4 Vital Steps to Take to Prepare for CASL
The Shift from the Can-Spam Act to CASL
CAN-SPAM is the current spam regulations that businesses are following when it comes to email communication. CAN-SPAM basically follows the opt-out model, which means that businesses can email an individual until they ask them to stop by unsubscribing. CASL works on the opt-in model, which means that people have to give either implied or express consent.
The second key difference between CAN-SPAM and CASL is that CASL does not only apply to email. It applies to multiple digital channels, including text messages (SMS) and installed computer programs.
The third key difference is that CAN-SPAM only applies if the email has a primary intent that is commercial. CASL applies if there is any commercial activity encouraged. For example, if an individual makes a purchase, a business may send them an email that summarized their recent transaction, but can’t send a secondary marketing message, such as other products they may be interested in, because it encourages additional commercial activity.
What You Need to Know About CASL Consent
As a digital marketing agency, we have been informing clients that the foundation of CASL is consent, so let’s take a deeper look at the two types of consent: Express Consent and Implied Consent.
Express consent is when the recipient has given you direct permission to email them. To ensure that express consent is valid, you must do the following:
- Clearly describe the purposes for requesting consent.
- Provide the name of the organization/person seeking consent, and identify on whose behalf consent is sought, if different.
- Provide contact information such as a mailing address (PO boxes are valid), telephone number, email address or website address.
- Indicate that the recipient can unsubscribe or withdraw consent at any time.
One important thing to note is that express consent must be an affirmative action. This means you cannot have a pre-checked box on a registration form to secure consent.
The two most common ways that express consent is acquired are:
- A sign up form on your website.
- A confirmation link in an email.
Whenever you obtain express consent, it is important that you document everything. As the sender it is your responsibility to prove that you received proper express consent. This means tracking items like the date, time, IP address, form used, link clicked in email, etc.
It is also worth knowing that express consent does not expire until the recipient revokes it.
This type of consent is where you can email someone because you have an existing relationship with them, even though they never explicitly requested that you email them.
According to CASL, consent will be implied in the following scenarios:
- The recipient and sender have an “existing business relationship” or an “existing non-business relationship” which we discuss further below.
- If the recipient has “conspicuously published” their email address, the publication is not accompanied by a statement that the recipient does not wish to receive unsolicited messages, and the message is relevant to the person’s business, role, functions or duties.
- If the recipient has disclosed their email address to the sender without indicating that they do not want to receive unsolicited messages and the message is relevant to the person’s business, role, functions or duties. This can be thought of as the “business card” consent.
An “existing business relationship” exists where the sender and recipient have engaged in business together within the previous two years from the date the message is sent.
This could mean that the recipient purchased a product/service from you or entered into a written contract.
Another form of “existing business relationship” exists when the recipient has made an inquiry to the sender in the previous six months. This is the method of consent that lets you respond to new customer emails without having to worry about violating CASL.
An “existing non-business relationship” is defined as a relationship that exists from the recipient’s activities as a donor or volunteer for a registered charity, political party or political candidate, a member of a club, association or voluntary organization. It is important to note that this is very narrow in scope and not necessarily what you would assume.
If educational institutions, medical providers, hospitals, charities, clubs, and other non-business organizations provide services to the public they cannot automatically claim that an existing non-business relationship exists. There was thought that the final regulation would adjust this, but it did not happen. So, unless the non-business relationship fits into the really tightly defined definition (i.e. donor to a charity), then you would need a business relationship or express consent.
Transitional Period For Implied Consent
With CASL, as stated earlier, you have six months of implied consent to communicate with someone after they submit an inquiry or two years if they make a purchase. This date renews every time they submit a new inquiry or make a purchase. But, as you could imagine, this can be difficult to keep track of. It is for this reason that it is recommended to get express consent whenever possible.
Section 66 of CASL provides a special transitional period for scenarios where there is implied consent based on an existing business or non-business relationship for a period of 36 months (unless the recipient withdraws consent earlier) and the relationship includes the communication of CEMs.
During the transitional period, the definition of existing business or non-business relationship is not subject to the limitation periods (6 months and 2 years) that would otherwise be applicable under CASL, for implied consent to exist. What’s important to keep in mind is that the 36 months is based on the last time you communicated with them. It is for this reason that it is important to communicate with your list of prospects and clients prior to July 2014 to ensure that you can maximize the 36 month window.
Penalties For Violating CASL
Penalties for violations can range from up to $1 million for individuals and $10 million for companies.
The Reach of the Law
The law is not limited to Canadians. It impacts anyone that is sending communication to recipients in Canada. According to one CRTC official “If the spammer is offshore, we have the ability under the law to cooperate with foreign governments, to share information and to bring proceedings together against individuals that are offshore.”
Additional Highlights of CASL
Here are some of the additional things to consider when it comes to CASL:
- Requests for consent must also include a statement that the person can withdraw their consent at any time.
- When obtaining consent, it must be an affirmative action (you can’t pre-check form fields to obtain legitimate consent).
- Your message must have a working unsubscribe mechanism.
- If someone requests to be unsubscribed it must be processed within 10 days.
- Unsubscribes cannot be reconfirmed, so you can’t send them a message asking them if they are sure that they have unsubscribed.
- No misleading or false subject lines or sender names. You must make it very clear who you are when collecting data and when sending messages.
- Must include a physical postal mailing address and one additional way to contact the sender (e.g. web form, email address or phone number). PO boxes are accepted as a valid address.
- When sending on behalf of another organization, that organization must be identified.
- If you send an initial email to someone based on a referral, the person who made the referral must be stated in the message.
Implementation in Phases
Although the majority of the law comes into effect July 2014, some components will be phased in over time. For more information on CASL and upcoming legislation, visit the Government of Canada’s Website.
4 Steps to Take Right Away
The four primary steps to take right away to ensure that you comply with CASL are as follows:
- Email your database to ensure that you can maximize your 36 month window.
- Ask for Express consent on all of your marketing campaigns through either your existing Web forms or a response email.
- Ensure that your emails include all of the necessary requirements, such as a physical address.
- Ensure that your database captures all of the necessary information, such as the IP address.