CASL Compliance: Q & A About Canada’s Anti-Spam Law

Avatar Act-On
Email Marketing

Canada is where it's at (sign)Recently David Fowler, Act-On’s Chief Deliverability and Privacy Officer, delivered a webinar about the impact of Canada’s Anti-Spam Legislation (CASL), which went into effect July 1, 2014. During the Q&A session, webinar attendees asked great questions about the details of compliance. Here’s a transcript of those questions and answers, in hopes that they may answer some of your own questions.

If you’re not familiar with the new law, you might want to begin with an overview of the key tenets of CASL. If you have questions that aren’t covered here, please let us know in the Comments section at the bottom of the post. Emilee Johnson, Senior Marketing Manager at Act-On, moderated this session.

NB: This discussion is an exchange of opinions, and cannot be considered legal advice. We encourage marketers’ organizations to consult with legal professionals for guidance on CASL compliance.

EMILEE:        The first question comes from Jeremy. He wants to know, “What is the impact to uploading or importing lists with Canadian email addresses into Act-On?”

DAVID:           Great question, Jeremy. Those Canadian addresses need to have implied consent – at the minimum. Think about how to take your recipient from the lower level of consent, which I think of as “implied consent” to express consent. That’s a confirmed opt-in kind of relationship.

So the question is, how do you get your email recipients from implied consent to express consent? You should make that transition now. Start reaching out to any segment of your mailing list of subscribers that you may feel need to have proactive outreach. And gently request permission again with any person in the file during the next transaction you have with them.

You have time to do it – it’s not like starting July 1, that’s it. But definitely start implementing new strategies or best practices as required under the new legislation.

How to identify an email as “commercial”

EMILEE:        Our next question comes from Colleen. She wants to know, “What’s an example of how you would put in a notice that the message is for commercial purposes?”

DAVID:           You could certainly put a line item in the body of the message. You could put a note in the subject line. Some form of disclosure is required. And the reality is, if I receive an email and the subject line and the From address all sync up with the body of the message, then I’ll determine that it’s a commercial note. I think the challenge becomes when you have a hybrid message. What’s the primary purpose of it? You don’t have the primary purpose rule in Canada, so one must assume that this is a commercial message. You could put that somewhere in the body of the message itself.

EMILEE:        Thank you. Question from Veronica: “Is a blog post considered a commercial message? For example, if someone subscribes to our blog and receives an email each time there is a new content posted, do those emails require a message that commercial content is included?”

DAVID:           I would interpret that as not expressed consent. That’s probably implied consent, in my opinion. You should get a legal view on that. But what you could do is assume that it’s implied consent, and then make a proactive effort to convert it into an express-consent relationship. You have the attention of the person, you know who they are. They’ve reached out to you via their blog subscription. It’s the same thing as a pre-checked box – it does not designate express consent. And pre-checked boxes under CASL are not allowed.

I consider it implied consent because they’ve already signed up and voluntarily taken the necessary step to sign up for it. But you need to take it one step further and button up that relationship in the email side of that business.

Are pre-checked boxes CASL compliant?

EMILEE:        A question came in from Valerie: “Pre-checked opt-in boxes – are they legal or illegal?”

DAVID:           Under CASL pre-checked boxes are not allowed. When you have a pre-checked box, you’ve assumed that the individual has granted consent to you. There’s no affirmation from the recipient to opt in. When you have a box that’s not pre-checked, and they have checked something, there’s a positive action that’s occurred to grant you consent.

And that is why pre-checked boxes, whether in Canada or down in the US, indicate a very low level of consent action. Because the recipient technically has to opt out of the message if they don’t want to receive it, as opposed to opting in. You’ve already taken the step to opt them in based on your perceived preference of what they’ve seen or what they would like to receive. It’s kind of a gray area, but I think under the ruling it’s definitely not compliant.

EMILEE:         Angela asks that you define “positive action” for opt in.

DAVID:           It means doing something that’s one step ahead of a normal opt in. So positive action would be something like a confirmed opt in or double opt-in request. I opt in, you send me a note to confirm the request, and I opt in twice. That’s a great example of positive opt in or positive action. Pre-checked boxes are not a good example of positive action and are also not allowed under CASL.

There are a lot of tricks that you can do. A welcome program’s a great way to do it. Onboarding programs, where I send you a series of notes over a period of time, and by building that rapport and building that relationship with you, I’m getting you more engaged in my program. I let you set the expectation or frequency of mail. I allow you to drive the relationship with me. I put the power in the hands of the recipients, instead of vice-versa. That’s a great example of positive engagement.

EMILEE:        A question from Colleen: “How does CASL define a business relationship?”

DAVID:           Okay, let’s assume I buy a product from you in January. Obviously I’ve opted in, and I have given you express consent to send me commercial messages. That consent lasts until your customer opts out. At the point of inception the business relationship begins.

From this moment, on it’s really up to you to implement the retention based strategies to cultivate the recipients brand experience to ensure that your customer is sent relevant, engaging and timely content.

How does buying or renting lists affect CASL compliance?

EMILEE:        Thank you, David. Veronica wants to know, “Does this mean that we cannot purchase email lists for marketing?”

DAVID:           Great question. It really depends on which side of the fence you sit on and where your thought process lies. Now down here in the US, it’s not illegal to buy or rent data, although the practice can be frowned upon as a way to build your database.

Under CASL, it’s not illegal to rent data or purchase data, but it is illegal to purchase data that has been permissioned via pre-checked box strategies. So you have to be comfortable with the vendor that you’re dealing with, and again this is just my opinion. If it was me asking the same question, I’d be doing the same things. I’d have those conversations with list providers. And if your spider-senses start tingling, then hey, maybe this isn’t an up-and-up relationship, or your providers or your vendors aren’t willing to sign documentation that state this is CASL-compliant permission data, then it may be a good time to sever that relationship and find someone else.

Different business models

EMILEE:        Thanks, David. Mitch is hoping you can comment on this statement: “So Canada makes no differentiation between a Russian criminal organization sending emails with the purpose of engaging in identity theft, and a small Canadian-based software company trying to reach out to some targeted prospects?”

I think he just wants to make sure that these operations are the same when it comes to compliance with the new CASL laws.

Open hand raised, Canada flag paintedDAVID:           If you’re in the business of downloading software to other people’s devices and that’s your product model, then that’s different. Your level of compliance is different, and you’re simply sending commercial messages. The thing is, we have a lot of the same issues down here when we’re dealing with CAN-SPAM. The good news is, as I said before, that July 1, for those of us who are senders of commercial email or purveyors of digital technologies, the curtain doesn’t come down for us.

There will be a period of time where the market and the regulators will figure out that some things will need to be fine-tuned. I’m not sure how that process works in Canada, but obviously down here, we saw that in 2008, the Federal Trade Commission efforts around amending CAN-SPAM, which addressed very specific issues under the interpretation of the fine print of the bill itself.

So I would expect the same to occur in Canada. We really won’t know the impact until we start to see activity around the bad actors. If you’re a good actor in a landscape where there are a lot of bad actors, you’re in a good spot because you’ll be perceived that way. We’ve seen a lot of activity down here in terms of enforcement that have been very focused on crime, very focused on the negative side of the business, the negative side of the web, doing the things they shouldn’t be doing, like illegal botnets and so on.

How about trade shows and events?

EMILEE:        Thank you, David. Daphne wants to know if you had any suggestions on how to gather consent from trade show leads: “Should we be getting people’s business cards?”

DAVID:           So let me turn that around. Let’s say I visit your booth and I stick a card in the jar and hopefully I win the goldfish during the drawing. That’s an example of implied consent. I’ve walked into the booth, I’m obviously interested in your brand or getting something. That’s okay. The question then becomes, how do you get me to give you express consent? And that’s got to do with the strategy, your program, and the tools that you use.

The good news is that under CASL, the way that I understand it, that’s perfectly fine. But it’s an implied-consent relationship. It is not an express-consent relationship. You still have two plus years to get me from implied to the consent level. But you have the name, you have the contact, and it’s just about the nurturing and the development of that contact.

EMILEE:        Thanks, David. Jamie wants to know, “If we aren’t selling anything, but inviting them to a free educational event, do we require the express-consent opt in?”

DAVID:           That’s a great question. I’m assuming these are contacts that are probably not in your database currently. If that’s the case, then I’m of the school of thought that some permission is better than no permission. Under CASL exemptions, if your interpretation is that these folks that fall into that bucket, that may be applicable to you. But I would encourage you to get a legal opinion on that. Your legal team may see something differently than we would. We can’t provide legal advice.

Consent is not required for quotes or estimates, messages that confirm or facilitate transactions, provide warranty, recall, safety or security information, information about ongoing use or ongoing purchase, and so on. So if I say, “Hey, come attend my webinar.” Great, that sounds good. You attend the webinar. But if I want to have a deeper relationship after that, then a commercial component kicks in and I have more of a consent obligation than I did in the initial pass.

Getting people from implied to express consent

EMILEE:        Thank you, David. This next one is from Kelty: “Could we send a consent request email blast to verify people before July 1, asking them to opt in or they get dropped?”

DAVID:           Yes, you can. You can certainly do that. Because the reality is, you probably have folks in your file that are either implied or have come on via an implied methodology or an expressed methodology. The question is, how do you segment them out? One way would be to look at your engaged contacts versus your unengaged contacts. I would assume, and again this is my thinking– this is not the way that I understand the law, but this is my opinion – I would take the folks who are unengaged, meaning they haven’t converted on your program for a period of time, and assume that they have implied consent. And I’d implement a strategy to get them to the express-consent level of permission.

Do that with things like reengagement campaigns. “Hey I haven’t heard from you in a while, hopefully you still love me, and so on. Here’s a great coupon.” Or reaffirm your permission practices: “Would you like to change the frequency of your messaging?” A subscriber manager is an ongoing building block of any great email program.

So I think the way you establish consent, and the way you establish engagement, and turn it around for the user experience, is going be so beneficial for your program in the long term because you’ve given the individual the ability to make that decision based on what they want and how they want to interact with you, rather than the other way around.

EMILEE:        Thank you, David. One more question from Theresa: “If a company is a customer, but we’ve added new contacts after July 1, do we still need to get opt in permission from these new contacts?”

DAVID:           Yes. Yes, you do. Any contact added after July must have express consent. All contacts in your database on July 1 will have implied consent. You have two years to convert your database into a 100 percent express consent listings.

Final thoughts

I think the days of non-opted in, un-permissioned emails are over. In the US, we are the only country in the world that has a non-permission requirement for our marketing efforts. So if you just take that one statement alone, reverse it and apply it to any program globally, the permission paths of that recipient is something that you need to obtain at some level. And under CASL, you have a couple years to get that done, but it’s definitely something that you need to be thinking about.

I can’t stress enough the fact that there are a lot of questions, and the way you interpret these questions is going to be how you apply that interpretation into your program. Seek out additional resources and legal opinions. We’ve done the same thing here at Act-On. We’ve having the same conversation with our suppliers and our vendors as well. I’m giving you some of the insight of what we’re doing as a company to prepare ourselves for potential issues that could be down the road.

Permission is the key in anything. Permission, disclosure, consent – all those things. If you have that buttoned up, then you shouldn’t have any issues as you move forward. If there are any holes in that process, that’s where you could get into trouble.

Questions? Let us know in the comment box below.