CASL: Canada's Anti-Spam Legislation

Canada's Anti-Spam Legislation (CASL) is not to be taken lightly.

Recent investigations and subsequently discovered violations are helping define what is required of businesses for them to be legally compliant with CASL, and what businesses should and should not do when it comes to communications with their users.

The first violator of CASL, compu.finder Inc. received a $1.1 million fine from the Canadian Radio-Television and Telecommunications Commission for supposedly sending emails without the recipient's permission and without a way for recipients to unsubscribe that works properly.

They had 30 days to pay this fine or face a further penalty.

This company fell foul of CASL's prohibition of the collection of email addresses without the permission of the users.

The Chief Compliance and Enforcement Officer for the CRTC, Manon Bombardier claims that Compu-Finder:

Flagrantly violated the basic principles of the law by continuing to send unsolicited commercial electronic messages after the law came into force to email addresses it found by scouring websites.

Two recent landmark cases involving alleged CASL violations include a case against Plentyoffish Media Inc. and Porter Airlines.

In the case against Plentyoffish Media Inc., commercial emails were sent to registered users of the Plenty of Fish dating service, but the unsubscribe mechanism in these emails was not displayed in a clear or prominent way, and unsubscription could not easily be performed by those who received the emails.

This violates a requirement of CASL, and Plentyoffish Media Inc. was fined accordingly.

The case against Porter Airlines is very similar and also revolved around sending commercial messages to people without a method for unsubscribing, or one that was labeled very unclearly.

While both of these violations deal with the unsubscribing requirement of CASL, there are other requirements that must be met as well.

Before discussing requirements of CASL, let's figure out who must comply with these requirements in the first place.

Who must comply with CASL

While CASL is a Canadian-based law, the law applies to any business or individual that uses electronic channels to promote or market an organization, product, or service to recipients who are in Canada, regardless of where the communication originates.

For example, a U.S.-based company that sends an email marketing message out must follow CASL requirements if that message will be sent to even one Canadian citizen.

Therefore, CASL is similar to CalOPPA (California Online Privacy Protection Act), in that the law effectually ends up applying to anyone and everyone.

Consider the fact that because CalOPPA applies to anyone who may reach a California resident, and because the nature of internet communications is global, even businesses far from California are likely to reach California residents and should follow CalOPPA requirements.

The same concept applies here for CASL requirements.

Email is the most commonly used medium for sending commercial electronic messages, but CASL also covers text messages, instant messages, and automated cell phone messages that would be sent to computers or cell phones in Canada.

Canada's Anti-Spam law will apply to your business if:

• If you send or help to send a CEM to a user in Canada
• If a CEM sent by you is sent from Canada or accessed from a device in Canada

In basic terms, CASL sets 3 main requirements for businesses who engage in electronic communications.

Each of these requirements will be broken down and explained throughout the rest of this article.

1. All businesses must obtain either express or implied consent before sending commercial electronic messages (CEMs) to individuals.

Note: For purposes of CASL, a CEM is any message sent by a business that intends or aims to encourage the recipient to engage in or participate in a commercial activity.

Examples of a CEM are messages promoting a person, product, or service, or an advertising message. Basically, any form of communication that seeks to pull in customers.

The following image is an example of content that would be considered a CEM if sent to people by a company via email:

An example of a CEM text message:

2. All CEMs must clearly and prominently identify who the sender of the message is, and include contact information for the sender. People must be able to quickly and easily discern where the CEM has come from.

Note how in the text message image example above, it is very clear that the message is from Cafe Italiano.

3. A functioning unsubscribe mechanism must be provided and made clearly noticeable in the CEM.Below is an example of how a text message CEM can have a clear and easy method of unsubscribing:

Here's another one from an email campaign by Warby Parker that allow all email users to unsubscribe by clicking the "Unsubscribe" link:

How to comply with CASL

Obtain consent

In general, CASL requires that explicit consent is obtained from an individual before and CEMs can be sent to that individual. However, there are a few exceptions to the explicit consent requirement that allow for implied consent.

Implied Consent vs. Explicit Consent

For clarity, explicit consent is when it there is no doubt that an individual clearly and fully consents, while implied consent is when it can be assumed to a high level of certainty based on actions of an individual and surrounding circumstances that an individual fully consents.

First, let's cover the relevant business-related exceptions for when implied consent will satisfy the consent requirement of CASL. There are 3 of them.

Implied consent is satisfied when:

1. An active business relationship exists between the business and the recipient of the CEM.For example, if you run a delivery service, an active business relationship would exist between the delivery service and everyone with an active delivery route or schedule.
2. The email address/phone number where the CEM will be sent has been made available to the public world by the individual and no caveats have been included in the publication of the information. For example, if someone puts a contact email on a personal blog or website and does not include language like "no solicitations, please" or "no spam messages are to be sent to this phone number" then consent to contact the individual with a CEM can be implied.
3. Someone who has business activities that are relevant to the message in your CEM has given you his contact information and has not indicated that he does not want to receive marketing messages. For example, if someone has signed up to receive messages from your business in the past, it can be implied that the individual consents to receive messages from your business.

4. Note: Until June 30, 2017, consent can be implied if:The recipient of the CEM has not ever explicitly withdrawn consent to be contacted, and if either of the following requirements is met:

   • The individual has purchased something from your business in the past, or
   • The individual has sent an inquiry to your business in the past.

If none of the above exceptions apply to an individual you wish to communicate with via CEMs, you will need to obtain explicit consent.

Obtaining explicit consent

To obtain explicit consent, you must include four things in your consent request:

1. Why you are requesting consent.Specify exactly why you are requesting this consent. For example, say something like, "We want to send you information about new products and promotions."

In the example below from Juliet Fay, notice how the intro text clearly states that by signing up for e-News, "regular articles on marketing, and information on workshops and products" will be delivered. This is a very concise and clear way to communicate what you are requesting consent to send:

You can also link directly to your Privacy Policy in the web form:

2. Your business information.Include your contact and identifying information.

For example, include your business name, your mailing address, and a contact phone number.

Make it very clear who is sending this request for consent.

The image below shows what Warby Parker includes at the bottom of every email they send out. Note how this makes it clear who the email came from, and where the business is located.

3. Information on revoking consent.Make it clear to recipients that even if they give consent now, they can revoke it in the future.

Let users know how they can go about revoking consent.

The example below from Grow Online Marketing does a great job of letting people know that "you can opt out at any time."

This, combined with an unsubscribe link in all communications that happen after a user would subscribe to this email marketing pros content, would be a great combination of providing information on revoking consent.

4. Manual opt-in method.Pre-checked boxes and other passive methods of obtaining consent are not allowed.

An individual must actively check a box associated with giving consent or do something active such as typing their email address into a form and clicking a submit button.

See the example above as an example of a successful way of obtaining active consent by using a web form where users can enter their email address to receive emails from you.

It must be clear to the individual that you are requesting consent, and what you are requesting consent for. It must be clear to the business requesting consent that consent has absolutely been given.

Once consent has been established or obtained and CEMs are allowed to be sent to an individual, CASL defines other requirements in terms of what must be included in the communications.

The next section covers requirements #2 and #3 of CASL: the requirements of including clear and prominent business identification information, as well as sufficient unsubscribe information, in all communications.

What to include in a CEM

When you send an electronic marketing message to an individual, you must include the following three components in each and every communication to be compliant with CASL.

1. Who you are: Identify who you are in the message. For example, in a text message, start the message off by saying "This is a message from (your business name here)" to make it immediately clear to individuals who sent the message to them.

This example again from Warby Parker communications shows a perfect way to let people know who sent them the email message:

2. Your contact information: Include your business contact information in every single communication.Make it easy for an individual receiving your message to be able to contact you. For example, include a mailing address, email address, and phone number if available.

The image below shows how Guru.com successfully provides users with a physical address, as well as links to areas where a user can interact with Guru, such as a "Help Center," a "Contact Us" section, and a connection to social media accounts:

This makes it very easy for anyone who receives this communication from Guru to be able to quickly contact the company in a number of different ways.

3. How to unsubscribe: You absolutely must provide a free way for an individual to unsubscribe to your communications.Any unsubscribe requests must be honored within 10 days of being submitted.

For example, provide an unsubscribe link at the bottom of all emails you send out. Make sure the link you provide is valid and working.

For text message CEMs, include either a link to unsubscribe, or an action such as replying with "stop" to turn off CEMs. See the example below from Facebook text notifications:

Email messages can include an unsubscribe link at the bottom in the footer to satisfy this requirement.

The image below is from an email from Amazon and demonstrates a very successful way to include a clearly placed and easily noticeable unsubscribe link in an email footer:

Here's an example where the user can revoke their consent by entering their email address and clicking the Unsubscribe button, as described by Benchmark:

The most popular way of how users can revoke their consent is by clicking the "Unsubscribe" link in each commercial email you send. This is how Yahoo Alerts provides an unsubscribe mechanism for its users:

Here's another example, where the user must select "Yes" or "No" and then click "Confirm" to unsubscribe from a specific mailing list or they can click the link to unsubscribe from all mailing lists:

This is another example from Groupon. The user has the option to variant check boxes in order choose what they wish to subscribe to and then click "Save".

Or, like in the examples shown above, they can click on the link at the bottom to unsubscribe from everything:

Once you have or obtain consent, remember to include information about who you are, how you can be reached, and how people can unsubscribe or revoke consent to your messages in each and every commercial marketing message you send, whether an email, text message, or another form of electronic communication.

This will ensure you remain compliant with CASL, thus avoiding large fines for your business.