Most companies believe that they already comply with CASL. But most of the businesses we have met are in fact not compliant, simply because they are unaware of the details and complexities of this law. Unfortunately, that ignorance is already costing companies and their employees heavily.
Of the roughly 100 compliance rules and items we validate for our clients, we have identified the six most common mistakes and how to fix them. Check whether your company’s compliance level is really what you believe it to be.
N.B.: This is not a substitute for a compliance program of the kind the CRTC expects, but it is an easy way to assess whether your business is as compliant as you think it is. A full compliance program covering the CRTC’s eight required components is the only way to genuinely protect yourself from costly penalties and prosecution. Section 33(1) of the Act states that “No person shall be held liable for a violation if they prove that they have taken all reasonable precautions to prevent its commission”.
Mistake #1: No unsubscribe mechanism in individual emails
While most companies make sure their newsletters carry an unsubscribe link, very few meet this requirement in the individual emails their employees send.
Simply put, CASL makes no distinction between a promotional newsletter sent to thousands of people and an email sent by one employee to a single recipient. If a purpose of the message is to encourage participation in a commercial activity, both are “commercial electronic messages”, and the Act requires that every such message include the prescribed identification information and an unsubscribe mechanism.
Make sure that your company’s email signature template, and every employee’s signature, includes a statement telling the recipient how to withdraw consent to your business’s communications.
If you receive an email from an employee at Deloitte Canada, you will notice that their signatures always include the following statement: “If you do not wish to receive future Deloitte business emails, please send this email to ‘[email protected]’”. Similarly, at Certimail, my colleagues and I consistently include the following sentence in our email signatures: “If you no longer wish to receive commercial messages from Certimail, please indicate this by replying to this message”. Voilà. It is as simple as that.
Mistake #2: Misworded newsletter sign-up forms
Under Canada’s Anti-Spam Legislation, consent is not open-ended; it is explicit and scoped. The wording under which consent was given determines what you have the right to send and what the recipient has agreed to receive.
If your subscription form refers to newsletters, the consent applies to newsletters and to no other type of commercial email. A follow-up from sales (news about promotions, blog articles, “I think you might find this useful”, and so on) sent on the strength of that consent is a violation of the law and exposes you to fines.
Check the wording on ALL your consent forms so that it does not needlessly restrict your electronic communications; use broader text, as illustrated in the example below.
On the left, taken from our website, consent is requested for advice and promotions across all electronic communications (see the form for yourself, and do not be shy about signing up to stay informed about the law). On the right, consent is limited to newsletters, forcing the company to ask permission again before sending any other type of electronic message.
Mistake #3: Records of ALL email communications are not kept
Many SMBs delete emails from their inboxes as soon as the content is no longer needed, useful or relevant. People do this to reduce clutter and, incidentally, to free up disk space.
That practice is dangerous under Canada’s Anti-Spam Legislation. The CRTC requires that businesses retain the text of all the commercial emails they send, so that it is available should an investigation arise. Without these records, you have no way of defending yourself.
Configure your mail server (IMAP or Exchange) to archive messages automatically, or move them to archive folders manually instead of deleting them.
Mistake #4: Proof and records of consent are not kept
When under investigation by the CRTC, many SMBs justify themselves as follows: “We only send our newsletters to those who have registered on our website”.
In a notice published in July 2016, the CRTC stated that a company claiming to have obtained consent to send a commercial electronic message must be able to prove that consent and must retain all evidence of it (completed forms, audio recordings, and so on).
Most US platforms such as MailChimp, Campaign Monitor, Salesforce, etc. do not keep a history of consent.
When a person who gave you consent in the past later changes his or her profile, the new information overwrites the original data. In the event of an investigation, you will then be unable to prove that you once had that individual’s consent.
Archive your data by running an automatic or manual daily export of all the information and activity on your mailing lists.
Mistake #5: Copies of forms and their version histories are not kept
Some SMBs do their due diligence and retain the consent data captured by their form submissions, such as the date, time and IP address of the user. Unfortunately, this information alone is not enough to prove consent.
Remember, consent must be explicit and unequivocal. You must therefore be able to prove that the wording displayed on the form the user completed was explicit. By the time the CRTC contacts you, the chances are strong that your website has been redesigned or changed, and the form from a year ago is no longer the form you have today.
Consider using a Canadian ESP that automatically archives copies of your forms.
Take a time-stamped screenshot of each consent form every time you change or update your website or forms.
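Mistakes #4 and #5 come down to one record-keeping problem: each consent record must be tied to the exact form wording the person saw, and neither the record nor the form snapshot may be overwritten later. The following is an added example (not code from the article or from Certimail) of an append-only consent ledger that does this: every consent event stores the SHA-256 of the form markup shown, the markup itself is archived under that hash the first time it is seen, and the daily export is self-verifying so a tampered or truncated archive is detectable. The form texts, addresses, IPs and timestamps are constructed sample data, and the class and function names are hypothetical.

```python
import hashlib
import json

# Constructed sample form wording: the "before" and "after" of a site redesign.
FORM_V1 = ('<label><input type="checkbox" name="consent"> '
           'I agree to receive the monthly newsletter.</label>')
FORM_V2 = ('<label><input type="checkbox" name="consent"> I agree to receive electronic '
           'messages from Example Co., including newsletters, promotions and advice.</label>')


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only store of consent events, each tied to a snapshot of the form shown."""

    def __init__(self):
        self.forms = {}     # form_sha256 -> {"html": markup, "first_seen": timestamp}
        self.records = []   # never updated in place, only appended

    def snapshot_form(self, form_html: str, captured_at: str) -> str:
        """Archive the exact form markup; identical markup maps to one version."""
        digest = sha256_hex(form_html)
        self.forms.setdefault(digest, {"html": form_html, "first_seen": captured_at})
        return digest

    def record(self, email, event, timestamp, ip=None, form_html=None):
        """Append a consent event ('granted' or 'withdrawn'). A withdrawal sent by
        email reply has no form, so form_sha256 is None in that case."""
        rec = {
            "email": email,
            "event": event,
            "timestamp": timestamp,
            "ip": ip,
            "form_sha256": self.snapshot_form(form_html, timestamp) if form_html else None,
        }
        self.records.append(rec)
        return rec

    def evidence_for(self, email):
        """Every event for this address, with the form wording in force at the time."""
        out = []
        for r in self.records:
            if r["email"] != email:
                continue
            html = self.forms[r["form_sha256"]]["html"] if r["form_sha256"] else None
            out.append({**r, "form_html": html})
        return out

    def current_status(self, email):
        events = [r["event"] for r in self.records if r["email"] == email]
        return events[-1] if events else "none"

    def export(self) -> str:
        """Daily export: JSON with a hash over the canonical body so later
        alteration of the archive can be detected."""
        body = {"forms": self.forms, "records": self.records}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return json.dumps({"body": body, "sha256": sha256_hex(canonical)})

    @staticmethod
    def verify_export(blob: str) -> bool:
        """Check the export hash, that each archived form still hashes to its key,
        and that every record's form hash resolves to an archived snapshot."""
        data = json.loads(blob)
        body = data["body"]
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        if sha256_hex(canonical) != data["sha256"]:
            return False
        for digest, form in body["forms"].items():
            if sha256_hex(form["html"]) != digest:
                return False
        return all(r["form_sha256"] is None or r["form_sha256"] in body["forms"]
                   for r in body["records"])


def demo() -> ConsentLedger:
    """Walk through a redesign: Alice consented under the narrow v1 wording, Bob
    under the broader v2 wording, and Alice later withdrew by replying to an email."""
    ledger = ConsentLedger()
    ledger.record("alice@example.com", "granted", "2016-03-01T10:00:00Z",
                  ip="203.0.113.5", form_html=FORM_V1)
    ledger.record("bob@example.com", "granted", "2017-01-15T09:30:00Z",
                  ip="203.0.113.9", form_html=FORM_V2)
    ledger.record("alice@example.com", "withdrawn", "2017-02-01T08:00:00Z")
    return ledger


if __name__ == "__main__":
    ledger = demo()
    print(json.dumps(ledger.evidence_for("alice@example.com"), indent=2))
    print("export verifies:", ConsentLedger.verify_export(ledger.export()))
```

Because the form is archived by content hash, Alice’s record still resolves to the narrow “monthly newsletter” wording after the redesign, which is exactly what limits what you may send her and what you would have to show an investigator. Storing the export somewhere the mailing platform cannot overwrite (and keeping every daily copy) is what turns this into the evidence the CRTC asks for.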
Mistake #6: No written compliance policy
Even if you take every measure to comply, you are never entirely immune to an error by an employee or subcontractor, or to a technical problem, that puts you in violation of the law.
Fortunately, section 33(1) of Canada’s Anti-Spam Legislation offers a due-diligence defence to businesses that can demonstrate good governance, but only if they have taken all the necessary measures to comply. The CRTC has indicated that these measures should include a formal compliance program with eight specific components. One of them is a written compliance policy that employees know and follow, and that sets out disciplinary consequences for those who breach it.
Write your CASL policy after a full risk audit and analysis, and make sure your employees understand and apply it.
Running a business without a written CASL policy is like riding a motorcycle without a helmet: “it’s safe as long as there’s no accident”.
What’s your score?
If you are already aware of these mistakes and make none of them, bravo! You are one of the very few companies that do their due diligence. But there are over 100 rules to respect, so if you have not already formalised your compliance program, doing so should be quick and inexpensive. It would be a shame to be so diligent and yet be fined over one of the other rules and regulations.
If some of these six mistakes apply to your business, that is proof that you are not compliant. July 1st has passed, and fines and class actions are multiplying. There are over 100 rules to respect, so now is the time to set up your compliance program to protect yourself, your employees and your business.
We are here to assess your situation and to provide you with an inexpensive yet highly effective way to set up a compliance program that meets the CRTC’s requirements.
We know that businesses do not always have the cash, or want to make the time, to set up a program immediately, so our solutions are adapted to the realities of independent workers and small and medium-sized businesses.