Canada’s Anti-Spam Law (CASL) FAQ
Canada's Anti-Spam Law (CASL) is one of the toughest laws of its kind in the world, making its application and interpretation particularly thorny. Here we answer some of your frequent questions about both the new law and Industry Canada’s revised regulations. How will CASL impact your business? To discuss this challenge, feel free to contact us.
About Canada’s Anti-Spam Legislation (CASL)
When requesting consent, you must provide recipients with:
- The name of the person or organization seeking consent
- A mailing address and either a phone number, voice message system, email address or website where recipients can access an agent for more information
- A statement identifying the person on whose behalf consent is being sought
- The identity and contact information of any third-party or affiliate used to obtain consent
- A free unsubscribe mechanism that lets recipients electronically opt-out of communications
- The ability to opt-out of all types of communications sent by either your organization or a third-party partner
While Industry Canada has not yet provided a specific date, it has unofficially indicated that CASL will come into force in late 2013 or July 2014 at the latest. For three years after that, a transitional period will apply during which time businesses can imply consent for contacts with whom they already have an existing business relationship.
This gives organizations time to convert implied consents into express consent for customers with an existing business relationship, without regard to the two year window, allowing businesses to turn their inactive customers into active customers.
Updates from January’s revised regulations
According to new draft regulations released in January, exempt from CASL will be CEMs sent to:
- Friends or family: CEMs exchanged between family (i.e. by blood, marriage, common law or adoption) or friends (i.e. engaged in direct, voluntary, virtual or in person two-way communications and relationship is personal based on shared interests, experiences, etc.), as long as the recipient has not indicated that he/she does not wish to receive CEMs or any specified class of such CEMs.
- Respond to a request/inquiry/complaint.
- Business-to-business: CEMs sent by an employee, representative, contractor or franchisee within an organization or between businesses that have an existing business relationship, where the CEMs are relevant to the business, role, function or duties of the recipients.
- Enforce legal rights: CEMs sent due to a legal obligation or to enforce a legal right, including a pending legal right (e.g. debt collection, licensing, enforcing contractual obligations, enforcing court orders/foreign legal rights and non-transactional business communications, such as electronic bank statements).
- Foreign recipients roaming in Canada: While CASL applies to CEMs sent or accessed by a computer system located in Canada, foreign organizations will be exempt if they send a CEM to a foreign recipient, even if the message is accessed by the recipient while roaming in Canada. The proposed exemption would only apply if the sender could not reasonably know the message would be accessed in Canada. On the flip side, CASL would continue to apply if a foreign organization, or an internationally-based Canadian organization, sends a similar CEM to its Canadian customers, even if the message is sent through foreign-based servers.
- Telecommunications service providers (TSPs): Under CASL, TSPs need consent to install certain computer programs, including programs that prevent unauthorized or suspicious legal activities (such as the installation of cookies) or programs unrelated to system-wide upgrades or updates. Under the proposed new regulations, TSPs will be permitted to install computer programs without consent for two purposes only
- Preventing illegal activities that pose an imminent risk to network security or
- Updating or upgrading devices across an entire network
- Follow up on third-party referrals: There is a partial exemption for third-party referral messages (e.g. one single message is allowed to obtain consent). This means that a CEM sent for the first time following a referral doesn’t require consent, as long as an existing business, personal or family relationship exists and the sender includes the full name of the individual(s) who made the referral, the identity of the sender and an unsubscribe mechanism. Any CEM sent following the first referral must comply with the form and content requirements (e.g. identify the sender and include an unsubscribe mechanism).
Under CASL, clubs, associations and voluntary organizations can send CEMs without consent to people with whom they have an existing non-business relationship. To clarify this exemption, the new regulations define many of these terms.
- An “existing non-business relationship” includes membership in a club, association or voluntary organization
- “Membership” means having applied for, met the formal requirements to belong to and having been accepted as a member of the organization
- “Club,” “association” or “voluntary organization” are defined as non-profit organizations organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any other purpose than profit, if no part of the income is payable to, or otherwise available for, the personal benefit of any proprietor, member or shareholder of those organizations unless the primary purpose of the organization is the promotion of amateur athletics in Canada
What you need to know
Although the steps each organization must take to update their electronic databases to manage consents and unsubscribe requests will differ, to prepare for CASL you should:
- Determine if you are sending CEMs
- Identify the channels through which you send CEMs
- Assess if you have implied or express consent to send CEMs or if an exemption applies
- Develop a plan to obtain any required consents
- Make sure your CEMs contain the content required by CASL
- Determine how CASL may affect your policies, processes, customer relationship management (CRM) and other IT systems, and staff training and awareness programs
- Revise your policies, processes and systems as required
- Keep an audit trail, since CASL contains a “due diligence” defense
- CMO/marketing executives need to assess the impact of CASL on their digital marketing campaigns, especially those run through email and social media. They must also assess how to obtain consent from prospects to communicate with them.
- Chief legal counsel must review the Act’s requirements, changing regulations and commentary from industry associations, and monitor any regulatory guidance and interpretive guidelines released by the government.
- Risk officers need to assess the risks of CASL non-compliance on the business and work with compliance and business teams to mitigate these risks.
- Internal auditors must evaluate CASL compliance once it is in force, independent of the business.
As you prepare to comply with CASL, Deloitte can help you:
- Examine your current consents, unsubscribe methods, electronic communication practices and cross-marketing initiatives with affiliates to identify compliance gaps
- Conduct marketing due diligence and market analysis to develop compliant customer experience and revenue growth strategies
- Ensure your mobile and digital marketing strategies, customer loyalty programs and ongoing marketing initiatives comply with CASL
- Develop an implementation plan that can be used by all stakeholders, including business unit employees, legal counsel, risk and compliance teams and your internal audit function
- Assess potential non-compliance risks and develop risk assessment and reporting frameworks to mitigate them
- Revise your policies, processes and IT systems as required
- Implement a staff training and awareness program to ensure ongoing compliance with CASL
For more information on CASL, or how Deloitte can help your organization with CASL compliance contact:
Partner, Enterprise risk
Senior Manager, Enterprise risk
Senior Manager, Performance enhancement advisory