Featured image for “Understanding Canada’s Anti-Spam Legislation”

Understanding Canada’s Anti-Spam Legislation

By: Matthew Vernhout

Sending commercial electronic messages (CEMs) to customers and prospects is about to get a little more complicated for most businesses. Canada’s Anti-Spam legislation (CASL) is set to come into force on July 1, bringing with it potential fines that could reach into the millions. With this new legislation, new challenges will be presented to businesses that want to connect with their customers and prospects over digital messaging channels like social media, email, install applications, and programs that alter data during transmission.

CASL introduces a number of required elements to digital communications that range from collecting consent to send marketing communications and installing software on a computer or mobile device. These requirements are set to regulate how consent is acquired and withdrawn when used for commercial activities. The days of pre-checked boxes and consent buried in the terms and conditions of your website or contracts with your clients are limited.

Under the anti-spam legislation a CEM is defined as a digital message sent to any electronic address (i.e. email address, Twitter account, or text message) that promotes or advertises a product, person, event, investment, or business. In more general terms, if there is any commercial activity tied to the message, it would be considered a CEM under CASL. Even sending a request for consent to send additional CEMs will be considered a CEM under CASL and requires consent.

Under CASL there are two main types of consent for messages – express consent and implied consent. Express consent is defined as a positive action taken by a user to provide consent (i.e. checks an unchecked box granting permission) and remains valid until the user withdraws consent by asking to be unsubscribed from future CEMs. In contrast, an implied consent is only considered valid for a period of two years after the consent is granted.

In order to collect an express consent, the recipient must be presented with a clear statement of the purposes for collection, identification of the requesting party, contact information, and other prescribed information. An affirmative action must also be presented to the user that indicates a desire to receive messages; an example would be checking a box to agree to receive CEMs from your organization. The Canadian Radio-television and Telecommunications Commission (CRTC) clarified that pre-checked boxes will not meet the requirements for express consent under the legislation.

Implied consent can be collected during a business transaction (defined in the act as an Existing Business Relationship (EBR)) such as booking a room and staying at a hotel, a donation of time or money (defined as an Existing Non-Business Relationship (ENBR)) to support an association or Not for Profit, or by supplying an email address via a subscription form from the recipient.

Users requesting information on products, room rate requests, or providing feedback (positive or negative) also have a short time frame of implied consent, lasting six months, where messages are sent in response. This provides the needed time to establish an ERB/ENBR, express consent, or address the concerns of the user. Tracking the dates and time of these implied consents will be key to managing the various expiry of consent for these records.

Identification of the data collector and sender of the message play an important part of CASL compliance. CASL lists a number of required items be present at the time of subscription and in each CEM sent to subscribers. These include the senders; postal address, contact information (one of phone number, email, or contact form), a statement about unsubscribing, and a link to your privacy policy. Should users select to unsubscribe, it must be free, easy to execute, and readily performed “without delay, and in any event no later than 10 business days after the indication has been sent.”

CASL provides a number of exemptions for businesses in order to send transactional messages that complete a transaction (e.g. room confirmation, cancellations, and billing emails), deliver a product or service, address safety, or warrantee information and messages that may be legally mandated by a court order. These exemptions may not require consent, but they will require the other parts of the prescribed identification information be included in the messages. Also, unlike some other anti-spam laws, these messages must not include any commercial content or they will need to comply with the consent requirements for sending CEMs.

Many businesses also rely on referrals for business growth. CASL addresses this by allowing a single CEM to be sent to an individual that is referred to an organization and where the prescribed information and the full name of the person initiating the referral be listed within the body of the message.

Realizing that there is a lot of work ahead for many businesses, the enforcement process for CASL will take part in three phases throughout a transition period designed to bring portions of the law into force over the next three years.

Phase One: Addresses the consent clauses and digital messaging portions of the legislation – July 1, 2014.

Phase Two: Addresses computer programs and data alteration portions of the legislation – January 15, 2015.

Phase Three: The final part of CASL will bring into force the private right of action and will come into force after the three-year transition period on July 1, 2017.

During this transition period your existing list members with express consent under the privacy legalisation will also be grandfathered in as express consent under CASL. Any implied consent members can continue to be messaged and should be targeted for a consent upgrade as they renew their business relationships or the transition period ends.

For more information on CASL, please visit the official website at http://Fightspam.gc.ca, or Inbox Marketer’s CASL resource centre at http://www.inboxmarketer.com.

Matthew is a digital messaging industry veteran and Certified International Privacy Professional with more than 10 years of experience in email marketing. Matthew shares his thoughts on industry trends via an email newsletter and his social marketing blog EmailKarma.net, which was recognized in 2010 as one of Canada’s top 40 marketing blogs. Follow Matthew on twitter: @emailkarma