We have all been the victims of “spam” at some point in our lives. It is almost daily that we receive some form of unsolicited e-mail message attempting to get us to buy something that we are not very interested in.
According to the Cisco 2008 Annual Security Report, Canada was ranked fourth on the spam by originating country list. E-mail messages, as most of us know, is a common vehicle for the delivery of online threats like spyware, phishing, and malware.
Many businesses, both Canadian and American, have an email marketing strategy. Currently, American businesses must ensure that their e-mail marketing efforts comply with the United States’ CAN-SPAM Act of 2003. Currently, Canadian businesses have no such requirement; however, this will change when Bill C-28 (Canada’s Anti Spam Law, or “CASL”) comes into force July 1, 2014.
Essentially, what CASL does is prohibit the sending of unsolicited commercial electronic messages unless “the person to whom the message is sent has consented to receiving it, whether the consent is express or implied.” It is worth noting that it covers electronic messages and not just electronic mail, unlike CAN-SPAM. These messages must also contain identifying information and a way for the recipient to contact the sender. If a business runs afoul of these requirements, they may be subject to sanctions. There will be a maximum $10 million penalty for CASL contravention by businesses, which one should note is significantly higher than those under CAN-SPAM.
For all intents and purposes, if you are using a popular e-mail marketing package, and following best business practices of confirmed opt-in or double opt-in then you are most likely in compliance for e-mail purposes with CASL and CAN-SPAM. However, other areas are not so clear.
A good illustration of the importance of the difference between CASL and CAN-SPAM are those pesky LinkedIn messages where some person in your network (or not) wants to sell some service to you. In my opinion, this would run afoul of CASL, because you had not agreed to be solicited but would most likely be in compliance with CAN-SPAM, since you had not opted out of such an electronic message.
Perhaps the most important distinction between CASL and CAN-SPAM is the difference in consent requirements contained in each piece of legislation.
CASL requires that customers must “opt-in” to accepting the message, whereas CAN-SPAM requires that the user to “opt-out” from receiving any further electronic messages from the sender. In other words, the CASL requires that users explicitly indicate that they wish to receive the message in question. In contrast, CAN-SPAM assumes that recipients of an unsolicited message have implicitly consented to receiving said message until they indicate that they no longer wish to receive it.
This being said, there are circumstances in which the CASL assumes implicit consent to receive unsolicited emails, such as if a user has “conspicuously published” their e-mail address and did not indicate that they do not wish to receive unsolicited e-mails.
In their blog “Opt-in vs. Confirmed Opt-in vs. Double Opt-in,” MailChimp has a very good description of the differences between Opt-out, Opt-in, Confirmed Opt-in, and Double Opt-in (the MailChimp recommended practice). In a nut shell, “opt-out” is where you have a checkbox on your site that is automatically checked which the user has to deselect to opt-out of receiving e-mail communications. With an “opt-in” consent process, you are asking someone to explicitly opt-in to receiving e-mail communications. A “Confirmed opt-in” or “Double Opt-in” consent process means your customer has to explicitly indicate that they want to receive your email not once, but twice. This is the most stringent consent process and is the best indicator that the user does genuinely want to receive your email newsletter.
Practically speaking, if you are a company who uses MailChimp or Constant Contact (two of the most popular email marketing platforms) then you are most likely following best business practices and doing more than is required to be in compliance with the legislation. MailChimp email newsletter signup forms use a double opt-in consent mechanism and ConstantContact explicitly says that it “…does not allow the uploading of purchased or rented lists, lists obtained from third parties or associations, or lists that have been appended. All lists presented to Constant Contact must be “opt-in” or “confirmed opt-in,” (ConstantContact Confirmed Opt-in User Guide).
E-mail marketing has traditionally been and even today is a very effective form of marketing. The passage of CASL will likely be anti-climactic for many businesses.
For those who still send unsolicited e-mail messages using questionable marketing lists, your days will be numbered. What remains to be seen though is how broadly the term “electronic messages” will be interpreted by CRTC. Will it be interpreted narrowly to only include e-mail messages or more broadly to include messages through Facebook, popup-ads, or LinkedIn solicitations?
Until we know how these issues will be decided, it seems to me that following best practices in all areas of online communications is not only a good rule of thumb, but will also keep you in the right side of the law.