By Ross Armstrong, Executive Advisor, Info-Tech Research
As many IT leaders are already aware, the Canadian Anti-Spam Legislation (CASL) came into effect on July 1, 2014. When it does, our proud nation officially becomes the last G20 member to enact a federal law to curb unwanted mass emails. Despite being (un)fashionably late to the party, or perhaps in spite of it, CASL promises to be the toughest anti-spam law amongst all industrialized nations.
What Is CASL?
The law means that any company communicating electronically with new, existing, or prospective customers will have to prove that they have obtained consent from these recipients to do so. According to CASL’s official website (appropriately named www.fightspam.gc.ca) the new legislation applies to all professional individuals, businesses, or organizations that:
- Make use of commercial electronic messages (CEM) when conducting business
- Are involved with the alteration of transmission data
- Produce or install computer programs
In some respects, there is very little that’s new in CASL compared to other anti-spam laws in G20 countries. Predictably, in order to comply with CASL you must include the following when sending any kind of CEM:
- Expressed or implied consent from the recipient to send a CEM.
- Clear and simple identification of yourself or of others on whose behalf the CEM is sent.
- A mechanism that allows recipients to unsubscribe from receiving future CEMs.
Fit for Service
The also-appropriately-named section 8 of CASL deals with obtaining consent from a recipient to install a computer application or program on their PC, smartphone, or other computer-based device. It also deals with notifying device owners about whether the program intends to collect personal information, change the user’s computer settings, and so on. Under such circumstances, section 8 of CASL demands that businesses do the following:
a) Obtain the consent of the device owner to install any application or program.
b) Disclose information about what the application will do to the owner’s device.
c) Describe the actual elements of the program that will perform changes to the device.
d) Inform owners if the program could make their device communicate with another device.
e) Let owners know if an app will change or interfere with any data stored on his/her device.
f) Advise owners if a program can be activated by a third party without their knowledge.
In other words, you have to comply with section 8 if you operate a website that requires the loading of JavaScript or cookies onto a visitor’s computer, or if you offer mobile apps for download, or make software programs available to customers in pretty much any way, shape, or form. If you fail to meet even one of the disclosure requirements listed above, you must help the device owner remove or disable the application at no cost to them. And if you neglect to do even that, then you face some pretty stiff financial penalties.
Impact of CASL on Organizations
After July 1, 2014 any business found in violation of CASL will face criminal charges and possible fines ranging from $1 million for an individual up to $10 million for a company. Now that’s tough. Obviously, CASL will have the greatest impact on companies that use emails and/or texts to promote/sell their products and services.
As is always the case with legislation that directly affects IT, it will be more difficult for smaller companies to comply since they tend to have fewer resources for compliance. It will be all the more difficult since, under CASL, “implied consent” has an expiry date: specifically, two years after an existing business relationship ends.
CASL is meant to stop unwanted emails; if your customers want to hear from you, then they can. Yet many businesses are concerned that the stringent IT controls required for CASL compliance could disrupt legitimate communications with their customers. However, this can only happen if the company actively disregards the criteria laid out in the CASL requirements.
What to Do About CASL
Obtaining consent – and being able to track and record that in customer databases – will be key to CASL compliance. Having a pre-checked box for consent to CEMs is no longer acceptable under CASL, nor can consent be grandfathered or “passed forward.” With this in mind:
- Review the CASL regulatory impact analysis statement. Published by the Government of Canada, this document summarizes the impact of the legislation on businesses, and it also provides realistic interpretation of CASL and guidance on how to comply with its requirements.
- Understand the differences between expressed consent and implied consent. Expressed consent means you have explicitly asked for a contact’s permission to send them CEMs, to which they agree. Implied consent occurs when a previous business relationship already exists between your company and the contact.
- For expressed consent, you need to include certain information about who is sending CEMs to the contact, such as: sender’s name, company name, company address, company website, company phone number, and company postal address.
- For implied consent, the criteria for “pre-existing relationship” has been met if there has been an exchange of business cards, a sign-up or registration was completed, verbal consent was given over the phone, and so on.
i. If implied consent has been gained under these circumstances, then the company has 2 years from the last customer CEM to gain expressed consent. ii. The Government of Canada has temporarily extended the 2-year implied consent deadline to 3 years, at least for the time being.
- Also note that there is no grandfathering of consent that was originally obtained under PIPEDA, since PIPEDA allowed for unconditional implied consent. Under CASL, implied consent is only allowed under very specific circumstances.
- Get to know CASL’s definitions. CASL has some very broad interpretations of terms such as “electronic message,” “transmission data,” or even “person.” A superb example of legalese, the Government of Canada Justice Laws Website contains various definitions as understood in CASL.
- Prepare for the CASL requirements that are IT-oriented in nature. IT must work with Marketing to put systems and controls in place (especially around the corporate website and customer databases) that will:
- Obtain consent from new, existing, or prospective customers
- Prove that implied consent already exists with current customers
- Record which consents have been obtained for each customer contact
- Record when implied consent comes to an end
- Record evidence of expressed consent
- Ensure all business CEMs are sent in the proper format
- Ensure all CEMs are sent only to people who have expressed or implied consent
- Provide the unsubscribe mechanism
- Ensure all unsubscribes are implemented in 10 business days within all databases
- Ensure that implied consent expires within 2 (or 3) years of the relationship ending
- Ensure that expressed consent is gained within 2 (or 3) years of when implied ends
- Download this CASL database checklist from Vigorate Digital Solutions. Since CASL has an effect on how customer databases and records must be set up, a checklist for database requirements is strongly advised. There’s also a good high-level CASL checklist published by Inbox Marketer that goes through compliance at the project level.
- Check out “How to Prepare for CASL.” This is an online CASL survival guide written by Elite Email. In this guide are covered numerous IT-related CASL issues, such as organizing your database(s), dealing with implied consent, inbound data processes, confirmation campaigns, and other relevant subjects.
- When in doubt, go to the source. The CRTC’s CASL web page also includes a fairly in-depth FAQ section that will help you understand what ‘consent’ actually means, what types of CEMs fall under this rule, messages being sent outside of Canada, the applicability of CASL to certain situations, and so on. The University of Alberta has also published a handy CASL FAQ document in MS Word format
Conclusion
A lot of the spam that arrives in Canadian inboxes comes from foreign countries, but because of the G20 agreements already in place, the idea is that both foreign and domestic spam will decrease dramatically. It remains to be seen if Canada really has the reach to go after foreign companies and successfully fine them, despite what the feds say about the “multi-jurisdictional agreements” and “international cooperation” that stem from G20 treaties.
That said, the law is the law, for better or for worse. IT leaders must therefore get in front of CASL before it gets on top of them, as it could take up to six months or more for some companies to achieve full compliance. You don’t have a whole lot of time left.
Note: Be advised that this article is for information purposes only and does not constitutes legal advice, nor does Info-Tech assume any responsibility for our clients’ state of compliance or non-compliance with any law or regulation. Any IT professional seeking to comply with legislation should always seek out the advice of their legal counsel or in-house compliance officer.