The Canadian Anti-Spam Legislation (#CASL): The Bane of the Canadian Communication Industry

June 11th by Hessie Jones 0 0

I attended the Canadian Anti-Spam Legislation (CASL) Session last week in Toronto. The new legislation, effective July 1, 2014 is stirring up the marketing industry, with marketers struggling to really grasp the essence of the new law and what it means to their individual businesses.

Bravo to the DMA for getting all the marketers out. Not surprisingly, a session entitled with such scare and urgency would draw audience within an entire industry.

Here’s the gist of the legislation:

Canada’s Anti-Spam Legislation (CASL), which was passed in 2010, establishes rules for sending commercial electronic messages (CEMs) as well as the installation of computer programs, and prohibits the unauthorized alteration of transmission data. Although CASL is not yet in force, the government announced in December 2013 that CASL will be implemented in three phases; the majority of CASL comes into force July 1, 2014, the rules that apply to computer programs will come into force January 15, 2015, followed by the private right of action on July 1, 2017.

The Competition Act has been amended to prohibit false or misleading representations in the sending of a CEM, whether in the content, subject line, or sender information of a message.

CASL extends beyond email. It also covers texts, SMS, Twitter, Facebook ie any message coming in to an electronic inbox via computer or phone that is commercial in nature.

The Cost of Non-Compliance is Significant

Visible opt-out or unsubscribe policies were part of an established norm set about when Permission Marketing was introduced in the late 90’s. Seth Godin had written some best practices about the use of this-then-new-medium known as email:

Permission marketing is the privilege (not the right) of delivering anticipated, personal and relevant messages to people who actually want to get them.

It recognizes the new power of the best consumers to ignore marketing. It realizes that treating people with respect is the best way to earn their attention.

Almost 14 years later, the digital industry has evolved and the very rules that Permission Marketing established have been dismissed and exploited by “hard-core” Spammers. #CASL and the CRTC are coming to the forefront to crack down on this unrelenting practice and by and large, impose significant penalties for non-compliance. Each violation can mean fines up to $1 million for individuals and up to $10 million for companies. What’s more by 2017, this leaves organizations vulnerable to class action lawsuit.

At first blush, the legislation, while intended to give power back to the consumer, may also hamper business to a large degree. My friend, who has asked to remain nameless, works for a company that not only utilizes database promotions, but also evolved digital communications. Here was his take on what CASL means for this industry:

CASL is about to send Canadian Digital Business back to the stone ages…the intent was spam…but this blunt, overreaching, overkill and unimaginative piece of legislation will impact every attempt to deliver smart and engaged digital media and neuter Canadian businesses ability to compete…

The Radical Change: Explicit Consent

OPT-IN is now the new norm. CASL specifies the following requirements for obtaining express consent:

The purpose of consent
For whom or what organization for which it’s being obtained
Include a statement that can dismiss consent at any time ie unsubscribe
Include contact information – mailing address, telephone number, email of web address

What’s important is a that a party must prove (as of July 1, 2017) they’ve obtained consent from all individuals to whom they are communicating. This proof must be disclosed “clearly and simply” ie tangible proof through paper, or electronic message. It will be important for business to keep a copy of all forms and to track the version from which customers have opted in.

For business, the biggest challenge will be converting verbal consent at the point of sale to an audio proof of consent.

Lists are at Risk

The biggest impact #CASL has is within list industry.

Rented Lists are compliant as long as the original list owner obtains user consent on behalf of the list renters and may be stated in this way: “We will, from time to time, send you promotions on behalf of partners and sponsors. Please click here if you consent to receiving these emails.”

As well, the list owner must deploy emails on behalf of the list renters.

Compiled Lists that are purchased have a much rockier road ahead. This industry’s death is imminent. For parties that have purchased lists, it will be imperative to obtain express consent since there is no implied relationship with the base members.

We have a grace period: Transition to July 1, 2017

July 1, 2017 is a critical date. This means that for 3 years up until July 1, 2017 companies can leverage this transitional period to acquire explicit permission from existing business and non-business relationships. That means that if a business has been sending CEMs to a customer prior to July 1, 2014, consent is implied and will continue to be implied up until July 1, 2017 (or until the customer unsubscribes).

In the last few weeks, I have received emails from large organizations (in anticipation of the July 1st legislation) sending out the following emails to their databases:

When I spoke to Matthew Vernhout, Chief Privacy Officer from Inbox Marketer, he noted that companies who send out an email like this en masse risk losing a large percentage of their customers in one fell swoop. To mitigate this loss, Matthew suggests embedding consent within an existing promotional email. Marketers can, as a matter of practice going forward, include a link at the bottom of promotional emails that allows the consumer to “click to agree to consent”. This should link to a form that captures the date and customer consent.

It’s important to note that no action ie “not” clicking the consent or “not” unsubscribing does NOT constitute consent. Proof of explicit submission must be obtained.

Implied Consent: defined

If a company has emailed an individual prior to July 1, 2014 and that individual has not given explicit consent, the business may assumed implied consent under #CASL rules up until July 1, 2017. What this means:

the sender and recipient have an existing business relationship (e.g., the recipient has made a purchase within the past two years, or an inquiry within the past two months);
the sender and recipient have an existing non-business relationship;
the recipient has conspicuously published their electronic address(e.g., on a website), has not expressly stated that they do not wish to receive unsolicited messages, and the message is related to the recipient’s professional capacity; or,
the recipient has disclosed their electronic address directly to the sender, has not expressly stated that they do not wish to receive unsolicited messages, and the message is related to the recipient’s business or official capacity.

#CASL Exceptions

Note there is an extensive list to which #CASL does not apply including:

those with whom the individual or business has a personal/family relationship
private networks e.g. online banking
those currently engaged in business activity
those employees, consultants, franchises connected to the organization, where messages concern the activities of that organization
the full list can be found here.

Social Media continues to be the Gray Area

For those of us who practice within this new media space, there was less clarity defining the rules governing real time conversions and B2B social platforms like LinkedIn. Legal opinions concerning these areas were largely contradictory.

On one hand, a Privacy officer noted that CRTC have exempted public feeds within #CASL. Only DMs (direct messages) apply. A contrary view from a Privacy lawyer noted that as long as CEMs are sent to an electronic mailbox (where Twitter can provide notifications about “public” activity), this is inclusive of #CASL.

Does #CASL in Social Media imply that “Every Electronic” Communication in 140 characters must include a consent link?

I questioned Matthew Vernhout, Chief Privacy Officer and requested clarity in the following areas:

Give the prevalence of social how does the CRTC effectively police CASL on Twitter and the millions of discussions happening every day on other social platforms?

Conversation threads between individuals can include promotional messages, even those between friends/followers.
Do we assume any communication on Twitter in a public feed has to contain all the consent requirements if there is future potential or promoting a message to that individual? While this is the plan for email, should there be another plan for Twitter and more real-time messages?
For people who use LinkedIn and have paid for the premium service and have accepted InMail and other services as a way of networking, does this apply to CASL? Also, the premium service allows companies to promote on your LinkedIn Box. Is this compliant?

Matthew responded:

I can’t exactly comment on how the CRTC will be enforcing things like Social Media compliance as we have yet to see any type of infractions under the legislation. At best I can hypothesize that their methods, will be mostly directed by user complaints to the spam reporting center and those organizations with a large number of complaints will be reviewed by one of the CRTC’s investigators. Should the CRTC find sufficient evidence of violation under CASL they will begin the process of taking action against the person/business sending the CEMs.

Based on the three scenarios here is what I think the responses are:

Personal Relationships (as per regulations below) have a number of exclusions under CASL for permissions and form of the message. Promotional messages between these “personal relationships” on Twitter should be able to meet these requirement for exemption from the legislation.
CASL states that where it is impractical to include the information you may link to an external source to supply this information; i.e. a bit.ly link in an SMS message with identification and contact information being made available to the recipient. This could work on Twitter as well, and potentially making this part of the background or bio on a Twitter account could qualify for this as well. CASL is technology neutral and the rules are the same regardless of the medium being used.
CASL has a number of B2B exemptions, each message sent via an inMessage would need to be evaluated against these exclusions. Just based on that screen shot those messages could potentially violate CASL as they are sent without and express or implied consent by the sender.

#CASL needs to Evolve

It’s clear from the updated legislation that #CASL and the CRTC need to establish more clarity around the rules concerning the new media. In all three cases where I have asked Privacy lawyers and Privacy officers to provide more granularity in compliance from a social media perspective have all come back to say they themselves don’t use social media so they were unable to give solid response to the nuances of conversation and context on social networks. Aye, there’s the rub! Without truly understanding the nuances of this medium has the CRTC written legislation without giving thought to what the impact means for marketers.

Does the CRTC think that organic public conversation on social networks will allow the inclusion of a “consent” link into every post?
Can they easily enforce communications between what they deem personal relationships vs. just followers?
If someone who receives a promotional message from a follower but does not have a personal relationship, is this a #CASL violation?
Can LinkedIn scream “exemption” because they offer a paid service that implies Opt-in for those users who have purchased subscriptions?

While email seems cut and dry, there are still too many unanswered questions when it comes to social networks. This clearly needs to be revisited and addressed in the very near future.

If this provides some guidance, a Privacy lawyer noted: “Err on the side of empowering the recipient with the intended message”.

For those that continue to have questions regarding #CASL here are some resources to reference:

Canadian Anti-Spam Legislation
Innovation LLP – Interpretation of CASL
Final Regulations for CASL

Hessie Jones

Founder at ArCompany, and Director, International Council on Global Privacy and Security by Design Hessie is a seasoned digital strategist, and intelligence analyst having held senior positions for top ad agencies including Ogilvy, Rapp Collins, ONE and Isobar Digital. She also has extensive start-up experience in AI technologies, social tech, online publishing and artificial intelligence like Yahoo! Answers, Overlay.TV, Jugnoo and Cerebri AI. Hessie is the co-author of EVOLVE: Marketing (as we know it) is Doomed! She is also an active writer for Forbes, Cognitive World, Towards Data Science and Marketing Insider Group.