GDPR Compliance & Emails: What Canadian SMBs Need to Know

The European Union’s General Data Protection Regulation (GDPR) comes into effect on May 25th. Although details of how the law will be enforced are still being worked out, from that date, in the eyes of European law, an organization must be able to demonstrate that its processing of personal data is lawful and must be able to prove compliance.

Who is subject to GDPR?

For those of us here in North America who do business with Europe, GDPR applies directly: its scope is extraterritorial, and it reaches organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Specifically, GDPR applies to:

  • Any organization that collects, changes, transmits, erases, or otherwise uses or stores the personal data of individuals in the EU (not only EU citizens). Personal data is any piece of data that, alone or combined with other data, could identify a person.
  • Any person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data (the “Controller”) is accountable under GDPR.
  • Any organization sending emails to individuals in the European Union is subject to GDPR, regardless of the originating country of the emails.

What are the two main DIFFERENCES between CASL and GDPR?

  1. Commercial Electronic Message vs. Data Protection

The biggest differentiator between CASL and GDPR is that CASL governs Commercial Electronic Messages (CEMs) while GDPR governs data security and protection.

  2. Compliance Program vs. Lawful Bases

When proving compliance, a CASL compliance program that meets the CRTC’s eight requirements is the only due-diligence defence available in Canada. Under GDPR, an individual or organization may rely on one of the six lawful bases for processing, provided they can prove and demonstrate that they respected all the conditions and took all the action required of the lawful basis cited.

About Consent

Some lawful bases don’t apply to all businesses and marketers, but if you send emails, you’ll want to know about consent as a lawful basis.

Remember, a company must be able to fully justify why it is collecting the information of an individual or organization, for what purposes it is using it, and how that information is being protected.

Consent is one of the lawful bases, and the easiest one for email marketers to use to prove lawfulness and compliance under GDPR. However, the requirements are strict: if you rely on consent, you will need to obtain explicit consent, going forward, from all your subscribers and from anyone who fills out forms on your web pages to receive communications from you.

Important: unlike CASL, there is no implied consent under GDPR, nor are there B2B exceptions. There is only explicit, affirmative consent. Note that:

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity do not constitute consent; data subjects must explicitly opt in to the storage, use, and management of their personal data. A double opt-in procedure (the subscriber confirms the sign-up by clicking a link sent to the address they provided) is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message must state all the ways you could use the personal data you collect and how you protect it (e.g., link to your Privacy Policy to show that you take data protection seriously, and indicate that a person can access, rectify, or erase their data at any time).
  • Consent must be verifiable: keep a record of when, how and for which purposes someone agreed to let you process their personal data.
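Taken together, the points above describe a double opt-in and a verifiable consent record. The following is an added example (it is not code from this page or from Certimail) of how a mailing system can implement both; it also serves the record-keeping discussion further down. The signed confirmation link is what makes a clicked consent tamper-evident, and the register answers “when, how and for which purposes did this person agree?”. The signing key, the 48-hour link lifetime, and the form names and addresses are assumptions.

```python
"""Added example: double opt-in with a tamper-evident, verifiable consent record.

Assumptions (not from the page): a single server-side signing key, a 48-hour
lifetime for confirmation links, and constructed form names and addresses.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

SIGNING_KEY = b"replace-with-a-random-32-byte-secret"  # assumption: load from a secret store
TOKEN_TTL_SECONDS = 48 * 3600                           # assumption: links expire after two days


@dataclass(frozen=True)
class ConsentRecord:
    """What the register keeps as evidence that consent was given."""
    email: str
    purposes: tuple           # distinct purposes ticked on the form, e.g. ("newsletter",)
    source: str               # which form or page collected the opt-in
    requested_at: int         # unix time the form was submitted (step 1)
    confirmed_at: int         # unix time the confirmation link was clicked (step 2)
    confirmation_token: str   # the signed token that was clicked, kept as evidence


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(email: str, purposes: tuple, source: str, requested_at: int) -> str:
    """Step 1: the form was submitted; return the token to embed in the confirmation link.

    Nothing is recorded as consent yet: an unconfirmed sign-up never allows sending.
    """
    if not purposes:
        # No pre-ticked or blanket consent: the subscriber must tick at least one purpose.
        raise ValueError("consent must be specific to at least one stated purpose")
    body = json.dumps(
        {"email": email, "purposes": sorted(purposes), "source": source, "requested_at": requested_at},
        sort_keys=True,
    ).encode()
    encoded = base64.urlsafe_b64encode(body).decode().rstrip("=")
    return f"{encoded}.{_sign(body)}"


def confirm_token(token: str, now: int) -> ConsentRecord:
    """Step 2: the link was clicked; verify it and turn it into a consent record."""
    try:
        encoded, sig = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        raise PermissionError("malformed confirmation token")
    # Constant-time comparison: a forged or edited link (changed address or purposes) fails here.
    if not hmac.compare_digest(_sign(body), sig):
        raise PermissionError("confirmation token signature invalid")
    data = json.loads(body)
    if now - data["requested_at"] > TOKEN_TTL_SECONDS:
        raise PermissionError("confirmation link expired; ask the subscriber to sign up again")
    return ConsentRecord(
        email=data["email"],
        purposes=tuple(data["purposes"]),
        source=data["source"],
        requested_at=data["requested_at"],
        confirmed_at=now,
        confirmation_token=token,
    )


class ConsentRegister:
    """Minimal centralized consent log: append-only records plus per-purpose withdrawals."""

    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []
        self.withdrawals: dict[tuple[str, str], int] = {}   # (email, purpose) -> unix time

    def record(self, rec: ConsentRecord) -> None:
        self.records.append(rec)

    def withdraw(self, email: str, purpose: str, when: int) -> None:
        self.withdrawals[(email, purpose)] = when

    def may_send(self, email: str, purpose: str) -> bool:
        """True only if a confirmed record covers this exact purpose and no later withdrawal exists."""
        confirmed = [r.confirmed_at for r in self.records if r.email == email and purpose in r.purposes]
        if not confirmed:
            return False
        withdrawn_at = self.withdrawals.get((email, purpose))
        return withdrawn_at is None or withdrawn_at < max(confirmed)

    def evidence(self, email: str, purpose: str) -> list:
        """Everything you would hand to a regulator asking when and how consent was obtained."""
        return [r for r in self.records if r.email == email and purpose in r.purposes]
```

Before issuing real links, load SIGNING_KEY from a secret store; anyone who knows it can forge confirmations. The register here is in-memory only; in production the same append-only records would live in a centralized database, and evidence() is what you would export in response to a complaint or an access request.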

Access, Rectify, and Erase

Additionally, under GDPR, an individual must be able to access, rectify and erase the data you collect through your online forms (e.g., first name, last name, email address) at any time. We therefore suggest that you include a section in your Privacy Policy explaining how an individual may do this (e.g., by emailing the request to [email protected]).

Record keeping and a centralized database

Under both CASL and GDPR, good record-keeping practices are not only necessary to establish a due-diligence defence in the event of complaints against your business; they also help businesses (i) identify potential non-compliance issues, (ii) investigate and respond to consumer complaints, (iii) respond to questions about the business’s practices and procedures, (iv) monitor their corporate compliance program, and (v) identify the need for corrective actions and demonstrate that these actions were implemented.

Additionally, to meet GDPR’s requirements on data privacy and consent, a centralized database for contact management, processing and documentation is helpful, not only for client relationships and smooth, efficient operations, but also for proving lawfulness and compliance.

As an individual or organization that sends emails, for marketing or business purposes, what’s your best bet?

A CASL compliance program is considered the gold standard when it comes to protecting yourself against hefty fines. Remember that CASL applies to individual emails as much as to group emails and newsletters, regardless of whether they contain promotional content.

Implementing a CASL compliance program that meets all the CRTC’s requirements is not only required by law in Canada; doing so also strengthens your position with regard to GDPR.



[Study] Marketing Professionals’ knowledge of CASL – Spoiler: It’s not good…

Today, the AMR (Quebec’s Association of Relationship Marketing) unveiled its first study asking Quebec marketing professionals how well they know (or think they know) CASL (Canada’s Anti-Spam Law) and its compliance requirements. While the Canadian ministry responsible for CASL will soon respond to the recommendations made by Parliament in the law’s first review, it was important to measure the understanding and application of the law by the Quebec professionals most affected by it.

This study was conducted in collaboration with LJT, a law firm renowned for its expertise in marketing law, and Certimail, the Canadian leader in CASL compliance for SMBs.

Companies are not familiar with CASL

While 96% of respondents send commercial electronic messages (emails specifically), less than 6% correctly answered seven simple questions about CASL and its application. Of the 71% of respondents who said they were familiar with CASL, 85% failed this basic test.

One in two believes that Canada’s Anti-Spam Legislation only regulates promotional items (e.g., newsletters); however, it governs ALL commercial electronic communications (individual, group, batch, sales, transactional, regardless of whether there is promotional content or not).

10% of respondents are unaware that CASL applies to their organization and business practices.

“It’s been three years since CASL came into full enforcement, and yet professionals still don’t know its constraints and scope,” says Marc Roussin, president of the AMR. “Our association is, therefore, launching a series of activities to demystify the requirements of this law, which governs all commercial electronic messages.”

A big misunderstanding of compliance

60% of respondents said their businesses are fully compliant with CASL. Yet less than 10% have incorporated an unsubscribe mechanism into employee email signatures, a CASL obligation. Barely 11% have completed an audit, as recommended by the CRTC. Only 40% have a written compliance policy, and 75% of companies have not yet trained their employees on this law.

“If one doesn’t know the real dangers to which they are exposed, a company can’t properly execute good risk management and governance,” says Sophie Deschênes-Hébert, a lawyer specializing in advertising and technology at LJT. “The results of the study show that in digital marketing, many make strategic decisions based on incomplete or inaccurate information and expose themselves to costly and easily avoidable consequences.”

A misunderstanding of CASL directly affects one’s marketing effectiveness

Since the launch of CASL, approximately 9% of respondents stopped using email marketing altogether, while 11% reduced their use of this marketing channel.

This reaction is misguided, because CASL and all its regulations apply equally to the individual emails sent by employees, so giving up email marketing does not eliminate a company’s exposure. Several fines issued by the CRTC (e.g., the William Rapanos and POF Media cases) show that sometimes only a few complaints are required for a company to be investigated.

Eliminating or reducing email marketing is also a bad business decision: with a return on investment of 44 to 1, email remains the most profitable digital marketing tool for companies and organizations.

“Too many companies are afraid of this legislation, and it’s too bad because it’s an excellent opportunity to improve one’s marketing,” says Philippe Le Roux, president of Certimail. “Implementing a CASL compliance program not only protects you against fines but it improves marketing and operational effectiveness.”

Since the introduction of CASL, email marketing indicators have improved significantly in Canada, according to a recent IBM global study.

AMR launches an outreach program

In light of the results of the study, AMR will be launching a program of activities to help marketers learn about CASL’s regulatory requirements and provide guidance to help them achieve business compliance. This program will launch on May 3rd, 2018 during a conference dedicated to email and compliance. During the event, the CRTC will present its CASL enforcement methods. Several experts will also share their knowledge and experiences regarding compliant and effective email marketing. Additionally, a series of webinars will allow professionals to deepen their knowledge and to benefit from tried and true advice.

Consult the complete study (in French only).

15 Recommendations to Strengthen and Simplify CASL

Following our testimony before the Standing Committee on Industry, Science and Technology of the House of Commons, and the rich and numerous exchanges we had with members of Parliament during the question period, we published a brief containing a series of recommendations to be taken into account in their review process of the Canadian Anti-Spam Law.

Here are the 15 recommendations, which you can also download in their original PDF format:


This brief presents a series of recommendations to supplement the presentation given by our president, Philippe Le Roux, at the Committee’s 79th meeting. The following recommendations support two main objectives:

  • Enhance the benefits of Canada’s anti-spam legislation (CASL) for consumers and businesses
  • Facilitate CASL compliance for businesses

1) Educate consumers about CASL

Consumers are aware of CASL’s existence, but they are not aware of the primary rules regarding consent. As a result, many complaints are being filed about messages that are fully compliant with the regulatory requirements but perceived by certain recipients as unsolicited. This places an unnecessary burden on enforcement agencies and creates needless friction between businesses and consumers.

R1: We recommend that a CASL education and outreach campaign be launched across the country to educate consumers about the kinds of messages and situations that are regulated as well as the defence mechanisms available, such as the Spam Reporting Centre (SRC) and the private right of action.

2) Educate businesses about CASL compliance

The main obstacle to CASL compliance is total or partial ignorance of the regulatory requirements. The latest studies show that less than 20% of Canadian businesses know that a compliance program is needed to make use of the due diligence defence. For small and medium enterprises, which account for 97% of Canadian businesses, this falls to less than 5%.

R2: We recommend that a campaign be launched to educate small businesses about the many regulatory requirements and the importance of compliance programs. This campaign should be carried out in cooperation with agencies that deal with small businesses, such as chambers of commerce, industry associations, and advocacy organizations such as the Canadian Federation of Independent Business (CFIB).

R3: We also recommend that the CRTC produce CASL awareness webinars based on the conferences given by the investigations and compliance team during the awareness campaign last spring in Toronto, and that these webinars be posted on its site.

3) Improve the website

The authoritative website for information about CASL is only updated a few times a year, leaving the perception that it is not really a topic of concern for businesses. As well, the site does not provide an objective-based user experience, but instead presents categories of information, making it very difficult for an inexperienced user to find what they are looking for. Lastly, the site hides the regulatory requirements for recordkeeping, the basis for most fines.

R4: We recommend that the website be redesigned based on a dual architecture: one section educating consumers about how CASL protects them, how to determine whether or not a message is compliant, and the various courses of action available if they receive a non-compliant message; and another section educating businesses about the requirements and the CRTC’s interpretations with respect to compliance.

4) Remove uncertainty surrounding the most common issues

During its two appearances before the Committee, the CRTC referred to some of the directives it has released over the past three years. We have identified about 100 common compliance issues affecting small businesses. The CRTC is clearly too slow to release information, adding stress and a needless burden on companies that wish to comply.

As well, the CRTC’s published decisions show that in each case, it has taken a narrow interpretation of CASL, each time creating an unreasonable requirement for small businesses that wish to comply. This way of dealing with businesses that make honest mistakes discourages small businesses from investing in compliance.

R5: We recommend that the CRTC establish an advisory committee made up of key stakeholders (consumer advocates, legal experts, email marketing experts, compliance experts) to identify and analyze the most common compliance issues and quickly release its compliance requirements and guides on these issues, in line with the advisory committee’s recommendations.

5) Oversee compliance services

CASL compliance service providers such as Certimail, Newport Thomson, AAM, Deloitte and KPMG are strategic allies for the CRTC in encouraging Canadian businesses to develop documented compliance programs. Despite our very limited resources, this year Certimail has educated more small businesses in Quebec than the CRTC has across Canada.

Companies would be more motivated to invest in a compliance program if they were assured that these programs are effective, which is not currently the case.

R6: We recommend that the CRTC publish codes of conduct that oversee, recognize and endorse industry-developed compliance programs, as is the case with the GDPR in Europe.

6) Range of fines

It is surprising that Canada’s biggest spammer, Compu-Finder, which generated up to 25% of the complaints filed with the CRTC at the time of investigation and consistently refused to cooperate throughout the process, was fined the same amount as Rogers Media, which acted in good faith and fully cooperated during the investigation.

As well, threatening a small business of 10–30 employees with $10 million in fines appears to be so disconnected from the reality of these businesses that they do not take CASL and its enforcement seriously and are not motivated to comply.

Although the $10 million cap needs to stay in place so that fines continue to serve as a deterrent and prevent multinationals from seeing fines as simply a cost of doing business, a graduated range of fines depending on the business, the offence and the context would make the threat more real and therefore more effective.

R7: We recommend that the CRTC set a range of fines taking into account the size of the business, its annual revenues, the number of complaints received, the seriousness of the offence, the intent and past history of the business. A minimum and maximum fine for each offence category could be set.

7) Private right of action (PRA)

As long as the number of fines remains negligible compared to the number of complaints (6 vs. 1.1 million), consumers and businesses need another avenue to protect their rights.

The PRA has a deterrence power that the CRTC has not been able to obtain in three years. We received 10 times the number of requests for information on compliance in spring 2017 than in spring 2014. This number plunged immediately following the government’s June 7 announcement that the measure was being postponed.

R8: We recommend that implementation of the private right of action be announced quickly with a deadline of July 1, 2018, so that businesses can be educated about the above recommended compliance requirements.

8) Limit withdrawals to the reference entity

The CRTC is currently interpreting “withdrawal of consent” more broadly than the consent itself. The following is an example given by the CRTC during a recent presentation in Toronto. If a consumer signs up for newsletters from Dove (a Unilever brand), Unilever cannot send that consumer commercial electronic messages (CEMs) about its other brands. However, if the consumer withdraws consent, by default this withdrawal must be applied to all CEMs sent by Unilever, including those pertaining to brands for which there may be implied or express consent, even though the consumer may not be aware that both brands belong to the same company.

R9: We recommend that withdrawal be limited to the brand in question, not the parent company’s entire line of brands, whose existence and breadth may be unknown to consumers.

9) Transactional and service messages

Under section 6(6), transactional and service messages that do not require consent must still include an unsubscribe mechanism, which imposes a burden on companies and creates confusion and frustration for the consumers who receive them.

R10: We recommend that section 6(6) simply be repealed so that only identification information is required in such messages.

10) Differentiating the various types of commercial electronic messages

Currently, virtually all CEMs fit into three categories:

  • batch messages
  • automated marketing messages sent individually, but without human intervention
  • individual messages written and sent explicitly by someone for each mail out

However, CASL provides that, by default, withdrawal of consent in response to any of these messages must be interpreted as a withdrawal of consent for all commercial electronic messages of all types.

R11: We recommend that CASL be amended to reflect these different message categories and that the regulatory requirements take them into account, such as by limiting the scope of withdrawals to the category of message that initiated the withdrawal request by default.

11) Expand complaint forms and make them public

The current complaint form does not allow complainants to provide additional context when filing a complaint. This is extremely frustrating for some consumers, and it deprives investigators of information that could help validate and process complaints.

Furthermore, the SRC is a black box, and this lack of transparency is very frustrating to consumers who want to know if they are the only ones complaining about a company, and to companies interested in finding out how many complaints have been filed against them.

R12: We recommend that the complaint form be expanded to include fields that allow complainants to provide context about the offending messages, and that the complaints index be made accessible through an open data file as well as a web interface allowing searches on multiple criteria, including company names and brands. Of course, this information would be accompanied by a notice indicating the basis of the complaint has not been validated.

12) Speed up investigations to keep up with complaints

With just under 500 investigations and six fines issued in three years over more than 1.1 million complaints, the CRTC is leaving the impression that there is practically zero chance of getting caught. In fact, small businesses see CASL as little more than a game of Russian roulette with six bullets in a revolver with 1 million blanks, rather than a set of regulations that apply to everyone.

R13: We recommend that the CRTC develop mechanisms to automate complaint analysis and processing combined with a graduated range of fines to reduce the investigation workload required for each case.

R14: We also recommend that companies subject to a first validated complaint receive a warning letter to raise awareness and to inform them that they could face investigations or fines.

13) Promote the benefits of CASL

Not only has CASL resulted in a sharp drop in spam in Canada, but it has also had a positive impact on the effectiveness of email marketing. The email marketing performance of Canadian companies has increased over 20% since CASL came into force. Promoting the competitive advantage of CASL compliance will help the government motivate businesses.

R15: We recommend that the government launch an education campaign about the effectiveness of email marketing when it complies with CASL best practices. This will allow companies to see the cost of compliance as an investment in marketing.

Those are our main recommendations, based on four years of working with dozens of businesses of all sizes and in all fields to ensure they are compliant, as well as on over 20 years of expertise in effective email marketing. We are available to the Committee and its members to discuss these recommendations in greater detail.


Horrifying Email Marketing Requests and their Saintly Solutions

Although Halloween is soon upon us, scary email marketing strategies occur regularly throughout the year. Fellow email marketing professionals at MediaPost’s Email Marketing Daily recently published the commentary “Horrifying Email Marketing Requests.” It’s hard to imagine that companies still engage in such nefarious practices, but even our colleagues here at Certimail are no strangers to similar requests, even with CASL in full force.

Let’s look at each one with regards to CASL and marketing efficiency.

1. Why can’t I spam my clients?

Although businesses may not say this outright, many still want to mass-communicate to a single list. If you have consent, it is not spamming in the eyes of CASL, but mass email communication is spam-like, simply because it doesn’t take into account the preferences of the receiver: the value for them, the relevance, the “what’s in it for me?”.

A one-size-fits-all approach can have you looking like a ghoul and will eventually lead to unsubscribes and complaints to the CRTC.

Instead, focus your main content and segment your emails based on customer, client, and contact interest clusters.

(For example, if you are a Vampire blood supply company, you can segment by blood types, antibody types, fresh harvest, aged harvest, etc.)

The benefits of segmentation are plentiful in the short, medium and long term. They include higher open rates, higher click-through rates, higher click-to-purchase rates, lower churn rates, lower unsubscribe rates, etc.

2. But I need to move this product!

Of course, you do! But that doesn’t mean that your entire email list is interested in that particular product. Remember, a one-size-fits-all approach will lead to unsubscribes and complaints to the CRTC.

Smart goblins segment on a combination of the following criteria: past purchases, cart abandonment, and past campaign clicks on the said product.

(For example, if you are a clothing company for monsters, then based on past purchases you don’t want to send emails about witch outfits to vampires. If a vampire has left a velvet cape in her cart but didn’t purchase it, an email about velvet capes would be a good idea.)

If you want to take it one step further, segment further based on an RFM (recency, frequency, monetary value) matrix. For quick wins, prioritize the high-value, income-generating segments.

This way you can still email groups of people, but you’ll be more efficient and see better results on your bottom line. Understand that there’s no need to communicate with someone who is not listening. It’s a waste of time and money.

3. We should capture 100 million email addresses.

Whoa, OK! Remember that you need either EXPRESS or IMPLIED consent for each contact. Each has its conditions and limitations, and records of consent for each contact are required.

It also takes time and money to get those addresses, and they won’t be of high quality if you are mass-harvesting them. Additionally, most email service providers charge per batch of X contacts, so it’s a waste of time and money to try to communicate with someone who is not listening.

Don’t be that fire-breathing, hoarding dragon Smaug; instead, focus on smaller clusters of higher value. When it comes to collecting email addresses, your website landing pages are your best sources. Make sure they are properly worded and placed.

Do you want to know if your email marketing program is raking it in like Gringotts? Here’s a quick benchmark to see if it’s performing as well as it should: $1 spent on email should return $38 in revenue.

If you’re not sure about your email marketing program or have questions and concerns, one of the best places to start is with an email marketing diagnostic. Doing so will identify the problems and solutions to implement.

In the meantime, have a Happy Halloween and try to shelve those scary strategies.

CASL: What’s changed since July 1st?

After three long years, the grace period has ended, and companies must have established and implemented a compliance program. Businesses can no longer defend themselves by explaining that they weren’t aware of all the criteria necessary to be compliant.

From now on, to whom can you send messages?

From now on, you may only send commercial electronic messages to:

  • persons who have given express consent,
  • clients who have made at least one transaction with you in the last two years,
  • individuals who have made an inquiry or request to you within the last six months.

ATT: You can no longer send communications to any other contacts. This includes sending a consent request: the CRTC was very clear that an email requesting consent is itself a commercial electronic message and cannot be sent without prior consent!

What to do about leased or purchased lists?

The CRTC explained that when you obtain lists from a third party, you must verify that your supplier obtained the appropriate consent for each contact, including consent for the type of communication (medium and content) one can send to an individual.

The CRTC clarified that, to discharge your liability, you must demonstrate that you took action to verify the legality of the consents obtained by your supplier. Otherwise, or if the CRTC deems your actions insufficient, you will be held responsible.

This also applies to directories. Before using information from a directory, you must verify that you have the right to do so and that the publisher of the directory obtained the proper consents. Otherwise, you will be held responsible.

Can agencies, ESPs and CRM suppliers be held responsible?

The CRTC has explained, in reference to the responsibility of agencies and technology platforms, that if the suppliers are involved in the content of the message, they may be held jointly liable for violations of Canada’s Anti-Spam Legislation.

For example, this applies to agencies that write copy and design emails (and other electronic messages) for their clients, as well as ESPs and CRMs that offer dynamic content customization or dynamic segmentation.

We’ll be consulting with our partner lawyers shortly for more information. Stay tuned for a detailed article on this subject.

Polls & Surveys

With regards to emails inviting individuals to participate in a poll, if the survey is just a study, it does not fall within the definition of a commercial electronic message and therefore does not require prior consent.

However, if the poll or survey refers to a product or promotes it, even subtly, it must meet all the requirements of CASL.

A good rule of thumb is to ask yourself if the individual who completes the survey can guess the name of the company or brand. If so, your survey is likely to be in violation of the law.

SMS and MMS messages

Although fewer commercial text messages are sent in Canada than in other countries, consumer complaints about them are on the rise and these messages are in the CRTC’s sights.

The CRTC explained that if companies send text messages for commercial (not necessarily promotional) purposes, or plan to do so, they must ensure that their compliance program covers these types of messages.

ATT: If a person is not on the National Do Not Call List (NDNCL), this does not mean you have consent to send them text messages.

Whereas the NDNCL uses an opt-out procedure (a person has to contact them to be removed from their list), Canada’s Anti-Spam Law uses an opt-in principle (individuals must give you permission to be contacted).

Transactional messages

The CRTC has clarified that transactional messages (such as the confirmation of a transaction, a password change, a scheduled alert, etc.) are not considered commercial electronic messages, as long as they do not contain a commercial offer. Transactional messages can also be sent even if the person has withdrawn their consent.

However, the CRTC has made it clear that these transactional messages must comply with all the provisions of CASL, including those articles referring to “mandatory information” and “unsubscribe mechanisms”.

Brands and parent companies

When the CRTC discussed this point during an IAB presentation, the crowd told them they were crazy. Take note: any withdrawal of consent applies to the whole company by default (affiliates and parent companies included), and not just the brand or business indicated in the unsubscribe form.

Let’s take Loblaws and Shoppers Drug Mart as an example: if a consumer unsubscribes from the Loblaws supermarket newsletter, consent is automatically withdrawn from the entire company and not just from supermarket communications. If the consumer was subscribed to the Shoppers Drug Mart newsletter at the time they withdrew their consent to Loblaws, under the law they should no longer receive Shoppers Drug Mart newsletters either.

The only way to manage this situation legally is to offer an unsubscribe form in which the consumer can choose the brands to which he or she wishes to remain subscribed.

When the CRTC was told that this was a bit crazy, their response was “We don’t know how you operate, guys! So come and talk to us so that we can understand you better”.

In conclusion, the law is tricky. Those who are not vigilant or proactive will eventually be heavily fined and required to complete their compliance program.

The solutions and compliance programs offered by Certimail, built in collaboration with researchers from the Faculty of Law at Université de Montréal, meet the new requirements of the CRTC.

If you already have a program set up by us, you have nothing to change. You’re covered.

If you don’t have a compliance program, our experts are at your disposal to assess your situation and can offer you an efficient and inexpensive program that meets the CRTC’s requirements.


CASL Compliance: How badly informed are Canadian and QC firms?

Seven years after its approval by Parliament and three years after it came into force, a Canada-wide survey shows that businesses, small and large, are still confused about CASL compliance, the types of messages it regulates, and the means to protect oneself from fines and lawsuits.

Canadian companies

The study, which was conducted recently by the Direct Marketing Association of Canada (DMAC) and law firm Fasken Martineau DuMoulin LLP, surveyed over 200 individuals directly responsible for CASL compliance of their organisation. Here are some of the highlights from the study:

  • 64% didn’t understand how to make their message CASL compliant beyond consent and an unsubscribe link
  • 46% were unaware that an organisation could be ordered to pay damages
  • 40% of them didn’t know that they can be held personally liable
  • 64% stated that their organisation did not (or didn’t know if their organisation had) a formal compliance policy
  • 63% believed that employees and staff don’t require CASL compliance training
  • 60% indicated that their company never performed a compliance audit

This is quite disconcerting, especially considering that the last 3 points are items the CRTC requires in order to be able to defend oneself, should you face an investigation or prosecution.

No better for Quebec SMBs

Although this study was conducted amongst medium to large businesses in English Canada, a similar study was just recently published surveying Quebec SMBs.

  • Less than 5% of Quebec SMBs comply with CASL
  • More than 75% were unaware that companies could be fined, even if they have explicit consent
  • Only 35% knew that from July 1st, 2017 onwards, companies will be subject to civil or collective redress
  • 40% were surprised to learn that SMBs, as well as individuals, can face the same charges as large companies
  • 38% didn’t know that many QC companies have already been investigated and received fines
  • 1 out of 4 were unaware that CASL regulates individual emails, as well as text and social media messages

The CRTC’s shortcomings

Although the CRTC enforces CASL, informing and educating businesses is its greatest shortcoming. The Act contains an article allowing companies to defend themselves, but to rely on it a company must meet the CRTC’s eight required categories. However, finding these requirements on an official website is very difficult.

The regulatory body does give presentations, but for the moment, it is almost exclusively to large law firms in Toronto. Unfortunately, 97% of Canadian companies are small businesses that can’t afford to do business with these big firms.

What can you do for yourself?

Canadian law states that “no one is supposed to ignore the law”.

A compliance program is also the only way to protect you and your business, and your employees, from tens or even hundreds of thousands of dollars in fines and legal fees.

So what do you do? You don’t want to stop your email marketing activities because it’s the top digital performer when it comes to ROI. We’ve done the calculations and penny for penny, all things considered, even a small investment in a compliance program is better than no investment at all.



CASL: The 6 most common mistakes you weren’t aware of

Most companies believe that they already comply with CASL. But the majority of businesses we’ve met are, in fact, not compliant, simply because they aren’t aware of the complexities and details of this law. Unfortunately, this ignorance is already costing companies and employees, heavily.

Of the approximately 100 compliance rules and items we validate for our clients, we’ve identified the 6 most common mistakes and how to resolve them. Check and see if your company’s compliance level is what you believe it to be.

N.B.: This is not a substitute for a compliance program as required by the CRTC, but is an easy way to assess whether your business is as compliant as you think it is. A full compliance program, which meets the CRTC’s eight required categories, is the only way to truly protect yourself from costly penalties and prosecution. Section 33 (1) of the Act states that “No person shall be held liable for a violation if they prove that they have taken all reasonable precautions to prevent its commission”.

Mistake #1: No unsubscribe mechanism in individual emails

While most companies ensure that they have an unsubscribe link in their newsletters, there is very little compliance with this requirement for their individual emails.

Simply put, CASL makes no distinction between a promotional newsletter sent to thousands of people and an email sent from one employee to another person. In both cases, these are “commercial electronic messages”, and the Act requires that each message includes mandatory information and a mechanism for unsubscribing.

Make sure that your business email signatures and all of your employees’ email signatures include a statement indicating how one can withdraw from your business’ communications.

For example:

If you receive an email from an employee at Deloitte Canada, you’ll note that their signatures always include the following statement: “If you do not wish to receive future Deloitte business emails, please send this email to ‘[email protected]’.” Similarly, at Certimail, my colleagues and I consistently include in our email signatures the following sentence: “If you no longer wish to receive commercial messages from Certimail, please indicate this by replying to this message”. Voilà. It’s as simple as that.

Mistake #2: Misworded newsletter sign-up forms

As per Canada’s Anti-Spam Legislation, the concept of consent is not equivocal; it is explicit. That is to say, the wording of consent given determines what one has the right to send and receive.

This means that if your subscription form refers to newsletters, consent applies to newsletters and to no other type of commercial email or communication. For example, one or a series of emails from sales (news about promos, blog articles, “I think you might find this useful”, etc.) would then be in violation of the law and risk fines.

Check the wording on ALL your consent forms and use broader text, as illustrated in the example below, so that they don’t limit your electronic communications.

For example:

On the left, taken from our website, consent is requested for advice and promotions for all electronic communications (see the form for yourself, and don’t be shy to sign up to stay informed of the law). On the right, consent is limited to newsletters, forcing a company to request permission again for other types of electronic messages.

Good and bad newsletter sign-ups

Mistake #3: Records of ALL email communications are not kept

Many SMBs typically erase emails from their inboxes as soon as the content is no longer needed, useful, or relevant. People typically do this to clear their inbox and, incidentally, free up disk space.

Such a practice is dangerous under Canada’s Anti-Spam Legislation. The CRTC requires that businesses retain the text of all their commercial emails should an investigation arise. Without these records, you have no way of defending yourself.

Implement an email protocol to automatically archive messages on a server (IMAP or Exchange) or manually archive messages to folders instead of deleting them.

Mistake #4: Proof and records of consent are not kept

When under investigation by the CRTC, many SMBs justify themselves with the following: “We only send our newsletters to those who have registered on our website”.

In a notice published in July 2016, the CRTC states that a company claiming to have obtained consent for the sending of a commercial electronic message must provide proof of that consent and must retain all evidence of such consent (such as, but not limited to, completed forms, audio recordings, etc.).

Most US platforms such as MailChimp, Campaign Monitor, SalesForce, etc. don’t keep records of consent.

When a person, who once gave you consent in the past, makes changes to his or her profile, that new information replaces the original data. In the event of an investigation, you will not be able to provide proof that you once had that individual’s consent.

Solution 1:

Consider using a Canadian ESP, such as Cyberimpact or Cakemail. They are optimised for CASL and automatically archive and keep records of consent.

Solution 2:

Archive all your data by implementing an automatic or manual daily export of all the information and activity regarding your sendout lists.

Mistake #5: Copies of forms and their version histories are not kept

Some SMBs do their due diligence and retain consent data provided through form submissions, such as the date, time and IP address of the user. Unfortunately, this information is not enough to prove consent.

Remember, consent must be explicit and not equivocal. You must, therefore, be able to provide proof that the information displayed on the form the user completed was explicit. Considering the investigation process, if and when the CRTC contacts you, the chances are strong that your website has undergone a redesign or changes, and a form from a year ago is not the same as it is today.

Solution 1:

Consider using a Canadian ESP, one that automatically archives copies of forms.

Solution 2:

Take a screenshot with a timestamp of each of your consent forms every time you change or update your website or forms.
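The record-keeping in Mistakes #4 and #5, and the brand-wide withdrawal rule from the Loblaws example above, are easy to get wrong when consent lives only as a mutable profile field. The following is an added example (not Certimail’s code nor any ESP’s) of an append-only consent ledger: every event keeps the exact form wording and its SHA-256 fingerprint, withdrawals never overwrite consent records, and an unsubscribe with no brand choice withdraws consent for every brand. Addresses, brand names, form text and timestamps are constructed sample data.

```python
# Added example: append-only consent ledger (not the product described on the page).
# Each consent event stores the form text the subscriber saw plus its SHA-256,
# so a later website redesign cannot erase the evidence of what was consented to.
import hashlib
import json
from datetime import datetime, timedelta, timezone


def form_fingerprint(form_text: str) -> str:
    """Fingerprint of the consent wording (Mistake #5: form version history)."""
    return hashlib.sha256(form_text.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Events are only appended; a profile change never overwrites them."""

    def __init__(self) -> None:
        self._events: list[dict] = []

    def record_consent(self, email, brands, form_text, at, ip=None):
        event = {"event": "consent", "email": email, "brands": sorted(brands),
                 "form_sha256": form_fingerprint(form_text),
                 "form_text": form_text, "at": at, "ip": ip}
        self._events.append(event)
        return event

    def record_withdrawal(self, email, at, brands=None):
        # brands=None is a plain "unsubscribe" with no brand choice: per the
        # CRTC's reading it withdraws consent for the whole company.
        self._events.append({"event": "withdraw", "email": email, "at": at,
                             "brands": None if brands is None else sorted(brands)})

    def _active(self, email, at):
        """Replay events up to `at`: brand -> the consent event that grants it."""
        active = {}
        for ev in self._events:
            if ev["email"] != email or ev["at"] > at:
                continue
            if ev["event"] == "consent":
                for brand in ev["brands"]:
                    active[brand] = ev
            elif ev["brands"] is None:
                active.clear()  # company-wide withdrawal
            else:
                for brand in ev["brands"]:
                    active.pop(brand, None)
        return active

    def may_send(self, email, brand, at) -> bool:
        return brand in self._active(email, at)

    def evidence(self, email, brand, at):
        """The consent record (with form text and hash) in force at `at`, or None."""
        return self._active(email, at).get(brand)

    def export_json(self) -> str:
        """Daily off-platform export of the full history (Mistake #4, Solution 2)."""
        return json.dumps(self._events, default=lambda d: d.isoformat(), indent=1)


# Constructed sample data (hypothetical company, brands and subscriber).
FORM_V1 = ("I agree to receive electronic communications (news, advice and "
           "promotions) from Example Foods and its affiliated brands.")
T0 = datetime(2017, 3, 1, 9, 0, tzinfo=timezone.utc)


def sample_ledger() -> ConsentLedger:
    """Consent to two brands via FORM_V1, then a plain unsubscribe 30 days later."""
    ledger = ConsentLedger()
    ledger.record_consent("alex@example.org", ["supermarket", "pharmacy"],
                          FORM_V1, T0, ip="203.0.113.10")
    ledger.record_withdrawal("alex@example.org", T0 + timedelta(days=30))
    return ledger
```

Replaying the ledger answers both questions an investigator asks: whether a given brand could be mailed on a given date, and exactly which form wording that permission rests on.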

Mistake #6: No written compliance policy

While you may take all necessary measures to comply, you are never entirely immune to the error of an employee or subcontractor, or to a technical problem, that may put you in violation of the law.

Fortunately, section 33.1 of Canada’s Anti-Spam Law provides some support and a “defence” for businesses that have demonstrated good governance, though only if you have taken all the necessary measures to be compliant. The CRTC has stated that these measures must include a formal compliance program that meets eight specific requirements. One of these requirements is to have a written compliance policy that employees know and respect, with disciplinary action for those who fail to do so.

Write your CASL policy following a full risk audit and analysis, and make sure your employees understand and apply it.

Running a business without a written CASL policy is like riding a motorcycle without a helmet: “It’s safe as long as there’s no accident”.

What’s your score?

If you’re already aware of and make none of these mistakes, then bravo! You are one of the very few companies that do their due diligence. But there are over 100 rules to respect, so formalising your compliance program should be quick and inexpensive if you haven’t already done so. It would be a shame to be so savvy, yet fined for one of the 100 rules and regulations.

If you’ve found that some of these 6 mistakes apply to your business, it’s proof that you’re not compliant. July 1st has passed, and fines and class actions are multiplying. There are over 100 rules to respect, so now is the time to set up your compliance program to protect yourself, your employees, and your business.

We’re here to assess your situation, and to provide you with an inexpensive yet highly effective way, to set up a compliance program, which meets the CRTC’s requirements.

We know and understand that businesses don’t always have the cash or want to make the time to set up a program immediately, but our solutions are specially adapted to the reality of independent workers and small to medium-sized businesses.


Hertz & Thrifty to Pay Over One Million in Fines

$1.25 Million Fine

The Competition Bureau of Canada recently announced that car rental companies Hertz Canada Limited (Hertz) and Dollar Thrifty Automotive Group Canada Inc. (Thrifty) have agreed to pay a $250,000 fine plus additional fees for sending emails with deceptive promotions: advertised prices in said emails did not include certain mandatory service fees.

Mea Culpa

Upon hearing that the Competition Bureau of Canada was investigating similar practices from their competitors Avis and Budget, Hertz and Thrifty executives voluntarily approached the Bureau to address their own situation. This is probably why the fine of $1.25M is well below the $3M fine plus $250,000 of fees paid by Avis and Budget.

Once Again, Consent & An Unsubscribe Link Are Not Enough

This fine, once again, confirms that simply having the consent of recipients and including an unsubscribe link in one’s newsletters are not enough to be in good standing and to protect one’s self.

In fact, there are nearly a hundred risks that must be analyzed to ensure that a company complies with the Canadian Anti-Spam Law (CASL). CASL amends certain articles of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Competition Act. Thus one has to take these laws into consideration when sending commercial electronic messages.

The Importance of a Compliance Program

Hertz and Thrifty, in their agreement with the Competition Tribunal and in addition to their fines, had to commit to implementing a compliance program under the supervision of the Competition Bureau.

There’s no doubt that, had they been proactive in the implementation of a compliance program before being found at fault, they would have avoided paying such hefty fines (plus all the legal costs associated with their case).

If your business is not yet under investigation, there’s still time to set up your compliance program and protect yourself before it’s too late.



Amazon complies but is still fined $1.1M!

Amazon’s emails complied with three essential principles of the Anti-Spam Act:

  1. Amazon sent messages only to those with whom it had consent,
  2. Each email contained a straightforward and efficient unsubscribe mechanism,
  3. Information to identify and contact the business (company name, mailing address and phone) was indicated.

So, why did Amazon agree to pay a penalty of $1 million plus $100,000 for certain investigative expenses incurred by a government regulator?

The devil is in the details

Although Amazon complied with the three top items of Canada’s Anti-Spam Law, there are still 53 pages of details and guidelines in the Act. In fact, after analysing the Act with marketing communications specialists and researchers at Université de Montréal’s Faculty of Law over the course of several months, we’ve identified more than 150 compliance risks for businesses.

For example, 99% of emails sent by a business are commercial, so they must comply with the Anti-Spam Act. This includes individual business emails. Do your emails have an unsubscribe mechanism? Your newsletters I’m sure do, but probably not your individual ones. Yet, it’s mandatory.

Canada’s Anti-Spam Law applies to four pieces of Legislation

The act is defined as follows: “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the 1) Canadian Radio-television and Telecommunications Commission Act, 2) the Competition Act, 3) the Personal Information Protection and Electronic Documents Act and 4) the Telecommunications Act” (S.C. 2010, c. 23).

Many SMBs are simply not aware of the reach of this legislation. It’s not just an anti-spam act; it’s a true code of “electronic” conduct for businesses. Additionally, journalists and commentators, regularly talk about the CRTC’s role in enforcing this act, but often omit the Competition Bureau’s (and other regulatory bodies’) involvement.

For example, if you violate one of the Competition Bureau’s articles through an email communication, you will be fined, and heavily. Note carefully: fines can reach up to $10 million when a violation is done via email.

The case of Amazon

Canada’s Competition Bureau stated, “With the adoption of Canada’s Anti‑Spam Legislation, provisions were added to the Competition Act to provide additional tools for addressing false or misleading representations in all forms of electronic messages. The Bureau’s investigation into Amazon’s price advertising was made per these provisions.”

So, because Amazon was promoting prices, by referring to savings in relationship to list prices, they were fined.

Amazon complies but is still fined $1.1M for misleading pricing.

As indicated by the Competition Bureau, “Amazon often compared its prices to a regular price—or “List Price”—signaling attractive savings to consumers. The Bureau’s investigation concluded that these claims created the impression that prices for items offered on were lower than prevailing market prices. The Bureau determined that Amazon relied on its suppliers to provide list prices without verifying that those prices were accurate.”

Although it’s primarily on that these types of promotions are found, the Competition Bureau was able to convict Amazon because the company had communicated these promotions by email.

Not a first for the Competition Bureau

The case of Amazon is not the Competition Bureau’s first fine under CASL. They’ve already gone after car rental companies Avis and Budget for hiding certain mandatory fees in posted promotional pricing.

Additionally, the Competition Bureau said that it’s been documenting these situations since 2009 and fighting for years to prevent these types of practices. But it was only with the arrival of CASL that it finally had the means to do so.

The case of Avis and Budget pending before the Competition Tribunal was settled by the companies’ consent to pay $3M in fines and $250,000 in compensation to the Bureau.

The mandatory compliance program is your only real protection

As these examples here illustrate, it’s almost impossible to be confident that you’ll never violate CASL, especially since many details of the Act are very vague and will only be clarified by actual cases in years to come.

It’s for this particularity that Parliament has provided in the Act a means to protect oneself: if a business (or individual) can demonstrate that it has acted diligently to comply with the Act, it will be immune from sanctions. To “act diligently” means to have a compliance program that meets the CRTC’s eight requirements.




Kellogg to Pay $60,000 for Mishandlings by a Third-Party & Lack of Records

Last week the CRTC published an undertaking made by Kellogg Canada Inc. to pay a $60,000 fine after violating Canada’s Anti-Spam Law (CASL). A third party sent promotional email messages to recipients on behalf of Kellogg’s from October 1 to December 16, 2014. Apparently, Kellogg did have consent but was unable to provide records and proof. Without the proper documentation, the CRTC determined that these messages were sent without express or implied consent.

This case is a caution that companies need to ensure that their service providers comply fully with CASL. This judgement also stresses the importance for a company of having a compliance program in place that meets the CRTC’s eight requirements, including proper record-keeping.

This means you must be able to provide to the authorities, at all times, a list of all the persons to whom you have sent electronic communications during the last three years. You must supply proof of consent, including the date of consent for each one of your contacts, as well as transcripts of all the messages you sent to each contact.

Through the implementation of a proper compliance program, Kellogg has committed to review and revise its written policies and procedures, update its training programs to address CASL obligations, track CASL complaints and their resolution, and update its auditing mechanisms to assess compliance.

In a statement to, Kellogg said, “We are aware and disappointed in our company’s alleged violation of Canada’s anti-spam legislation as it relates to commercial electronic messages sent by our third-party suppliers on behalf of Kellogg Canada in late 2014. … At Kellogg, consumers are at the heart of all we do, and we will continue to earn their trust and demonstrate a commitment to integrity and ethics each and every day.”

Note that service providers can be held accountable. Although it was not the case with Kellogg’s, the third party in this situation could have been fined for not respecting CASL, and/or Kellogg’s could have sued their third party supplier.

Update May 16th, 2017: This morning, IAB Canada invited two CRTC enforcement officers to Toronto, Kelly-Anne Smith, Legal Counsel, and Dana-Lynn Wood, Senior Enforcement Officer, to present the status of CASL enforcement.

The CRTC has explained, in reference to the responsibility of agencies and technology platforms, that if the providers are involved in the content of the message, they may be held jointly liable for violations of Canada’s Anti-Spam Legislation. Learn more about what changes July 1st, 2017 here.

Violations of CASL can result in penalties up to $1 million per violation for individuals and up to $10 million per violation for organisations. Businesses, representatives, employees, officers, directors, and administrators can all be held personally liable and forced to pay a fine. A compliance program is your only defence. Click here to learn more about all the requirements.