What is CASL & Is Your Business At Risk?
Building CASLs in the Sky
Just in case you haven’t heard, the ‘Canadian Anti Spam Legislation’ (CASL) has been passed and will come into full force July 1st, 2014. This has SERIOUS implications for marketers and businesses alike and is being referred to as the “toughest anti-spam law in the world”. But do not fear. I will take you through the ins and outs of this act and teach you how to protect yourself from penalty. This post will be a bit longer than usual, but it just might save your business.
The irony of the CASL act is that it isn’t really about spam. Instead it’s about governing the sending of ‘commercial electronic messages’ (CEMs), software installation, and certain telecommunication practices. A CEM is defined as any electronic message “whose purpose is to encourage participation in a commercial activity”. CEMs include, but are not limited to:
- Instant messaging
- SMS promotions
- Any other offers to purchase, sell, barter, or lease a product, good, service, or land title
If you are sending any type of corporate electronic communication to an individual’s electronic account (be it email, social media profile, telephone account, etc.) with the intent to persuade them to enter into commercial activity with you, then you need to have their expressed or implied consent by July 1st. Section 6 of the act (which addresses CEMs) will come into play July 1, 2014, and section 8 (which requires consent to install programs on an individual’s computer—like cookies) will go live January 15, 2015.
Is Your Business At Risk?
It is now very important to ask yourself, “is the message I am sending a CEM?”
If your intent is to commercially engage the individual, to drive them to your website, or to get them to participate in any other commercial activity, then you need to make sure you comply with the legislation.
To comply with CASL, it is mandatory for all outbound CEMs to conform to three main elements:
Identity – Your CEM must clearly state who the message is from and (if different) on whose behalf the message was sent. Also, not every person who is involved in the sending must be identified, but rather, only the people who play a material role in the content and/or the choice of the recipients.
Respond-ability – Both the physical and the electronic address of the sender must be included in the CEM so that the recipient is able to respond if they so wish. Also, the contact information must be valid for a minimum of 60 days after the message has been sent so the recipient can contact you if needed.
Unsubscribe – There must be a clearly labelled and fully functional mechanism to opt-out (unsubscribe) from receiving CEM’s. Once a user unsubscribes, you have 10 days to remove them from your list(s).
As of July 1, these elements are mandatory and have legal ramifications if not adhered to. Further, you now must have clear consent to even send the message.
In the event of a dispute, the onus is on the sender to demonstrate that they obtained consent prior to sending a CEM. This means that you must have records of the consent that you have been granted, if under scrutiny. Also, when acquiring the consent, you must clearly outline the purpose(s) for which the consent is being sought. Furthermore, consent cannot be required for the supply of goods and services; meaning, mandatory consent cannot be worked into any contracts or service agreements.
Systems like Mailchimp have double opt-in consent built right in, but if you don’t use a system like this then you need to develop a way to both acquire consent and then archive that proof to protect yourself. The act segments consent into expressed and implied.
Expressed – The recipient must take a positive action to indicate their consent and to show that they understand (and want) what you’re offering. The implication here is a pre-checked consent box is no longer legal, as inaction is not considered to be intention. Also, expressed consent can only be opt-in, not opt-out. If you have a pre-existing list where consent was explicitly granted by the user themselves (through a sign up form or other similar means) then that consent is considered to be CASL compliant. Expressed consent can be still acquired by email before July 1st; but after that date, it will need to be obtained by more traditional means (snail mail, telephone, sign up forms, etc.).
Implied – Consent is implied for 36 months starting July 1, 2014 where there is an “existing business or non-business relationship” (within the last two years) that includes the communication of CEM. The government has strongly suggested using this “transitional period” to acquire expressed consent for the continued sending of CEMs. It’s just not worth the risk to carry on without expressed consent because implied consent is much harder to prove. However, If you intend to rely on implied consent, make sure you have records and documentation that prove the existence of the prescribed relationship(s).
It is also worth noting that if your request for expressed consent contains incorrect wording, and the recipient does not respond to that request, then you may put yourself at risk of undermining your (existing) implied consent and lose the ability to contact that person electronically in the future. For example, the request for consent MUST contain the clause “your consent can be withdrawn at any time” to be legally compliant.
More On Implied Consent
Business Cards – In the ‘business card example’ laid out in the legislation, if you receive a business card from an individual and that individual did not say, “I do not wish to receive promotional or marketing messages at this address” and no similar statements are made on the card itself,, then you technically have their implied consent. But do you really want to try and prove that conversation in court? It is extremely important to acquire expressed consent as soon as possible to ensure that you are protected.
Membership – The act also states that consent may be implied where CEMs are sent to members of an association, club or voluntary organization. When sending CEMs to your membership based on implied consent, you must ensure that you are only sending to members. This area of the law is fairly ambiguous, so it is still best to acquire expressed consent from these types of contacts as well.
Conspicuous Electronic Address – The law also states that if an individual has conspicuously published their electronic address—say on a website—that the individual has given implied consent to contact them. However, there is risk in relying on this clause too heavily as ‘conspicuously published’ has yet to be defined. If you do go this route, be sure to keep detailed records and documentation of how and when that contact address was obtained.
Just like every rule, there are a couple of exceptions for CASL:
Referrals – Electronic referrals will receive a “one time exemption” from the act so long as the person making the introduction has a pre-existing relationship with both parties. When responding to an electronic referral, you must be sure to state the name of the person that has given you the referral.
Registered Charities – CEMs sent by or on behalf of a registered charity, where the primary purpose is to raise funds for the charity, will be exempt.
Politics – Political figures and parties are exempt from CASL so long as they are not selling or promoting a product. They can use CEMs to solicit donations and support.
Family Relationship – If you have a family relationship with the recipient—defined as a husband/wife or parent/child relationship—then electronic communication between those parties is exempt. Hypothetically speaking, if you text your cousin to tell them to come to your store’s big sale, it is technically a violation; although, the cousin would have to complain to the CTRC.
Personal Relationship – A two way, meaningful relationship with physical ties between two individuals is also exempt under CASL. An isolated social media relationship does NOT constitute a personal relationship under the law.
Business Inquiry – You are allowed to contact a business to inquire about their services and the business can respond to this inquiry so long as the response is relevant to the inquiry itself. You have a 6 month window to respond.
Employee to Employee – Within a single organization, employees are permitted to send CEMs to one another so long as the communication is relevant to regular business operations.
B2B – Staff from one organization can send CEMs to staff at another organization so long as there is a pre-existing business relationship between the companies and the CEM concerns only relevant and regular business matters. This exemption will be difficult to rely on, so some organizations are exchanging letters of ‘organizational consent’ wherein expressed consent is granted at the organizational level.
Important Notices – Warranty information, recall information, safety/security notices, and factual information about an existing subscription are also exempt under the act.
There are fairly severe penalties that for non-compliance with CASL, referred to as ‘Administrative Monetary Penalties’. Individuals who violate this act can be fined up to $1,000,000. Businesses can be fined up to $10,000,000 and upper management (directors, officers, etc.) can be held liable for their business’ violation. The following will be considered by the courts when determining the penalty:
- the purpose of the penalty;
- the nature and scope of the violation;
- the person’s history with respect to any previous violation under this Act
- the person’s history with respect to any previous undertaking
- any financial benefit that the person obtained from the commission of the violation;
- the person’s ability to pay the penalty;
- whether the person has voluntarily paid compensation to a person affected by the violation;
- the factors established by the regulations; and
- any other relevant factor
Aiding and Abetting – You might be tempted to respond to any allegations with false information or other methods of questionable legality. However, further fines and penalties ($10,000-$25,000 for individuals and $100,000-$250,000) will result if untruthful or incomplete information is uncovered. It is best to be forthright with this law and to proactively take measures to protect your business. The best defence if under scrutiny is due diligence.
To ensure you are protected if questioned on CASL compliance, you should take measures to demonstrate your due diligence as this will be your primary defence against allegations. Some measures include:
- Internal Audit – Take a good hard look at ALL of your outbound communication. Categorize what is and isn’t a CEM and implement the prescribed message elements on those that fit the classification.
- Corporate Policy – Create and maintain documentation on how your organization handles consent acquisition and also how records of that consent are kept. This is especially critical for implied consent.
- Training – Provide and document the training of relevant staff to ensure they know how to comply with the law.
- Scrubbing – If you haven’t received consent by July 1st, you will need to clean your list and remove all instances.
What This Means to You
If you don’t have consent to send a message to someone, simply sending them an electronic message asking for consent is a violation after July 1st. After that point, you’ll need to get consent by other means (phone call, snail mail, etc.).
- Tweeting, blogging, and other non-directed messages do not apply to this law. Sending direct messages to individuals using these channels (or any electronic channel) DOES apply.
- Pre-selected consent check boxes are forms are no longer acceptable. The consumer MUST take an active step in providing their consent.
- The act of giving consent cannot be bundled in or subsumed with other requests or general terms and conditions. They must be clearly and separately identified.
- Aiding and Abetting Clause: It qualifies as an offence to aid, induce, procure or cause to be procured the doing of any act contrary to the CASL. As such, ‘Refer a friend’ style promotions must be very carefully structured.
What Should You Do?
Act Now! – Prior to July 1, 2014, request consent directly from any individuals you communicate with who you are not 100% certain have already provided their consent, and also those for which you cannot produce proof of consent. Any consent you receive prior to July 1, 2014 qualifies as compliant with CASL. Also, ensure that any vendors who send CEMs on your behalf are up to speed on the new rules, and are contractually obligated to comply with CASL. Be certain to keep detailed records and documentation of your consent.
Policy – Create and maintain corporate policy and documentation that outlines your business’ approach to consent acquisition and also what measures your company has taken to ensure compliance with the law.
The Big 3 – Ensure your CEMs clearly identify the sender and the purpose for which the message was sent. Make certain to include both the physical and the electronic address that the message is sent from in the CEM and that those addresses can be responded to (and will remain valid for 60 days). Assure a clear and fully operational unsubscribe mechanism is in place.
Clear Language – The language you use must be clear and you must ensure there are no false or misleading statements.
- Auditing your database and external communications.
- Creating and deploying your consent request.
- Strategic services to ensure your organization is CASL compliant for July 1st, onward.
***Please note the foregoing is provided to you as general information only, and is not intended as a substitute for specific legal advice or counsel. Please contact proper legal council to obtain specific legal advice before taking or refraining from taking any action.***