If you’re an email marketer you have undoubtedly heard of CASL, which is the acronym for “Canada’s Anti-Spam Legislation”.
Does this new set of rules apply to you? YES!
Do you need to care about it? YES
Do you understand it? Well, uhh, hmm, kind of, maybe….
There’s lots of information about CASL already available online, but a lot of it is complicated, often riddled with legal jargon, and frankly just not written in plain English so you can gain some sort of handle on what this is all about. That is why we have customers calling us and saying they’ve read all about the new laws, but don’t understand it and are more confused when they started.
Let’s fix that and get you up to speed on the who, what, where, when and why of Canada’s Anti-Spam Legislation!
What is CASL (Canada’s Anti-Spam Legislation)?
CASL is the Canadian Government’s new weapon (or so they hope) in the fight against spam. It outlines new requirements and rules for how commercial electronic messages (CEM) are sent. The highlight reel for the goals of CASL are to prohibit:
- Spamming (…I’m a prince from a far off land, can I borrow your bank account to park my billions of dollars…) [section 6]
- Hacking (… imagine what I could do if I controlled your computer…) [section 7]
- Malware / Spyware (…you didn’t know it, but you just installed a program on your computer so prepare for nonstop pop-up banner ads…) [section 8]
- Fraud (… this week we’re having a 75% off sale… but surprise, it’s really only 15%….) [section 75]
- Harvesting (… I’ll build a big email database by grabbing every email address ever published on the web…) [section 82 (2)]
- Privacy Invasions (… I’ll just help myself to all of your personal information even without your permission…) [section 82 (3)]
The stated purpose of the law is: “An Act to promote the efficiency and adaptability of the Canadian economy.”
Does This Law Affect Me?
Are you sending email from Canada? If so, the answer is yes.
Are you sending email to anyone in Canada even if you are located somewhere else? If so, the answer is yes.
The reason CASL could have a huge impact is because of this second question. The law is not just limited to Canadians, it takes effect any time a Canadian computer is used to access the email (or any commercial electronic message). So, if you’re in the USA, but your email newsletter also goes to those north of the border, then all these rules apply. Even if you’re somewhere overseas, the claim is that CASL is still in force.
This is what Andrea Rosen, the CRTC’s chief compliance and enforcement officer said:
If the spammer is offshore, we have the ability under the law to co-operate with foreign governments, to share information and to bring proceedings together against individuals that are offshore.
I don’t want to go into this quote too much…. but…. (please read this with the highest degree of saracasm)… good luck Canada!
I look forward to hearing about the case: CRTC vs. Random Spammer X located in a cave in a far off land sending emails about the best ways to enlarge your (use your imagination)
The funny thing is that all those “buy drugs from Canada” spam messages we receive usually aren’t sent from within Canada, so the enforcement is going to require this offshore cooperation. Again, good luck Canada!
It should be noted that there is a special exemption in CASL if the sender does not know or could not expect to know that the receiver was in Canada.
What are the main requirements of CASL?
The entire law is long (really long), but in a nut shell, these are the key requirements:
- Permission must be obtained before sending email.
- The permission must be able to be proved with clear consent.
- No pre-checked boxes on forms. The consent must be an affirmative action. [<< Make sure you take note of this for any forms you use!]
- No false or misleading subject lines or from names. The sender must be clearly defined.
- Working unsubscribe mechanism. Any unsubscribe requests must be processed within 10 days and the unsubscribe link must be valid for 60 days after the send date.
- You are not allowed to confirm unsubscribes by sending an “Are you sure you want to unsubscribe?” email.
- Must include a valid postal mailing address (P.O boxes are fine) and one of the following: web address with contact form, email address or phone number.
- If you are sending “on behalf of” another organization, both organizations must be identified.
It should also be noted that charity organizations are included in CASL if they are selling or soliciting anything.
If you’re an existing customer of Elite Email, then your email marketing activities are already abiding by a lot of these requirements.
What is Exempt from CASL?
There are a variety of things that are specifically excluded from the rules outlined in CASL. My theory is that this list will be expanded before things are finalized, but here are the main exemptions right now:
- Email between family or people you have a personal relationship with (… phew, you won’t go to prison for emailing your aunt!)
- Employees at one company emailing employees of another company, if the companies have a business relationship.
- Responding to an inquiry that could be in the form of a question, complaint or solicitation.
- Work-related emails sent between employees at the same company.
- If someone requests more information from your company (could be for a quote, estimate, general information, membership inquiry, etc) then you can reply to them.
- A charity can contact someone if they made a donation in the past 18 months.
- Any legal message relating to a recall, copyright notice, or debt collection request.
- One non-consent email can be sent for third party referrals provided that the person/organization making the referral has either a non-business or personal relationship with the recipient and sender. On top of that, the sender must clearly state who made the referral.
- Transactional emails that do not contain any marketing language (<– We’re for sure going to see this further clarified.)
How Does CASL Define Consent?
The underlying key to CASL is consent, consent, consent. You just cannot do anything without consent.
CASL has mapped out four different circumstances that would qualify as consent.
- Explicit Consent
This is when the recipient gives you direct permission to email them. For example, if someone signs up for your mailing list using an online signup form that would qualify as explicit consent. But, remember, this type of consent cannot be obtained through opt-out, so make sure you don’t pre-check the “Yes, I want your mailings” box because that voids everything (… and then you do not pass go, do not collect $200, and you go straight to jail).
You can also get oral or written consent, but this starts to get tricky because you have to be able to prove that consent was obtained. If you’re planning on getting consent using these methods, make sure you document everything very carefully so you can provide your case if it comes to that.
- Implied Consent
This type of consent takes the form of an existing business or non-business relationship between the sender and recipient. In the eyes of CASL, a “business relationship” is one where a customer has made a purchase from you or entered into a contract. A “non-business relationship” would be if someone does volunteer work for you or actually becomes part of your organization.
One really important thing to note is the “2 Year Rule”. If someone purchased something from you in the past 2 years, then you can send them emails for 2 years from their purchase date under the implied consent criteria. However, during that time you must obtain explicit consent if you want to email them after the two years. Keep in mind that if this same person buys from you again during the two year period, the clock resets and you’ve got two more years before you need explicit consent.
- Conspicuous Publication
This is definitely an interesting part of the current draft of CASL. If you obtain someone’s email address and it meets these criteria, then you have qualified as having enough consent to email them. (1) Their email address is clearly published for viewing; (2) The address is not accompanied by a statement saying that they do not want to receive unsolicited messages; (3) the message is directly related to the person’s business or official role.
Two important things to be aware of is that the clear publishing of the person’s email address must be done by the person directly or with the authorization of the person. So, a company website that lists an employee roster is legit, but some random website that posts a bunch of contact info is not OK. Also, the email you send must be highly related to the person’s job/role , which is very vague in the current draft. But, as an example, you can email a lawyer about a new law book, but you cannot email them about the cool new t-shirts you’re selling.
The last thing on this topic is to keep in mind that PIPEDA prohibits the harvesting of addresses, so you cannot use a program to automatically capture this information from the web.
- Shared Email Address with the Sender
I call this the “business card” rule. If someone gives you their business card then you can email them stuff that is related to their job/role. Of course, they can also give you their email address in other ways, but the main thing is that they are willingly supplying you with their email address and not saying that they do not want to receive emails from you. Although, I can tell you that if someone hands you their business card and says “don’t email me” that probably isn’t a really good sales lead.
When Does It Take Effect?
Before we look at where we’re going, lets take a look back at where CASL has been:
- May 25, 2010 :: Bill C-28 First Reading
- Dec. 15, 2010 :: Royal Assent (Passed)
- July 2011 :: Regulations Drafted
- July 2011 :: Regulations “gazetted” for Review
- Sept. 7, 2011 :: Draft Regulations Comment Deadline
- Mar. 2012 :: CRTC Regulations Gazetted
- Jan. 5, 2013 :: Industry Canada Draft Regulations Published for Comment
- Mid 2013 :: Industry Canada Final Regulations
- Mid 2014 (maybe?) :: CASL Takes Effect
So, the answer to when CASL will go live is still a topic of much debate. (Insert gasp here that the Canadian government moves slowly!)
CASL was recently delayed for a few reasons:
- Still ironing out details as there are many unhappy parties (more on this later)
- There is disagreement between Industry Canada and the CRTC about how the law should be regulated
- There are expected mid-term cabinet changes and these shifts could skew priorities.
If you really want to make a note in your calendar, then current speculation is that the law will not be enforced until the Fall of 2014. This follows a one year grace period after everything is published this year. However, don’t be surprised if this gets delayed yet again.
On top of that, CASL will have a transition period once it comes into effect so that organizations have ample time to obtain the neccessary consent to ensure they are playing by these new rules.
What is the Penalty for Violating CASL?
Canada’s anti-spam law is not fooling around when it comes to the punishment for breaking the rules.
Penalties for violations can range from up to $1 million for individuals and $10 million for companies.
Three interesting things to note about the enforcement of this are:
- Any person can bring this law against a sender up to $1 million. But, if they are found to be incorrect, they will be required to pay court/legal fees. So, it’s not like if you avoid sending emails to the RCMP you can avoid getting in trouble because anyone can make a claim under this new legislation.
- If you can demonstrate that you made very strong efforts (due diligence) to comply with all the rules and done everything to obtain proper consent, then that will play a factor in the event a lawsuit comes up. It is for this reason that it’s super important you keep track of everything so you can cover yourself later with a stronger case if things get messy.
- Officers of an organization can also be held accountable for the messages sent out by their organization. Bottom line, YOU are responsible if you do bad things.
What is the Difference Between CASL and the U.S. CAN-SPAM Act?
There’s a long list of differences between these two sets of regulations, but the major differences are:
- CASL requires express consent to send commercial messages. Basically, the recipient must “opt in” as opposed to the CAN-SPAM Act that mandates “opt out”. So, under the US law, you can send someone a first email as long as they can request no further messages, whereas under the Canadian law even that first email has you breaking the rules.
Note: Email marketing best practices already encourages the opt in procedure as opposed to opt out.
- CASL requires specific disclosure when an organization requests consent. Senders must clearly state the reason they are requesting consent, clearly identify themselves, provide contact information, and explain that consent can be withdrawn later. None of this appears in the CAN-SPAM Act.
- The coverage for CASL covers email, text messages, instant messages, directly pushed social media messages, and installation of computer programs. The CAN-SPAM Act covers email.
What Should You Be Doing to Prepare for CASL?
The good news is that if you are a customer of Elite Email, then you are already doing most things to comply with CASL. Built right into our online email marketing software is a process that makes sure you’re covered on a lot of these items. But, there are still some things I want to highlight so you’ve got a good checklist of items on your radar that you can be aware of.
- Consent, consent, consent… it’s all about consent! We want to have bulletproof iron-clad proof that we’ve obtained consent properly and legitimately.
- Record all sign-ups from your website.
- Capture and record the IP address when the signup is first initiated and later confirmed.
- Document how your relationship with someone began. Did they purchase from you? Did they signup online for your newsletter?
- If you’re getting oral or written consent, make sure it’s something you can later prove. (This could be a challenge, so online signups or something with a digital papertrail is better.)
- Take a detailed look at your database and try to figure out who you need to re-confirm with proper provable consent.
- Are there customers who purchased from you 2 years ago that you won’t be able to email if they don’t re-confirm?
- Are there contacts where you’d have a hard time proving their consent?
- Are there contacts who haven’t engaged with your emails (opened or clicked) in a long time? If so, try to re-engage them or take them off your list.
- When someone signs up for your mailing list, send them a welcome email to verify their subscription.
- This double opt-in or closed-loop subscription process is important not only to comply with CASL, but also to make sure that a sneaky individual didn’t come to your website and signup using their arch enemies email address…. because then you might get spam complaints as well.
- Make sure your subject lines and sender names are correct, clear and consistent. (The three “C’s” if you will.)
- Have a working unsubscribe link and valid contact details so someone can reach you if they want to.
- This includes monitoring replies you receive from your email so if someone says “remove me”, then you can do it right away.
- Sending your emails from a no-reply address is a BAD thing.
- Make sure your postal address is in your emails.
Remember that CASL is still evolving and being refined. No one knows yet exactly what the final set of rules will look like. So, while the above steps will keep your best foot forward, make sure you keep an ear to the ground so that if something does change you are not caught off-guard. Rest assured, the compliance team at Elite Email is also all over this!
What Are Some of The Criticisms of CASL?
There’s been a lot of backlash since CASL was originally proposed. For instance, there was a two month consultation period (ending on Sept. 7, 2011) where 55 different organizations raised their concerns to Industry Canada. As a result of that, a revised regulation was published on Jan. 5, 2013, but the criticisms certainly have not stopped.
I don’t want to go too much into this, however if you want to read more, Marketing Magazine has a good article titled “The Hidden Costs of Canada’s Anti-Spam Law“.
The one over arching theme from everyone who is complaining about this is not that they are against stopping spam. Everyone is on-board with stopping spam as no one needs more junk mail. The criticism is that this new law will do nothing to actually stop spam. It enforces a new, broad and strict set of rules on organizations that are already trying to do things properly, while really doing nothing to stop the worst offenders who are sending spam from a far off land. So, CASL is giving us more red tape and hoops to jump through, but what is it actually doing to benefit Canadian citizens?
On top of that, many in the small business community are outraged because to some it feels like these new laws put up serious barriers to using email effectively because they cannot afford to invest resources to wade through all the red tape. There has been a shift from sending paper flyers through Canada Post to email because it’s more effective, more measurable, more affordable, and definitely more environmentally conscious (to the joy of trees everywhere!). But, if the Canadian Government wants to clamp down on what can be sent through email, will it result in more junk filling up your physical mailbox?
Personally I think there are some good parts of CASL. In certain spots of the legislation you can really see the positive intent of what they are trying to accomplish. But, it’s gotten so bloated with this scenario and that scenario, that I fear the true intent is getting lost and in realty it may only result in punishing the people who were doing everything 99% correctly anyway.
You can get more information direct from the Canadian government at http://fightspam.gc.ca.
This blog post is intended to provide our general comments on the new law. It is not intended to be a comprehensive review nor is it intended to provide legal advice. Readers should not act on information in the publication without first seeking specific advice from their lawyer. In short, I am not a lawyer, nor do I pretend to be a lawyer.