This post is a partial overview of the new Canadian Anti-Spam Legislation. There is much more to this complex legislation than I address here (plus, I’m not a lawyer). Also, the law is not even in market yet, meaning no one knows yet exactly how it will work in practice. So, buyer (and marketer) beware! The recommendations herein are based on a layperson’s research into the CASL and on modern marketing best practices. If you have more detailed questions, please consult an actual lawyer, and visit the Canadian Anti-Spam Legislation website prepared by the Canadian government to explain this law.
WHAT IS CASL?
CASL (Canadian Anti-Spam Legislation) goes into effect July 1, 2014. It is intended to protect Canadians from unsolicited CEMs (commercial electronic messages), while also ensuring that businesses can continue to compete in the global marketplace. Think of a CEM as any commercial message sent by email, social post or text message.
Much angst has ensued in email marketing and modern marketing circles about the effects of CASL. But other than requiring new explicit consent for all Canadian leads, its provisions align pretty directly with permission-based marketing best practices that you may already have in place.
The law has two major components, one addressing electronic marketing and one addressing unsolicited installation of computer software. If you are in the business of installing malware or spyware on another person’s computer, please just crawl back under whatever rock you were hatched under and never come out again. This blog is focused mainly on that first component, which deals with electronic and automated marketing.
Once in effect, the law will prohibit or severely restrict (list courtesy of CASL’s Fight Spam site):
- Sending commercial electronic messages without the recipient’s consent (express written or verbal permission), including messages to email addresses and social networking accounts, and text messages sent to cell phones
- Altering transmission data in an electronic message which results in the message being delivered to a different destination without express consent (rerouting or redirecting)
- Installing computer programs without the express consent of the owner of the computer system or its agent, such as an authorized employee (cookies are regulated, but allowed)
- Using false or misleading representations online in the promotion of products or services
- Collecting personal information by accessing a computer system in violation of federal law (that is, the Criminal Code of Canada)
- Collecting electronic addresses by using computer programs or using such addresses without permission (address harvesting)
DOES THIS MEAN I CAN’T MARKET TO CANADIANS?
No. The law provides for two categories of consent: implied and expressed. If you already have a legitimate business relationship with a “lead” (meaning they have purchased something from you), you have 36 months to obtain new, explicit permission to continue marketing to them. Explicit consent requires three things:
- Consent (express permission; also called opt-in)
- Specific identification information for the lead
- An unsubscribe mechanism
For all other Canadian leads, you must re-opt them in. Consent may be provided either in writing (including via online means) or orally. In either case, the marketer must keep records verifying consent.
WHAT ARE THE PENALTIES?
For any person involved in the decision-making, planning or execution of CEMs that are in violation, the law calls for penalties up to $1 million PER INDIVIDUAL and PER VIOLATION. Further penalties of up to $10 million also apply to the companies involved, PER COMPANY and PER VIOLATION. The law explicitly includes executives and owners of companies found to be in violation. The Canadian government has set up websites where those who receive nonconforming CEMs can document the alleged violation.
In addition to the above criminal penalties, individuals and companies alleged to have sent nonconforming CEMs may be subject to additional civil complaints.
WHAT DO I NEED TO DO NOW?
Develop a Corporate Compliance Program
Visit here for more information about a Corporate Compliance Program, straight from the Royal Canadian Mountie’s horse’s mouth. Basically, this is a plan, documenting how your organization intends to comply with CASL. This can show your intent and may be taken into account in your favor in the event of future prosecution.
Implement a CASL Re-Opt-In Campaign
1. “Quarantine and triage” all Canadian leads (use the .ca top-level domain identifier or the lead’s address, postal code or telephone number).
2. Immediately remove all harvested leads (defined as any electronic address collected by a computer program or used without permission) from all campaigns and any active segment or list. It will NEVER be okay to send these leads a CEM.
3. Suppress all currently opted-in Canadian leads. Put them into their own segment or file and remove them from all active campaigns.
4. Create a CASL Re-Opt-In email with no commercial content (see below) and with clear, explicit opt-in or opt-out instructions.
5. Send the email to all Canadian leads except those in #2 above.
6. Based on the response to the email, put each lead into one of the following segments or lists:
   - Opted out
   - Opted back in
   - Took no action
7. Remove any opt-outs from your active database.
8. Return opt-ins to your marketing programs.
9. Repeat steps 5 through 8 for the “took-no-actions” up to 2 or 3 times, being careful to send on different days of the week and at different times of day. If at the end of the final send, a lead is still in the “took-no-action” category, remove them from your active database. No action is fully equivalent to opting out.
Also, do not use commercial content in your opt-in emails. You can brand emails with a logo, but you may not promote your products or services. “Commercial” is the “C” in CEM, so don’t use a CEM to get permission to send CEMs.
Build a Solid Communications Preference Center
The law requires the creation of an unsubscribe mechanism. You may not embed marketing opt-in within other terms or conditions—opt-in must be clear, explicit and discrete. For example, you may not offer a free software trial and have a section of the trial terms and conditions specify that the lead agree to receive marketing messages.
It is in your interest not to offer only a “binary” (either opt-in to all or opt-out from all) capability. It is better to offer explicit individual subscription options for each type of communication you send (for example, automated marketing emails, special offers or events, newsletters, technical product updates, etc.). This is best accomplished by creating a Communications Preference Center. This is sometimes called an Email Subscription Center.
The best practice is to always provide an unsubscribe link on your emails that links to a subscriptions management page where the lead can choose specific kinds of communication to opt into or out of.
The following is an example from the Canadian government CASL site:
WHAT TO DO LATER
- Double opt-in all Canadian leads using no pre-checked boxes, and ensure that no Canadian leads are passively opted in. Double opt-in is not explicitly required by CASL, but it is the kind of marketing best practice that can help you to avoid inadvertent violations and that will work to your advantage in case of future prosecution. You cannot assume permission. Non-action is the full equivalent of opt-out.
- Keep records. Make sure you can provide proof of consent for all Canadian leads. You’ll need opt-in confirmation within your data, opt-in timestamp, and specific identification of each opted-in lead.
- Especially if you use marketing automation or CRM software, during opt-in, explain clearly to leads all web domains to which they may ever be directed or from which they might ever receive email. For example, that nurture email they get from “email@example.com” might actually be sent from an Eloqua server, not from acme.com. Even though this is common automation practice, it could be construed as misleading under provisions of the CASL.
- Be extra vigilant about sources for Canadian leads. Do not buy lists. And NEVER send emails to a harvested lead.
WHAT DOES IT ALL MEAN?
About 35 million people live in Canada, roughly the population of California, so it is a major market for North American marketers. A couple of questions to ask yourself going forward:
Is it worthwhile to perpetually treat Canadians differently, creating separate US, Canadian, and US segments, campaigns, scoring and qualification rules, etc.? Or does this new law mean we should build strong permission-based best practices into ALL our marketing campaigns?
Actively opted-in leads yield far better marketing results. This is sometimes difficult to accept for organizations that have always measured success by a (big) number of raw leads. Modern marketing best practices are best practices because they work. Ideas like explicit permission, double opt-in, and clear lead-driven communications preferences management were marketing best practices long before they became centerpieces of the new Canadian Anti-Spam Legislation.
So what do you think? Do these new rules come as a surprise or have you already been practicing this kind of email marketing?
If you have any additional questions about CASL or how to implement the above recommendations – or you just want to chat email best practices – reach out to us at firstname.lastname@example.org.