Canadian Anti-Spam Legislation (CASL) and the impact on your organization be it for profit or not.

1. CASL
WHAT YOUR
ORGANIZATION NEEDS
TO KNOW

2. A little about Algonquin College
Quick Facts:
• 20,000 FT & 35,000 PT students
• 208 programs from 1 year Certificates
to 4 year Bachelor degrees.
• 3 campuses in Ontario, Online and 6
operations internationally
• 4th Largest in Ontario CAAT system of
24 colleges.
For every $1 dollar spent by:
• Students: $4.50 in lifetime return.
• Prov. Gov.: $6.20 in added taxes and
public sector savings.
• Society: $21.30 in added provincial
income and social savings.
• $310 million spent by college operations
• $ 28 million effect of student spending
• $1.6 billion in past student productivity
• $1.8 billion Total effect on local economy

3. And a little about me…
• 25+ years of experience spanning Marketing, Product Marketing, Product
Management, Software Development and Mechanical Engineering
• 3-time Marketo Champion, 2 time Revvie winner for marketing automation
• Leader of the Marketo regional user group – Ottawa
• At Rolls-Royce in Darby, UK when RR Trent 800 engine set a world record
during an developmental test generating 107,000 lbs. thrust.

4. AGENDA
• The Spam Problem
• Legislative Changes
• Examples and Use Cases
• Communication Plan
• Enforcement
• Next Steps

6. SPAM: AN ONGOING
PROBLEM

7. Spam Volume – abuseat.org
7

8. Spam by Geography (by receiver)
8

9. Spam by Geography (Canada)
9

10. LEGISLATIVE CHANGES

11. Canada’s response - CASL
Canadian Anti-Spam Legislation
(CASL) also known as the
“Fighting Internet and Wireless
Spam Act” (FISA)
• Significant 80 page law passed
December 2010. Final
Regulations passed
December 4, 2013.
• CASL is very stringent: Opt-in
and covers much more than
spam
• US CAN-SPAM ACT is
weaker: Opt-out and only
covers spam
1
CASL Timeline

12. CASL is CONSENT

13. The Heart of CASL
In the simplest terms, CASL is not just about spam but rather obtaining
consent:
1. Proscribes a new standard for obtaining consent for commercial
electronic communications (CEMs) with auditable records. CEM
consent expires after 3 years of inactivity.
• CEMs must identify sender, match intent and have a clear opt-out mechanism.
2. Requires explicit consent for installation of software on a personal
device, expires after 1 year of inactivity.
3. Provides an enforcement mechanism and stiff penalties when conditions
are breached.
4. Fundraising activities are exempt but must follow CRA registered charity
guidelines.
1

14. CASL’s Enforcement Targets
1
Spam Hacking Malware
Fraud Email Harvesting Privacy Invasion

15. Legislative Changes: Don’t forget
about Accessibility (AODA)
W3C WAG 2.0 AA standard = AODA for web

16. CASL EXAMPLES AND USE
CASES

17. CEMs in detail
CASL prohibits sending commercial electronic
messages to an electronic address unless:
• The recipient has given expressed or implied
consent, or a pre-established business
relationship with the recipient exists, and
• There is a mechanism for opting out of further
communications
17

18. CEMs are not just…
Not just e-mail
• “Commercial electronic messages” – any electronic message with a commercial
purpose (whether or not the event or offer is free)
• This includes text, sound, voice or image message but NOT fax or voice recordings sent to a
telephone (covered by other CRTC regulations).
• Applies to any electronic message promoting your organization (whether or not the event or
offer is free) that leads to a commercial transaction
Not just individuals
• Applies to emails sent to individuals AND organizations (businesses, corporation,
non-profits, registered charities, etc.).
Not just mass emails
• Even a single email from your desktop could be considered an infraction
Not just in Canada
• Applies to emails sent to, or from Canada and including transiting through
Canadian servers
• Emails sent to foreign recipients exempt if equivalent anti-spam legislation exists
1

19. CEMs are not…
Surveys, polling, newsletters, and messages
soliciting charitable donations, political
contributions, or other political activities that do
not encourage participation in a commercial
activity would not be included in the definition*
*Industry Canada FAQ - http://www.ic.gc.ca/eic/site/030.nsf/eng/00271.html
1

20. Expressed Consent
The request for consent must include:
1. The purpose for which consent is sought (i.e.
more information on services)
2. A statement that the recipient may withdraw
consent (through unsubscribe)
3. Must be separate and distinct.
4. CEMs must contain the identity, business
name, or actual name along with the contact
information (mailing address and telephone
number, email or web address) of the person
or business requesting consent
*Cannot ask for consent via e-mail after July 1, 2014
20

21. Example CEMs
21

22. Example Subscription Center
A method to withdraw
consent must be
provided, usually as an
electronic unsubscribe.
• Unsubscribes are global to
the organization
• Use of best practices can
provide options to divert or
prevent unsubscribes.
• Must be actioned within 10
business days
22

23. Implied Consent Exemptions
1. Existing business relationship
• A purchase or lease of a product, goods, service, etc.
within past two years or
• Any inquiry or application within a six month period.
2. Existing non-business relationship
• Donors or volunteers of registered charities, current
or within past two years
• Members of a club or association, current or within
past two years
23

24. Third-Party Consent - Obtaining
Must ask up front for consent to share with
third-parties

25. Third-Party Consent - Unsubscribe
Unsubscribe must also flow to third-parties

26. Third-Party Consent - Unsubscribe
Unsubscribe can apply to only third-parties

27. Email Lists Buys

28. CASL COMMUNICATIONS
PLAN

29. Communications Objectives
• Raise awareness of CASL and how it impacts your
organization and its employees
• Educate and inform employees about CASL rules and
communicate updated policies and procedures
• Engage employees so that they play an active role in
achieving compliance
• Provide regular updates on the College’s progress and
CASL resources to employees

30. Strategy and Tactics
1. Training and education:
• Develop CASL Learning Modules
• http://lyceum.algonquincollege.com/lts/CASL/
2. Develop a CASL Resource
website/blog
• Learning module,
• Employee checklists
• External CASL resources
• Share updates/best practices

32. Strategy and Tactics
3. Communications Policy
• Develop and approve an electronic
communications policy
• Update privacy policy with consented use,
especially third party relationships
• Recommend legal review
4. Ongoing CASL audits and compliance
• Corporate email footer
• Database audits/reports

33. CRTC/COMPETITION BUREAU
ENFORCEMENT

34. CASL Enforcement
Date Agency Description/Organization Outcome
2016-May-27 Privacy
Commissioner
Email harvesting complaint,
Compu-Finder
Compliance
agreement
2015-Dec-03 CRTC SpamBot take down Court warrant
2015-Nov-20 CRTC Rogers Media Inc. $ 200,000
2015-Jun-29 CRTC Porter Airlines Inc. $ 150,000
2015-Mar-25 CRTC PlentyofFish Media
Inc.
$ 48,000
2015-Mar-05 CRTC 3510395 Canada Inc. Compu-
Finder
$ 1,100,000

35. CRTC Porter decision
With respect to the Porter case, the CRTC
stated:
“This case is an important reminder that …, proof of
consent is required for each electronic address.
Some businesses are under the mistaken impression
that they are compliant with the law by relying on
general business practices or policies as proof of
consent for the majority of the electronic addresses to
which they send their commercial emails. This is simply
not the case.”

36. NEXT STEPS

37. CASL Compliance checklist
1. Internal governance and policy development
2. Review your CEMs – what messages do you send?
3. Review your contact lists – who should be scrubbed?
4. Pursue express consents – get that “gold standard”
5. Update consent procedures – is your consent valid?
6. Record keeping – When does implied consent expire;
are you ready for an audit?
7. Update CEM templates + unsubscribe mechanisms
8. Review Third Party contracts for CASL Compliance
9. Create and deliver employee CASL training and
integrate into onboarding and keep activity records.

38. QUESTIONS?

39. Eric Hollebone
Director, Marketing
Algonquin College
hollebe@algonquincollege.com
613 727-4723 x5054
ca.linkedin.com/in/erichollebone
twitter.com/erichollebone

40. BACKGROUND

41. Relevant Web Links
• CRTC FAQ
http://www.crtc.gc.ca/eng/casl-lcap.htm
• Government of Canada CASL Regulations
http://www.ic.gc.ca/eic/site/030.nsf/eng/00273.html
• Government of Canada Fighting Spam information
http://fightspam.gc.ca/
Notices of Violation 2015 http://www.crtc.gc.ca/eng/com500/ut2015.htm
Notices of Violation 2016 http://www.crtc.gc.ca/eng/DNCL/dnclc_2016.htm
• CASL Overview – Wikipedia
http://en.wikipedia.org/wiki/Fighting_Internet_and_Wireless_Spam_Act
41

42. Sources
• 2013 Global Spam volumes
http://krebsonsecurity.com/2013/01/spam-volumes-past-present-global-local/
• Kaspersky Spam evolution report 2013
http://www.securelist.com/en/analysis/204792322/Kaspersky_Security_Bulletin_Spam_evolution_2013
• TrendMicro Global spam map
http://www.trendmicro.com/us/security-intelligence/current-threat-activity/global-spam-map/
• Statista
http://www.statista.com/statistics/420391/spam-email-traffic-share/
• Abuseat.org
http://www.abuseat.org/totalflow.html
42