Case study: Newsletters mistakenly flagged as spam… What to do?

/0 Comments/in , , /by

If you send out a newsletter, chances are good that at least one recipient has unsubscribed, and in doing so, cited “spam” as their reason for unsubscribing. If you have Hotmail, Yahoo, or Google email addresses in your lists or CRM database, flagging an email as “spam” is even easier for them.

Even if your newsletter or communication is not “spam”, people nowadays get easily irritated and take out their anger on email by hitting that spam button. Sad story, but true.

Now without having to get into the details of email deliverability, each time an email you or your company sends is tagged as spam, there are checks and balances that go on in the background, affecting your email deliverability score. If you score reaches a certain level, or if the email platform you use to send emails receives a certain amount of “spam” hits, you could receive a warning or worse, be banned from sending emails.

This is unfortunately what happened to one of our clients.

Situation:

Our client’s email address acquisition process was not optimised, and although their communications were definitely not spam, their newsletters were flagged by some. They received warnings and were only a couple of emails away from being blacklisted. And undoubtedly, equally close to receiving a notice from the CRTC.

This was a huge concern for our client as email was crucial to their business model. Without it, they would not have been able to serve their users.

Solution:

They were in a precarious situation and they needed to act quickly. Our solution for them was simple, set them up with a CASL Compliance Program.

As per CASL:

“A person must not be found to be liable for a violation if they establish that they exercised due diligence to prevent the commission of the violation.”1

And as per the CRTC:

“The development and proper implementation of a documented and effective corporate compliance program is a useful risk-management strategy: it may (i) reduce the likelihood of businesses violating the rules and/or CASL, and (ii) help businesses establish a due diligence defence in the case of a violation of the rules or CASL.2

In our dealings with the CRTC, we know that they are not looking for companies and organizations to be perfect, but they do want them to be responsible.

Process:

As part of the process of establishing a Compliance Program, one of the first things that we did and that is required by the CRTC, is to perform a risk analysis.

We assessed our client’s situation according to one hundred items in our compliance grid, while at the same time searched for operational and marketing optimizations regarding electronic communications.

We then supplied them with a report of our audit, complete with recommendations for each issue, as well as optimisation tips and practical advice. Our client also operates in Europe so we provided GDPR recommendations as well.

They then fixed their issues, appointed a Compliance Officer, began documenting in the appropriate CASL registries, implemented a CASL Compliance Policy, and updated their Privacy Policy.

They are now CASL certified and can send electronic communications with peace of mind. They are no longer at risk of being blacklisted or of receiving a hefty fine.

If you’re wondering if any of your emails or newsletters may have been flagged as “spam”, give us a call and we’ll help you out. 514-867-1230

GDPR: (re)confirming consent, an error to avoid

/0 Comments/in , , , /by

With the entry into force of the General Data Protection Regulation (GDPR) on May 25th, you’ve probably received dozens of emails asking you to consent (or re-consent) to the processing of your personal data.

Now, you may be wondering if you should do the same for your own business.

The answer is no, and here’s why:

Firstly, the GDPR only concerns you if your company is active on the European market.

If your company doesn’t deal with European consumers, you don’t have to worry about the GDPR. It’s much more important to ensure that you comply with the Canadian Anti-Spam Law (CASL), which is almost as severe as the GDPR but focuses on Canadian companies, and commercial electronic communications to and from Canada.

If, however, you are active in Europe, whether you are physically present there or not, compliance with the GDPR is your concern, but this is not a reason to bombard your contacts with requests for confirmation of consent. It is a harmful and often useless step because there are other ways to put you in good standing.

Counterproductive results

From a marketing perspective, confirmation of consent is probably the worst legal basis to justify the processing, use and storage of personal data.

Indeed, companies having opted for “consent confirmation” campaigns have been able to note the danger of these. For example, many of their contacts took the opportunity to withdraw their consent in frustration following the avalanche of similar messages received. This is a quick and easy way to destroy your marketing database.

The same thing happened in 2014 when CASL came into force. Thousands of messages were received by consumers asking if they would agree to continue receiving business messages. These messages were initially useless because a temporary provision gave the sender an implicit right to send messages until July 2017. Above all, these emails damaged the reputation of several companies and had the opposite result; the loss of consent of the vast majority of their marketing contacts leading some SMBs to bankruptcy.

A request for consent probably not necessary

Firstly, explicit consent by means of a form in accordance with a European Parliament directive on the protection of privacy (Directive 95/46 / EC) is also valid for the GDPR. If your forms comply with the Canadian Anti-Spam Law, then your consents respect the GDPR. It is, therefore, unnecessary to waste your time and that of your clients to ask them for a new consent.

In addition, the GDPR provides five other legal bases to justify the collection and processing of personal data. These five legal bases are: the contractual necessity, the respect of a legal obligation, the safeguarding of the interests of the person concerned or another physical person, the public interest and finally, the legitimate interests (article 6 of the GDPR).

 

“Legitimate interest” as an ally

From a marketing perspective, “legitimate interest” is definitely the most interesting and easy option to use. Section 6 (1) (f) of the GDPR defines it as treatment “necessary for the legitimate interests of the controller or a third party unless the interests or fundamental rights and freedoms of the person concerned prevail, which require protection of personal data, in particular where the data subject is a child.” 1

In other words, your interest in developing your business justifies that you collect and use the relevant personal information of your contacts for your email marketing campaigns as long as it does not affect the rights of your contacts. For example, if you use the name and email address that someone has provided to you, to send them interesting promotional information and give them the opportunity to unsubscribe, you are in the justified under “legitimate interests”. On the other hand, this would not justify collecting and processing irrelevant personal information such as his Social Insurance Number or his sexual orientation.

Think strategically

It’s not because email sendout providers like MailChimp or Cyberimpact are offering you a consent request email template that it’s relevant to use it. Unfortunately, these companies often have limited knowledge of these regulations and their compliance requirements. It’s better to put yourself in the shoes of the average consumer who has received 23 emails of this type this week and who is expecting you to have more interesting emails.

If you are afraid that some of your consents are not in compliance and you need to get a confirmation, go step by step to reduce the impact on your database.

Start by separating all your European contacts from the other contacts in your database and group them according to the different legal bases that may correspond to them. If some contacts do not fit into any of the six legal bases and you have not obtained them by a consent form, you must send a consent confirmation message only to those contacts, making sure to do so in a tone that corresponds to relationship style that you develop with your customers. A too “legal” tone will bother your customers or at worst scare them.

In short, the GDPR should not push you to make mistakes in panic mode but is an issue that you must take seriously if you do business with Europeans. It’s also an opportunity to structure and enrich your databases and digital marketing strategy by building the trust of your customers.

As with CASL, it is not enough to have “consent” to comply with the GDPR. All other regulatory requirements must be met, which only a formal compliance program can provide.

If you want to comply with the GDPR to strengthen the trust of your European customers or avoid fines and legal proceedings, contact one of our advisers today. The Certimail team offers GDPR compliance programs tailored to the constraints of Canadian SMBs that can even be combined with a CASL compliance process, saving you time and money.

 

$100,000 in penalties for SMS messages non-compliant with CASL

/0 Comments/in , , , , /by

A commitment to the CRTC

May 1st, 2018, the CRTC announced via news release that companies 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC., operating as 514-TICKETS, whose principal activity is the resale of sports, cultural, and event tickets, has accepted an undertaking for alleged violations of the Canadian Anti-Spam Legislation (CASL). Under the latter, the companies pledged to pay a financial indemnity of $100,000 ($25,000 paid to the Receiver General for Canada and $75,000 in rebate coupons offered to clients).

This innovative form of sanction, combining customer discounts and fines, demonstrates that the CRTC’s intent is not to punish wrongdoers, but to force them to adopt CASL-compliant practices, which is inherent in the implementation of a CASL compliance program.

CASL’s application to text messages

This sanction is a milestone in the history of CASL compliance: it is the first time the CRTC has fined a company for violating the LAW by sending commercial electronic messages (CEMs) via text messages. 514-TICKETS would have, from July 3rd , 2014 to November 26th , 2016, sent CEMs via text message “without having obtained the consent of the recipients, and by not providing the necessary information to identify the sender, nor the information necessary to contact the sender“. More specifically, the majority of text CEMs were messages requesting consent to receive subsequent commercial offers.

The CRTC reiterated, in its news release, that CASL applies to any message sent —not only to an email address, but also to a telephone number account, or email account on social media— that is intended to encourage participation in a commercial activity.

If you don’t have consent, you cannot request consent

514-TICKETS should have, like any company sending CEMs, had prior consent before communicating with the recipients, but also include in its messages the information necessary to identify the sender, as well as the information to contact the sender. 514-TICKETS should also have included an unsubscribe mechanism, allowing the recipient to signal their desire to no longer receive communications from the company.

The Spam Reporting Centre is as efficient as ever

In this case, the CRTC’s investigation was initiated by reports sent to the Spam Reporting Center (SRC). This government authority transmits information received from consumers and other bodies, to the CRTC, the Competition Bureau, and/or the Office of the Privacy Commissioner of Canada depending on the nature of the alleged violation.

The importance of a compliance program

In their commitment to the CRTC, 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC., have also been required to implement a CASL compliance program, which includes: “an audit and review of current compliance practices […], as well as various other monitoring and auditing measures, including reporting mechanisms to CRTC staff regarding the implementation of the program.”

If your company has not yet been investigated by any of the CASL enforcement authorities, there is still time to implement your compliance program and protect your business before it’s too late.

GDPR & CASL: When to use “Legitimate Interests” or “Consent” as a lawful base

/0 Comments/in , , , /by

If you are a Canadian marketer and you send emails to the European Union (E.U.), under GDPR you’ll need to justify why you collect and store data for each of your contacts. And by data, I’m referring to contact information (first name, last name, email address, etc.) and how you use this data (marketing, transactional, etc.).

The lawful bases

Because GDPR governs data security and protection, an individual or organization may reference one of the six lawful bases to justify the collection of data of their clients, leads, partners, members, marketing contacts, etc.

From a purely marketing perspective, there are two lawful bases that one will cite regularly in their records and documentation: “Legitimate Interests” and “Consent”.

  • “Legitimate Interests” as a lawful base can be relied upon for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.
  • “Consent” as a lawful base is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement.

Which lawful base to apply for email marketing purposes…

Knowing that:

  • Under CASL, which governs commercial electronic messages, a consent status needs to be attributed to and documented appropriately for each contact, for you to have the legal right to send them electronic commercial messages. Either “express” or “implied” consent.
  • Under GDPR, which governs data security and protection, a lawful base needs to be attributed to and documented appropriately for each contact, for you to have the legal right to store and use a contact’s information.

Hence as a Canadian marketer (sending marketing messages to the E.U. ) , you must take into consideration and comply with the rules of GDPR -AND- CASL , thus adding a certain complexity.

Despite this complexity, there are totally legitimate, quick, and easy solutions for you to use:

For B2C email marketing

“Consent” as a lawful base is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR.

However, there are strict requirements and you will need to obtain explicit consent (note that there is no such thing as “implied consent” under GDPR) moving forward from all your marketing communication subscribers or from anyone that fills out forms on your web pages to receive communications from you.

If you use “Consent” as a lawful base.

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message that is used has to state all the ways you could possibly use the personal data you collect and how you are protecting that data. (ex.: state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time.)
  • Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

This process, not only enables you to comply with GDPR, but also gives you “express” consent under CASL.

For B2B email marketing

Particularly for those in sales, many of our contacts can be filed and recorded as “Implied Consent” under CASL, and as “Legitimate Interests” under GDPR.

You are required, however, to document the Legitimate Interests Assessment for each contact (LIA):

Whoa, that’s a lot to take in and document! But wait… whether you’re marketing B2C or B2B, or both, the arrival of GDPR is a great opportunity and occasion to convert “implied consent” Canadian contacts to “express consent” contacts, and classify E.U. contacts under “Consent” as a lawful base. See this article, “How to Write Emails to Get Consent for GDPR (and CASL)“.

Disclaimer:

Understandably, different sized organisations and types of messages need to be taken into consideration. Be sure to adapt accordingly to your organisation’s structure, operations, and unique situation.

Applying both CASL and GDPR legislations responsibly and taking the appropriate action is not at all an easy task. There are many details to pay attention to and to follow. It can be a difficult, time-consuming, and frustrating task if you are not completely versed in both legislations. In addition, mistakes can run costly fines for individual executives and companies alike.

If you need help or have questions, you can leave a comment or contact us at any time.

How to Write Emails to Get Consent for GDPR (and CASL)

/0 Comments/in , , , /by

The European Union’s General Data Protection Regulation (GDPR) comes into effect May 25th. From that date onwards, an organization must be able to demonstrate they are being lawful and prove compliance with this regulation.

Because GDPR governs data security and protection (unlike CASL with governs commercial electronic messages — for more information on the differences between GDPR and CASL click here) an individual or organization may reference one of the six lawful bases to justify the collection of data of their clients, leads, partners, members, marketing contacts, etc.

Because email is such a key medium for our business transactions and marketing communications, it’s important to note that any organization sending emails to individuals in the European Union is subject to GDPR, regardless of the originating country of the emails.

Now then, specifically for your marketing contacts, you’re going to want to know about Consent as a Lawful Base, to justify the collection and storage of your marketing contacts’ information.

“Consent” as a lawful base is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR. However, there are strict requirements and you will need to obtain explicit consent (note that there is no such thing as implied consent under GDPRmoving forward from all your marketing communication subscribers or from anyone that fills out forms on your web pages to receive communications from you.

If you use “Consent” as a lawful base.

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message that is used has to state all the ways you could possibly use the personal data you collect and how you are protecting that data. (ex.: state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time.)
  • Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

For those marketing contacts that you already have in your database (that are not clients, partners, members, employees or associates —as other lawful bases are easier to use for those contacts, although you can still send them the following email to ask them for their consent as there’s no harm in being safe than sorry) here is how you are going to want to ask them for consent.

N.B.: For those doing business in Canada, under CASL, if you already have implied consent for your contacts, and if you are still within the allowed time period (ex.: A person, who fills out a web form on your website, is considered to have given you “implied consent”, and you have a 6-month time frame in which you can communicate with them), the following email is valid to obtain explicit/express consent.

From name and subject line

These are the two elements that are the most crucial part of any email, as these items determine whether we’ll open an email or not.

For the “From” name, you’re going to want to make personal (from a real person, because as humans we prefer interacting with other humans) and professional (company name).

Ex. Rebecca Coggan | CompanyName, or Rebecca @ CompanyName, or use your full name and add the company name to the subject line.

For the subject line, you’re going to want to include the words “action required”.

TIP: Typically, when these words are surrounded by square brackets and in all caps, ex. [ACTION REQUIRED], we tend to take it more seriously.

And of course, in the subject line, you’ll also need to add the reason why you are contacting the person.

Example of all the elements together:

Other variations are possible. Be sure to make it your own.

Body copy

The three most important things when it comes to body copy is that it needs 1) to be brief, 2) to clearly demonstrate the “what’s in it me” for the recipient of the email and 3) written using an empathetic tone.

N.B.: By the way, if you respect these three key elements in your body copy, your open rates will steadily increase and your audience will trust you more and more.)

TIP: When it comes to these specific types of communications (updating information, account status etc.), text-based emails tend to be taken more seriously, are read more than scanned, and are acted upon more than ignored.

Example of all the elements together:

The body copy also includes many essential items: person’s name, deadline, the action required, incentive, instructions for future requests, a warm thank-you, and detailed sender information.

Here too, other variations are possible depending on your own situation. You can also send a follow-up email if you don’t get a response or action as quickly as hoped for. Be sure to make it your own.

So there you have it. Simple and easy.

CASL’s first sanction against a foreign company

/0 Comments/in , , , /by

Sanction for the Irish site Ancestry.com

On April 24th, the CRTC announced an undertaking with Ancestry Ireland Unlimited Company (“Ancestry”), which hosts the Ancestry.com website. The latter uses emails to communicate with people registered on its online service, which allows the search for genealogical documents (family history, family trees, historical records, information based on genetic analysis, etc.).

The extraterritorial nature of CASL

This is the first time that a foreign company has been subject to a CRTC sanction in connection with the Canadian Anti-Spam Law (hereinafter CASL). Ancestry is an Irish company with no offices or employees in Canada. The provisions of CASL, however, indicate that it applies to any company that sends messages to Canadian subjects, regardless of the source of the messages.

Similarly, contrary to what many people believe, Canadian companies have to comply with CASL both in their sendouts to Canada and for commercial electronic messages, they send to the rest of the world.

A sanction even if the consents were legal

The CRTC was able to find that Ancestry had obtained valid consents to communicate with its contacts, that its messages contained the mandatory identification information as well as an unsubscribe link.

However, the company was still in the wrong according to the CRTC because their different databases did not synchronize the withdrawal of consents. A customer who unsubscribed from one list continued to receive messages from the other list.

The requirement to synchronize withdrawals of consent

CASL provides that a person must be able to unsubscribe from all commercial electronic messages from the company. In the absence of other choices in the unsubscribe process (ex.: to receive certain types of communications only), the person must by default be excluded from the receipt of all commercial communications.

This requirement of the law can become a concern for many. Indeed, in the majority of companies, there is no synchronization between the mailing lists and the sending of emails themselves, the email sending platforms being separated from CRM or databases. Many companies also often have no way of updating their consent for sending emails via Outlook if someone unsubscribes from their newsletter. Thus, a person could continue to receive communications, despite the fact that in principle, they have unsubscribed from all sendouts.

The compliance program is a must

Ancestry is, by this undertaking, obliged to comply with the Act with respect to the synchronization of its consents. It must therefore unsubscribe and remove from all its commercial communications any person who has indicated this desire, either directly or indirectly, within 10 working days of the request.

The company must also implement a compliance program under CASL which includes: “reviewing and revising current compliance practices […], as well as various other monitoring and auditing measures, including reporting mechanisms to CRTC staff regarding the implementation of the program.”1

Do not be the next company to be sanctioned

If you use an email sendout platform that does not synchronize consent withdrawals with other lists or with your internal email system, you’re in violation of CASL and you may be fined up to several hundreds of thousands of dollars.

If your company is not yet under investigation by one of the CASL enforcement authorities, there is still time to put your compliance program in place and protect yourself before it’s too late.

GDPR Compliance & Emails: What Canadian SMBs Need to Know

/0 Comments/in , , , /by

The European Union’s General Data Protection Regulation (GDPR) comes into effect May 25th, and although details of the law are still being worked out, when it comes into effect, in the eyes of European law, an organization must demonstrate they are being lawful and must be able to prove compliance.

Who is subject to GDPR?

For those of us here in North America who do business with European countries, we are subject to GDPR because of international collaboration between authorities. Specifically, though, GDPR applies to:

  • Any organization that collects, changes, transmits, erases, or otherwise uses or stores the personal data of EU citizens. (Personal data is any piece of data that, used alone or with other data, could identify a person).
  • Any person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data, known as the “Controller”, is accountable under GDPR.
  • Any organization sending emails to individuals in the European Union is subject to GDPR, regardless of the originating country of the emails.

What are the two main DIFFERENCES between CASL and GDPR?

  1. Commercial Electronic Message vs. Data Protection

The biggest differentiator between CASL and GDPR is that CASL governs Commercial Electronic Messages (CEMs) while GDPR governs data security and protection.

  1. Compliance Program vs. Lawful Bases

When proving compliance, a CASL Compliance Program that meets the CRTC’s eight requirements is one’s only defense in Canada. For GDPR, an individual or organization may reference one of the six lawful bases, as long as one can prove and demonstrate that they respected all the details and took all the action required of the lawful base cited.

About Consent

Some lawful bases don’t apply to all businesses and marketers, but if you send emails, you’ll want to know about Consent as a Lawful Base.

Remember, a company must be able to fully justify why they are collecting the information of an individual or organization, to what means they are using it, and how that information is being protected.

Consent is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR. However, there are strict requirements and you will need to obtain explicit consent moving forward from all your subscribers or from anyone that fills out forms on your web pages to receive communications from you, if you use Consent as a lawful base.

Important: unlike CASL there is no implied consent in the eyes of GDPR nor are there B2B exceptions. There is only explicit consent. Note that:

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message that is used has to state all the ways you could possibly use the personal data you collect and how you are protecting that data. (ex.: state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time.)
  • Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

Access, Rectify, and Erase

Additionally, as you collect an individual’s data through your online forms (ex.: first name, last name, email, etc.) under GDPR an individual must able be to access, rectify and erase their data at any given time. Thus, we suggest that you include a section in your Privacy Policy as to how an individual may go about this (ex.: by sending an email with the request to [email protected]).

Record keeping and a centralized database

Within the rules and regulations of both CASL and GDPR, good record-keeping practices is not only necessary to establish a due diligence defense in the event of complaints against your business, but good recording keeping helps businesses (i) identify potential non-compliance issues, (ii) investigate and respond to consumer complaints, (iii) respond to questions about the business’s practices and procedures, (iv) monitor their corporate compliance program, (v) and identify the need for corrective actions and demonstrate that these actions were implemented.

Additionally, in order to meet the requirements of GDPR regarding Data Privacy and Consent, a centralized database for contact management, processing and documentation are helpful, not only for client relationships, smooth and efficient operations, but also for proving lawfulness and compliance.

As an individual or organization that sends emails, for marketing or business purposes, what’s your best bet?

A CASL compliance program is considered the gold-standard and best in breed where it comes to protecting yourself against hefty fines. Remember CASL applies to individual emails as much as group emails and newsletters regardless of whether there is promotion content or not.

Implementing a CASL compliance program, that meets all the requirements of the CRTC, is not only required by the law in Canada, but by doing so, you’ll increase your protection with regards to GDPR.

 

 

Learn How CASL’s Parliamentary Review Will Effect Your Email Marketing In 2018

/0 Comments/in , /by

Last year was a landmark year for CASL. There was a lot of activity; notably the end of the grace period, several huge fines, and parliamentary reviews. We’ve followed and tracked all the changes and modifications, particularly how it affects businesses like yours and its impact on email marketing.

Here’s a recap of the last year, what you can expect in 2018, and a few recommendations.

HIGHLIGHTS FROM 2017:

WHAT TO EXPECT IN 2018:

  • More requests for information and notices to businesses from the CRTC regarding the proper documentation of implied consent
  • More requests for information and notices regarding proper identification information, unsubscribe and complaint mechanisms in SMS messages
  • An increase in the number of fines issued
  • More outreach and education by the CRTC with respect to the law
  • Modifications to the actual name and title of the law
  • Modifications to certain articles in the law, especially with regards to those items that are ambiguous has already started this past December

KEY RECOMMENDATIONS FOR THIS YEAR:

  • Properly organize and document all the various consent types for all your contacts. A centralized database or CRM is key. Remember to also take into account the expiration of your various consent types (there are several).
  • We can’t stress it enough, but a CASL compliance program that meets the 8 requirements of the CRTC, is your sole protection in case you receive a request for information or notice from the CRTC.
  • Another way to help reduce complaints is to not only develop a solid email strategy with a focus on your business objectives, but develop a communication strategy that is of pertinence to your audience. The “what’s in it for them” (instead of you) never goes out of style.
  • When sending emails, be sure to make the most of segmentation, personalization (based on segmentation and not just a first and last name), and frequency (irregular timing gets higher open rates).

Stay tuned, another update from Parliament is due in the coming weeks.

 

 

 

[Study] Marketing Professionals’ knowledge of CASL – Spoiler: It’s not good…

/0 Comments/in , , , , /by

Today, the AMR (Quebec’s Association of Relationship Marketing) unveiled its first study asking Quebec marketing professional how well they know (or think they know) CASL (Canada’s Anti-Spam Law) and its compliance requirements. While the Canadian ministry, responsible for CASL, will soon respond to recommendations made by Parliament in the law’s first review and amendments, it was important to measure the understanding and application by Quebec professionals that are most impacted by it.

This study was conducted in collaboration with LJT, a law firm renowned for its expertise in marketing law, and Certimail, the Canadian leader in CASL compliance for SMBs.

Companies are not familiar with CASL

While 96% of respondents send commercial electronic messages (emails specifically), less than 6% correctly answered 7 simple questions about CASL and its application. Of the respondents (71%) who said they were familiar with CASL, 85% failed this basic test.

One in two believes that the Canadian Anti-Spam Legislation only regulates promotional items (i.e. newsletters), however, governs ALL commercial electronic communications (individual, group, batch, sales, transactional, regardless of whether there is promotional content or not).

10% of respondents are unaware that CASL applies to their organization and business practices.

It’s been three years since CASL has come into full enforcement, and yet professionals still don’t know its constraints and scope,” says Marc Roussin, president of the AMR. “Our association is, therefore, launching a series of activities to demystify the requirements of this law, that governs all commercial electronic messages.

A big misunderstanding of compliance

60% of respondents said their businesses are fully compliant with CASL. Yet, less than 10% have incorporated a withdrawal mechanism into employee email signatures, a CASL obligation. Barely 11% completed an audit, as recommended by the CRTC. Only 40% have a written compliance policy and 75% of companies have not yet trained their employees with regards to this law.

If one doesn’t know the real dangers to which they are exposed, a company can’t properly execute good risk management and governance,” says Sophie Deschênes-Hébert, a lawyer specializing in advertising and technology at LJT. “The results of the study show that in digital marketing, many make strategic decisions based on incomplete or inaccurate information and expose themselves to costly and easily avoidable consequences.

A misunderstanding of CASL directly affects one’s marketing effectiveness

Since the launch of CASL, approximately 9% of respondents stopped using email marketing altogether, while 11% reduced their use of this marketing channel.

This sort of practice is flawed because CASL and all its regulations equally applies to emails sent by employees. Several fines issued by the CRTC (ex.: William Rapanos and POF Media cases) show that sometimes only a few complaints are required for a company to be investigated.

Eliminating or reducing email marketing is also a bad business decision because, with a return on investment of 44 to 1, email still remains the most profitable digital marketing tool for companies and organizations.

Too many companies are afraid of this legislation, and it’s too bad because it’s an excellent opportunity to improve one’s marketing,” says Philippe Le Roux, president of Certimail. “Implementing a CASL compliance program not only protects you against fines but it improves marketing and operational effectiveness.

Since the introduction of CASL, email marketing indicators have improved significantly in Canada, according to a recent IBM global study.

AMR launches an outreach program

In light of the results of the study, AMR will be launching a program of activities to help marketers learn about CASL’s regulatory requirements and provide guidance to help them achieve business compliance. This program will launch on May 3rd, 2018 during a conference dedicated to email and compliance. During the event, the CRTC will present its CASL enforcement methods. Several experts will also share their knowledge and experiences regarding compliant and effective email marketing. Additionally, a series of webinars will allow professionals to deepen their knowledge and to benefit from tried and true advice.

Consult the complete study (in French only).

Parliamentary Report: The Canadian Anti-Spam Law Is Here to Stay

/0 Comments/in , /by

The government must maintain and reinforce the application of the Canadian Anti-Spam Law (CASL), but it must also clarify vague notions of the Act and its regulations, as ascertained by the thirteen recommendations in the CANADA’S ANTI-SPAM LEGISLATION: CLARIFICATIONS ARE IN ORDER.

The report, recently published by the House of Commons Standing Committee on Industry, Science, and Technology cites forty-one expert testimonies with analyses from approximately thirty memoirs over the course of ten weeks.

CASL is effective

Despite highly polarized interventions between lobbyists and business lawyers, who described CASL as a catastrophic situation, and consumer representatives, who believe that the fines are insufficient, parliamentary members relied on information provided by Certimail to conclude that, despite the constraints, CASL offers a good balance between consumer protection and business competitiveness, but that aspects of the law require clarification.

CASL must change its name

The first and last recommendations of the Committee are to change the short name “Canadian Anti-Spam Law (CASL)” to “Electronic Commerce Protection Act (ECPA)”. Members noticed that many companies do not feel concerned by the Law because they are not aware that CASL governs all commercial electronic communications, and not just spam or email marketing.

CASL must be clarified

Recommendations 2 to 8 call on the government to clarify and detail certain elements of CASL and its regulations to ensure that non-profit businesses and organisations better understand what is allowed or not.

The elements that the Committee recommends to clarify are:

  • the definition of “commercial electronic messages
  • the status of administrative and transactional messages
  • the status of messages between companies
  • notions of implied and express consent
  • the definition “email address”
  • messages that are exempt to section 6.6 of the Act
  • management of referral messages
  • the application of the Law as it applies to charities and non-profits organisations

These clarifications of the Law and its regulations will address some of the vague regulations, but it does not or will not change the CRTC’s compliance requirements.

The CRTC must take care of small businesses

In its ninth recommendation, the Committee wants the CRTC to make a significant effort to raise awareness, particularly among small businesses. This recommendation is based on a thorough evaluation of the CRTC’s work. The Committee emphasized in the report that all stakeholders were unanimous in saying that the CRTC must review its awareness activities and guidance documents to ensure that they are sufficient and effective—(very happy to see that part of my intervention was even quoted directly in the report, page 14) —indicating that the compliance requirements are hidden on the CRTC’s website and are not even listed on the fightspam.gc.ca website. The CRTC is therefore invited to redouble its awareness-raising efforts, particularly with small businesses.

Postponement of Civil and Class Actions

The Committee considers that the Private Right of Action (PRA), which allows civil or class actions to be launched after receiving a non-compliant message, must be maintained but suspended pending clarification and awareness-raising efforts. The Committee’s tenth recommendation also suggests that the Government assess whether the damages that may be claimed in this regard should be demonstrated.

The CRTC’s cooperation with the RCMP

During their testimony before the Committee, the CRTC indicated that it is currently less limited in its dealings with authorities in other countries than with the RCMP and other Canadian security agencies. The Committee heard the message and dedicates its eleventh recommendation to fostering cooperation between the CRTC and police authorities across the country.

Transparency in complaints, investigations, and fines

The CRTC and government are encouraged to find ways to make the investigation and fine-setting process more transparent while promoting access to data on complaints received and trends in problems.

I was happy to read that Certimail’s contribution was quoted a dozen times in the report. This not only made me proud of my first lobbying experience but glad to have helped our MPs to understand SMBs’ reality in regard to email marketing and CASL compliance. Upon reading the recommendations, it’s clear that Certimail’s pragmatic approach has served the interests of our clients much better than the dogmatism of the official lobbies like CFIB and Canadian Chamber of Commerce, that don’t really seem to know and understand the undertakings of being compliant or even email marketing at all.