Even though Canada’s Anti-Spam Legislation (CASL) is coming into force on July 1, there are still a lot of questions about how the new legislation will work.
CASL will change how businesses send emails and other kinds of electronic communications to their customers, causing a sea change in some business practices in both marketing and IT. So it’s not surprising businesses have a lot of questions about how it will affect them and what they can do to be compliant with the new legislation.
On Thursday, Adam Kardash, a lawyer with Osler, Hoskin and Harcourt LLP, gave a workshop explaining the ins and outs of its wording, sharing best practices so businesses can ensure they’re doing CASL right. IT World Canada organized the event.
Here’s a quick list of some of the most frequently asked questions about CASL, answered by Kardash during the workshop.
Who does CASL apply to?
CASL applies to anyone sending commercial electronic messages, which are text, sound, voice, or images sent via telecommunication and encouraging people to participate in a commercial activity. It applies to businesses sending other businesses messages (in a B2B context) or businesses sending messages to consumers (for example, sending emails about sales at a store).
In terms of commercial electronic messages, you might think of these as emails, text messages, refer-a-friend messages, and any message that contains hyperlinks directing people to a commercial activity.
The general rule is that for a business to send out a commercial electronic message, it must have either express or implied consent from the recipient, Kardash said. He added what often confuses people is that they don’t see their own messages as spam – at least, not as messages just sent to a wide range of people, asking them to buy a product unrelated to their industries.
But that doesn’t matter, he said.
“What we understood as spam for this legislation doesn’t matter. We need to pause, think about compliance, and take three steps back,” Kardash said. “The question is as simple as this. Do I have the authority as an organization to send this message?”
CASL does not apply to telemarketers or marketers sending messages by mail.
How do you obtain express consent?
To gain express consent from a recipient, you need to ask recipients if it is OK to continue sending them messages. That calls for either asking orally or in writing, and obtaining a positive, explicit indication that they have given their consent – meaning pre-checked boxes don’t count.
There are also rules around how the request for express consent is phrased, including asking for the purpose of the request, as well as the name of the person asking for consent. The contact information of the person asking for consent must also be provided – for example, his or her mailing address, telephone number, email address, and web address.
There must also be separate requests for any third-parties who might want to send messages – for example, a third-party marketing partner, or an affiliate. For example, a business might list every subsidiary by name to get consent for all of them.
“Even a request for express consent – that’s considered a commercial electronic message,” Kardash said. “When you add people to a list, there’s a couple of i’s to dot and t’s to cross.”
So if businesses want to get consent, they have to go through a business process, like waiting for customers to phone into a call centre and then asking if they can have consent during the call.
However, once express consent has been given, there is no time limit on it – that means businesses can continue sending messages until the recipient has said he or she wants them to stop or asks to be taken off a list.
How do you obtain implied consent?
No doubt about it, it’s difficult to get express consent. But the other way to continue to send commercial electronic messages under CASL would be to get implied consent.
That exists when a sender and recipient have an “existing business relationship” – for example, if a consumer goes to a retail store and purchases something, that’s an existing business relationship. Buying or leasing a product, good or service counts, as does having a written contract.
However, this is limited, unlike express consent. A business relationship expires two years after a purchase, two years after a contract ends, and six months after a customer makes an inquiry or submits an application.
Alternatively, if an individual posts her email address online, especially in a conspicuous place like a corporate website, there is implied consent to be contacted, as long as the message she receives is relevant to her industry or business.
Or, as another real-life example, if someone gives you his business card at a trade show and does not say, “Please don’t contact me,” it’s reasonable to expect that’s implied consent.
The key with getting consent under CASL is to educate everyone in the workplace, Kardash said.
“We need training, awareness, and clear written policies,” he said. “It’s important to be educating people on what is not OK under CASL.”
Are there any exceptions to CASL?
There are a few places where CASL doesn’t apply – for example, if a sender is either a family member or friend of the recipient. There’s also room for a personal relationship – like when a sender has a direct, voluntary, two-way relationship with the recipient, and it’s reasonable to say they have a personal relationship of some kind.
There is also some room for consideration with commercial electronic messages on messaging services, where the platform is closed and messages go to a secure, confidential account. For example, BlackBerry Messenger might be one of these platforms.
There is also a list of 116 countries, including the U.S., where Canadian senders can direct messages, and as long as their messages don’t conflict with those countries’ laws on spam, that is also permitted.
“The exemptions are pretty broad. You’re going to get to the point where you push their bounds and get aggressive with it,” he told the workshop attendees, adding the key is to think about how much they want to risk with sending messages.
“Think about doing your risk analysis. What is the likelihood of getting a complaint?” he said. “At the end of the day, there are lot of penalties. But you’ll only get hit with them if you haven’t done your due diligence.”
