Canada’s Anti-Spam Legislation
How CASL affects businesses, organizations and individuals who are sending commercial electronic messages. This includes text messages, instant messaging, email and social media.
Canada's new Anti-Spam Law, or CASL (pronounced “castle”), comes into force on July 1, 2014. Are you ready? Under the new rules, practices that used to be OK no longer are.
Download a printable version of this post.
Source: JGS, http://www.ascii-art.com
1. What Is CASL?
The legislation aims to protect consumers while still allowing businesses and organizations to function and be competitive.
But CASL is broad-reaching and the penalties are shockingly stiff.
- The maximum penalty for a single contravention is $1 million for individuals in violation of the Act and $10 million for other legal entities.
- And, by July 1, 2017, anyone has the right to take private action against a person or legal entity contravening the Act.
CASL covers spamming, which is broadly defined as any unsolicited commercial electronic message (CEM) that encourages participation in a commercial activity, whether profit is involved or not. CEM includes email, but also text messages, instant messaging, and social media.
Your current activities might be considered spamming under the new rules. For example, CASL requires you to have express consent rather than implied consent, although implied consent is acceptable within certain timeframes.
Implied consent is where you have:
- Existing business relationships due to a purchase, acceptance, contract, or inquiry;
- Non-business relationships resulting from a donation/gift, volunteer work, or membership;
- Published addresses, i.e., email lists compiled of people whose email address is published online, maybe on a blog or membership list, and they accept unsolicited commercial messages, and your message is relevant to their business duties.
CASL also covers hacking, malware, fraud, harvesting (using computer systems to collect electronic addresses without consent), and privacy invasions.
2. How Are You Affected?
Employees and third-party agencies must understand and comply with CASL. In fact, organizations are liable for contraventions by employees. And, an employee, officer, director or agent of the corporation may be held personally liable if they directed, authorized, consented to, acquiesced or participated in the contravention.
The penalties are steep. Max $1 million for individuals in violation and $10 million for other legal entities. As mentioned above, by July 1, 2017, anyone has the right to take private action against a person or legal entity contravening the Act.
- So if you use an agency, what's their compliance policy? CASL takes effect next month, July 1.
- If your internal teams are sending out email newsletters, invitations, cold pitches or other forms of commercial messages, are you in compliance with the new laws?
I highly recommend consulting with your legal team to understand CASL and your own business activities.
I am not a lawyer, so having read the rules, here are some scenarios on my mind and the questions I would ask legal.
Example 1: Media Relations, including Blogger Outreach
Meet Roberta. She is a publicist for an author and regularly pitches bloggers for book reviews, sends out event invitations and maintains several contact lists.
- Under CASL, Roberta is violating the Act if she's cold pitching bloggers or sending event or other promotional notices (unless the recipients expressly publish their emails and accept unsolicited emails).
- If Roberta is using bots or other computer programs to scrape and collect contact info, then this is likely in violation too, so I'd review these practices and audit the mailing lists to determine who has given express consent vs. implied.
Example 2: Email Newsletter
Meet John. He runs a technology start-up that involves software downloads, and he has a regular email newsletter. He also manages a local meet-up group.
- Under CASL, John should review the process used to sign people up for the newsletter. For example, if the purchase confirmation page includes something like “you are about to download the software” and it has an auto-checkbox to sign up for the newsletter, then this is a violation. You need people to opt in vs. opt out. And separate mechanisms are required for gaining express consent. You can't bundle newsletter sign-up with the purchase download, agreement to Terms and Conditions, or other stipulations.
- John will also have to confirm that the recipients on his company email lists and his meet-up group lists have given express consent, i.e., they haven't been added to the list just because they made a purchase or just because they happen to be a member of an organization. That will be in violation of the Act.
Example 3: Social Media
Meet Sara. She's a communications manager for a trade association who organizes events and webinars and promotes member products and services through several communications channels, including Twitter, Facebook, LinkedIn and Instagram.
- The Unfollow and Unsubscribe mechanisms on these social media channels mean that commercial electronic messages sent through those channels should be fine since people have expressly consented in that they have chosen to follow the account.
- But it's unclear to me how the Act pertains to Facebook ads and even the News Feed algorithm. For example, if Sara clicks “boost post” and the post is promoted to friends of fans, then is that a violation? If Sara messages someone on one of these tools who isn't a follower, is that a violation?
3. What Do You Need to Do?
1. Take stock of all existing commercial electronic messages, recipients and recipient databases. What commercial messages do you currently send, in what form (or by what electronic means), who are they sent to, and why? Keep in mind that your marketing department might not be the only one that needs to comply. IT, Inventory, Sales and Legal may all be sending commercial electronic messages, in particular since CASL includes, but is not limited to, email, text, instant messaging, and social media.
2. Confirm consent type. Check all the existing mechanisms and wording to determine whether you have express consent or only implied consent. See above for examples of implied consent.
3. Identify exceptions
- Sender has a family or personal relationship with the recipient. For example, Christine, a friend of Allan, could suggest her Financial Planner contact Allan to offer financial services, as long as the Financial Planner sends only 1 unsolicited email and states in the email that Christine referred Allan.
- Recipient requested, made an inquiry or filed a complaint. Ok to respond.
- Sender is enforcing a legal right.
- Sender is communicating business-to-business information in the context of an ongoing business relationship. For example, a publisher sending existing bookseller-clients a notification of special promotions.
- Sender is a foreign business sending commercial electronic messages to a foreign recipient who accesses the message while roaming in Canada. This also applies to a commercial electronic message that is sent to a recipient in a foreign state and complies with the foreign state's anti-spam laws.
- Sender is a registered charity or political party/candidate and the primary purpose of the message is to raise funds for the charity or solicit a contribution. But you can't automatically add people to a newsletter or alert list.
- There are also timeframes to upgrade recipients from Implied to Express Consent.
4. Establish Robust Data Management Practices. If consent is only implied, you need a system for managing the upgrade of recipients to express consent.
5. Upgrade Implied Consent to Express Consent. Send out a CASL-compliant request for Opt-In. You may have received one of these already as many companies have started sending out opt-in confirmations. Look up the required wording for your opt-in messages.
6. Ensure CASL-compliant unsubscribe mechanisms are in place. Look up the required functionality for unsubscribing.
7. Audit Social Media, Text, Instant Messaging and other commercial electronic messages to ensure CASL compliance. Direct messaging should be examined, but simply posting is fine. Overall, this is the greyest of grey areas for me. As I understand it, you need to:
- Include a disclosure statement in your direct message allowing the recipient to decline further messages from you. Good luck with that on Twitter with 140 characters.
- Organizations should retain and archive their social media messages and posts so they can produce records if audited by regulators. Yippee skippy.
8. Ensure third-party contracts adhere to the new laws.
Sources & Resources
Canada's Anti-Spam Legislation (Government site) with sign-up for alerts.
http://fightspam.gc.ca/eic/site/030.nsf/eng/00258.html
Steve Szentesi Law Corporation provides details on CASL, in particular Consent and Form Requirements.
http://www.canadianadvertisinglaw.com/anti-spam-law/
Davis LLP has put together a series of documents to help people understand and prepare for CASL compliance. Best resource I've found.
http://www.davis.ca/en/publication/anti-spam/