So It's Settled Then – Canadian Anti-Spam Law Finalized

Greg Robinson

On November 28th, while many Americans were busy stuffing themselves with a Thanksgiving feast, the Canadian government approved Canadian Anti-Spam Legislation (CASL) in its final form. I’ve spoken about this legislation with clients on many occasions, but until now we didn’t know exactly when CASL would go into effect.

I am FINALLY able to say that you will have until July 1, 2014 to make sure your organization is in compliance. I urge you to set aside sufficient time now to review the law with your legal, marketing and compliance teams. That’s just over 6 months from now!!

Several CASL requirements are similar to those of other anti-spam laws, such as the CAN-SPAM Act of 2003 in the US, including the need for accurate header info, disclosure of the sending entity’s address and a conspicuous unsubscribe link.

Likely the most significant requirement set forth by CASL is that which says you must obtain express consent from the subscribers on your list. This also means no more pre-checked opt-ins on subscription forms. A few exemptions exist, including some business to business communications, but a tremendous amount of messaging will be governed by CASL.

While you should be performing permission-based marketing already (ahem – see our rules of use), I implore you to revisit your processes and look for any avenue through which subscribers may be added to your list without having provided direct consent. Those channels should be corrected or cut off altogether. Privacy policies should be updated, too.

Additionally, you cannot “grandfather-in” your existing lists. It will be necessary to re-permission your current subscribers prior to the July 1, 2014 effective date. Communications sent requesting permission will also be governed by CASL, so you must get permission prior to July 1.

The law extends beyond email, covering all CEMs (Commercial Electronic Messages) such Email (obviously), Instant Messaging, Text/SMS and possibly voice communications. Consider all the ways you might push commercial content to your subscribers when you are reviewing the legislation.

CASL applies to entities sending CEMs both FROM and TO Canada, so those of you outside of Canada, who have perhaps not taken this seriously until now, should be in compliance as well. The CRTC, who is tasked with CASL’s enforcement, will likely be working in cooperation with the US Federal Trade Commission and other regulators when going after violators sending from outside of Canada.

Those who violate CASL face hefty fines of up to $10M, along with the opportunity for private action by those on the receiving end of the offending messages (coming into force in 2017).

While there has been and will continue to be a lot of noise surrounding CASL, those following best practices for communications shouldn’t have too much to worry about. The potential for significant fines is reason enough to do your due diligence and review the new law with the appropriate staff at your organization NOW, so you are ready before July.

Watch this space for more information on CASL and for tips on how your organization can ready itself.

*I am simply bringing awareness and cannot provide legal advice*

About the Author
Greg Robinson

As the Deliverability Manager at Informz, Greg Robinson oversees all client deliverability inquiries, maintains relationships with ISPs and anti-spam entities, and enforces anti-spam policy. Greg educates clients on best practices and strategy, working to correct existing and avoid future delivery issues to maximize deliverability rates.

  • Kevin

    thanks for the review Greg, this is helpful.

    One question related to explicit consent. You referenced an example of no pre-checked boxes. If we have downloadable content (i.e. whitepaper) and in order to download the user must fill out a form that has text under the email form field that says
    “By supplying my email address, I authorize [Company]to contact me about [Company] its products and services, including product releases, updates, seminars, events, surveys, trainings and special offers.”

    Would that be in compliance with this law, or does a user need to confirm by checking a box in addition?

    Thanks again for your insight!

    • Greg Robinson

      Based on my review on the legislation, I think it is necessary to reconfigure your page to have a check box for consent. Slightly altering your current text, it could look something like the following:

      “By checking this box, I authorize [Company] to contact me via the email address supplied about [Company] its products and services, including product releases, updates, seminars, events, surveys, trainings and special offers.”

      The aim of this part of the legislation is to ensure that the individual cannot be subscribed if they neglect to read the notification you’ve provided (be it intentional or an oversight). Providing a check box that the individual must manually select themselves will eliminate the gray area associated with this type of opt-in.

      Thanks for a great question!

  • “Additionally, you cannot “grandfather-in” your existing lists. It will be necessary to re-permission your current subscribers prior to the July 1, 2014 effective date.”

    Does INFORMZ have samples of copy that clients can use in requesting re-permissions?

    • Greg Robinson

      Hi Wendy!

      Unfortunately I don’t have previously used sample language on hand at the moment. This is partly because everyone’s list has been built differently, and also because the campaigns I have been involved with to date were crafted in language similar to that which is used in their opt-in process and subsequent campaigns. I can, however, tell you a few things to keep in mind when creating a re-permission campaign:

      Keep it familiar – don’t change your banner image and color palette to one that subscribers don’t recognize

      Be positive – don’t bore them with legalese about spam law (unless your members are lawyers, who may enjoy that sort of thing, perhaps?)

      Make it eye-catching – try to get their attention with, so the message doesn’t go unseen

      Provide a clear call to action – provide two linked images (buttons); one to confirm their interest and one to unsubscribe

      Refresh their memory – tell them why they might want to remain subscribed and remind them of what you offer

      If I were to put together some general purpose language for asking to confirm permission (assuming it was given in the first place), it would be similar to the following:


      Remember how you signed up for our email list, and we promised to keep you up to date with all kinds of great news about [WHATEVER IT IS THAT YOUR ORGANIZATIONS DOES]? Well, we’re just checking in to make sure that we’re making good on our promise!

      We’d like to know if you still want to receive email updates from [YOUR ORGANIZATION] about [WHATEVER FANTASTIC AND UNIQUE THINGS THAT YOUR ORGANIZATIONS DOES], and you can let us know by choosing from the options below:

      [hyperlinked button: “COUNT ME IN!”] – Yes, I want to continue to receive [YOUR ORGANIZATION]’s email newsletter

      [hyperlinked unsubscribe button: “Count me out”] – No thanks, I have changed my mind and would like to unsubscribe for now

      Don’t forget to include social media links somewhere in the message, too. If someone chooses not to stay on your list, that doesn’t necessarily mean that they have lost interest! They may want to see your updates on Facebook or Linkedin, for example.

      I hope this helps!

  • Greg – what about when you have members in Canada. For example, if someone joined our society from Canada would we have to have them opt in during the join process. Or would the act of joining the society opt them in and then they can opt out from e-mail?

  • As Greg points out, some lists that organizations use for prospecting or rent to third parties will need to be carefully vetted to determine which permissions need to be upgraded to express consent.

    But it’s very important to note that where there is an Existing Business Relationship (transaction in past 2 years or inquiry/quote in past 6 months), you have implied consent to send Commercial Electronic Messages, as long as the required unsubscribe mechanism is made available in the messages.

    And for transition purposes, where there was any past EBR (the 2yrs/6months restriction does not apply here) that involved any electronic messaging before CASL takes effect, then an organization has implied consent to contact that person for up to 3 years, unless or until the person unsubscribes.

    Finally, for B2B CEM’s, consent is also implied where the contact address was provided by the recipient or was “conspicuously published” (website, directory) without a notice requesting no unsolicited CEMs, and where “the message is relevant to the person’s business, role, function or duties…”

    • Greg Robinson

      Hey Anthony, that’s question that is relevant to many senders, and Wally has provided some great detail to go along with it (thanks for the insight Wally!).

      To revisit Wally’s comment, your members will typically fall into the classification of the ERB (Existing Business Relationship), where you would most likely have 2 years of implied consent. Therefore, at the time when an individual’s membership is established (or renewed), you have implied consent for the following two years. You must still comply with the other requirements of CASL (such as inclusion of contact info and the unsubscribe link).

      The possible difficulty with reliance on implied consent doesn’t necessarily show itself until sometime in the future. Implied consent can expire long after your relationship with an individual comes to an end, and it may be difficult for your organization to reliably track when that 2-year period of implied consent has expired.

      If you cease communications to former members at the time when their membership is terminated, you shouldn’t have to worry about keeping track of the expiration of implied consent (2 years later). However, if you continue to communicate with this group as non-members and you rely solely on implied consent, you will need to maintain data on the expiration of that implied consent.

      Obtaining express consent should save you the trouble of keeping track of the future expiration of implied consent for your subscribers. Express consent, once acquired, will not expire until that individual decides to would like to unsubscribe.

  • Matt

    Don’t want to beat a dead horse, but I’m hung up on the re-permission. If we already practice permission based marketing you are saying we need to re-permission again? But according to Wally any past EBR negates this. Which is it? Google is not helping me out here.

    If the answer is, we need to re-permission regardless, what is the time frame? Meaning, everyone that subscribed to my permission based email list before (DATE) needs re-permission or be unsubscribed.

    • Greg Robinson

      The statements saying that re-permissioning is necessary are aimed at a broad audience, who might have mixed lists with varying degrees of permission. Certainly there will be exceptions, with some organizations already having legitimate permission for their entire list, who will probably not need to re-permission anyone. I find this group to be a very small minority, as most senders operate with some degree of assumed consent. Without being familiar with everyone’s list building practices, however, I can’t say for certain who falls into which category. This is one of the reasons why I strongly urge senders to have their legal representatives review the law while keeping their organization’s opt-in sources and practices in mind. You will then you have someone who knows your process intimately and can help guide your decisions on how to proceed.

      On a more immediate, DIY level, check your unsubscribe reasons for the last couple of years. Look for any that state or imply that the individual who unsubscribed doesn’t know who you are, finds the content wholly irrelevant to their job and/or did not ask to receive the message from which they unsubscribed. If any of these exist, then it is likely that you have email addresses being added to your list with questionable consent, and the source of such addresses should be analyzed.

  • Instead of each Informz client individually trying to make sure they are in compliance with the laws, why can’t Informz just set-up a generic, automatic hyperlink button for all its clients’ subscriber lists or those clients who opt-in?

    • Alex

      Hi Jackie! Your eMarketing Advisor, Angie, should be able to assist you with this. Give her a call!

  • Pingback: CASL and e-communications in Canada: in pursuit of the Dark Ages | InsightaaS - Insight as a Service()