Posts

Case study: Newsletters mistakenly flagged as spam… What to do?

If you send out a newsletter, chances are good that at least one recipient has unsubscribed, and in doing so, cited “spam” as their reason for unsubscribing. If you have Hotmail, Yahoo, or Google email addresses in your lists or CRM database, flagging an email as “spam” is even easier for them.

Even if your newsletter or communication is not “spam”, people nowadays get easily irritated and take out their anger on email by hitting that spam button. Sad story, but true.

Now without having to get into the details of email deliverability, each time an email you or your company sends is tagged as spam, there are checks and balances that go on in the background, affecting your email deliverability score. If you score reaches a certain level, or if the email platform you use to send emails receives a certain amount of “spam” hits, you could receive a warning or worse, be banned from sending emails.

This is unfortunately what happened to one of our clients.

Situation:

Our client’s email address acquisition process was not optimised, and although their communications were definitely not spam, their newsletters were flagged by some. They received warnings and were only a couple of emails away from being blacklisted. And undoubtedly, equally close to receiving a notice from the CRTC.

This was a huge concern for our client as email was crucial to their business model. Without it, they would not have been able to serve their users.

Solution:

They were in a precarious situation and they needed to act quickly. Our solution for them was simple, set them up with a CASL Compliance Program.

As per CASL:

“A person must not be found to be liable for a violation if they establish that they exercised due diligence to prevent the commission of the violation.”1

And as per the CRTC:

“The development and proper implementation of a documented and effective corporate compliance program is a useful risk-management strategy: it may (i) reduce the likelihood of businesses violating the rules and/or CASL, and (ii) help businesses establish a due diligence defence in the case of a violation of the rules or CASL.2

In our dealings with the CRTC, we know that they are not looking for companies and organizations to be perfect, but they do want them to be responsible.

Process:

As part of the process of establishing a Compliance Program, one of the first things that we did and that is required by the CRTC, is to perform a risk analysis.

We assessed our client’s situation according to one hundred items in our compliance grid, while at the same time searched for operational and marketing optimizations regarding electronic communications.

We then supplied them with a report of our audit, complete with recommendations for each issue, as well as optimisation tips and practical advice. Our client also operates in Europe so we provided GDPR recommendations as well.

They then fixed their issues, appointed a Compliance Officer, began documenting in the appropriate CASL registries, implemented a CASL Compliance Policy, and updated their Privacy Policy.

They are now CASL certified and can send electronic communications with peace of mind. They are no longer at risk of being blacklisted or of receiving a hefty fine.

If you’re wondering if any of your emails or newsletters may have been flagged as “spam”, give us a call and we’ll help you out. 514-867-1230

B2B Sales: Simple Email Trick to Quick-Start New Lead Relationships (and be CASL & GDPR Compliant Too)

For those of us that work in B2B, networking is a great opportunity to meet potential clients. Talking with as many targeted individuals as possible and exchanging business cards at these conferences or events are our priorities.

But what’s next? Often we’ll add these cards to our sales pipeline sheets or CRM applications, waiting for the “right moment/opportunity/situation” to contact them. And regularly, these contacts get added to a “newsletter” list.

I often compare B2B sales to dating. You’re not going to move to “first base” with someone before you go on a date. Receiving a newsletter from someone you met at a conference, without sending them a follow-up email first, is kind of like this.

And when the person receives the newsletter, often the first thing that comes to mind is, “I never signed up to receive this” accompanied with feelings of infringement. And now, the chances of that potential client becoming a client have been greatly reduced. Or worse, your newsletter or communications are reported as spam.

But what if there were a way to go about things just slightly differently…

Imagine a simple email that could nurture that lead, and move them forward towards becoming a client instead of deterring them. An email that is also 100% compliant in the eyes of Canada’s Anti-Spam Law (CASL) and the European General Data Protection Regulation (GDPR)?

So let’s start over again…

You’re at a business conference or event and you exchange business cards with a potential client, partner, supplier, etc. You both agree to stay in touch. You add that contact to your sales pipeline sheet or CRM application.

The very next thing you’ll want to do is to send the following email:

Here’s why this email is so effective:

First off, we’re making them feel good by being nice (it was a pleasure meeting you”), giving (“I’d like to learn more about your…”), respectful (“would it be okay with you…?”), and reassuring (“whatever we send your way will be of value”) —All qualities the majority of humans appreciate and act positively towards.

We’re also meeting the legal requirements by being clear in what can be expected by the contact replying to the email (receiving future communications).

Lastly, the email is not a dead-end, as indicated by the anticipation of a future conversation.

Oh and regarding the subject line “Hi First Name…”; in B2B, the words “hi” with the person’s name followed by “…” is opened by over 95% of recipients. That’s a great open rate!

If the contact doesn’t reply back. It’s ok, you still made a good impression.

The next thing you’ll want to do is to add “implied consent – B2B exception” as your CASL consent status to that contact, along with a photo of the business card and the date and name of the event where you met. Add “legitimate interest” as your GDPR Lawful Base.

If the contact replies back positively, great! The contact’s CASL consent status is now “express”.

So there you have it, a simple email that makes all the difference. Be sure to make it your own by using your own words and expressions.

Every single email is an opportunity. Imagine all the possibilities.

—-

Did you like this article? Sign up to receive our communications and receive a 1-hour FREE consultation plus a surprise bonus.

 

$100,000 in penalties for SMS messages non-compliant with CASL

A commitment to the CRTC

May 1st, 2018, the CRTC announced via news release that companies 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC., operating as 514-TICKETS, whose principal activity is the resale of sports, cultural, and event tickets, has accepted an undertaking for alleged violations of the Canadian Anti-Spam Legislation (CASL). Under the latter, the companies pledged to pay a financial indemnity of $100,000 ($25,000 paid to the Receiver General for Canada and $75,000 in rebate coupons offered to clients).

This innovative form of sanction, combining customer discounts and fines, demonstrates that the CRTC’s intent is not to punish wrongdoers, but to force them to adopt CASL-compliant practices, which is inherent in the implementation of a CASL compliance program.

CASL’s application to text messages

This sanction is a milestone in the history of CASL compliance: it is the first time the CRTC has fined a company for violating the LAW by sending commercial electronic messages (CEMs) via text messages. 514-TICKETS would have, from July 3rd , 2014 to November 26th , 2016, sent CEMs via text message “without having obtained the consent of the recipients, and by not providing the necessary information to identify the sender, nor the information necessary to contact the sender“. More specifically, the majority of text CEMs were messages requesting consent to receive subsequent commercial offers.

The CRTC reiterated, in its news release, that CASL applies to any message sent —not only to an email address, but also to a telephone number account, or email account on social media— that is intended to encourage participation in a commercial activity.

If you don’t have consent, you cannot request consent

514-TICKETS should have, like any company sending CEMs, had prior consent before communicating with the recipients, but also include in its messages the information necessary to identify the sender, as well as the information to contact the sender. 514-TICKETS should also have included an unsubscribe mechanism, allowing the recipient to signal their desire to no longer receive communications from the company.

The Spam Reporting Centre is as efficient as ever

In this case, the CRTC’s investigation was initiated by reports sent to the Spam Reporting Center (SRC). This government authority transmits information received from consumers and other bodies, to the CRTC, the Competition Bureau, and/or the Office of the Privacy Commissioner of Canada depending on the nature of the alleged violation.

The importance of a compliance program

In their commitment to the CRTC, 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC., have also been required to implement a CASL compliance program, which includes: “an audit and review of current compliance practices […], as well as various other monitoring and auditing measures, including reporting mechanisms to CRTC staff regarding the implementation of the program.”

If your company has not yet been investigated by any of the CASL enforcement authorities, there is still time to implement your compliance program and protect your business before it’s too late.

GDPR & CASL: When to use “Legitimate Interests” or “Consent” as a lawful base

If you are a Canadian marketer and you send emails to the European Union (E.U.), under GDPR you’ll need to justify why you collect and store data for each of your contacts. And by data, I’m referring to contact information (first name, last name, email address, etc.) and how you use this data (marketing, transactional, etc.).

The lawful bases

Because GDPR governs data security and protection, an individual or organization may reference one of the six lawful bases to justify the collection of data of their clients, leads, partners, members, marketing contacts, etc.

From a purely marketing perspective, there are two lawful bases that one will cite regularly in their records and documentation: “Legitimate Interests” and “Consent”.

  • “Legitimate Interests” as a lawful base can be relied upon for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.
  • “Consent” as a lawful base is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement.

Which lawful base to apply for email marketing purposes…

Knowing that:

  • Under CASL, which governs commercial electronic messages, a consent status needs to be attributed to and documented appropriately for each contact, for you to have the legal right to send them electronic commercial messages. Either “express” or “implied” consent.
  • Under GDPR, which governs data security and protection, a lawful base needs to be attributed to and documented appropriately for each contact, for you to have the legal right to store and use a contact’s information.

Hence as a Canadian marketer (sending marketing messages to the E.U. ) , you must take into consideration and comply with the rules of GDPR -AND- CASL , thus adding a certain complexity.

Despite this complexity, there are totally legitimate, quick, and easy solutions for you to use:

For B2C email marketing

“Consent” as a lawful base is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR.

However, there are strict requirements and you will need to obtain explicit consent (note that there is no such thing as “implied consent” under GDPR) moving forward from all your marketing communication subscribers or from anyone that fills out forms on your web pages to receive communications from you.

If you use “Consent” as a lawful base.

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message that is used has to state all the ways you could possibly use the personal data you collect and how you are protecting that data. (ex.: state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time.)
  • Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

This process, not only enables you to comply with GDPR, but also gives you “express” consent under CASL.

For B2B email marketing

Particularly for those in sales, many of our contacts can be filed and recorded as “Implied Consent” under CASL, and as “Legitimate Interests” under GDPR.

You are required, however, to document the Legitimate Interests Assessment for each contact (LIA):

Whoa, that’s a lot to take in and document! But wait… whether you’re marketing B2C or B2B, or both, the arrival of GDPR is a great opportunity and occasion to convert “implied consent” Canadian contacts to “express consent” contacts, and classify E.U. contacts under “Consent” as a lawful base. See this article, “How to Write Emails to Get Consent for GDPR (and CASL)“.

Disclaimer:

Understandably, different sized organisations and types of messages need to be taken into consideration. Be sure to adapt accordingly to your organisation’s structure, operations, and unique situation.

Applying both CASL and GDPR legislations responsibly and taking the appropriate action is not at all an easy task. There are many details to pay attention to and to follow. It can be a difficult, time-consuming, and frustrating task if you are not completely versed in both legislations. In addition, mistakes can run costly fines for individual executives and companies alike.

If you need help or have questions, you can leave a comment or contact us at any time.

How to Write Emails to Get Consent for GDPR (and CASL)

The European Union’s General Data Protection Regulation (GDPR) comes into effect May 25th. From that date onwards, an organization must be able to demonstrate they are being lawful and prove compliance with this regulation.

Because GDPR governs data security and protection (unlike CASL with governs commercial electronic messages — for more information on the differences between GDPR and CASL click here) an individual or organization may reference one of the six lawful bases to justify the collection of data of their clients, leads, partners, members, marketing contacts, etc.

Because email is such a key medium for our business transactions and marketing communications, it’s important to note that any organization sending emails to individuals in the European Union is subject to GDPR, regardless of the originating country of the emails.

Now then, specifically for your marketing contacts, you’re going to want to know about Consent as a Lawful Base, to justify the collection and storage of your marketing contacts’ information.

“Consent” as a lawful base is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR. However, there are strict requirements and you will need to obtain explicit consent (note that there is no such thing as implied consent under GDPRmoving forward from all your marketing communication subscribers or from anyone that fills out forms on your web pages to receive communications from you.

If you use “Consent” as a lawful base.

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message that is used has to state all the ways you could possibly use the personal data you collect and how you are protecting that data. (ex.: state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time.)
  • Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

For those marketing contacts that you already have in your database (that are not clients, partners, members, employees or associates —as other lawful bases are easier to use for those contacts, although you can still send them the following email to ask them for their consent as there’s no harm in being safe than sorry) here is how you are going to want to ask them for consent.

N.B.: For those doing business in Canada, under CASL, if you already have implied consent for your contacts, and if you are still within the allowed time period (ex.: A person, who fills out a web form on your website, is considered to have given you “implied consent”, and you have a 6-month time frame in which you can communicate with them), the following email is valid to obtain explicit/express consent.

From name and subject line

These are the two elements that are the most crucial part of any email, as these items determine whether we’ll open an email or not.

For the “From” name, you’re going to want to make personal (from a real person, because as humans we prefer interacting with other humans) and professional (company name).

Ex. Rebecca Coggan | CompanyName, or Rebecca @ CompanyName, or use your full name and add the company name to the subject line.

For the subject line, you’re going to want to include the words “action required”.

TIP: Typically, when these words are surrounded by square brackets and in all caps, ex. [ACTION REQUIRED], we tend to take it more seriously.

And of course, in the subject line, you’ll also need to add the reason why you are contacting the person.

Example of all the elements together:

Other variations are possible. Be sure to make it your own.

Body copy

The three most important things when it comes to body copy is that it needs 1) to be brief, 2) to clearly demonstrate the “what’s in it me” for the recipient of the email and 3) written using an empathetic tone.

N.B.: By the way, if you respect these three key elements in your body copy, your open rates will steadily increase and your audience will trust you more and more.)

TIP: When it comes to these specific types of communications (updating information, account status etc.), text-based emails tend to be taken more seriously, are read more than scanned, and are acted upon more than ignored.

Example of all the elements together:

The body copy also includes many essential items: person’s name, deadline, the action required, incentive, instructions for future requests, a warm thank-you, and detailed sender information.

Here too, other variations are possible depending on your own situation. You can also send a follow-up email if you don’t get a response or action as quickly as hoped for. Be sure to make it your own.

So there you have it. Simple and easy.

CASL’s first sanction against a foreign company

Sanction for the Irish site Ancestry.com

On April 24th, the CRTC announced an undertaking with Ancestry Ireland Unlimited Company (“Ancestry”), which hosts the Ancestry.com website. The latter uses emails to communicate with people registered on its online service, which allows the search for genealogical documents (family history, family trees, historical records, information based on genetic analysis, etc.).

The extraterritorial nature of CASL

This is the first time that a foreign company has been subject to a CRTC sanction in connection with the Canadian Anti-Spam Law (hereinafter CASL). Ancestry is an Irish company with no offices or employees in Canada. The provisions of CASL, however, indicate that it applies to any company that sends messages to Canadian subjects, regardless of the source of the messages.

Similarly, contrary to what many people believe, Canadian companies have to comply with CASL both in their sendouts to Canada and for commercial electronic messages, they send to the rest of the world.

A sanction even if the consents were legal

The CRTC was able to find that Ancestry had obtained valid consents to communicate with its contacts, that its messages contained the mandatory identification information as well as an unsubscribe link.

However, the company was still in the wrong according to the CRTC because their different databases did not synchronize the withdrawal of consents. A customer who unsubscribed from one list continued to receive messages from the other list.

The requirement to synchronize withdrawals of consent

CASL provides that a person must be able to unsubscribe from all commercial electronic messages from the company. In the absence of other choices in the unsubscribe process (ex.: to receive certain types of communications only), the person must by default be excluded from the receipt of all commercial communications.

This requirement of the law can become a concern for many. Indeed, in the majority of companies, there is no synchronization between the mailing lists and the sending of emails themselves, the email sending platforms being separated from CRM or databases. Many companies also often have no way of updating their consent for sending emails via Outlook if someone unsubscribes from their newsletter. Thus, a person could continue to receive communications, despite the fact that in principle, they have unsubscribed from all sendouts.

The compliance program is a must

Ancestry is, by this undertaking, obliged to comply with the Act with respect to the synchronization of its consents. It must therefore unsubscribe and remove from all its commercial communications any person who has indicated this desire, either directly or indirectly, within 10 working days of the request.

The company must also implement a compliance program under CASL which includes: “reviewing and revising current compliance practices […], as well as various other monitoring and auditing measures, including reporting mechanisms to CRTC staff regarding the implementation of the program.”1

Do not be the next company to be sanctioned

If you use an email sendout platform that does not synchronize consent withdrawals with other lists or with your internal email system, you’re in violation of CASL and you may be fined up to several hundreds of thousands of dollars.

If your company is not yet under investigation by one of the CASL enforcement authorities, there is still time to put your compliance program in place and protect yourself before it’s too late.

GDPR Compliance & Emails: What Canadian SMBs Need to Know

The European Union’s General Data Protection Regulation (GDPR) comes into effect May 25th, and although details of the law are still being worked out, when it comes into effect, in the eyes of European law, an organization must demonstrate they are being lawful and must be able to prove compliance.

Who is subject to GDPR?

For those of us here in North America who do business with European countries, we are subject to GDPR because of international collaboration between authorities. Specifically, though, GDPR applies to:

  • Any organization that collects, changes, transmits, erases, or otherwise uses or stores the personal data of EU citizens. (Personal data is any piece of data that, used alone or with other data, could identify a person).
  • Any person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data, known as the “Controller”, is accountable under GDPR.
  • Any organization sending emails to individuals in the European Union is subject to GDPR, regardless of the originating country of the emails.

What are the two main DIFFERENCES between CASL and GDPR?

  1. Commercial Electronic Message vs. Data Protection

The biggest differentiator between CASL and GDPR is that CASL governs Commercial Electronic Messages (CEMs) while GDPR governs data security and protection.

  1. Compliance Program vs. Lawful Bases

When proving compliance, a CASL Compliance Program that meets the CRTC’s eight requirements is one’s only defense in Canada. For GDPR, an individual or organization may reference one of the six lawful bases, as long as one can prove and demonstrate that they respected all the details and took all the action required of the lawful base cited.

About Consent

Some lawful bases don’t apply to all businesses and marketers, but if you send emails, you’ll want to know about Consent as a Lawful Base.

Remember, a company must be able to fully justify why they are collecting the information of an individual or organization, to what means they are using it, and how that information is being protected.

Consent is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR. However, there are strict requirements and you will need to obtain explicit consent moving forward from all your subscribers or from anyone that fills out forms on your web pages to receive communications from you, if you use Consent as a lawful base.

Important: unlike CASL there is no implied consent in the eyes of GDPR nor are there B2B exceptions. There is only explicit consent. Note that:

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message that is used has to state all the ways you could possibly use the personal data you collect and how you are protecting that data. (ex.: state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time.)
  • Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

Access, Rectify, and Erase

Additionally, as you collect an individual’s data through your online forms (ex.: first name, last name, email, etc.) under GDPR an individual must able be to access, rectify and erase their data at any given time. Thus, we suggest that you include a section in your Privacy Policy as to how an individual may go about this (ex.: by sending an email with the request to [email protected]).

Record keeping and a centralized database

Within the rules and regulations of both CASL and GDPR, good record-keeping practices is not only necessary to establish a due diligence defense in the event of complaints against your business, but good recording keeping helps businesses (i) identify potential non-compliance issues, (ii) investigate and respond to consumer complaints, (iii) respond to questions about the business’s practices and procedures, (iv) monitor their corporate compliance program, (v) and identify the need for corrective actions and demonstrate that these actions were implemented.

Additionally, in order to meet the requirements of GDPR regarding Data Privacy and Consent, a centralized database for contact management, processing and documentation are helpful, not only for client relationships, smooth and efficient operations, but also for proving lawfulness and compliance.

As an individual or organization that sends emails, for marketing or business purposes, what’s your best bet?

A CASL compliance program is considered the gold-standard and best in breed where it comes to protecting yourself against hefty fines. Remember CASL applies to individual emails as much as group emails and newsletters regardless of whether there is promotion content or not.

Implementing a CASL compliance program, that meets all the requirements of the CRTC, is not only required by the law in Canada, but by doing so, you’ll increase your protection with regards to GDPR.

 

 

Learn How CASL’s Parliamentary Review Will Effect Your Email Marketing In 2018

Last year was a landmark year for CASL. There was a lot of activity; notably the end of the grace period, several huge fines, and parliamentary reviews. We’ve followed and tracked all the changes and modifications, particularly how it affects businesses like yours and its impact on email marketing.

Here’s a recap of the last year, what you can expect in 2018, and a few recommendations.

HIGHLIGHTS FROM 2017:

WHAT TO EXPECT IN 2018:

  • More requests for information and notices to businesses from the CRTC regarding the proper documentation of implied consent
  • More requests for information and notices regarding proper identification information, unsubscribe and complaint mechanisms in SMS messages
  • An increase in the number of fines issued
  • More outreach and education by the CRTC with respect to the law
  • Modifications to the actual name and title of the law
  • Modifications to certain articles in the law, especially with regards to those items that are ambiguous has already started this past December

KEY RECOMMENDATIONS FOR THIS YEAR:

  • Properly organize and document all the various consent types for all your contacts. A centralized database or CRM is key. Remember to also take into account the expiration of your various consent types (there are several).
  • We can’t stress it enough, but a CASL compliance program that meets the 8 requirements of the CRTC, is your sole protection in case you receive a request for information or notice from the CRTC.
  • Another way to help reduce complaints is to not only develop a solid email strategy with a focus on your business objectives, but develop a communication strategy that is of pertinence to your audience. The “what’s in it for them” (instead of you) never goes out of style.
  • When sending emails, be sure to make the most of segmentation, personalization (based on segmentation and not just a first and last name), and frequency (irregular timing gets higher open rates).

Stay tuned, another update from Parliament is due in the coming weeks.

 

 

 

$1,25M fine for Enterprise, National, and Alamo

A negotiated fine

Enterprise Rent-A-Car Canada Company, which manages the Enterprise, National, and Alamo car rental companies, has recently agreed to pay, to the Competition Bureau, a $1,25 million fine for sending emails containing misleading promotions, a practice covered by the Canadian Anti-Spam Law (CASL).

The entire industry is targeted

In its press release, the Bureau states as a reminder to companies, that already $5.25 million has been fined to and paid by three other major companies in this industry: $3M paid by Avis Budget following an investigation concluded in March 2015; and Hertz Canada, which also manages Thrifty, was fined $1,25 million in the spring of 2017.

This reminder clearly shows that the Competition Bureau will continue investigating car rental companies, as misleading promotions seems to be a systemic practice. This targeting, of a specific industry, is reminiscent of the CRTC’s investigation with vocational training companies.

Again, consent is not enough

While most companies continue to believe that having consent with regards to their promotional messages is enough be compliant with the Canadian Anti-Spam Law, this fine, once again demonstrates that CASL is much more complex and demanding. In fact, there are around one hundred risks that must be analyzed to ensure that a company is in compliance with CASL. Not only because this law has many articles, but also because CASL touches upon certain articles of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Competition Act.

Moreover, while the fines imposed by the CRTC for issues of “consent” or “unsubscribe” are of the order of a few tens or hundreds of thousands of dollars per company, the fines given by the Competition Bureau due to “message content” is consistently greater than $ 1 million.

The importance of a compliance program

In the Tribunal agreement, Enterprise was required to implement a compliance program under the supervision of the Competition Bureau. While waiting to be investigated to implement its compliance program, Enterprise not only had to pay a hefty fine, but it also had to incur significant legal fees in collaboration with the investigation and to negotiate a settlement, satisfactory to the CRTC.

If your company is not the subject of such an investigation, there is still time to set up your compliance program and protect your business before it’s too late.

Parliamentary Report: The Canadian Anti-Spam Law Is Here to Stay

The government must maintain and reinforce the application of the Canadian Anti-Spam Law (CASL), but it must also clarify vague notions of the Act and its regulations, as ascertained by the thirteen recommendations in the CANADA’S ANTI-SPAM LEGISLATION: CLARIFICATIONS ARE IN ORDER.

The report, recently published by the House of Commons Standing Committee on Industry, Science, and Technology cites forty-one expert testimonies with analyses from approximately thirty memoirs over the course of ten weeks.

CASL is effective

Despite highly polarized interventions between lobbyists and business lawyers, who described CASL as a catastrophic situation, and consumer representatives, who believe that the fines are insufficient, parliamentary members relied on information provided by Certimail to conclude that, despite the constraints, CASL offers a good balance between consumer protection and business competitiveness, but that aspects of the law require clarification.

CASL must change its name

The first and last recommendations of the Committee are to change the short name “Canadian Anti-Spam Law (CASL)” to “Electronic Commerce Protection Act (ECPA)”. Members noticed that many companies do not feel concerned by the Law because they are not aware that CASL governs all commercial electronic communications, and not just spam or email marketing.

CASL must be clarified

Recommendations 2 to 8 call on the government to clarify and detail certain elements of CASL and its regulations to ensure that non-profit businesses and organisations better understand what is allowed or not.

The elements that the Committee recommends to clarify are:

  • the definition of “commercial electronic messages
  • the status of administrative and transactional messages
  • the status of messages between companies
  • notions of implied and express consent
  • the definition “email address”
  • messages that are exempt to section 6.6 of the Act
  • management of referral messages
  • the application of the Law as it applies to charities and non-profits organisations

These clarifications of the Law and its regulations will address some of the vague regulations, but it does not or will not change the CRTC’s compliance requirements.

The CRTC must take care of small businesses

In its ninth recommendation, the Committee wants the CRTC to make a significant effort to raise awareness, particularly among small businesses. This recommendation is based on a thorough evaluation of the CRTC’s work. The Committee emphasized in the report that all stakeholders were unanimous in saying that the CRTC must review its awareness activities and guidance documents to ensure that they are sufficient and effective—(very happy to see that part of my intervention was even quoted directly in the report, page 14) —indicating that the compliance requirements are hidden on the CRTC’s website and are not even listed on the fightspam.gc.ca website. The CRTC is therefore invited to redouble its awareness-raising efforts, particularly with small businesses.

Postponement of Civil and Class Actions

The Committee considers that the Private Right of Action (PRA), which allows civil or class actions to be launched after receiving a non-compliant message, must be maintained but suspended pending clarification and awareness-raising efforts. The Committee’s tenth recommendation also suggests that the Government assess whether the damages that may be claimed in this regard should be demonstrated.

The CRTC’s cooperation with the RCMP

During their testimony before the Committee, the CRTC indicated that it is currently less limited in its dealings with authorities in other countries than with the RCMP and other Canadian security agencies. The Committee heard the message and dedicates its eleventh recommendation to fostering cooperation between the CRTC and police authorities across the country.

Transparency in complaints, investigations, and fines

The CRTC and government are encouraged to find ways to make the investigation and fine-setting process more transparent while promoting access to data on complaints received and trends in problems.

I was happy to read that Certimail’s contribution was quoted a dozen times in the report. This not only made me proud of my first lobbying experience but glad to have helped our MPs to understand SMBs’ reality in regard to email marketing and CASL compliance. Upon reading the recommendations, it’s clear that Certimail’s pragmatic approach has served the interests of our clients much better than the dogmatism of the official lobbies like CFIB and Canadian Chamber of Commerce, that don’t really seem to know and understand the undertakings of being compliant or even email marketing at all.