Stage one of Canada’s new Anti-Spam Law came into effect on July 1, 2014, creating a new regulatory framework for any organization sending Commercial Electronic Messages (CEMs) to or from Canada.
Designed to reduce spam, spyware/malware, email address harvesting and network rerouting, CASL contains some of the toughest measures of its kind in the world, with severe penalties for non-compliance including fines, criminal charges, civil charges and personal liability.
It’s a complex framework with strict requirements for all CEMs, myriad rules on consent as well as numerous full and partial exemptions. Are you confident your organization is ready for CASL? Is your technology? What about proving compliance?
6. Spam statistics
One Canadian FSI reported that it deletes around 150,000 spam emails per hour during peak email times.
7. Spam statistics
The same Canadian FSI deletes approximately 2 million spam messages in a typical day.
8. So, what is CASL?
Canada’s Anti-Spam Law (CASL) is a new regulation designed to reduce spam, spyware/malware, email address harvesting and network rerouting.
9. Which communications does CASL cover?
CASL applies to all commercial electronic messages (CEMs) in Canada.
These include:
• Commercial emails
• Text messages
• Social media messages
10. What constitutes a CEM?
Simply put, for a piece of communication to be considered a CEM, it has to have two components:
1. It must be sent to or from an electronic address
2. Its content, hyperlinks or contact information must be designed to sell, promote or advertise a product or service
CASL also applies to global organizations that send CEMs to Canada.
11. Which organizations does CASL impact?
CASL applies to any organization that sends commercial emails, text messages and social media messages from or to an electronic device in Canada.
These include:
• Businesses
• Non-profits
• Trade associations
• Schools, universities
12. What are the timelines for CASL?
CASL will be rolled out in three stages:
• July 1, 2014 – All CEMs must meet CASL’s
anti-spam requirements
• January 15, 2015 – Consent is required to
install spyware or software on another person’s
computer
• July 1, 2017 – Organizations that violate CASL
can be sued for actual or statutory damages
under a private right of action
13. Do penalties exist for non-compliance?
Penalties for non-compliance are severe and
include:
• Hefty fines
• Criminal charges
• Civil charges
• Personal liability
14. CASL rules, simplified
CASL demands that all CEMs meet three basic requirements. These are:
1. Consent. The sender must have implied or express consent to send a CEM.
2. Identification. CEMs must identify the sender and include contact information.
3. Unsubscribe. Every CEM must include an option to unsubscribe or opt-out.
Unless exempt, all CEMs accessed on a computer system or electronic device must include all of the above.
15. Are there exemptions?
The list of exemptions is long – and it’s always best to read the fine print. CASL provides both full and partial exemptions, which are summarized on the following pages.
16. Full exemptions
Full exemptions fall into five categories:
• Family or business relationships
• Business inquiries
• Legal
• Closed loop or secure messaging
• Designated groups
17. Family or business relationship exemptions
Full exemptions for:
• CEMs exchanged between family and friends
• CEMs exchanged within or between
organizations, provided they have an existing
relationship and the CEM concerns the activities
of an organization
18. Business inquiry exemption
Full exemptions for:
CEMs providing a response to a request, inquiry
or complaint (provided there is no upselling)
19. Legal exemptions
Full exemptions for:
• CEMs sent to satisfy or enforce a legal obligation
• CEMs sent to listed foreign countries, where it
is reasonable to believe that the message will be
opened in a listed foreign state
20. Closed loop or secure messaging exemptions
Full exemptions for:
• CEMs sent from messaging platforms (e.g.
BBM messenger, LinkedIn) where the required
identification and unsubscribe mechanisms are
clearly published on the user interface
• CEMs sent and received within limited-access
secure accounts (e.g. banking portals)
21. Designated group exemptions
Full exemptions for:
• CEMs sent by or on behalf of a registered charity
for the primary purpose of fundraising
• CEMs sent by or on behalf of political parties
seeking contributions
22. Partial exemptions
Partial exemptions fall into three categories:
• Customer-initiated interactions
• Information about an existing business
relationship
• Third-party referrals
23. Customer-initiated interactions
Partial exemptions:
You do not need consent for a CEM that is sent to
fulfil the request of a recipient, such as:
• Providing a quote
• Facilitating a commercial transaction
• Delivering a product or service
For more information on the electronic commerce protection regulations and their exemptions, read our FAQ.
24. Information about an existing business relationship
Partial exemptions:
CEMs can be sent if they provide information about an ongoing business relationship, such as:
• Warranty, product recall or safety alerts
• Factual information about the ongoing use of a product/service
• Information about an existing employment relationship
For more information on the electronic commerce protection regulations and their exemptions, read our FAQ.
25. Third-party referrals
Partial exemptions:
A single CEM can be sent to a prospective customer
without prior consent on the basis of a third-party
referral (e.g. “refer a friend” or “suggest us” emails),
so long as:
• The referral is by a person who has an existing
personal, business or family relationship with the
sender and recipient
• The message discloses the full name of the person
who made the referral
• The message clearly identifies the sender and person
making the referral, and includes both contact
information and an unsubscribe option
26. What is implied consent?
In certain situations, organizations don’t require express
consent to send a CEM – implied consent is enough.
Consent is implied if:
• There is an existing business or non-business
relationship
• The recipient is part of a published directory
• The recipient has voluntarily disclosed their email
address, such as by handing out a business card
In all situations, the CEM must be relevant to the recipient’s business or role. If the recipient indicates that they do not want to receive electronic communication, consent is no longer implied.
27. Obtaining express consent
For all non-exempt CEMs, recipients must offer express
consent by actively and positively indicating that they
want to receive your CEMs. Recipients can express
consent in a number of ways, including:
• Checking a box to indicate consent in the form of
“opting in”
• Typing an email address into a field
• Providing “unbundled” consent that is separate from
the general terms and conditions of use or sale
Please note: while pre-checked consent boxes are
no longer permitted as a form of consent, those that
existed on email communications before July 1, 2014
will be grandfathered in.
28. Requesting consent
Just as CASL includes rules for sending CEMs, all
outgoing requests for consent must include a few
basic elements.
These are:
• The name of the sender and the third party
seeking consent (if different)
• A physical mailing address
• A telephone, email or web address
• A statement indicating that consent may be
withdrawn
29. Preparing for CASL: Immediate steps
1. Designate a CASL working group to review your current CEM processes and identify compliance gaps.
2. Develop an implementation plan.
3. Reach out to contacts in your database in an effort to turn implied consent into express consent.
30. CASL compliance: Questions to note
• How will you manage your unsubscribes if you
share content lists?
• How will you prospect if you rely on the B2B
exemption?
• Will you rely on a centralized unsubscribe model
or federated model to build a CASL-compliant
database?
• Will you rely on the transitional period to convert
all implied consent to express consent?
31. The technology perspective
Ensuring compliance with CASL – both
immediately and over time – requires designing and
implementing technology platforms that perform a
variety of functions, including:
• Managing and tracking opt-outs and consents
• Recording subscribe and unsubscribe histories
• Producing reports
All of the above information is needed for you to
illustrate your due diligence.
32. Customizing technology
Your company’s platform will need to take your
specific situation into account. For example, simply
building an unsubscribe mechanism requires
consideration of factors such as:
• Should the process be manual?
• Will you keep a federated unsubscribe database
or a web page that allows unsubscribes from
certain services?
33. After July 1
While CASL’s Anti-Spam provisions take effect on
July 1, here are a few helpful tips to keep in mind
after the deadline:
There is a grace period
Businesses that have existing relationships benefit
from a three-year grace period to verify and confirm
implied consents.
You can no longer send an email to ask for consent
After July 1, senders can only offer check boxes to
acquire a recipient’s express consent.
34. Proving compliance
You must keep strong records of all consents
and unsubscribes so that they are:
• Documented
• Amalgamated
• Stored
Remember, if you’re sending CEMs, the proof of
consent burden is on you.