March 19, 2013

Upcoming CASL (Canadian Anti-Spam Legislation) Details and What Marketers Need to Know

by Chris Kolbenschlag, Director of Deliverability at Bronto

Sometime in the next six months, we expect to hear from Industry Canada on their final regulations on the Canadian Anti-Spam Legislation (CASL). Once the final regulations are approved, marketers will have one year to ensure compliance and enforcement of the law. Since this date is quickly approaching, I wanted to review these regulations and definitions (subject to change) as well as cover the best practices to ensure you are in compliance. CASL covers all electronic messages, but in this post I will only be addressing how the law affects email messages sent from or received in Canada.

First, let's take a look at the proposed law's requirements for all messages sent from or to Canada (note: some of these definitions can change).

Proposed CASL law requirements:

  • Permission must be obtained before sending mail. You will need clear consent and proof of consent, such as a time stamp, etc.
  • Working unsubscribe mechanism (either a link within the email or a working reply-to address). Unsubscribe requests must be processed within 10 business days, and the unsubscribe mechanism must work for 60 days past the send date. You cannot confirm unsubscribes (can't send an email saying "you are unsubscribed"). It is acceptable to offer to unsubscribe from one newsletter or all newsletters.
  • No false or misleading header and/or subject lines.
  • No harvesting or dictionary attacks.
  • No pre-checked boxes, must require affirmative action.
  • Must include a valid postal mailing address (can be a P.O. box) AND one of the following: web address (contact form), email address or phone number.
  • Charity organizations fall under CASL if they are soliciting or selling anything.
  • You must clearly identify the sender of the message.
  • Must include a clear from name and relevant subject line.
  • Sending "on behalf of" is when a sender delivers another person's advertising content to their own list. In this situation, each party (sender and advertiser) must be identified in the email message. For example, in the case of a list rental – Lord and Taylor is sending on behalf of Guess clothing – both Lord and Taylor and Guess must be identified.

Here are the exemptions of the law:

  • When people ask for estimates, quotes, informational requests on accounts, loans and memberships. An example of this type of email is when you go to a website and request more information rather than signing up for a newsletter: you are requesting specific information.
  • Responding to an inquiry such as a complaint, a question or a solicitation by the recipient.
  • An email sent from an employee to another employee (if work related) within the company.
  • Any legal messages such as a recall, debt collection request, legal or copyright notices.
  • One company to another company, if the companies have a business relationship.
  • Emails between family or personal relationships.
  • Transactional - however, if any marketing language is in message, then it isn't transactional - (this one is still under review).
  • Message is sent to someone in Canada and the sender does not know the receiver is in Canada. This is when the sender couldn't be expected to have known the receiver was in Canada.
  • Third party referrals - clients can send a single non-consent email based on a third party referral as long as the person or company making that referral has either a non-business or personal/family relationship with BOTH the recipient AND the receiver. Also, the sender must disclose the name of the person/company who made the referral and that the email was sent based on that referral.
  • If you previously made a donation to a charity within past 18 months.

Now, let's get a little more specific on permissions since this is where the rubber hits the road. The main theme for consent is that it will be absolutely vital to make sure you are able to provide evidence of a sign up. Be sure you are collecting time and date stamps, scripts, phone calls, etc.

CASL consent is laid out in four circumstances:

  1. Conspicuous publication of an email address where a person has published their email on a website and did not expressly state they do not want unsolicited email AND the message must be related to the recipient's job role/business. For example, Matt Vernhout, Director of Client Support and ISP Relations at TC Media and founder of EmailKarma.net, says "it's OK to send unsolicited email to a person if relevant to their job. So you can send an email about a new law book to a lawyer but not to the entire firm or secretary. The email message/offer has to be relevant and as long as it's relevant to the individual's job function and the email address is conspicuously published without a disclaimer advising against sending unsolicited email."
  2. Recipient has disclosed email address to the sender and has not stated they do not want to receive unsolicited messages and the message is related to the recipient's job role/business. An acceptable example of this would be someone who has provided their business card.
  3. Implied consent - comes in the form of an existing business or non-business relationship between recipient and sender. A business relationship is considered to exist when a customer purchases a product/service or enters into a contract. A non-business relationship is when your customer does volunteer work for you or becomes a part of your organization. Also, if a customer purchased something in the past 2 years, you can send to them for those 2 years under implied consent, but you must obtain explicit consent during that time period to be able to continue to send to them after the 2 year period is over. If they buy something from you again during those 2 years, the 2 year clock is reset.
  4. Explicit consent - is when the recipient provides permission to the sender to send them messages, for example through a webpage sign-up form. Explicit consent cannot be obtained through opt-out mechanisms such as pre-checked boxes, since opting out is an action to revoke permission rather than an action to extend consent. Also not acceptable is having to agree to terms and conditions. For oral or written consent, in either of these methods, it is vital to prove that consent was obtained. These 2 methods will be the most critical and challenging to be able to provide proof of consent, so you should record everything.

Wondering which addresses were collected prior to this law and if you need to go back and get permissions? Addresses that were added via a non-acceptable permission method such as an append or purchased list should never be mailed to again. For people who purchased in the past from you and did not sign up, you will have 2 years to collect explicit consent by sending them an email asking for explicit permission to send them marketing messages.

On the sensitive subject of purchased lists, CASL does not actually prohibit buying lists as long as the correct permissions were collected and recorded. Make sure all the vendors collected the right permissions from each person. You and the vendor are both on the hook to ensure permissions were obtained.

Violations and Enforcement of CASL:

  • Penalties can range up to $1 million for individuals and $10 million for companies.
  • Any single person can bring this law against a sender up to $1 million. However, if you are wrong, you can pay the court/legal fees.
  • If you can show you made strong efforts (due diligence) to do everything you could have done to obtain permissions, it will be taken into consideration should a lawsuit come up. This is why it is so important to make sure you keep track of all data you are collecting to show a person gave consent.
  • Officers of an organization can be held accountable for their organization's messages.

Here are some best practices to follow to ensure you are keeping in line with CASL.

  • Identify inactive addresses and send a re-engagement campaign to opt them back in if nearing the 2 year (post-purchase) mark. Don’t mail to people who haven't interacted with you in over 2 years.
  • Keep sign ups simple and clear. Collect bulletproof documentation that you have permission:
    • Document sign ups directly from website
    • Record time and IP address at sign up
    • Do not pre-check boxes for online sign ups
    • Document how a person begins a relationship with you (purchaser, shopper, etc)
  • Send a clear welcome email to verify and confirm subscription
  • Keep your from name, address and subject lines clear and consistent
  • Must include your postal address.
  • Tell people who you are and how to reach you. If someone is mailing for you, then you need to make sure that their information is included too.
  • If sending for someone else, state both parties' names and who is sending on behalf of whom.
  • Working unsubscribe mechanism (use both a link and reply address for redundancy).
  • Update your privacy policy on data collection

Since it has not yet been determined how exactly CASL will come out and be put into law, there are still more questions left to answer which we hope will be addressed in the coming months. At this time, it's best to start the process of making sure you are aligned and ready once the final regulations are completed and implemented. Note: I am not an attorney or legal advisor on this subject and these are only my opinions on email related topics. For actual legal advice, please contact the appropriate authorities.

Chris Kolbenschlag
Director of Deliverability at Bronto
