On July 1, 2014 – less than two months from now – the anti-spam sections of Canada’s Anti-Spam Legislation (CASL) take effect. Individuals and organizations it affects now have less than two months to create, implement or update their CASL compliance program.
CASL will implement a significant shift in electronic-based communications: it will move Canada from an opt-out regime to an opt-in regime (commonly called “permission-based”) for all electronic-based commercial communications. After July 1, 2014, if a person or business wants to send a “commercial electronic message” (a “CEM”) within or into Canada, with few exceptions the sender will need the recipient’s prior consent.
CASL is broad, complicated – and coming soon. Here are 10 steps you should take now to prepare for CASL.
- CASL Impact. First you must determine whether CASL affects any of your electronic communications or those of your organization, and if so, which ones. To find out, take our 10 Question CASL Spammer Quiz.
- Audit. If CASL does affect any of your electronic communications or those of your organization – and chances are good that it does – review your current electronic communications processes – any commercial electronic communications you or your organization sends and any related systems, like client relationship management (CRM) systems – and determine whether they comply with CASL requirements for:
- Mandatory Consent, whether express or implied
- Mandatory Content for information disclosure
- Mandatory Unsubscribe mechanism and functionality
- Revise. If your current electronic communications and/or processes don’t comply with CASL – and chances are good that they don’t – you will need to revise them so they do.
- Existing Consent. Start by understanding and documenting where your existing customer and contact lists came from, and what consents you might have already obtained – and what consents you need.
- Start Gathering Consent. Once you’ve identified the consents that you need, start the process of getting them – but do it before July 1, 2014: an electronic message asking for consent to a CEM is itself a CEM, and every CEM sent on or after July 1,2014 must comply:
- Fresh Consent. Seek fresh, express consent from customer and contact lists.
- Restart the Clock on Existing Relationships. CASL implies consent in certain cases, including in “Existing Business Relationships” and “Existing Non-Business Relationships” (both as CASL defines). To qualify, the relationship must have existed for a defined prior length of time (6 mos or 2 years, depending on the specific relationship). You can restart the CASL consent clock on these relationships by sending CEMs to customers and contacts with whom you have an Existing Business Relationship or an Existing Non-Business Relationship.
- Consent Process. Next, adopt procedures for obtaining and documenting CASL compliant consent, Existing Business Relationships and Existing Non-Business Relationships (both within the meaning of CASL) on a go-forward basis.
- Databases. Consider whether you need to restructure your contact, customer or electronic marketing databases, like customer relationship management (CRM) systems, to document the following on a go-forward basis:
- Existing Business Relationships within the meaning of CASL
- Existing Non-Business Relationships within the meaning of CASL
- CEM Content. Modify the form of all of your CEMs to meet the CASL content requirements for disclosure of information about the sender(s).
- Unsubscribe Mechanism. Modify or create an unsubscribe feature with the mandatory functionality CASL requires, and a process to implement consent withdrawals within the 10 days that CASL requires.
- Documents and Agreements. Review and update other documents and agreements as necessary, such as:
- Third party service agreement provisions like address harvesting and appropriate representations, warranties and indemnities
- Internal privacy and Email marketing policies and procedures
- Published policies and statements
CASL will take effect in less than two months. It’s important to act now:
- What a “commercial electronic message” (CEM) is
- What “express” and “implied” consent are and when they apply
- The mandatory content and unsubscribe requirements
Consequences. CASL has significant consequences for individuals and organizations that don’t comply:
- Monetary Penalties of up to $1M on individuals and $10M on other entities for a CASL contravention
- Potential Liability of employers for certain employee violations, and personally for corporate directors and officers for a corporation’s violation
- Criminal charge of obstruction of a CASL investigation
- Private Right of Action for a person or corporation affected by a CASL contravention effective July 1, 2017