Canada’s new anti-spam legislation (“CASL”) will change the way that businesses in Canada communicate electronically (marketing, social media) with current and potential customers/clients. Why should you care? Compliance costs are small by comparison to the penalties under the law – be prepared!
If you send commercial electronic messages (CEMs) – something that encourages someone to do business with you – you will be impacted. CEMs include emails, SMS, or other electronic message that offers to purchase, sell, barter or lease something, offers to provide a business opportunity, or that advertises or promotes business. Among other things, the new law prohibits sending these unless the person receiving it consented, or an exception to consent applies. Consent (or an exemption to consent) + form of the message are the first two things you need to be aware of.
Consent: Implement a process for tracking consent, and for responding to requests for withdrawal of consent. You should review and assess all your commercial communication to first figure out whether CASL applies; if it does, be sure you have proper consent or that your CEM fits within an exception. Otherwise, you need to get consent. Be sure consent is properly obtained, documented, and tracked. Also be aware of time periods and limits for obtaining consent and complying with the law – express consents can’t be obtained after the law comes into effect (July 1, 2014) using CEMs, so obtain consents before that date if possible!
Form: CEMs must comply with requirements for format and content; that is, they must contain a purpose for the message, who’s sending it, contact information, and the option to withdraw. Every CEM has to have two methods for opting out: a web-based means and the same means that were used to receive the message.
Be proactive. Consider preparation and strategies to review existing customer/client correspondence. Determine which messages are CEMs and whether they’re subject to consent requirements. Place ownership of compliance with someone within the organization, who will oversee the compliance process and strategy. Develop a database to track consents and waivers or exemptions; systems exist for monitoring and tracking consent, so investigate which may be the best fit for you.
When don’t you need consent? There are many exemptions, including CEMs within a business; responding to consumers who requested info; to enforce a legal right; third-party referrals; personal and family messages; messages sent from outside Canada without reasonably knowing the message will be received in Canada; messages sent by or for a registered charity with the primary purpose to raise funds for that charity; and CEMs sent by or on behalf of a political party or candidate, if soliciting a contribution. Consent can also be implied in the context of an existing business or non-business relationship, or if recipients conspicuously publish their electronic contact information or voluntarily disclose it without indicating they don’t want to receive communications. Be sure you know what these mean, and don’t assume that you have an exemption without confirming that situation fits the exemption.
Implement policies and train your staff to ensure compliance with CASL – one employee who isn’t aware and sends a CEM without consent, or doesn’t process an unsubscribe request within the 10 day requirement, can have significant consequences for your business. Create templates and forms which are compliant with CASL (such as compliant CEM forms and easy unsubscribe mechanisms) – this makes consent easier. Review your compliance, and any changes to the law, regularly.
Be smart, be aware. Promptly respond to unsubscribe requests or requests for revocation of consent. Customer and client privacy protection has significant impact on your brand, and one breach or infraction can ruin years of work in growing your brand reputation.
CASL doesn’t only apply to CEMs – if you are in an IT business, CASL’s requirements around the installation of computer programs will also likely apply to you, and there are a number of other prohibitions, including against the alteration of transmission data, address harvesting, and botnets.
It remains to be seen how the new law will be enforced, but possible penalties under the law are significant – as much as $10 million per organization and $1 million per individual for violations. CASL also creates a private right of action, which allows compensation of $200 per occurrence, up to $1 million per day of violation. Want to know more? Check out fightspam.gc.ca.
Mandy Woodland owns Mandy Woodland Law. She offers legal solutions for business owners across the province & throughout Canada and can be reached at www.mandywoodlandlaw.com and @mandywoodland or check her out on Linkedin.