Website Design, Marketing and Inspiration Blog

Canadian Anti-Spam Legislation CASL (Bill C28)

March 26, 2014

The new Anti Spam Legislation comes into play on July 1, 2014. Canada is the last of the G20 countries to put forward this type of legislation, which is part of international agreements.Experts describe CASL as the broadest legislation of its kind in the world. 

NOTE:

-  This post is general information on this subject and should not be regarded as legal advice.  Please consult your own attorneys for specific legal guidance.  

- You should review the Act in it's entireity if you are a business owner.

What does this mean for business owners?

Basically, if you're not securing permission before sending email, you've got some work do to ensure you're compliant.

The US CAN-SPAM Act relies on opt-out consent (i.e., a functioning unsubscribe mechanism), while the Canadian version CASL requires express 'opt-in' consent.

Express consent is required before sending any email.  That means that people have to explicitly say they want to receive email, by either checking a box or putting in an email address in a place that clearly states you will be receiving email.

There are some exceptions:

- Personal or family relationship
- A direct response to an inquiry
- Delivers a good or service
- Provides a quote or estimate
- Provides warranty information
- Employment relationship benefit information
- A few other very specific instances

How To Prepare for the New Anti Spam Legislation

1) Mark July 1, 2014 on your calendars and make sure your business/organization is compliant before that date to avoid hassles and headaches.

2) Update everyone in your organization on the details.

3) Get everyone up to speed: CASL has broad rules and will impact different parts of your organization or business.  If you're a small company or independent contractor, you're probably wearing many business hats.  However, in larger organizations, this could involve sales, marketing, HR, and so on. 

4) Ask and document persmission then ensure every action you take is based on the permission-based approach will keep you out of hot water and build your brand trust and reputation.

5) Look at every aspect of your organization to pinpoint areas where CASL might impact.

The list of items you identify here will ultimately form key things on your to-do list.

- Online data capture (e.g. mailing list signup forms, landing page forms, lead generation forms, etc.)
- Offline data capture (e.g. trade shows, phone leads, received business cards, etc.)
- Offline forms (e.g. registration forms, etc.)
- Existing mailing lists
- CRM (customer) databases
- Current triggered emails (e.g. welcome email, confirmation email)
- Current email campaigns (including engagement metrics)
- Current manually sent emails

6) Take a good look at your existing subscriber databases.

Business owners that have been following email marketing best practices already might have a large base of subscribers that have already given you express consent as defined by CASL.

Industry Canada has clearly stated that express consent that is compliant with PIPEDA will also be compliant with CASL. The interpretation of this is still a bit murky, so if you want to be extra cautious you can treat everyone on your database like they have not given you express consent.

But, if you want to try to shuffle some people into the “express consent” group, here is an example of what a typical email customer would look for:

- You have put a mailing list sign up form on your website.
- The form is clear that people are signing up to receive emails from you and it clearly identifies that your organization is going to be the sender.
- The form in no way tricks people to join your mailing list by having a sneaky pre-checked checkbox that opts them in.
- Upon form submission a welcome email is sent to the supplied address.
- The welcome email contains a confirmation link (for double opt-in) that the new subscriber must click.
- Throughout this process, your email marketing system has captured the date/time of the new sign up, along with the subscriber’s IP address.
- At no point did this subscriber unsubscribe (automatically by clicking a link or by emailing you) or request to be removed from your database.
- If at this point, you feel you have concrete evidence that a subscriber explicitly requested your emails, then you can treat those people as CASL-compliant.
- Create a new segment of your mailing list for these subscribers and make sure they are removed from the “everyone else” group of addresses that are not compliant.

7) Implied Consent

You want express consent from everyone, but identifying implied consent is important because it means you can continue emailing them even while you work towards getting express consent.

With CASL’s special transitional period, you can have three full years before the implied consent expires. That’s a very long time and isn’t something you want to miss out on!  If you track customer's last purchase (or contract) then you're on your way.  Implied consent is based on this date with CASL.

You also need to look at whether or not emails are currently being sent to these customers. The transitional period only applies if messages are being sent before CASL comes into effect, otherwise it’s the normal two-year rule.  Your goal is to have a clear picture of which customers qualify as having implied consent. These are the folks you can keep emailing even if you don’t have express consent.

8) Email Your Implied Consent Contacts Before July 2014

Ready to get a little crafty?

The CASL transition rule that gives you three years for implied consent instead of the typical two years is only valid if you’ve been emailing those contacts before CASL goes live.

So, find everyone in Step 7 who you identified as having implied consent but who you are not currently emailing. Then, go over to your marketing people and tell them that you absolutely need to find something (...something of value!) to email these people. The objective is to get the messages flowing now, so you can secure an extra year to get express consent.

Keep in mind, the focus here is not on going back to every customer you’ve ever had since you really do not want to bother people that you know truly don’t care to hear from you. But rather to find the customers you’ve gotten in the “not too distant past” and start communicating with them.

Once you’ve got those emails going, your CASL timeline now extends further for these contacts, because it’s three years from July 2014.

9) Whip Every Inbound Data Process Into Shape

In Step 5 you did a high level summary of all the areas of your organization that feed in data both online and offline. Now it’s time to make sure every one of those processes follows the new CASL rules.

If you go back in this guide to the section about “Express Consent”, it will show you a clear checklist of items you must have in order for express consent to be valid. Be meticulous because once you come out of Step 9, every new subscriber you get should be CASL-compliant.

This is also the step where you’re going to want to get everyone you identified in Step 4 so that you can double check (...and triple check) that every process has been thoroughly audited. Leave no stone unturned!

Take a good long look at every signup form you have online and make sure you don’t have any pre-checked boxes because that is often a common mistake. Also, look at messages that trigger after the form is submitted (such as a welcome email) to make sure the content lends itself to full compliance.

For processes that happen orally, this is a lot trickier because you have less of a paper trail. If you’re capturing email addresses over the phone, it is generally a good idea to send those subscribers a welcome email right away because then you can capture their click on a confirmation link and that acts as your evidence of express consent. If you’re recording and archiving every call, then having a well-crafted express consent script that the subscriber agrees to will also be valid, but then you have to store and catalog a whole lot of recordings.

Before moving on, take a moment and grab a screenshot of all your online forms. This way you can do one final check that you’ve hit every item on the requirements list and also so you have further evidence of the exact form people would have filled out.

10) Salvaging the Majority of your Mailing Lists

This is a very important step because if done effectively, it will salvage the majority of your mailing lists even once CASL is in full force.

In Step 6 you identified those subscribers that have already given you express consent and those that haven’t. Right now you’re going to focus on those that haven’t in an effort to get them shifted over to the other column.

The goal is to send these subscribers an email and get them to click a link that confirms they wish to continue receiving your emails. When they click this link, the date, time and IP address must be tracked, as that becomes your hard evidence for express consent.

Keep in mind, opening your emails or clicking on other links does not qualify as express consent. The subscribers needs to click a link that clearly identifies that they are very clearly requesting to receive your emails.

Looking at some example link text:
“Visit Our Website” == Not even close to express consent
“Click here to confirm your interest in receiving our emails” == BINGO!

There are two core types of re-confirmation messages:

- Dedicated Confirmation Campaigns
- Embedded Requests in Typical Campaigns

- Dedicated Confirmation Campaigns
This is a campaign where the sole focus is on acquiring confirmation. The email should be very clean and simple with a clear call to action of clicking the confirmation link. There should be very little competing content, which can act as a distraction from clicking that ever-important confirmation link.
While these campaigns can be very effective, you don’t want to overuse them because there’s very little intrinsic value from the subscriber's point of view. One of the reasons they’ll want to continue receiving your emails is because they are of value to them (ie. discounts, information, news, etc.), and yet in an ironic twist, this specific confirmation email doesn’t add all that much value to their day.

If you continually try to hammer these confirmation campaigns at your subscribers, they may not only choose not to confirm, but they may unsubscribe even sooner.

This type of mailing should be treated as a tool in your arsenal, but not one that should be abused.

- Embedded Requests in Typical Campaigns
This is a campaign where you are sending out your usual content, but within that message you have an additional call to action for confirmation.

The reason this type of campaign works is because you have time before CASL takes effect to still email everyone on your database without worrying about specific CASL compliance. The goal is to seize the opportunity on every email to move people from lacking express consent to having express consent.

The advantage with these embedded requests is that your email still has the same value it always does in the eyes of your subscriber. You’re not pestering them with a message in their inbox that exclusively asks them to click the confirmation link. This means you don’t have to schedule extra campaigns on your content calendar because every planned campaign between now and July 2014 is acting as a confirmation email as well.

The disadvantage is that since your email is filled with a lot of competing content and calls to action, it makes it more difficult to get the subscriber to click the link you want.

In terms of strategy, a mix of both dedicated confirmation emails and embedded requests works best. You don’t have to just choose one or the other. Take a look at your planned campaigns and map out when you want to send your dedicated confirmation emails. Also, keep track of the frequency at which you are asking people to reconfirm. While that reconfirmation is important to you, it’s also important you don’t frustrate your subscribers.

Remember, from this point forward a key success metric of each campaign is how many confirmations you secured. Don’t neglect your other engagement metrics, but add this one into the mix.

CASL is coming, there is no longer any doubt. With only four months left (from the time of publication of this guide) before the law comes into affect, businesses should start preparing now.

11) Purge Non-Compliant Subscribers Before CASL Goes Live

If you’ve always wanted to be a doctor, now would be the time to say “scalpel please” because you’re about to slice and dice your way through your organization’s databases.

Anyone who has not yet given you express consent and does not meet the criteria for implied consent needs to go.

While this may make you sad, and you should pause to shed a tear, you need to remember that it is for the greater good. Plus, after all your efforts to reconfirm these contacts, if they still didn’t express interest, then there’s a good chance these were not your high value subscribers anyway.

Once you’re done with this step, all of your organizations databases should only have people that are CASL-compliant and all new data coming in is going through a process that will satisfy CASL. In short, this is a milestone moment.

 12) Document Your Efforts

Take a little bit of time and document everything you have done to become compliant.

If you get into trouble with CASL, but can demonstrate that you made very strong efforts (due diligence) to comply with all the rules and have done everything to obtain proper consent, then that will play a factor in the event a lawsuit comes up.

It’s for this reason that it’s important to track and document everything so you can cover yourself later with a stronger case if things get messy.

This might also be a good time to take a look at your organization’s privacy policy to see if it needs updating.

13) No Deceptive Messages Going Forward

At this point, your organization is in great shape on the consent side of things, but CASL also has rules to prevent sending deceptive messages.

Make sure the people who are responsible for crafting your organization's email campaigns know that there’s a new rulebook to follow which really frowns upon shady activity that tricks people.

14) Keep an Eye on Things

Getting CASL-compliant is one thing, but staying CASL-compliant is another.

You worked hard to get your organization to this point. You definitely don’t want someone to do something that makes things fall out of compliance.

People in your organization may try to work around your new policies, but don’t let them. Be strict! If they question why you are being so strict, remind them of the million dollar fines that exist for violating CASL. They probably don’t want to cover those fines for your organization, so they’ll probably understand why you want to strictly play by the rules.

:::::::::::::::::::::