Non-compliance with Canada’s anti-spam legislation could cost businesses $10 million. Now legislators are seeking a balance between communication and spam.
Canada is known by marketers to have some of the most comprehensive anti-spam laws in the world, making it challenging to safely navigate communication that is sent in connection with “commercial activity”. However, those regulations recently came under fire when the government under Prime Minister Justin Trudeau decided to relax some of the rules that currently allow Canadian citizens to sue organizations who send them communication that is classified as spam. While some individuals are lambasting the decision stating that it is a “major victory for the business lobby groups”, business owners and marketers appreciate the relief from what many perceive would have led to frivolous lawsuits.
Current Canadian Anti-Spam Legislation
Canada’s current anti-spam legislation, known as CASL, is quite vigorous and requires that all electronic communication receive full consent from individuals before the message is sent — and that applies to messages that originate within and outside Canada as well as those that travel within the country’s borders. CEM, or Commercial Electronic Messages, are any message that encourages individuals to take commercial activities such as utilizing a coupon or taking advantage of a sale. Organizations are required to receive express consent from individuals before the message is lawful, but consent can be challenging to obtain and retain. Canada’s laws consider that consent has been gained when you have documentation of the following, either orally or in writing (electronic copy is acceptable):
- Name of organization or individual
- Physical mailing address
- Contact information such as a voice messaging system, phone number, or email address
- Statement of identification from the individual
- Contact information and identity of any third-party affiliates
The good news is that organizations are able to wiggle through a few little loopholes because consent can be implied instead of expressly stated, and published electronic information is also fair game even without consent.
There are extensive exemptions for Canadian and other organizations under the CASL regulations. For example, individuals who are related by marriage or friendship are exempted, organizations with an existing business relationship will not be penalized and contacts that originated as part of a request, inquiry or complaint are also exempt from the strict CASL standards.
Just as the requirements for CASL are among the strictest in the world, the penalties for non-compliance are also quite rigorous. As of July 1, 2017, the regulations were set to take full effect, but the government has paused full implementation for the time being for a parliamentary committee review. There are three Federal agencies in Canada tasked with jointly enforcing the stringent requirements: the Office of the Privacy Commissioner of Canada, the Competition Bureau and the Canadian Radio-television and Communications Commission (CRTC). The fines that these organizations can levy against offending organizations can go into the millions of dollars, with organizations facing fines of up to $10 million. While the laws haven’t yet gone into full effect, the CRTC executed its first warrant under the Privacy policies against a computer service based in Canada that was delivering spam software.
Preparing for CASL
While the legislation is currently on hold, there’s no guarantee that the hold will stick — so it’s important to ensure that your business is fully compliant with the updated standards when they take full effect. There are a variety of steps that you should take to become compliant, including:
- Define any CEMs that you may be sending
- Outline whether CEMs are going via email, SMS text messaging or other direct digital communication methods
- Determine whether the level of consent is express or implied and that all the required contact information is being properly captured
- Post-compliance audit, define next steps to gather required information before additional CEMs are sent
- Ensure that any CEMs that would be subject to CASL rules contain the legally required information
- Determine impact of CASL on your customer relationship management software, marketing automation tools and other digital mechanisms for content dissemination
- Update procedures and policies to capture audit trail and all required information
As Canada’s government seeks to determine the right balance between allowing organizations access to Canadians and protecting the rights of those living in the country, the rules around CASL are likely to shift. However, the compliance requirements have already been through a full three-year holding period, and have been public knowledge since July 1, 2014. For the time being, businesses and non-profits are still able to send digital communications without limits to Canadians, but that could change at a moment’s notice with the reversal of this temporary hold on CASL.
While these general standards are good to keep in mind, it’s important to note that each organization will have slightly different requirements for capturing and maintaining a database that easily allows you to filter out individuals who have not indicated full compliance with CASL. If you have questions, or need assistance in Toronto determining if your business practices are fully compliant, contact PACE Technical Services today at 905.763.7896 Ext. 214 or via email to email@example.com. Our security and communication professionals will work with you to determine any steps necessary to avoid the massive fines imposed by Canada’s Anti-Spam Legislation.