The long awaited Canadian Anti Spam Legislation (CASL) went into effect on July 1, 2014. Originally passed in December 2010, the legislation defines tough new rules for email marketers targeting Canadian citizens and businesses. CASL is more stringent than CAN-SPAM regulations enforced in the United States and includes serious financial penalties for abuse. As always, the devil is in the details, so we’ve put together a list of things you should know about CASL to help your company comply.
Key points of CASL include:
- Covers Commercial Electronic Messages (CEM) including Email, IM, SMS, Social Media and Voice
- Opt-In not Opt-Out required to send CEM
- No true implied consent; 2 Years to get express consent
- Administrative monetary penalties (AMPS): up to $1 million for individuals and $10 million in all other cases per violation
- Private Right Of Action (PRA): Available to any person affected by a violation – actual and statutory damages
- Protection for ‘honest mistakes’
In order to better understand the impact of CASL, let’s dive into some of the details starting with Primary Rules.
Primary Rules of CASL
CASL establishes three primary rules covering Consent, Identification, and Unsubscribe Mechanism.
Consent: Under CASL, the default rule is that a sender must have consent from the recipient before a CEM is sent. Consent may either be express or implied, depending on circumstances.
Identification: Senders must be clearly identified in each message
Unsubscribe Mechanism: Every CEM must contain a functional unsubscribe mechanism that enables the recipient to unsubscribe at no cost and applied immediately.
Commercial Electronic Message
CASL defines Consumer Electronic Messages as any electronic message that encourages participation in a commercial activity, regardless of expectation of profits. This definition applies to any email, SMS text message, and instant messaging and social network messages such as Twitter and Facebook. There are exemptions to the application of the CEM definition. For example, you do not need consent to:
- Send quotations upon requests
- Provide warranty, recall, safety or security information
- Complete a transaction
However, you still need to include prescribed information and an unsubscribe mechanism.
CASL defines Implied Consent to include the following:
- Existing business relationship (where the sender and recipient have done some business together in the two years before a message is sent, or an inquiry was made by the recipient in the six months before the message is sent)
- Existing non-business relationship (charity, club or political)
- Recipient conspicuously published their electronic address, did not explicitly state they did not want CEM and content is related to recipient’s professional capacity
- Recipient has disclosed their electronic address directly to the sender, did not explicitly state they did not want CEM and consent is related to recipient’s professional capacity.
It is important to note that Referrals do not have implied consent. Implied consent lasts 2 years in order to provide the opportunity to acquire Express Consent.
In order to claim Express Consent, the recipient must opt-in to receive commercial electronic mail (CEM.) What the recipient is opting into must be clearly stated. It is also important to note that pre-checked boxes are valid under CASL. In fact, pre-checked boxes are considered an opt-out.
Under CASL, senders must be clearly identified in each message. Clear instructions for contacting the sender must be included in the message. If a message is sent on behalf of another person, that person along with the sender must be clearly identified. In addition, the practice of giving incentives to forward a message can result in liability.
Every CEM must contain a functional unsubscribe mechanism that enables the recipient to unsubscribe at no cost. Unsubscribe requests must be processed “without delay” no later than 10 business days after the request has been sent. The unsubscribe mechanism must remain functional for 60 days after the message is sent. Unsubscribe landing pages are acceptable provided they allow the user to unsubscribe for some or all messages and include a single click option.
Unlike other anti-Spam regulations, CASL puts real teeth into enforcement through the application of monetary penalties. Violations can result in fines up to $1 million per violation for individuals and $10 million per violation for other persons (e.g. businesses.)
CASL also includes a private right of action that enables any person affected by a violation of CASL and related amendments to PIPEDA and the Competition Act to sue for and recover actual and statutory damages. Officers and directors can be held liable for violations committed by a corporation. Organizations are also vicariously liable for violations committed by employees or agents acting within the scope of their authority.
Enforcement of CASL penalties is based on where the email is read, from where it was sent. That means United States based companies sending to Canadian residents can be charged with violation.
The Canadian Radio and Telecommunications Commission (CRTC) issued a clarification of CASL rules in October 2012. the clarification notes that:
- Express Consent: Boxes cannot be “pre-checked” – CRTC considers pre-checked boxes to be an “opt-out”
- Unsubscribe landing pages are acceptable (preference pages) but must provide option to unsubscribe from all or some
- Request for consent must be separate from general T&C’s and cannot bury consent in Term and Conditions, even if check box is require for T&C
- Consent may be obtained orally but requires verification via 3rd party or recording
Recommendations for Compliance
As you can see, CASL introduces a wide range of stringent new rules and serious penalties that make compliance essential. Zeta Interactive recommends following “Email Best Practices” to help ensure compliance.
Consent (New Recipients)
- Opt-in only
- Must be clear why they are opting in
- Recommend NOT using pre-checked boxes
- Collect country information
- Implied consent for 2 years
- Create a re-permission program for any records that did not expressly opt-in
- Clearly state who you are
- If a FTF, need to identity both parties
- Include postal contact address
- Ensure requests are honored immediately
- Keep all mechanisms active for at least 60 days after last email is sent
- If using a preference center, must provide option to unsubscribe from all
Please note that these recommendations do not constitute legal advice. We urge you to review this new law with your legal counsel to determine how it impacts your company.