CASL: Canadian anti-spam legislation – Are you truly ready?
Canada’s anti-spam legislation (CASL), also known as C-28, comes into full force on July 1 of this year. If you’re sending emails to Canada and haven’t already taken steps to prepare for CASL, you have a few short days to get ready to comply with what is considered to be the most stringent anti-spam legislation in the world. And there’s a major incentive to do so: fines of up to $10 million for a business, or $1 million for an individual.
CASL and the concept of consent
At the heart of CASL is the need to obtain consent – either explicit or implied – in order to be able to send Commercial Electronic Messages (CEMs) to your customers, prospects or subscribers.
Explicit consent is consent which is given verbally or in writing by a contact, using various means including a web page that provides a check box (which cannot be pre-checked) or a subscribe button.
Implied consent results from a business relationship (or a non-business relationship). This can include a transaction, a request for information or a quotation, or any other action that would indicate that an individual wishes to the contacted using a Commercial Electronic Message.
A Commercial Electronic Messages or CEM is clearly defined in the legislation, but can be summarized as any form of commercial solicitation for the sale of a product or service. It includes emails, but also SMS messages and social media direct messages.
Here are 5 steps you need to take in order to comply with CASL before it comes into effect on July 1st, 2014
1 – Update all your email messages
As of July 1, all CEMs must clearly and simply identify the sender, provide two means of contacting the sender and always include an unsubscribe link.
An email sent by a member of your sales team doing business development is subject to CASL. So you’ll need to ensure that all commercial sollicitations are sent from a common platform that can validate the consent status before the message is sent and that can effectively manage unsubscribes in a timely manner. CASL stipulates that unsubscribes must be handled within 10 days.
2 – Create a Subscription Center
The sender information, contact information (the address and a phone number or contact link) as well as the unsubscribe link are generally baked into a standardized email footer that is automatically added to any CEM, or into a standardized email signature that must appear in all commercial email.
You can also ask your contacts to manage the categories of CEMs they receive from you, by creating a Subscription Central on your website or an email platform landing page. This page will provide your contacts with several subscription choices, which can include Offers and Deals, News and Information and other topics of interest. Than way, a contact who wishes to unsubscribe from offers, for example, can choose to continue to receive newsletters, thereby reducing the risk of a global unsubscribe.
This Subscription Central should also provide a global unsubscribe link to remove the contact from all your CEM lists. You have 10 days to remove the contact from your lists, however most email platforms will process unsubscribes in real time. If you handle unsubscribes using an email reply, this time period will allow you to batch your unsubscribes so you can process them once a week.
3 – Clean up your data!
Do you know exactly where all your data came from? Perhaps most of it is accounted for, but there is usually at least some date that came from unclear or unknown sources. Like people met at an event or a trade show. Or people whose email address was harvested from their website. Or who dropped their business card in a fishbowl to enter a contest. Although some actions are considered implied consent to receive CEMs, it is essential that you be able to identify the source of the consent and most importantly that you can prove that you have some form of consent.
And that’s where you can really get into trouble. Because if there is a complaint, the burden of proof rests squarely on your shoulders. So if you are unable to prove some form of consent, be it explicit or implied, the best course of action is to drop the contact from your database.
4 – Document each and every consent
If you can establish the source of the consent, and this consent is valid as defined by the legislation, you must keep a record of the type, source, date and time, as well as the nature of the consent provided (in other words, what did they consent to receive). You should standardize the consent copy that you use on your sign-up pages and everywhere else it is used in order to avoid multiple variations of consent. That way, it will be easier to establish the nature of the consent that was given by your contacts.
If you decide to accept verbal consent, given by a contact to a sales person or call center agent, for example, ensure that you document the consent that was given, ideally by recording the conversation.
It is also a good idea to send a confirmation email that confirms the nature of the consent given, and which also must provide an unsubscribe link. Or you go one step further and use a double opt-in mechanism which requires that your new subscribers reconfirm their consent by clicking on an activation or confirmation link in the messages.
You’ll need to keep a record of each consent for as long as you continue to communicate with the contact and ideally much longer.
5 – Create an expiration date for all your implied consent
Implied consent is valid only for a specific time period, which depends on the nature of the relationship you enjoy with your contacts.
For customers, the implied consent is valid for two years from the date of the last transaction. You can contact your customers using CEMs during that time-frame, unless consent is withdrawn, in order to get them to buy again, or better still, to obtain explicit consent.
For leads and information requests, requests for quotations, etc, the implied consent ends 6 months following the date of the request. So you’ll need to move quickly to close the sale or secure explicit consent within those 6 months.
If you wish to rely on implied consent to send CEMs, you’ll need to set up a timer algorithm in your database or CRM that calculates an expiry date and then build out a rule that verifies the consent expiration date before sending a email or other CEM.
Get ready, get set, GO!
July 1st is minutes away. The time to act is now. You are obligated to comply with CASL as soon as it comes into force. And you will have three years to secure explicit consent for contacts in your database that have already have valid and documented consent. For all the others, you only have a few short days to request that they give you their explicit consent.
Note: Ces informations sont données à titre indicatif seulement et ne constituent pas un avis légal. La loi C-28 comprend également d’autres dispositions auxquels vous devrez vous conformer. Vous avez tout avantage à discuter de l’impact de la loi anti-pourriels avec votre contentieux. Stratégies n’offre aucune garantie quant à la validité juridique du contenu de ce billet.