The Shoe Drops As Canada Starts Enforcing New Anti-Spam Law
Email marketers wanting to know how Canada will enforce its new Anti-Spam law got a big clue earlier this month. Contributor Steve Dille explains what we've learned.
Ever since the Canada Anti-Spam Law (CASL) went into effect on July 1, 2014, the email marketing community has been a bit on edge to see what kinds of regulatory enforcement actions and fines might be imposed on entities caught infringing on the law.
The Canadian Radio-television and Telecommunications Commission (CRTC), the regulatory agency tasked with enforcing the law, has stressed from the get-go that the agency only intends to levy fines against the most egregious offenders, not companies that make small missteps.
So when earlier this month the CRTC slapped a $1.1 million fine on Compu-Finder, a Quebec-based company that offers business training courses, reactions ranged from sighs of relief to quiet under-the-breath “uh-ohs.”
On the one hand, marketers were spooked because the first judgment came down not on some shady offshore entity hawking Cialis tabs, but a legitimate company with established roots in the Canadian marketplace.
On the other hand, it quickly became evident that Compu-Finder was engaging in seriously flawed email practices. In the announcement of the ruling, the CRTC said it found Compu-Finder guilty of four violations of CASL, and it noted that 26% of the industry-specific complaints to its Spam Reporting Centre were related to the company.
Manon Bombardier, Chief Compliance and Enforcement Officer for the CRTC, made the seriousness of the violations clear in his statement to the press:
[blockquote]Prior to the coming into force of the anti-spam law, the CRTC conducted numerous outreach initiatives to increase the awareness of businesses on the new requirements. Despite the CRTC’s efforts, Compu-Finder flagrantly violated the basic principles of the law by continuing to send unsolicited commercial electronic messages after the law came into force to email addresses it found by scouring websites.[/blockquote]
[blockquote]Complaints submitted to the Spam Reporting Centre clearly indicate that consumers didn’t find Compu-Finder’s offerings relevant to them. By issuing this Notice of Violation, my goal is to encourage a change of behavior on the part of Compu-Finder such that it adapts its business practices to the modern reality of electronic commerce and the requirements of the anti-spam law.[/blockquote]
My reading of this first CASL enforcement action is that it’s likely to not only send shockwaves through the industry (which it has) but also force senders to reexamine their mailing policies and practices much more closely.
The CRTC uncovered four separate CASL violations. Interestingly, the enforcement action was taken against a B2B rather than a B2C mailer, as Laura Atkins, founder of Word to the Wise, points out on her company’s blog. This sends a strong message that anyone sending email, regardless of their audience or business plan, has been put on notice. Are there real teeth to the law? Obviously yes.
Marketers wondering whether they’re doing everything they need to do to stay CASL compliant should keep the following nine principles in mind:
1. Confirmed Opt-In
Using confirmed opt-in does not make a company’s email collection data CASL-compliant. It’s an important part of being compliant, but there are other mandates: recipients need to be provided with a postal address, an unsubscribe statement and other contact info, such as an email address or phone number. All need to be clearly visible at the point of subscription.
A confirmed opt-in form, under CASL, isn’t enough to ensure compliance, but it provides an important audit trail in case of a challenge.
2. Express Consent
An express consent received before CASL went into effect is valid. Anyone who asked for express consent after July 1, 2014 or asks in the future will have to meet CASL’s new requirements, but consents received before that date that met prior privacy rules are still good.
That’s obviously a major relief for any marketers worried about the possibility of having to re-confirm their existing lists. They should, though, be able to prove the validity of the express consent, if asked by regulators.
3. Implied Consent
Implied consents, such as those arising from purchases from a website, ongoing B2B relationships, contracts, etc., are permitted, so long as they meet CASL guidelines. Implied consents that spring from a business relationship or transaction are valid for a maximum of 2 years from the date of the original communication that implied consent.
Moreover, a 6-month implied consent limit applies for anyone simply asking a question or requesting information, giving you that long to win that person over to a higher tier of implied or express consent.
4. Transactional Messages
Any message, even transactional, containing any amount of commercial or advertising content is considered a commercial electronic message (CEM), so CASL applies. If an email is simply a confirmation or receipt, it doesn’t require express consent, but apparently still needs to contain sender contact info and an unsubscribe option.
However, that last part resides in a gray area, and companies should consult an expert before making any assumptions.
5. Citizenship & Geolocation
CASL applies to CEMs sent to all Canadian citizens, regardless of residence. If the Canadian on vacation in Miami gets spammed, that’s a violation. But Canadian or U.S. companies do not need to apply CASL to Americans in other jurisdictions that may be on their lists.
6. Mobile Apps
CASL also creates rules that affect app developers and are focused on preventing malware. Notably, CASL provisions apply to the installation of computer programs and require disclosure and user approval for functions that consumers might find unexpected, such as GPS tracking, rootkits (sneaky programs that evade normal methods of detection), etc. It also prohibits the unauthorized alteration of transmission data; this is to stymie exploits like redirects through proxies that might be swiping consumer data.
7. Auditing / Documenting Compliance
It’s important for companies to build extensive, auditable databases to demonstrate compliance with CASL. That includes collecting high-quality data on exactly when people provided consent, what sort of consent they provided and the IP address from which they gave it, archiving those records with proper time-stamping, and so forth.
8. Mobile Text
CASL applies to mobile and text applications too, but it has some latitude: a text message sender should include a link to a page containing contact information and an unsubscribe option, for example, since that much content would be unfeasible in the body of a message.
9. Partners & Third Parties
If anyone in the message chain – a list provider, an email agency, another third party – isn’t CASL-compliant, that noncompliance extends to the other parties in the chain, too. Moreover, the CRTC has guidelines in place allowing that data to be shared with third parties only if the consumer has provided express consent.