Canada’s Anti-Spam Law (CASL) FAQ
Canada's Anti-Spam Law (CASL) is one of the toughest laws of its kind in the world, making its application and interpretation particularly thorny. Here we answer some of your frequent questions about both the new law and Industry Canada’s revised regulations. How will CASL impact your business? To discuss this challenge, feel free to contact us.
About Canada’s Anti-Spam Legislation (CASL)
A CEM is any electronic message that encourages participation in a commercial activity, such as an email that contains a coupon or tells customers about a promotion or sale. That said, the fact that a message includes hyperlinks to a website or contains business-related information does not make it a CEM.
CEMs must be sent to an electronic address to be caught by CASL. Confirmations of successful unsubscribes, courtesy SMS sent to roaming customers, and publication of blog posts on micro-blogging and social media sites are out of scope.
When requesting consent, you must provide recipients with:
- The name of the person or organization seeking consent
- A mailing address and either a phone number, voice message system, email address or website where recipients can access an agent for more information
- A statement identifying the person on whose behalf consent is being sought
- The identity and contact information of any third-party or affiliate used to obtain consent
- A free unsubscribe mechanism that lets recipients electronically opt-out of communications
- The ability to opt-out of all types of communications sent by either your organization or a third-party partner
CASL will come into force in three stages:
- July 1, 2014: the anti-spam provisions come into force and the three-year transitional period begins
- January 15, 2015: the consent and notice rules for installation of computer programs come into force and the three-year transitional period for computer programs begins
- July 1, 2017: the private right of action comes into force, the transitional period for commercial electronic messages ends and the three-year mandatory review for CASL will be triggered
- CEMs sent between family and friends (related through marriage, common law or any legal parent-child relationship, or if there is a voluntary two-way communication between the individuals)
- CEMs sent within or between organizations with an existing relationship (B2B)
- CEMs solicited or sent in response to complaints, inquiries, requests
- CEMs sent due to a legal obligation or to enforce a right
- Telecommunications service providers (TSPs): Under CASL, TSPs need consent to install certain computer programs, including programs that prevent unauthorized or suspicious legal activities (such as the installation of cookies) or programs unrelated to system-wide upgrades or updates. Under the proposed new regulations, TSPs will be permitted to install computer programs without consent for two purposes only:
- Preventing illegal activities that pose an imminent risk to network security or
- Updating or upgrading devices across an entire network
The new Industry Canada regulations introduced five new full exemptions:
- CEMs sent from instant messaging platforms (e.g. BBM messenger, LinkedIn InMail) where the required identification and unsubscribe mechanisms are clearly published on the user interface
- Limited-access, secure, confidential accounts (e.g. banking portals)
- CEMs sent to listed foreign countries, where it is reasonable to believe that the message will be opened in a listed foreign country that has rules similar to CASL
- CEMs sent by registered charities for the primary purpose of fundraising
- CEMs sent by political parties seeking contributions
What you need to know
Although the steps each organization must take to update their electronic databases to manage consents and unsubscribe requests will differ, to prepare for CASL you should:
- Determine if you are sending CEMs
- Identify the channels through which you send CEMs
- Assess if you have implied or express consent to send CEMs or if an exemption applies
- Develop a plan to obtain any required consents
- Make sure your CEMs contain the content required by CASL
- Determine how CASL may affect your policies, processes, customer relationship management (CRM) and other IT systems, and staff training and awareness programs
- Revise your policies, processes and systems as required
- Keep an audit trail, since CASL contains a “due diligence” defense
- CMO/marketing executives need to assess the impact of CASL on their digital marketing campaigns, especially those run through email and social media. They must also assess how to obtain consent from prospects to communicate with them.
- Chief legal counsel must review the Act’s requirements, changing regulations and commentary from industry associations, and monitor any regulatory guidance and interpretive guidelines released by the government.
- Risk officers need to assess the risks of CASL non-compliance on the business and work with compliance and business teams to mitigate these risks.
- Internal auditors must evaluate CASL compliance once it is in force, independent of the business.
- The Act (CASL)
- The CRTC regulations
- Two sets of CRTC Interpretation Guidelines
- New Industry Canada regulations (issued December 4, 2013)
- The Industry Canada Regulatory Impact Analysis Statement (issued December 4, 2013)
- FAQs (expected to be released December 18, 2013)
As you prepare to comply with CASL, Deloitte can help you:
- Examine your current consents, unsubscribe methods, electronic communication practices and cross-marketing initiatives with affiliates to identify compliance gaps
- Conduct marketing due diligence and market analysis to develop compliant customer experience and revenue growth strategies
- Ensure your mobile and digital marketing strategies, customer loyalty programs and ongoing marketing initiatives comply with CASL
- Develop an implementation plan that can be used by all stakeholders, including business unit employees, legal counsel, risk and compliance teams and your internal audit function
- Assess potential non-compliance risks and develop risk assessment and reporting frameworks to mitigate them
- Revise your policies, processes and IT systems as required
- Implement a staff training and awareness program to ensure ongoing compliance with CASL