Attention! Privacy Law: New Obligations for ALL Businesses

According to the Canadian Chamber of Commerce, in 2016, 53% of Canadian businesses were victims of sensitive data loss. In recent years, millions of Canadians discovered that their personal data had been stolen from Bell Canada, Equifax, Uber, CIBC, Winners, and others.

These breaches have led the government to oblige companies to systematically disclose any incidents that may have affected the personal information they hold on their customers.

On November 1, 2018, the Digital Privacy Act will come into force, adding provisions to the Personal Information Protection and Electronic Documents Act, better known by its acronym “PIPEDA”.

Keeping and maintaining a “register”

The Act requires organizations to keep a record of all “breaches of security measures” for 24 months after the date of the breach, which must be available to the Privacy Commissioner at all times.

“Breach of security measures” means any loss, unauthorized access or unauthorized disclosure of personal information. This could be the loss or theft of a USB key, a hard drive or a computer that held personal information. It could also be the discovery of an attempt to hack a server, or of a virus that affected a computer or network on which such data was located. It may also be the discovery that an employee accessed such data without following proper procedures.

Companies must, therefore, document every security problem affecting personal information, whether it is computerized, material or human and whether or not there has been any damage.

Informing the authorities

In addition, an organization must notify the Privacy Commissioner as soon as a breach of security measures could result in “serious harm”.

The definition of “serious harm” is much broader than we might think. It includes “bodily injury, humiliation, damage to reputation or relationships, financial loss, identity theft, adverse effect on the credit file, property damage or loss, and loss of employment opportunities or business opportunities or professional activities”.

Your company must, therefore, perform a risk assessment for each incident to determine the harm by considering, in particular, the sensitivity of the personal information in question and the likelihood that the information will be misused.

For example, if you are an SMB, you will have to proceed with notifications if any or all of the following situations occur:

  • you have discovered a virus affecting the server or computer where your database is located;
  • your website has been the victim of a hacking attempt;
  • an employee did not follow a procedure;
  • a former employee took personal data with them.

Of course, there are many situations that could lead to “security breaches” in organizations collecting personal information, and a complete enumeration of such information is impossible.

Notifying those affected

When you discover that an incident may have resulted in the disclosure of personal data, you must inform everyone whose data has been compromised, even if you are not sure whether their data has been disclosed.

It is never pleasant to tell customers that one has mismanaged their information and that it may have been compromised. But if it’s done the right way and, most importantly, quickly, your customers will appreciate your diligence in sparing them the consequences.

The content of the notifications

Notices informing the data subject and the Privacy Commissioner of the infringement must contain specific information allowing them to be informed about the measures to be taken to reduce the risk of harm. The notice to your customers must include the following, at the very minimum:

  • the circumstances of the incident;
  • the date or period of the incident;
  • the nature of the personal information affected by the incident;
  • what steps the organization has taken to reduce the risk of harm;
  • measures that any interested party can take to reduce the risk of harm;
  • contact information allowing the individual to inquire further about the incident.

The notice to the Commissioner must have the same content except that it must include the number of individuals affected by the infringement.

Aligning with Europe’s GDPR

These latest amendments are binding on businesses, but by adopting them, Canada is moving closer to the obligations imposed in Europe since May 25 by the GDPR, which will facilitate the transfer of information between European organizations and Canadian ones.

For all things security, prevention has always been the best form of protection. Conducting an audit of your personal information management policies and practices as part of implementing a Canadian Anti-Spam Act compliance program is both a practical and cost-effective way to get you up to speed quickly and protected from lawsuits, fines and other obligations that could greatly affect the trust of your clients towards you and your business.


Canadian Companies Face California’s New Privacy Law

Until recently, the United States was lagging behind in the protection of personal information. So it was a great surprise that on June 28, California adopted the California Consumer Privacy Act (CCPA), which will come into force in January 2020.

And like all new laws of this type, its application goes beyond borders and therefore concerns Canadian companies that have customers in California. The good news is that companies that do not meet any of the criteria below are not affected at this time.

The CCPA applies to any organization that has personal information of California residents and that:

  • Has gross annual revenues greater than $25 million USD;
  • Buys, receives, sells or shares the personal information of more than 50,000 California residents;
  • Earns 50% or more of its annual revenue by selling information of California residents.


The California law is similar in many respects to the Canadian law, the Personal Information Protection and Electronic Documents Act (PIPEDA), but it also differs from it in many others. Compliance with PIPEDA is therefore not sufficient to comply with the CCPA.

Here are the main differences:

Right of access: Both statutes contain the right for consumers to be informed of the existence and use of their personal information and to have access to it. However, unlike Canadian law, California law does not provide an exception to this right that would allow a business to deny access to a consumer.

Right to erasure: Under Canadian law, organizations may retain personal information as long as it is necessary for the purpose for which it was collected, which implies the right of the consumer to request the deletion of the information once the goals are fulfilled. At first glance, the California law offers a broader right to request that information be removed, period. However, it provides for several rather vague exceptions which diminish the scope of the right and thus make it similar to that of PIPEDA.

Right to portability: unlike the Canadian law, the California law provides for the right to data portability, that is, consumers have the right to receive their information in a structured format, commonly used to transmit data to another entity without interference from the original entity.

Consent: The California law does not place much importance on consent, unlike the Canadian law that bases the lawfulness of consent collection on either implicit (opt-out) or opt-in (consumer) consent. The CCPA, however, gives Californians the right to opt-out of the sale of their personal information. This right, therefore, requires organizations to include on their website a clear link to a form for such an opt-out.

Anti-Discrimination: Both Acts contain provisions prohibiting organizations from requiring consumers to consent to the collection of their information for the purpose of obtaining goods or services or having them at a given price. The California law is more flexible because it allows organizations to offer discounts to individuals consenting to the collection or use of their information.

Applications: While the Canadian law requires organizations to have accessible and easy-to-use complaints procedures, the California law requires at least two forms of communication: a toll-free telephone number and a website.


In Canada, the Privacy Commissioner does not have the power to impose fines for contraventions of PIPEDA and consumers do not have a private right of action.

California, on the other hand, has been much stricter in enforcing its law: Consumers have a private right of action, that is to say, the right to pursue an enterprise for civil or collective liability for breaches of security obligations, without any prejudice.

The CCPA also provides for penalties of up to $7,500 USD per violation.


If your company collects or has personal information of California residents, you may be subject to the CCPA even if you comply with Canadian law, which puts you at great risk of civil actions by consumers, as they do not have to prove damages to claim compensation.

As the Internet allows you to trade with consumers and businesses around the world, it’s becoming increasingly important to verify that your data management and e-marketing practices meet regulatory requirements.

Do not hesitate to speak with a Certimail advisor to see if you are affected by this new legislation.

Case study: Newsletters mistakenly flagged as spam… What to do?

If you send out a newsletter, chances are good that at least one recipient has unsubscribed, and in doing so, cited “spam” as their reason for unsubscribing. If you have Hotmail, Yahoo, or Google email addresses in your lists or CRM database, flagging an email as “spam” is even easier for them.

Even if your newsletter or communication is not “spam”, people nowadays get easily irritated and take out their anger on email by hitting that spam button. Sad story, but true.

Now, without having to get into the details of email deliverability, each time an email you or your company sends is tagged as spam, there are checks and balances that go on in the background, affecting your email deliverability score. If your score reaches a certain level, or if the email platform you use to send emails receives a certain amount of “spam” hits, you could receive a warning or worse, be banned from sending emails.

This is unfortunately what happened to one of our clients.


Our client’s email address acquisition process was not optimised, and although their communications were definitely not spam, their newsletters were flagged by some. They received warnings and were only a couple of emails away from being blacklisted. And undoubtedly, equally close to receiving a notice from the CRTC.

This was a huge concern for our client as email was crucial to their business model. Without it, they would not have been able to serve their users.


They were in a precarious situation and they needed to act quickly. Our solution for them was simple, set them up with a CASL Compliance Program.

As per CASL:

“A person must not be found to be liable for a violation if they establish that they exercised due diligence to prevent the commission of the violation.”

And as per the CRTC:

“The development and proper implementation of a documented and effective corporate compliance program is a useful risk-management strategy: it may (i) reduce the likelihood of businesses violating the rules and/or CASL, and (ii) help businesses establish a due diligence defence in the case of a violation of the rules or CASL.”

In our dealings with the CRTC, we know that they are not looking for companies and organizations to be perfect, but they do want them to be responsible.


As part of the process of establishing a Compliance Program, one of the first things that we did, and that is required by the CRTC, was to perform a risk analysis.

We assessed our client’s situation according to one hundred items in our compliance grid, while at the same time searching for operational and marketing optimizations regarding electronic communications.

We then supplied them with a report of our audit, complete with recommendations for each issue, as well as optimisation tips and practical advice. Our client also operates in Europe so we provided GDPR recommendations as well.

They then fixed their issues, appointed a Compliance Officer, began documenting in the appropriate CASL registries, implemented a CASL Compliance Policy, and updated their Privacy Policy.

They are now CASL certified and can send electronic communications with peace of mind. They are no longer at risk of being blacklisted or of receiving a hefty fine.

If you’re wondering if any of your emails or newsletters may have been flagged as “spam”, give us a call and we’ll help you out. 514-867-1230

B2B Sales: Simple Email Trick to Quick-Start New Lead Relationships (and be CASL & GDPR Compliant Too)

For those of us that work in B2B, networking is a great opportunity to meet potential clients. Talking with as many targeted individuals as possible and exchanging business cards at these conferences or events are our priorities.

But what’s next? Often we’ll add these cards to our sales pipeline sheets or CRM applications, waiting for the “right moment/opportunity/situation” to contact them. And regularly, these contacts get added to a “newsletter” list.

I often compare B2B sales to dating. You’re not going to move to “first base” with someone before you go on a date. Receiving a newsletter from someone you met at a conference, without sending them a follow-up email first, is kind of like this.

And when the person receives the newsletter, often the first thing that comes to mind is, “I never signed up to receive this” accompanied with feelings of infringement. And now, the chances of that potential client becoming a client have been greatly reduced. Or worse, your newsletter or communications are reported as spam.

But what if there were a way to go about things just slightly differently…

Imagine a simple email that could nurture that lead, and move them forward towards becoming a client instead of deterring them. An email that is also 100% compliant in the eyes of Canada’s Anti-Spam Law (CASL) and the European General Data Protection Regulation (GDPR)?

So let’s start over again…

You’re at a business conference or event and you exchange business cards with a potential client, partner, supplier, etc. You both agree to stay in touch. You add that contact to your sales pipeline sheet or CRM application.

The very next thing you’ll want to do is to send the following email:

Here’s why this email is so effective:

First off, we’re making them feel good by being nice (“it was a pleasure meeting you”), giving (“I’d like to learn more about your…”), respectful (“would it be okay with you…?”), and reassuring (“whatever we send your way will be of value”), all qualities the majority of humans appreciate and act positively towards.

We’re also meeting the legal requirements by being clear in what can be expected by the contact replying to the email (receiving future communications).

Lastly, the email is not a dead-end, as indicated by the anticipation of a future conversation.

Oh, and regarding the subject line “Hi First Name…”: in B2B, an email whose subject is “hi” with the person’s name followed by “…” is opened by over 95% of recipients. That’s a great open rate!

If the contact doesn’t reply back, it’s OK; you still made a good impression.

The next thing you’ll want to do is to add “implied consent – B2B exception” as your CASL consent status to that contact, along with a photo of the business card and the date and name of the event where you met. Add “legitimate interest” as your GDPR Lawful Base.

If the contact replies back positively, great! The contact’s CASL consent status is now “express”.

So there you have it, a simple email that makes all the difference. Be sure to make it your own by using your own words and expressions.

Every single email is an opportunity. Imagine all the possibilities.




How to Segment Email Contacts for Performance and Compliance

With the arrival of the GDPR and with CASL in full force, we are legally obliged to document and classify our contacts, either by implied/express consent for CASL and/or by citing one of the six lawful bases for GDPR.

This legal obligation is actually a great opportunity to update and revise those existing relationships.

When was the last time you UPDATED and CLEANED UP your CRM or contact lists?

Like the majority of professionals and companies, it has probably been some time since your contacts were last updated or cleaned up. It’s a time-consuming task, and often other priorities take precedence. Once a contact has been entered into our address book, our profile tables, our CRM, our databases, it just kind of sits there.

But imagine what it would be like if you took the time to consider how those contacts, how those business relationships could evolve. Suddenly, opportunities come to mind.

Imagine what it would be like if that cold lead became a client for one of your new products or services. Imagine what it might be like if those one-time buyers transformed into frequent shoppers.

If we are more pertinent in our offerings to our contacts, clients, customers, leads, etc., through proper segmentation, these opportunities can become realities.

Here’s how to go about it…

#1 – Classify contacts according to “Legal” status

Because of our legal obligations to CASL and GDPR, you’ll want to attribute either an “implied/express consent” status or a “lawful base” to each of your contacts. It may sound time-consuming but this process is quite easy if you know the law or if you work with a professional (wink, wink).

#2 – Attribute business variable tags

Next up, you’re going to want to add tags or group your contacts based on business variables.  For B2B, this can include company type, size, industry, relationship to your business, etc. For B2C, you can use an RFM matrix model, or add items such as “high spender”, “frequent shopper”, etc.

When you segment emails on these variables, your best opportunities suddenly come into focus, and the time spent on marketing efforts is used more effectively.

For example, instead of sending a general promo to your entire list, you’ll send a more specific incentive to just your high-spenders, resulting in more overall direct sales at a higher cart value.

#3 – Attribute personal interests

Lastly, you’ll want to attribute personal interests and preferences to your contacts, so that you can personalize content. This can include language, gender, activities, etc.

For example, perhaps you run a tourism company and offer different excursions. Certain customers are going to be more interested in one type of activity than others. By asking them what activities interest them on sign up forms, or based on past purchases, or links clicked in emails, you can determine which activities interest a contact most.

By doing this, email conversations and communications suddenly become more relevant, pertinent and meaningful to your audience.

Your contacts will reward your efforts with increased open and click-through rates and increased sales and revenue.

Remember, every single email is an opportunity. Imagine all the possibilities.




GDPR: (re)confirming consent, an error to avoid

With the entry into force of the General Data Protection Regulation (GDPR) on May 25th, you’ve probably received dozens of emails asking you to consent (or re-consent) to the processing of your personal data.

Now, you may be wondering if you should do the same for your own business.

The answer is no, and here’s why:

Firstly, the GDPR only concerns you if your company is active on the European market.

If your company doesn’t deal with European consumers, you don’t have to worry about the GDPR. It’s much more important to ensure that you comply with the Canadian Anti-Spam Law (CASL), which is almost as severe as the GDPR but focuses on Canadian companies, and commercial electronic communications to and from Canada.

If, however, you are active in Europe, whether you are physically present there or not, compliance with the GDPR is your concern, but this is not a reason to bombard your contacts with requests for confirmation of consent. It is a harmful and often useless step because there are other ways to put you in good standing.

Counterproductive results

From a marketing perspective, confirmation of consent is probably the worst legal basis to justify the processing, use and storage of personal data.

Indeed, companies having opted for “consent confirmation” campaigns have been able to note the danger of these. For example, many of their contacts took the opportunity to withdraw their consent in frustration following the avalanche of similar messages received. This is a quick and easy way to destroy your marketing database.

The same thing happened in 2014 when CASL came into force. Thousands of messages were received by consumers asking if they would agree to continue receiving business messages. These messages were initially useless because a temporary provision gave the sender an implicit right to send messages until July 2017. Above all, these emails damaged the reputation of several companies and had the opposite result; the loss of consent of the vast majority of their marketing contacts leading some SMBs to bankruptcy.

A request for consent probably not necessary

Firstly, explicit consent by means of a form in accordance with a European Parliament directive on the protection of privacy (Directive 95/46/EC) is also valid for the GDPR. If your forms comply with the Canadian Anti-Spam Law, then your consents respect the GDPR. It is, therefore, unnecessary to waste your time and that of your clients to ask them for a new consent.

In addition, the GDPR provides five other legal bases to justify the collection and processing of personal data. These five legal bases are: the contractual necessity, the respect of a legal obligation, the safeguarding of the interests of the person concerned or another physical person, the public interest and finally, the legitimate interests (article 6 of the GDPR).


“Legitimate interest” as an ally

From a marketing perspective, “legitimate interest” is definitely the most interesting and easy option to use. Section 6(1)(f) of the GDPR defines it as treatment “necessary for the legitimate interests of the controller or a third party unless the interests or fundamental rights and freedoms of the person concerned prevail, which require protection of personal data, in particular where the data subject is a child.”

In other words, your interest in developing your business justifies that you collect and use the relevant personal information of your contacts for your email marketing campaigns as long as it does not affect the rights of your contacts. For example, if you use the name and email address that someone has provided to you to send them interesting promotional information, and you give them the opportunity to unsubscribe, you are justified under “legitimate interests”. On the other hand, this would not justify collecting and processing irrelevant personal information such as their Social Insurance Number or their sexual orientation.

Think strategically

It’s not because email sendout providers like MailChimp or Cyberimpact are offering you a consent request email template that it’s relevant to use it. Unfortunately, these companies often have limited knowledge of these regulations and their compliance requirements. It’s better to put yourself in the shoes of the average consumer who has received 23 emails of this type this week and who is expecting you to have more interesting emails.

If you are afraid that some of your consents are not in compliance and you need to get a confirmation, go step by step to reduce the impact on your database.

Start by separating all your European contacts from the other contacts in your database and group them according to the different legal bases that may correspond to them. If some contacts do not fit into any of the six legal bases and you have not obtained them by a consent form, you must send a consent confirmation message only to those contacts, making sure to do so in a tone that corresponds to the relationship style that you develop with your customers. An overly “legal” tone will bother your customers or at worst scare them.

In short, the GDPR should not push you to make mistakes in panic mode but is an issue that you must take seriously if you do business with Europeans. It’s also an opportunity to structure and enrich your databases and digital marketing strategy by building the trust of your customers.

As with CASL, it is not enough to have “consent” to comply with the GDPR. All other regulatory requirements must be met, which only a formal compliance program can provide.

If you want to comply with the GDPR to strengthen the trust of your European customers or avoid fines and legal proceedings, contact one of our advisers today. The Certimail team offers GDPR compliance programs tailored to the constraints of Canadian SMBs that can even be combined with a CASL compliance process, saving you time and money.


$100,000 in penalties for SMS messages non-compliant with CASL

A commitment to the CRTC

On May 1st, 2018, the CRTC announced via news release that the companies 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC., operating as 514-TICKETS, whose principal activity is the resale of sports, cultural, and event tickets, have accepted an undertaking for alleged violations of the Canadian Anti-Spam Legislation (CASL). Under the latter, the companies pledged to pay a financial indemnity of $100,000 ($25,000 paid to the Receiver General for Canada and $75,000 in rebate coupons offered to clients).

This innovative form of sanction, combining customer discounts and fines, demonstrates that the CRTC’s intent is not to punish wrongdoers, but to force them to adopt CASL-compliant practices, which is inherent in the implementation of a CASL compliance program.

CASL’s application to text messages

This sanction is a milestone in the history of CASL compliance: it is the first time the CRTC has fined a company for violating the law by sending commercial electronic messages (CEMs) via text messages. 514-TICKETS would have, from July 3rd, 2014 to November 26th, 2016, sent CEMs via text message “without having obtained the consent of the recipients, and by not providing the necessary information to identify the sender, nor the information necessary to contact the sender”. More specifically, the majority of text CEMs were messages requesting consent to receive subsequent commercial offers.

The CRTC reiterated, in its news release, that CASL applies to any message sent (not only to an email address, but also to a telephone number account, or email account on social media) that is intended to encourage participation in a commercial activity.

If you don’t have consent, you cannot request consent

514-TICKETS should have, like any company sending CEMs, had prior consent before communicating with the recipients, and should also have included in its messages the information necessary to identify the sender, as well as the information to contact the sender. 514-TICKETS should also have included an unsubscribe mechanism, allowing the recipient to signal their desire to no longer receive communications from the company.

The Spam Reporting Centre is as efficient as ever

In this case, the CRTC’s investigation was initiated by reports sent to the Spam Reporting Centre (SRC). This government authority transmits information received from consumers and other bodies to the CRTC, the Competition Bureau, and/or the Office of the Privacy Commissioner of Canada, depending on the nature of the alleged violation.

The importance of a compliance program

In their commitment to the CRTC, 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC., have also been required to implement a CASL compliance program, which includes: “an audit and review of current compliance practices […], as well as various other monitoring and auditing measures, including reporting mechanisms to CRTC staff regarding the implementation of the program.”

If your company has not yet been investigated by any of the CASL enforcement authorities, there is still time to implement your compliance program and protect your business before it’s too late.

GDPR & CASL: When to use “Legitimate Interests” or “Consent” as a lawful base

If you are a Canadian marketer and you send emails to the European Union (E.U.), under GDPR you’ll need to justify why you collect and store data for each of your contacts. And by data, I’m referring to contact information (first name, last name, email address, etc.) and how you use this data (marketing, transactional, etc.).

The lawful bases

Because GDPR governs data security and protection, an individual or organization may reference one of the six lawful bases to justify the collection of data of their clients, leads, partners, members, marketing contacts, etc.

From a purely marketing perspective, there are two lawful bases that one will cite regularly in their records and documentation: “Legitimate Interests” and “Consent”.

  • “Legitimate Interests” as a lawful base can be relied upon for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.
  • “Consent” as a lawful base is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement.

Which lawful base to apply for email marketing purposes…

Knowing that:

  • Under CASL, which governs commercial electronic messages, a consent status needs to be attributed to and documented appropriately for each contact, for you to have the legal right to send them electronic commercial messages. Either “express” or “implied” consent.
  • Under GDPR, which governs data security and protection, a lawful base needs to be attributed to and documented appropriately for each contact, for you to have the legal right to store and use a contact’s information.

Hence, as a Canadian marketer (sending marketing messages to the E.U.), you must take into consideration and comply with the rules of GDPR -AND- CASL, thus adding a certain complexity.

Despite this complexity, there are totally legitimate, quick, and easy solutions for you to use:

For B2C email marketing

“Consent” as a lawful base is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR.

However, there are strict requirements and you will need to obtain explicit consent (note that there is no such thing as “implied consent” under GDPR) moving forward from all your marketing communication subscribers or from anyone that fills out forms on your web pages to receive communications from you.

If you use “Consent” as a lawful base:

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity do not constitute consent; data subjects must explicitly opt in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message that is used has to state all the ways you could possibly use the personal data you collect and how you are protecting that data (e.g., state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time).
  • Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

This process not only enables you to comply with GDPR, but also gives you “express” consent under CASL.

For B2B email marketing

Particularly for those in sales, many of our contacts can be filed and recorded as “Implied Consent” under CASL, and as “Legitimate Interests” under GDPR.

You are required, however, to document the Legitimate Interests Assessment (LIA) for each contact.

Whoa, that’s a lot to take in and document! But wait… whether you’re marketing B2C or B2B, or both, the arrival of GDPR is a great opportunity and occasion to convert “implied consent” Canadian contacts to “express consent” contacts, and classify E.U. contacts under “Consent” as a lawful base. See this article, “How to Write Emails to Get Consent for GDPR (and CASL)”.


Understandably, different sized organisations and types of messages need to be taken into consideration. Be sure to adapt accordingly to your organisation’s structure, operations, and unique situation.

Applying both the CASL and GDPR legislations responsibly and taking the appropriate action is not at all an easy task. There are many details to pay attention to and to follow. It can be a difficult, time-consuming, and frustrating task if you are not completely versed in both legislations. In addition, mistakes can result in costly fines for individual executives and companies alike.

If you need help or have questions, you can leave a comment or contact us at any time.

How to Write Emails to Get Consent for GDPR (and CASL)

The European Union’s General Data Protection Regulation (GDPR) comes into effect May 25th. From that date onwards, an organization must be able to demonstrate they are being lawful and prove compliance with this regulation.

Because GDPR governs data security and protection (unlike CASL, which governs commercial electronic messages; for more information on the differences between GDPR and CASL click here), an individual or organization may reference one of the six lawful bases to justify the collection of data of their clients, leads, partners, members, marketing contacts, etc.

Because email is such a key medium for our business transactions and marketing communications, it’s important to note that any organization sending emails to individuals in the European Union is subject to GDPR, regardless of the originating country of the emails.

Now then, specifically for your marketing contacts, you’re going to want to know about Consent as a Lawful Base, to justify the collection and storage of your marketing contacts’ information.

“Consent” as a lawful base is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR. However, there are strict requirements and you will need to obtain explicit consent (note that there is no such thing as implied consent under GDPR) moving forward from all your marketing communication subscribers or from anyone that fills out forms on your web pages to receive communications from you.

If you use “Consent” as a lawful base:

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity do not constitute consent; data subjects must explicitly opt-in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message that is used has to state all the ways you could possibly use the personal data you collect and how you are protecting that data. (ex.: state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time.)
  • Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

For those marketing contacts that you already have in your database (that are not clients, partners, members, employees or associates, as other lawful bases are easier to use for those contacts, although you can still send them the following email to ask for their consent, since it is better to be safe than sorry), here is how you are going to want to ask them for consent.

N.B.: For those doing business in Canada, under CASL, if you already have implied consent for your contacts, and if you are still within the allowed time period (ex.: A person, who fills out a web form on your website, is considered to have given you “implied consent”, and you have a 6-month time frame in which you can communicate with them), the following email is valid to obtain explicit/express consent.

From name and subject line

These are the two elements that are the most crucial part of any email, as these items determine whether we’ll open an email or not.

For the “From” name, you’re going to want to make it personal (from a real person, because as humans we prefer interacting with other humans) and professional (company name).

Ex. Rebecca Coggan | CompanyName, or Rebecca @ CompanyName, or use your full name and add the company name to the subject line.

For the subject line, you’re going to want to include the words “action required”.

TIP: Typically, when these words are surrounded by square brackets and in all caps, ex. [ACTION REQUIRED], we tend to take it more seriously.

And of course, in the subject line, you’ll also need to add the reason why you are contacting the person.

Example of all the elements together:

Other variations are possible. Be sure to make it your own.

Body copy

The three most important things when it comes to body copy are that it needs 1) to be brief, 2) to clearly demonstrate the “what’s in it for me” for the recipient of the email and 3) to be written using an empathetic tone.

N.B.: By the way, if you respect these three key elements in your body copy, your open rates will steadily increase and your audience will trust you more and more.

TIP: When it comes to these specific types of communications (updating information, account status etc.), text-based emails tend to be taken more seriously, are read more than scanned, and are acted upon more than ignored.

Example of all the elements together:

The body copy also includes many essential items: person’s name, deadline, the action required, incentive, instructions for future requests, a warm thank-you, and detailed sender information.

Here too, other variations are possible depending on your own situation. You can also send a follow-up email if you don’t get a response or action as quickly as hoped for. Be sure to make it your own.

So there you have it. Simple and easy.

CASL’s first sanction against a foreign company

Sanction for the Irish site

On April 24th, the CRTC announced an undertaking with Ancestry Ireland Unlimited Company (“Ancestry”), which hosts the website. The latter uses emails to communicate with people registered on its online service, which allows the search for genealogical documents (family history, family trees, historical records, information based on genetic analysis, etc.).

The extraterritorial nature of CASL

This is the first time that a foreign company has been subject to a CRTC sanction in connection with the Canadian Anti-Spam Law (hereinafter CASL). Ancestry is an Irish company with no offices or employees in Canada. The provisions of CASL, however, indicate that it applies to any company that sends messages to Canadian subjects, regardless of the source of the messages.

Similarly, contrary to what many people believe, Canadian companies have to comply with CASL both in their sendouts to Canada and in the commercial electronic messages they send to the rest of the world.

A sanction even if the consents were legal

The CRTC was able to find that Ancestry had obtained valid consents to communicate with its contacts, that its messages contained the mandatory identification information as well as an unsubscribe link.

However, the company was still in the wrong according to the CRTC because their different databases did not synchronize the withdrawal of consents. A customer who unsubscribed from one list continued to receive messages from the other list.

The requirement to synchronize withdrawals of consent

CASL provides that a person must be able to unsubscribe from all commercial electronic messages from the company. In the absence of other choices in the unsubscribe process (ex.: to receive certain types of communications only), the person must by default be excluded from the receipt of all commercial communications.

This requirement of the law can become a concern for many. Indeed, in the majority of companies, there is no synchronization between the mailing lists and the sending of emails themselves, the email sending platforms being separated from CRM or databases. Many companies also often have no way of updating their consent for sending emails via Outlook if someone unsubscribes from their newsletter. Thus, a person could continue to receive communications, despite the fact that in principle, they have unsubscribed from all sendouts.

The compliance program is a must

Ancestry is, by this undertaking, obliged to comply with the Act with respect to the synchronization of its consents. It must therefore unsubscribe and remove from all its commercial communications any person who has indicated this desire, either directly or indirectly, within 10 working days of the request.

The company must also implement a compliance program under CASL which includes: “reviewing and revising current compliance practices […], as well as various other monitoring and auditing measures, including reporting mechanisms to CRTC staff regarding the implementation of the program.”1

Do not be the next company to be sanctioned

If you use an email sendout platform that does not synchronize consent withdrawals with other lists or with your internal email system, you’re in violation of CASL and you may be fined up to several hundreds of thousands of dollars.

If your company is not yet under investigation by one of the CASL enforcement authorities, there is still time to put your compliance program in place and protect yourself before it’s too late.