Canada’s anti-spam law (CASL) went into effect on July 1. While existing laws in Canada indirectly covered email spam in some cases, CASL is the first law in the Great White North designed first and foremost to combat spam. It also has the distinction of being among the strictest anti-spam laws in the world.
Even if you’re not based in Canada, private right of action and cross-border enforcement provisions in the law may mean international senders can be found liable if they fail to meet these requirements.
Here’s a handy checklist to help senders ensure your email marketing program is in compliance:
1. Confirm if your list needs to be CASL compliant. If you have any Canadian-based subscribers on your list (whether you’re aware of them or not), or if you’re a sender who resides in Canada, you are subject to the legislation. There are a few exceptions—keep reading.
2. Determine which messages you’re sending are covered under CASL, and which may be exempt. Most commercial email messages will be covered, but a message may be exempt if:
- The sender has a family or personal relationship with the recipient.
- The message is sent to a person who is engaged in a commercial activity and consists solely of an inquiry or application related to that activity.
- The message relates to an organization’s activities, and is sent within an organization or to another organization with which there is an existing business relationship.
- The message is a response to a request, inquiry, or complaint, or is otherwise solicited by the person to whom the message is sent.
- The message is sent to a recipient in a foreign state that is listed in the law, and the message conforms to the anti-spam law of that state.
- The message is a fundraising message for a charity, political organization, or political candidate.
- The message serves one of several types of legal notices or obligations, as listed here.
If you send exempt messages, these will need to be separate from your normal mailings. However, some senders may find that it’s easier to bring an entire email marketing program into compliance rather than manage separate compliance rules for individual lists.
3. Identify team members and resources that need to be made aware of compliance for CASL. For instance: legal teams for privacy policy and user agreement development, and marketing teams to understand the law as it pertains to their subscriber lists and how data is permissioned, etc.
4. Review your existing permission/subscriber acquisition processes and data. Identify all of your collection points for email addresses and work to identify the consent type for each using a consent checklist.
5. Ensure you have consent from all of your subscribers. There are two primary types of consent, implied and express consent:
Express consent requires that the recipient take a specific action to provide permission for your organization to send ongoing marketing communications. When obtaining express consent, you should consider the following:
- Provide a clear and explicit statement of permission at the point of consent. This statement should inform recipients of the type of mail being sent and who they’ll be sent from (e.g. brand/ business). Ensure that this statement of permission is separate from terms and conditions (and other fine-print legal documentation), and that it’s obvious to the subscriber.
- Require that recipients check a box or agree to the aforementioned statement of permission in some proactive way.
- Provide a link to your organization’s privacy policy at the point of consent.
- Ensure that your organization is storing adequate records of consent. This should include information such as email address, opt-in date/time, opt-in source/URL, opt-in language used, opt-in type (explicit or implicit; if implicit, the date when the subscriber’s consent expires). Also recommended, but not required, are the IP address where the opt-in originated and country of origin.
Implied consent is consent based on an existing business or non-business relationship that was initiated in the last two years. This can also include a publicly-published address to an openly available Web resource – please note, however, that this is a risky form of consent and is only valid if there is no statement on the site indicating non-consent and the resource/site is related to your business. Records gathered through implied consent still need to go through a reconfirmation process under CASL. However, the law provides a grace period for you to accomplish this task. Here’s a brief summary of the forms of implied consent and their respective deadlines for reconfirmation:
- Existing business relationship before CASL goes into effect (e.g. recipient purchased or accepted a business opportunity) – July 1, 2017
- Existing business relationship after CASL goes into effect – before expiry of 24-month period from the initiation date of the business relationship
- Existing non-business relationship before CASL goes into effect (e.g. donors, volunteers, members, etc.) – July 1, 2017
- Existing non-business relationship after CASL goes into effect – before expiry of 24-month period from the initiation date of the relationship
6. Ensure you have a CASL-compliant unsubscribe process for each of your lists and that the message content itself is compliant. All unsubscribe methods must be functional and remain so at least 60 days after the message has been sent. Here are a few additional considerations:
- Process unsubscribe requests within 10 days of the request being made. Unsubscribe requests should be processed as immediately as possible; many ESPs allow for them to be processed in real time.
- Establish a functional method for the recipient to be able to contact the sender, included in each message and at the point of collection/permission.
- Message content must include a physical address and contact information for the sender.
- Include a link to your organization’s privacy policy in the email footer.
7. Continue to follow best practices and incorporate CAN-SPAM provisions into your marketing program(s).
Some basic principles from CAN-SPAM and other anti-spam legislation that should be adhered to:
- Do not use deceptive or misleading subject lines or ‘from’ names.
- U.S. companies sending to Canada must follow CASL legislation.
- Similarly, Canadian companies sending to the U.S. should follow CAN-SPAM legislation.
- Every marketer is going to have specific situations and circumstances that may not be directly addressed by this checklist. Be sure to review your email marketing program with legal counsel to ensure that you’re making every effort to meet CASL requirements.
Evan Burke is the global head of deliverability at Lyris.