This is the first in a series of posts on Canada’s new Anti-Spam Legislation (CASL).
Are you ready for Canada’s new anti-spam law? Bill C-28 – passed in December 2010 – is expected to come into effect later this year. While the exact date has not yet been announced, the Canadian Radio and Telecommunications Commission (CRTC) published final regulations related to the legislation on January 5, 2013, beginning a 30 day consultation period. This signals that the new law is closer to reality. Anyone sending commercial messages electronically in Canada or to Canadian recipients needs to be aware of the new requirements, particularly those related to consent.
In our view, the new law is legal codification of best practices we should all strive for anyway. What is no longer allowed are practices that no reputable company should follow. And the three year transition is a reasonable period for becoming compliant.
Is spam a big problem?
Yes! Global internet security company Symantec reports that in September 2012, three out of four emails sent worldwide were spam. Everyone receives emails they don’t want, from people and organizations they don’t know and with no means to unsubscribe. That’s why the Canadian government is taking action to tighten the rules for commercial email, text messages, instant messages or messages on social media platforms such as Facebook.
To be compliant with the new law your contact details, including your physical address, must be included in the message (usually in the footer), you must provide a means to unsubscribe to your messages and you must have the consent of the recipient. This is very similar to the requirements of the existing laws and if you’re working with a reputable email service provider (ESP) your messages will automatically include your contact details and an unsubscribe mechanism. The most important part of the new law to consider is the issue of consent.
What constitutes consent?
Consent is the key element in defining spam and is at the core of the new law. Definitions of consent and the relationship between sender and recipient are subject to debate. For example, if someone buys something from you are they giving you automatic consent to communicate with them in the future? Does the exchange of a business card suggest consent to add the person to an email prospect list? Are you able to email employees of an organization your company is providing services to, such as insurance benefits? In each of these examples the relationship does imply consent.
The biggest issue facing organizations around consent is proving they have permission to send an electronic message to every individual in their database.
Three year grace period
Fortunately, the law includes a three year transitional period during which consent is implied in the case of pre-existing business and not-business relationships. This gives organizations enough time to become compliant with the new regulations. The next three years is therefore an important period to ensure everyone in your email database provides you with explicit permission to send messages. The full details of how and when permission was granted needs to be stored in your database so that it can easily be retrieved. We will go into more detail about best practices for collecting permission details in future posts.
What is no longer allowed?
A common practice where consent is not provided is the purchasing or borrowing of email lists – this is no longer allowed. This does not preclude sending messages through a list provider that has gained permission to send third party messages to their list but this practice, while still legal, is becoming less and less effective as a marketing tool.
Most web forms include a field for gathering email addresses; however, merely collecting an email address does not constitute consent. The form must also include a mechanism that explicitly requests permission to send future email, such as a check box. Also, the default setting must require individuals to actually change the setting. In other words, you can’t set the permission checkbox to default to the ‘on’ position so that submitting the form automatically assumes consent.
Collecting email address by phone is now especially problematic as permission needs to be verifiable by a third party or by a recording of the phone call when permission was granted.
What do I do now?
In our next post we’ll provide you with some specific next steps you should take now to prepare for the new law and to set yourself up for the three year transition.