companies and they need to share consumer’s changed preferences with others as appropriate, and proper contact information and unsubscribe requirements apply. Company A also needs to be identified in any email sent where they collected permission and may not be the sender.
- B2B:Emails are exempt from CASL if it is sent within the organization and relates to the organization – as a result of an ongoing business relationship. Also, it is exempt if it is sent from one organization to an outside organization in response to an inquiry, or if the communication relates to the ongoing business relationship.
- Promotional emails, e-newsletters and communication outside the scope of the ongoing business relationship would NOT be exempt if they are encouraging the recipient to purchase a product or service.
- Simply providing a hyperlink or logo in the e-signature would not constitute a CEM; however a tagline that encourages the recipient to purchase a product or service would constitute a CEM.
- Nonprofits/charities: If you are sending CEMs, with the primary purpose to raise funds for a registered charity, as defined under the Income Tax Act, then this communication would be exempt from some of CASL’s permission requirements but not the identification and unsubscribe requirements. This message can be coming directly from, or sent on behalf of, the registered charity.
Additional Scenarios Where Consent Is NOT Required:
- Quotes or estimates, you do not need consent but you do need to provide disclosure and unsubscribe requirements.
- Messages that facilitate or confirm transactions.
- Provides warranty, recall, safety or security information.
- Provides information about:
- ongoing use or ongoing purchases
- ongoing subscription, membership, accounts, loans or similar
- employment relationships or benefit plans
- Delivers a product good or service, including updates and upgrades.
Personal and Family Relationships are Exempt:
- What Qualifies as a Personal Relationship?
- The individuals involved know the real identity of each other. (It is not sufficient to know just the virtual identity or alias of the individual via social media.) AND
- You’ve had a direct, voluntary, two-way communication.
- What Qualifies as a Family Relationship?
- The individuals involved are descended from the same grandparents, are married, have a common-law partnership or any legal parent-child relationship; AND
- You’ve had a direct, voluntary, two-way communication.
Step Three: ALWAYS GET THE CONSENT OF YOUR SUBSCRIBERS
You can obtain consent in two ways, either express or implied consent. If you received express consent before July 1, 2014 then just make sure you have records to support that. You do not need to re-confirm consent prior to CASL.
- Express consent requires the email recipient to have taken some action to give you permission to send emails.
- You should provide simple, consumer-friendly, clear and easy ways to describe purpose for obtaining consent and to opt-out.
- Email recipients must sign a document, proactively check a box on a form, input their email address, or obtain verbal consent followed with a written record of the consent (this should be available to a consumer on a mobile device as well).
- Separate out terms & conditions from promotional consent: If you currently bundle consent for terms & conditions, with consent for promotional emails then you must unbundle each item. Consent cannot be obtained via a pre-checked box either. You may bundle consent for in-house and third-party partner promotions together, but you should unbundle these types of promotional offers as a best practice.
- It must be clear who is asking for consent, and if consent is being sought for another person then you should provide the name of that person.
- Your physical mailing address should be provided as well as another method for a consumer to contact you to opt-out (i.e., provide a telephone number, an email address, a tiny url or a link to website.)
- Provide notice that the consumer can unsubscribe at any time by using the unsubscribe found in each email.
- It is a recommended practice to send a confirmation or welcome email to the subscriber.
- Implied consent occurs when you have an existing business or non-business relationship with the email recipient within the last two years; or an email address has been conspicuously published or disclosed to sender such as on a business card or has been posted online. Additionally, the recipient has not indicated a desire to be removed from email communications from you or provided a statement with the published or disclosed email to that effect. An existing business relationship occurs when you and the recipient have engaged in a transaction, barter or contract.
A non-business relationship includes an organizational membership, volunteer efforts, or donations to a charitable organization or political candidate/party. Political organizations/candidates and registered charities raising funds are exempt from CASL. Please consult with legal counsel to ensure compliance- If you received implied consent prior to July 1, 2014, then in most cases, you have until July 1, 2017 to reconfirm permission for sending CEMs to the consumer. [Please note the ability to file a Private Right of Action under CASL has been suspended by the Government of Canada.]
- Some companies are trying to convert implied to express consent within 24 months to ensure compliance with CASL and to have a streamlined drip campaign.
- Please note that if you received an email address but have no date stamp or record of when you received the email then there is no evidence that implied consent was given – such as providing an email address at the cash register and the program did not provide a date stamp. These types of emails would not qualify for implied consent.
- If you receive implied consent after July 1, 2014 then you must meet the following deadlines to reconfirm sending CEMs:
- At the end of a subscription, contract, barter or other transaction then you have 24 months to continue to send commercial emails, unless the consumer opts-out prior to that time.
- If the consumer has bought in the past from the marketer, or third party who sends emails on behalf of the marketer, and didn't sign up to receive promotional emails then you have two years from the date of purchase to get explicit consent. You should clearly identify the person who sent the email message and the person -- if different – on whose behalf it is sent. Additionally, the contact information provided in the email needs to be valid for a minimum of 60 days after the message has been sent. Every time the consumer purchases again from the same company or renews a subscription – the clock restarts with the newest purchase date or end date of new subscription. Implementing double opt-in will also provide the proper consent needed for your email program.
- If a consumer contacts you with an inquiry, then you have 6 months after the response to the inquiry to send CEMs.
- Please note that some companies are only employing express consent after July 1, 2014 because of concerns about:
- enforcement of CASL and/or
- costs, time and resources to track requirements of both implied and express consent for new clients; otherwise might need to employ complex tracking measures and protocols for different groups/categories.
- If you received implied consent prior to July 1, 2014, then in most cases, you have until July 1, 2017 to reconfirm permission for sending CEMs to the consumer. [Please note the ability to file a Private Right of Action under CASL has been suspended by the Government of Canada.]
Compliance Tips – Review your consents against this criteria:
- Have you had a Business Relationship/Non-Business Relationship with the individual you are emailing in the last 2 years that meets the 2 years implied consent requirements?
- Do you collect Express consents? Do they meet the requirements under the legislation?
- Are you tracking consent properly to prove consent should you be challenged by a regulator?
- Are you able to identify the subscribers on your lists that will have their consents expire, or maybe have already expired?
Step FOUR: INCLUDE DISCLOSURES WHEN ASKING FOR CONSENT
You must let the recipients know clearly:
- The type of messages you'll be sending;
- Whether the messages are: marketing, promotional, product updates or releases, newsletters, etc.; and
- The opt-in needs to be an action that the consumer must take, i.e., provide a separate checkbox or have them type in email address. This cannot be bundled in with consent for terms and conditions. You need separate links to your privacy policy and marketing preferences.
- Provide notice about unsubscribe being available in all future email communications
- Provide contact information, one of email, web or phone.
Step FIVE: CREATE A COMPLIANT UNSUBSCRIBE PROCESS
- Clearly identify yourself in the CEM.
- Provide a method for a recipient to readily contact you.
- Email Address, Web form or phone number
- The unsubscribe method must be live for 60 days after an email send. You can't confirm unsubscribes by asking "are you sure?"
- Unsubscribes need to be processed without delay—and certainly within 10 business days.
- Unsubscribe process should be by the same means sent unless impracticable.
- Companies cannot charge consumers to opt-out. However, a company is not held responsible if consumers have plans that charge for text messages/emails.
- Provide links in footer of emails:
- Link to privacy policy statement.
- Link to unsubscribe process indicating that recipient can unsubscribe at any time.
- Both transactional and marketing emails must have these links.
- You can still provide subscribers a link to a preference center but they must not be required to “login” to change their preferences.
Step SIX: CONTINUE TO FOLLOW SOME BASIC RULES OF CAN-SPAM
Just as you’ve been doing under CAN-SPAM, you should never send deceptive or misleading subject lines or “from” email addresses and names. Additionally, in email communications you must maintain a valid postal address in the email and one other method to communicate with the sender: a web address, email address or phone number. It is important to note that you should never harvest email addresses via dictionary or harvesting attacks.
- For U.S. companies sending CEMs to Canada, you must follow CASL.
- For Canadian companies sending CEMs to the United States, then you may follow CAN-SPAM.
Step SEVEN: SPECIAL NOTE – INSTALLING SOFTWARE
You need to have express consent when installing a computer program/software on someone else’s device. The CASL enforcement date began January 15, 2015. For any software installed prior to January 15, 2015, there will be a three year transitional period. The only exceptions to obtaining express consent is if you have a court order and for certain security purposes.
Step EIGHT: UNDERSTAND THE PENALTIES – ENFORCEMENT
Three Canadian Enforcement Agencies are working together to promote, investigate and enforce CASL: The Canadian Radio-television and Telecommunications Commission (CRTC); Competition Bureau; and Office of Privacy Commission. Additionally, these Agencies will be working with the Federal Trade Commission and the Federal Communications Commission.
The Agencies will not be employing a step-by-step process whereby there’s a progression in the complaint handling process. The enforcement bodies will be looking at each case and determining the next steps in its compliance. For instance, if there is a blatant disregard of the law then the company can be fined immediately – there would be no intermediate steps. Please be sure to educate yourself and your company on the new requirements and bring your company into compliance.
The penalties of violating CASL can be up to $1 million for individuals in violation and $10 million for companies in violation. Each “send instance” can be considered a violation, so the penalties can add up quickly.
As of June 7th, 2017 the Government of Canada has suspended the scheduled start date of the Private Right of Action for CASL. The end of the transition period (Section 66), and regular enforcement of CASL's other provisions will still continue as scheduled on July 1st, 2017.
RECENT VIOLATIONS
Fines for violations of CASL have been issued. For instance, on March 5, 2015 The Canadian Radio-television and Telecommunications Commission issued a $1.1 million fine to Compu-Finder for allegedly not using the proper unsubscribe mechanism when sending email without recipient consent.
Stay up to date on enforcement action and casework by visiting: http://www.crtc.gc.ca/eng/internet/anti.htm or http://fightspam.gc.ca/eic/site/030.nsf/eng/home
CASL and Strategies to Employ
CASL has undoubtedly affected the manner in which many companies have used email as a marketing strategy in the past. Email list growth posed a major concern with CASL taking effect but according to industry studies and reports in this area – email volume continues to rise.
Recipients of emails need to have consented to receiving the emails. The manner in which marketers think about welcome email programs and preference centers can help deal with issues around consent. Changing the way marketers think about preference centers and welcome email programs will allow for up front clarity on what consumers can expect from the email program and elect to receive emails in the manner most appealing to them.
CASL pushes marketers to be smarter about marketing. Making sure subscribers actually want the email they receive will allow for more effective emails. Marketers can focus more on tailoring emails to subscribers to make sure the email lists they utilize achieve the best results. For example, triggered email messages elicit higher open and click rates, yet a very small percent of email is triggered. Focusing on mobile email will also provide an opportunity to achieve better results as those on mobile email are often times more engaged and loyal customers. When marketers focus on what is working among consumers and pay attention to those who want to receive emails, email marketing can be that much more successful.
RESOURCES
Please review your email program with legal counsel to ensure that your program is meeting CASL’s requirements, as the information contained here should not be considered as legal advice.
You can also learn more from the following online resources:
- Canada’s Anti-Spam Law
- Government of Canada Anti-Spam site
- Government of Canada’s Regulatory Impact Analysis Statement
- Government Regulations pursuant to CASL
- CRTC Regulations for CASL
- CRTC Main site
- Government of Canada suspends lawsuit provision in anti-spam legislation
Member Questions?
Members may email ANA at ethics@ana.net or eec@ana.net
THANK YOU
A special thanks to the ANA Email Experience Council (EEC) for contributing to this Guide. We appreciate the leadership of Matthew Vernhout and Dennis Dayman for making possible this valuable resource.