Demystifying CASL – the New Anti-Spam Law and Its July 1 In-Force Date - David Young

Demystifying CASL – the New Anti-Spam Law and Its July 1 In-Force Date
David Young
April 2014
CASL, the acronym for Canada’s new Anti-Spam Legislation, is causing a lot of anxiety. Looming is the July 1 in-force date and many organizations are scrambling to meet it.

While the law on its face appears daunting, its impact can be reduced to two key elements: minimum content requirements and the consent rules. Understanding these and how they relate to the July 1 in-force date can simplify what organizations need to do by that time and should lessen their anxiety for non-compliance.
To be clear, much of this anxiety is due to the relatively short lead time between finalization of the law (December 2013) and the July 1 in-force date. Most observers had expected a 9 – 12 month delay. However, the law contains a number of tools that can ease transition to full compliance.
Without doubt, CASL’s rules and its accompanying regulations are a bit of a mash-up – including what must go into an email, how consent must be requested, and where consent is not required. However organizations can focus on the key actions needed prior to July 1 and then map out their post-July 1 strategies for full compliance.

Email Content

You are receiving this email because you have subscribed for our monthly e-newsletter. If you no longer wish to receive these emails, click here, or Contact Us.

To satisfy this rule, all post-July 1 emails must contain prescribed contact information of the sender and an “unsubscribe mechanism”. If not practicable to include within the email both items may be provided by way of link.
Many organizations who communicate by email with stakeholders likely already comply with these requirements. For others, adjustments will be required to align with CASL’s rules.

Consent Requirement
The consent requirement clearly is a more difficult challenge, but if CASL’s “tool-box” for transition is understood, it is one that can be managed.
The Act is consent-based. However, unlike the privacy laws, CASL does not permit “opt-out” consent, and only permits limited “implied” consents.
Broadly, CASL has three options for consent compliance:

1. Express consent, which may be grandfathered

Please subscribe me for your email bulletins and other updates.

(PIPEDA and CASL-compliant consent)

or requested in accordance with CASL

If you wish to receive our e-bulletins and other updates, click here. You may withdraw your consent at any time by unsubscribing or Contact Us.

2. Reliance on a consent exemption

Hello! Your friend, John Friendly, our long-time customer, has referred us to you as someone who may be interested in our services. (Referral exemption)

or an implied consent

As a valued customer you receive our email product and service updates. (Existing Business Relationship)

As a regular donor, you receive our monthly e-bulletins (Existing Non-Business Relationship)

3. A combination of the above

As a valued customer in the past, you have been receiving our email product and service updates. To continue to receive these e-bulletins, please click here.

Using the Transition Period
A complication of CASL’s exempt and implied consent rules is that while a particular contact in a database may qualify today, changing circumstances may cause that qualification to disappear (e.g. more than two years passes since their most recent purchase, membership, subscription). This is a challenge for organizations hoping to rely exclusively on an exemption or implied consent to maintain “evergreen” compliance. By contrast, express consent is permanent unless withdrawn. As a result, organizations may conclude that express, “opt-in”, consent will be the only clear, anxiety-free option – the “gold standard”.

However, while express consent may be the gold standard, it is unlikely to be fully achievable by July 1. Therefore organizations need to focus on the alternatives that can be relied on during the three-year transition period, which only starts on July 1.
For this strategy to work effectively, organizations need to understand the exemptions and implied consents available under the law and determine whether, or what portion of, their databases can qualify.
An attraction of the transition period is that it ignores the otherwise-limiting time period for qualifying an implied consent relationship – two years in most circumstances but only six months for a business activity-related inquiry. In essence, by eliminating the time period, an organization can qualify, for the duration of the transition period, all contacts with whom at any time in the past there was a commercial, fundraising or volunteer relationship, or from whom they received an “inquiry”, provided there was at least some electronic communication. It can use this qualification to continue to seek express consent.

Hello. As a previous customer, we have been sending you our new product e-bulletins. If you wish to continue to receive our e-bulletins, please click here.

Obtaining Consent
Obtaining express consent, where it does not already exist, clearly will be the most challenging aspect of compliance under CASL. The CRTC has indicated some restrictions on how consent can be requested. Furthermore, as any marketer knows, response rates for any opt-in are always a challenge. Therefore it is important for express consent to be seen as a longer-term strategy, not one that must be completed by July 1.
Obtaining consents can be executed through a range of techniques, including:
▪      email and other electronic messaging
▪      web site/social media (e.g. clicks to opt-ins)
▪      other non-digital stakeholder communications (e.g. newsletters)
▪      conference registrations, business cards and similar stakeholder contacts.
The overall objective is to build towards the gold standard – the opt-in consent qualified database.
CRTC’s Compliance Approach
A final comment on the July 1 anxiety concern. The CRTC has stated in its information sessions that its enforcement approach will be on a “compliance continuum”. This means that it will only actively pursue “spammers” – as opposed to legitimate marketers – unless it receives complaints. Limited resources preclude an across the board enforcement approach. Furthermore, the government is conscious of the short time allowed before the Act comes into force and will respect diligent efforts by organizations to comply. If an organization in good faith strives to comply but still finds itself not fully compliant post-July 1, the CRTC’s approach will focus on obtaining compliance as opposed to seeking fines.
Key Action Strategies
In sum, the two key action strategies should be:
▪      assessing databases for exempt/implied/consent qualification, with strong reliance on the statute’s transitional rule, to identify what parts of the database can continue to be active post-July 1
▪      initiating a consent qualification strategy that will build progressively on existing consents, with those newly obtained, commencing now and throughout the three-year transition period.
Organizations need to understand the law and its implications and should be able to simplify their compliance strategies, for both the immediate and longer term. July 1 is important but is not a “drop-dead” date.
For more information please contact:
David Young            416-968-6286         david@davidyounglaw.ca
Note:     The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned that for application to specific situations, legal advice should be obtained.