UPDATE: On June 7, the Government of Canada announced in a news release that it is suspending the final CASL "Private Right of Action" rollout in response to concerns raised by many businesses. A new rollout date has not been set.
It's that time again — and we're not talking about summer Fridays or your annual family getaway trip. This post is all about Canada's Anti-Spam Legislation (CASL), which will soon implement its final phase July 1. With less than a month away, here's what businesses need to know.
CASL was passed July 1, 2014 with the purpose of protecting Canadians from unsolicited communication (i.e., spam) by setting requirements for all promotional emails sent from businesses. Since its initial rollout, additional measures have been put in place, prohibiting businesses from installing virus and malware without consent.
The latest and final phase will allow individuals to seek legal action against CASL violators.
You might be wondering, "Does this law apply to me?" If your business or organization sends promotional email to recipients based in Canada, the short answer is yes. Don't go thinking this law only applies to businesses based in Canada.
But if you still unsure, take this short quiz below. If your business or organization answers yes to any of the following three questions, then this law affects you:
- Does your business send promotional or marketing messages through electronic channels (email, SMS, social media, instant messaging) to audiences in Canada?
- Does your business install software programs on people's computers or mobile devices in Canada?
- Does your business perform these activities in or from Canada?
So how can businesses prepare for the July 1 deadline?
First, you need to make sure you comply with the requirements in the first two phases of CASL. Since the initial rollout, when sending an electronic message like a text or email, businesses are required to:
Obtain consent: You must obtain either expressed consent (explicitly asking potential contacts for permission to send them email, and they agree) or implied consent (when the recipient has purchased a product/service, or involves themselves with an organization; e.g., donating to a charity, volunteering with an organization). Businesses must keep a record of these, as the onus is on the sender to provide proof of consent.
One thing to note here is that implied consent expires. Contacts collected before July 1, 2014 expire on July 1, 2017 and must be removed from your email lists immediately. All contacts collected after July 1, 2014 will expire in two years unless the contact purchases another product/service or renew its relationship with the business (e.g., contracts, membership).
Provide identification: You must clearly identify the business/organization and include its postal address and either a telephone number or email address in every electronic message.
Include an unsubscribe link: You must include an option to opt out of all electronic messages sent and honor those requests within 10 days.
If you've ever downloaded a program or game to your computer only to find out you also inadvertently downloaded a host of other software, you'll take heart to CASL's second rollout.
In January 2015, CASL released the "Installing Computer Programs" rule, prohibiting businesses from installing software or computer programs on electronic devices (e.g. laptops, smartphones, desktop computers and even gaming consoles) without prior consent from the device owner or an authorized user. Depending on the type of business, there may be additional requirements and exceptions to this rule, so make sure to check those out on the CASL website.
Since its 2014 release, businesses and organizations have had ample time to get brought up to speed with the first two anti-spam laws, but that time is coming to a close. July 1 will mark the end of the three-year grace period and introduce the final phase of CASL called the "Private Right of Action," which allows individuals to bring lawsuits to non-CASL-compliant organizations.
While CASL can't prevent all spam, there are enforcement tools in place, so you don't want to be caught on the wrong side of the law like Kellogg Canada, who in 2016 paid a $60,000 fine for an alleged anti-spam violation. Fines can run up to $1 million for individuals and up to $10 million for businesses.
The good news is that if your business's digital marketing practices are already current with U.S. privacy laws, complying with CASL should require little effort. If not, then it's a good thing you're reading this article now.
