GDPR: (re)confirming consent, an error to avoid

With the entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018, you have probably received dozens of emails asking you to consent (or re-consent) to the processing of your personal data.

Now, you may be wondering if you should do the same for your own business.

The answer is no, and here’s why:

Firstly, the GDPR only concerns you if your company is active on the European market, that is, if it offers goods or services to people in the EU or monitors their behaviour there (Article 3 of the GDPR), whether or not it has a physical presence in Europe.

If your company doesn't deal with European consumers, you don't have to worry about the GDPR. It is much more important to ensure that you comply with Canada's Anti-Spam Legislation (CASL), which is almost as severe as the GDPR but applies to commercial electronic messages sent to or from Canada.

If, however, you are active in Europe, whether you are physically present there or not, compliance with the GDPR is your concern, but this is not a reason to bombard your contacts with requests to confirm their consent. It is a harmful and often useless step, because there are other ways to put yourself in good standing.

Counterproductive results

From a marketing perspective, consent is probably the worst legal basis on which to justify the processing, use and storage of personal data, and a mass "re-confirmation" campaign is the worst way to obtain it.

Indeed, companies that opted for "consent confirmation" campaigns have seen the danger first-hand: many of their contacts took the opportunity to withdraw their consent, out of frustration at the avalanche of similar messages they were receiving. This is a quick and easy way to destroy your marketing database.

The same thing happened in 2014 when CASL came into force. Consumers received thousands of messages asking whether they agreed to continue receiving commercial messages. These messages were unnecessary, because a transitional provision gave senders implied consent for existing relationships until July 1, 2017. Above all, they damaged the reputation of several companies and produced the opposite result: the loss of consent from the vast majority of their marketing contacts, which drove some SMBs to bankruptcy.

A request for consent probably not necessary

Firstly, explicit consent collected through a form that complied with the previous European framework, the Data Protection Directive (Directive 95/46/EC), remains valid under the GDPR, provided it was obtained in a way that already meets the GDPR's conditions (Recital 171): freely given, specific, informed and given by a clear affirmative action. A form that meets CASL's express-consent requirements (no pre-ticked boxes, a clear statement of what is being consented to, identification of the sender and notice that consent can be withdrawn) generally has these features. It is therefore unnecessary to waste your time and your clients' by asking for a new consent, as long as you can show a record of how the original consent was obtained.

In addition, the GDPR provides five other legal bases to justify the collection and processing of personal data: contractual necessity, compliance with a legal obligation, protection of the vital interests of the data subject or another natural person, a task carried out in the public interest, and finally, legitimate interests (Article 6 of the GDPR).


“Legitimate interest” as an ally

From a marketing perspective, "legitimate interests" is definitely the most interesting and flexible option. Article 6(1)(f) of the GDPR covers processing that is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child." Recital 47 adds that processing for direct marketing purposes may be regarded as carried out for a legitimate interest.

In other words, your interest in developing your business justifies collecting and using the relevant personal information of your contacts for your email marketing campaigns, as long as doing so does not override their rights. For example, if you use the name and email address that someone has given you to send them relevant promotional information and give them the opportunity to unsubscribe, you are justified under "legitimate interests". On the other hand, this would not justify collecting and processing irrelevant personal information such as their Social Insurance Number or their sexual orientation. One caveat: the GDPR is not the only rule in play. The ePrivacy Directive (2002/58/EC), as implemented in each member state, still requires prior opt-in for unsolicited marketing email to individuals, with a "soft opt-in" exception for your own existing customers, so check the national rules of the countries you email before relying on legitimate interests alone.

Think strategically

It's not because email service providers like MailChimp or Cyberimpact offer you a consent-request email template that it is relevant to use it. Unfortunately, these companies often have limited knowledge of these regulations and their compliance requirements. It is better to put yourself in the shoes of the average consumer who has received 23 emails of this type this week and who expects something more interesting from you.

If you are afraid that some of your consents are not in compliance and you need to get a confirmation, go step by step to reduce the impact on your database.

Start by separating your European contacts from the other contacts in your database and group them according to the legal bases that may apply to them. Only if some contacts fit none of the six legal bases and were not obtained through a consent form should you send them a consent confirmation message, making sure to do so in a tone that matches the relationship style you have developed with your customers. A tone that is too "legal" will bother your customers or, at worst, scare them.

In short, the GDPR should not push you to make mistakes in panic mode but is an issue that you must take seriously if you do business with Europeans. It’s also an opportunity to structure and enrich your databases and digital marketing strategy by building the trust of your customers.

As with CASL, it is not enough to have “consent” to comply with the GDPR. All other regulatory requirements must be met, which only a formal compliance program can provide.

If you want to comply with the GDPR to strengthen the trust of your European customers or avoid fines and legal proceedings, contact one of our advisers today. The Certimail team offers GDPR compliance programs tailored to the constraints of Canadian SMBs that can even be combined with a CASL compliance process, saving you time and money.


$100,000 in penalties for SMS messages non-compliant with CASL

A commitment to the CRTC

On May 1, 2018, the CRTC announced in a news release that 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC., operating as 514-TICKETS, whose principal activity is the resale of sports, cultural and event tickets, had entered into an undertaking for alleged violations of Canada's Anti-Spam Legislation (CASL). Under the undertaking, the companies agreed to pay $100,000 ($25,000 to the Receiver General for Canada and $75,000 in rebate coupons offered to clients).

This innovative form of sanction, combining customer discounts and a penalty, shows that the CRTC's intent is not merely to punish wrongdoers but to force them to adopt CASL-compliant practices, which is exactly what a CASL compliance program is meant to put in place.

CASL’s application to text messages

This undertaking is a milestone in the history of CASL compliance: it is the first time the CRTC has penalized a company under the Act for sending commercial electronic messages (CEMs) by text message. Between July 3, 2014 and November 26, 2016, 514-TICKETS allegedly sent CEMs by text message "without having obtained the consent of the recipients, and by not providing the necessary information to identify the sender, nor the information necessary to contact the sender". More specifically, most of these text CEMs were themselves requests for consent to receive subsequent commercial offers.

The CRTC reiterated in its news release that CASL applies to any message intended to encourage participation in a commercial activity, whether it is sent to an email address, to a telephone number or to an account on a social network.

If you don’t have consent, you cannot request consent

514-TICKETS should, like any company sending CEMs, have obtained consent before communicating with the recipients, and should have included in its messages the information needed to identify the sender and to contact the sender. It should also have included an unsubscribe mechanism allowing recipients to signal that they no longer wish to receive communications from the company. Under CASL, a message asking for consent is itself a CEM, so it requires consent just like any other.

The Spam Reporting Centre is as efficient as ever

In this case, the CRTC's investigation was triggered by reports sent to the Spam Reporting Centre (SRC). This government body forwards the information it receives from consumers and other organizations to the CRTC, the Competition Bureau and/or the Office of the Privacy Commissioner of Canada, depending on the nature of the alleged violation.

The importance of a compliance program

In their undertaking to the CRTC, 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC. were also required to implement a CASL compliance program, which includes "an audit and review of current compliance practices [...], as well as various other monitoring and auditing measures, including reporting mechanisms to CRTC staff regarding the implementation of the program."

If your company has not yet been investigated by any of the CASL enforcement authorities, there is still time to implement your compliance program and protect your business before it’s too late.

GDPR & CASL: When to use "Legitimate Interests" or "Consent" as a lawful basis

If you are a Canadian marketer and you send emails to the European Union (E.U.), under GDPR you will need to justify why you collect and store data for each of your contacts. By data, I mean contact information (first name, last name, email address, etc.) and how you use it (marketing, transactional, etc.).

The lawful bases

Because GDPR governs the protection of personal data, an individual or organization must rely on one of the six lawful bases to justify collecting data about their clients, leads, partners, members, marketing contacts, etc.

From a purely marketing perspective, there are two lawful bases that you will cite regularly in your records and documentation: "Legitimate Interests" and "Consent".

  • "Legitimate Interests" as a lawful basis can be relied upon for marketing activities if you can show that the way you use people's data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.
  • "Consent" as a lawful basis is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement.

Which lawful basis to apply for email marketing purposes

Knowing that:

  • Under CASL, which governs commercial electronic messages, each contact must have a documented consent status, either "express" or "implied", before you have the legal right to send them commercial electronic messages.
  • Under GDPR, which governs the processing of personal data, each contact must have a documented lawful basis before you have the legal right to store and use their information.

Hence, as a Canadian marketer sending marketing messages to the E.U., you must take into account and comply with the rules of both GDPR and CASL, which adds a certain complexity.

Despite this complexity, there are totally legitimate, quick, and easy solutions for you to use:

For B2C email marketing

"Consent" as a lawful basis is one way, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR.

However, the requirements are strict, and going forward you will need explicit consent (note that there is no such thing as "implied consent" under GDPR) from all your marketing communication subscribers and from anyone who fills out a form on your web pages to receive communications from you.

If you use "Consent" as a lawful basis:

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity do not constitute consent; data subjects must explicitly opt in to the storage, use and management of their personal data. A double opt-in procedure (the subscriber confirms by clicking a link sent to the address they supplied) is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, so you must be clear about how the data will be used when you obtain consent. The opt-in text has to state each way you intend to use the personal data you collect and how you protect it (for example, link to your Privacy Policy and state that a person can access, rectify or erase their data at any time).
  • Consent must be verifiable, which requires a written record of when and how someone agreed to let you process their personal data.
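The list above describes the double opt-in and the verifiable record but does not show what such a record looks like in practice. The following is an added example, not code from the original post or from any email service provider mentioned on this page. It assumes a hypothetical server-side secret (`SECRET_KEY`) and a 48-hour link validity; the confirmation link carries an HMAC over the address, a per-record nonce, the purposes ticked and the issue time, so a forged, tampered, expired or replayed link cannot mark a record as confirmed, and every send is checked against the specific purpose that was consented to.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical secret for this example only; load from a secrets store in production.
SECRET_KEY = b"example-only-do-not-use-in-production"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed validity window for the confirmation link


@dataclass
class ConsentRecord:
    """The 'written record' of when and how consent was requested, confirmed or withdrawn."""
    email: str
    purposes: tuple                   # distinct purposes ticked on the form, e.g. ("newsletter",)
    source: str                       # how consent was obtained, e.g. the form's URL
    requested_at: float               # when the (unconfirmed) opt-in was submitted
    confirmed_at: Optional[float] = None
    withdrawn_at: Optional[float] = None
    nonce: str = field(default_factory=lambda: secrets.token_urlsafe(16))

    @property
    def status(self) -> str:
        if self.withdrawn_at is not None:
            return "withdrawn"
        return "confirmed" if self.confirmed_at is not None else "pending"


def _mac(email: str, nonce: str, purposes: tuple, issued_at: int) -> str:
    # Bind the token to this record, these purposes and this issue time.
    msg = "|".join([email.lower(), nonce, ",".join(sorted(purposes)), str(issued_at)])
    return hmac.new(SECRET_KEY, msg.encode(), hashlib.sha256).hexdigest()


def issue_confirmation_token(rec: ConsentRecord, now: Optional[float] = None) -> str:
    """Step 1 of double opt-in: token to embed in the link emailed to the address."""
    issued_at = int(now if now is not None else time.time())
    return f"{issued_at}.{_mac(rec.email, rec.nonce, rec.purposes, issued_at)}"


def confirm(rec: ConsentRecord, token: str, now: Optional[float] = None) -> bool:
    """Step 2: the link is clicked. Verify MAC and age, then record the confirmation time."""
    now = now if now is not None else time.time()
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False                                   # malformed token
    if now - issued_at > TOKEN_TTL_SECONDS:
        return False                                   # link expired
    expected = _mac(rec.email, rec.nonce, rec.purposes, issued_at)
    if not hmac.compare_digest(mac, expected):
        return False                                   # forged, tampered or for another record
    if rec.status != "pending":
        return False                                   # replay, or consent already withdrawn
    rec.confirmed_at = now
    return True


def withdraw(rec: ConsentRecord, now: Optional[float] = None) -> None:
    """Unsubscribe: keep the record (it proves what happened) but stop all sending."""
    rec.withdrawn_at = now if now is not None else time.time()


def may_send(rec: ConsentRecord, purpose: str) -> bool:
    """Consent is purpose-specific: a 'newsletter' opt-in does not cover 'partner_offers'."""
    return rec.status == "confirmed" and purpose in rec.purposes


if __name__ == "__main__":
    # Constructed sample: a subscriber submits the form, then clicks the link 100 s later.
    rec = ConsentRecord("alice@example.com", ("newsletter",), "/subscribe", 1_600_000_000.0)
    token = issue_confirmation_token(rec, now=1_600_000_000)
    print("confirmed:", confirm(rec, token, now=1_600_000_100))
    print("newsletter ok:", may_send(rec, "newsletter"), "| offers ok:", may_send(rec, "partner_offers"))
```

The record keeps the three things the list asks for: when (requested_at, confirmed_at, withdrawn_at), how (source plus the fact that the address itself clicked a link only that address received) and for what (purposes). A withdrawn record is kept rather than deleted, because it is your evidence that you stopped sending when asked.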

This process not only enables you to comply with GDPR, but also gives you "express" consent under CASL.

For B2B email marketing

Particularly for those in sales, many of your contacts can be filed and recorded under "implied consent" for CASL and under "legitimate interests" for GDPR.

You are required, however, to document a Legitimate Interests Assessment (LIA) for this processing:

Whoa, that's a lot to take in and document! But wait: whether you market B2C, B2B or both, the arrival of GDPR is a great opportunity to convert "implied consent" Canadian contacts into "express consent" contacts, and to classify E.U. contacts under "Consent" as a lawful basis. See the article "How to Write Emails to Get Consent for GDPR (and CASL)" below.


Understandably, different sized organisations and types of messages need to be taken into consideration. Be sure to adapt accordingly to your organisation’s structure, operations, and unique situation.

Applying both CASL and GDPR responsibly and taking the appropriate action is not an easy task. There are many details to pay attention to and follow. It can be difficult, time-consuming and frustrating if you are not completely versed in both pieces of legislation, and mistakes can result in costly fines for individual executives and companies alike.

If you need help or have questions, you can leave a comment or contact us at any time.

How to Write Emails to Get Consent for GDPR (and CASL)

The European Union's General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. From that date onwards, an organization must be able to demonstrate that it is acting lawfully and prove compliance with this regulation.

Because GDPR governs the protection of personal data (unlike CASL, which governs commercial electronic messages; the differences between the two are covered in the article above), an individual or organization must rely on one of the six lawful bases to justify collecting data about their clients, leads, partners, members, marketing contacts, etc.

Because email is such a key medium for business transactions and marketing communications, it is important to note that any organization sending marketing emails to individuals in the European Union is subject to GDPR, regardless of the country the emails originate from.

Now then, specifically for your marketing contacts, you need to know about consent as a lawful basis to justify the collection and storage of your marketing contacts' information.

"Consent" as a lawful basis is one way, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR. However, the requirements are strict, and going forward you will need explicit consent (note that there is no such thing as implied consent under GDPR) from all your marketing communication subscribers and from anyone who fills out a form on your web pages to receive communications from you.

If you use "Consent" as a lawful basis:

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity do not constitute consent; data subjects must explicitly opt in to the storage, use and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, so you must be clear about how the data will be used when you obtain consent. The opt-in text has to state each way you intend to use the personal data you collect and how you protect it (for example, link to your Privacy Policy and state that a person can access, rectify or erase their data at any time).
  • Consent must be verifiable, which requires a written record of when and how someone agreed to let you process their personal data.

For the marketing contacts already in your database who are not clients, partners, members, employees or associates (other lawful bases are easier to use for those contacts, although you can still send them the following email; better safe than sorry), here is how to ask them for consent.

N.B.: For those doing business in Canada: under CASL, if you already hold implied consent for a contact and are still within the allowed period (for example, a person who fills out a web form on your website is considered to have given you "implied consent", which gives you a six-month window in which you can communicate with them), the following email is a valid way to obtain explicit/express consent.

From name and subject line

These two elements are the most crucial part of any email, because they determine whether the recipient opens it or not.

For the "From" name, make it personal (a real person, because as humans we prefer interacting with other humans) and professional (the company name).

Ex. Rebecca Coggan | CompanyName, or Rebecca @ CompanyName, or use your full name and add the company name to the subject line.

For the subject line, you’re going to want to include the words “action required”.

TIP: Typically, when these words are in square brackets and all caps, e.g. [ACTION REQUIRED], we take them more seriously. Bear in mind that urgency cues of this kind are also the stock-in-trade of phishing emails, so send from your recognizable domain and make the subject specific to the request rather than relying on the brackets alone.

And of course, in the subject line, you’ll also need to add the reason why you are contacting the person.

Example of all the elements together:

Other variations are possible. Be sure to make it your own.

Body copy

The three most important things about body copy are that it needs 1) to be brief, 2) to clearly show the "what's in it for me" for the recipient of the email, and 3) to be written in an empathetic tone.

N.B.: By the way, if you respect these three key elements in your body copy, your open rates will steadily increase and your audience will trust you more and more.

TIP: When it comes to these specific types of communications (updating information, account status etc.), text-based emails tend to be taken more seriously, are read more than scanned, and are acted upon more than ignored.

Example of all the elements together:

The body copy also includes several essential items: the person's name, the deadline, the action required, an incentive, instructions for future requests, a warm thank-you and detailed sender information.

Here too, other variations are possible depending on your own situation. You can also send a follow-up email if you don’t get a response or action as quickly as hoped for. Be sure to make it your own.

So there you have it. Simple and easy.

CASL: A challenge for museums and cultural organisations

This summer, we were mandated by Montreal’s Museum of Contemporary Art to implement a compliance program.

In addition to the pleasure of working with such a prestigious institution and collaborating with Espace Courbe, the team in charge of the museum's technology changes, we saw first-hand how much more complex Canada's Anti-Spam Legislation is for museums and most cultural institutions than it is for businesses.

Below are some of our findings that, hopefully, can help your organisation improve the effectiveness of its electronic communications while respecting Canada's Anti-Spam Legislation.

A law that applies to all

First, let’s demystify a common myth:

Non-profit organisations and charities are NOT exempt from CASL. Compliance applies to all types of organisations.

Many believe that their status as an NPO, or even as a charity, exempts them from CASL. This is false! The law applies to all natural and legal persons who send commercial electronic messages to or from Canada.

Additionally, non-profit organisations, charities and foundations that engage in commercial transactions (such as the sale of tickets, objects or production contracts) are subject to CASL. Only some of their messages are exempt.

Even municipal governments and Crown corporations such as Hydro-Québec, VIA Rail or Place des Arts must comply. In fact, only the federal and provincial governments are exempt from CASL.

A complexity specific to cultural institutions

Canada's Anti-Spam Legislation imposes precise rules about the people we can communicate with electronically. Most companies need to consider two types of relationships: customers and potential customers.

In the case of museums and many other cultural institutions, patrons, members, donors, guests of premieres, volunteers and individuals providing support (past, present and future) are all people with whom we may want to communicate.

All these sub-types of customers and potential customers create a complexity which leads many cultural institutions to limit their communications to those who have given explicit consent by completing a website form. This solution may appear simple, but it is costly in the end.

Savvy marketers and organisations know that it takes much less time and money to convince a former patron to return than to attract a new one. Your past invitees, patrons, members, donors, etc. are a gold mine. The good news is that you can profit from this gold mine, because Canada's Anti-Spam Legislation and its regulations have specific clauses for cultural organisations.

The two-year rule for patrons and members

Subsections 10(10), 10(13) and 10(14) of CASL give you implied consent to send commercial electronic messages to customers who have completed a transaction within the last two years, and to donors, volunteers and members within two years of their donation, volunteer work or membership. For members or subscribers, the two-year period begins on the end date of the membership or subscription. Implied consent does not remove the other obligations: every message must still identify you, give your contact information and offer an unsubscribe mechanism, and the right lapses as soon as the person tells you they no longer wish to receive such communications.

This means that you can contact most of your donors, patrons and members of the past two years to persuade them to rediscover your exhibitions or programs, even if they have never filled out an explicit consent form. Our experience with several cultural organisations has taught us that former patrons are often the easiest to win back if approached in the right way. You might be surprised how many of them you can reconvert with a series of gradual re-engagement emails.

An exception for soliciting donations

As austerity becomes a dogma before which most of our politicians seem to prostrate themselves, the development and sustainability of cultural organisations increasingly depends on donations made to them directly or through a foundation.

It should be noted that any message whose primary purpose is to raise funds for a registered charity is exempt from Canada's Anti-Spam Legislation. So you can send these messages to all your contacts as long as fundraising is the primary purpose of the message, not a backdoor way of promoting your business activities.

N.B.: A message inviting the recipient to contribute to a fundraising campaign may include a reference to your other activities as long as this reference remains marginal. However, if those activities contribute to the organisation's revenue, your message becomes a commercial message and no longer benefits from the exemption.

Always try to get explicit consent

While Canada's Anti-Spam Legislation offers many opportunities to send messages on the basis of implied consent, every message you send should be seen as an opportunity to seek explicit consent, by inviting people to complete a form (donation, subscription, profile update, etc.) in which the request for explicit consent is present.

Whatever you do, do not send a stand-alone message asking for explicit consent: 1) in certain situations it is illegal to do so (a consent request is itself a commercial electronic message and needs consent), and 2) most of the time these messages get consent rates below 20%. A lack of response could also be interpreted as an unsubscribe request and prevent you from continuing to send messages to these people.

Make sure your consent request is well worded

CASL requires consent to be clear, which means the right to send electronic communications is limited to the type of communications the recipient has consented to. Many cultural organisations continue to ask for consent for their "newsletters". Worded this way, you are not allowed to send any other type of electronic communication. An easy solution is to replace "newsletters" with "electronic communications".

Transforming threat into opportunity

For many organisations, CASL is perceived as a threat. Nobody wants to be investigated, receive a heavy fine or be publicly shamed in the media. Unfortunately, too many organisations decide to reduce or, even worse, stop their email marketing activities altogether, a move that can hurt an organisation financially in the long run.

Instead, transform this threat into an opportunity. Implementing a compliance program is an excellent opportunity to revise and update your organisation’s electronic communication practices. For most of our customers, this review has allowed them to maintain or increase the number of people they can send commercial messages to, and increase the effectiveness of their communications.

If you want to discuss your specific situation and see what would be the most economical, simple and effective way to make your organisation CASL compliant all the while improving your marketing effectiveness, speak with one of our experts.

SMB Plenty of Fish to pay $48K for a form!

Less than three weeks after issuing its first penalty, the CRTC announced that PlentyOfFish Media Inc., a Vancouver SMB, had also been fined under Canada's Anti-Spam Legislation.

PlentyOfFish Media Inc. is a 75-employee Vancouver-based company that manages the popular free dating site Plenty of Fish, a destination with over 90M users.

Consent was not an issue

The facts compiled by the CRTC cover the period from July 1, 2014 (when CASL came into effect) to October 8, 2014 (when the CRTC informed the company that it was under investigation).

Over this period, the CRTC found that Plentyoffish Media's unsubscribe link was not set out clearly enough and that its unsubscribe form was too complex for recipients to complete the process.

N.B.: The complaints received by the CRTC concerned emails sent to registered members of the site, that is, to people who had consented to receive them. So consent was never the issue.

This case shows that even with consent, an unsubscribe link and an unsubscribe form, a business can still be fined. One must be diligent, and PlentyOfFish showed its diligence by promptly paying the $48,000 penalty and correcting the problem.

The CRTC makes its point clear

By imposing a relatively small penalty compared to the $1.1M one imposed on Compu-Finder at the beginning of the month, the CRTC is showing that it understands CASL and how to enforce it, and that it adjusts its penalties to the situation at hand.

It is clear, though, that acting blindly in good faith is not enough to avoid penalties.

In fact, as the CRTC stated in an Information Bulletin, the only way to protect yourself against penalties is to conduct a complete audit of your company and to have a compliance policy that corrects the weaknesses identified by the audit.

If Plentyoffish had taken such action with Certimail or another consultant, it would not have had to pay this penalty or endure the bad press that came with it.

And what about you? Have you done an audit and set up your program to avoid this kind of situation?

Even With Consent Avis & Budget To Pay $3M

(Update March 23, 2017) In a consent agreement registered with the Competition Tribunal, the Avis Budget Group (ABG) agreed to pay a $3 million penalty along with $250,000 toward the Bureau's costs. Add the lawyers' fees on top of this, which have probably been very costly for ABG considering how long the parties fought it out.


In a news release, the Competition Bureau stated that, under the provisions added to the Competition Act by Canada's Anti-Spam Legislation (CASL), it was asking the Competition Tribunal to impose penalties of $10 million each on the Avis Budget Group and its two subsidiaries, Aviscar and Budgetcar, and to order them to pay up to $35 million in restitution to consumers. These were the first penalties sought by the Competition Bureau under CASL's amendments.

Consent was not an issue

While most journalists and observers have emphasised the importance of consent when discussing CASL, this exemplary penalty demonstrates the complexity and reach of Canada's Anti-Spam Legislation. The Competition Bureau asked the Competition Tribunal to impose the maximum amount allowed by law on each of the three companies, not because of a consent problem, but because of misleading promotional content in their emails.

It should be noted that Canada's Anti-Spam Legislation goes much further than prohibiting spam. The Act contains some 70 different rules that apply to each commercial electronic message sent. Furthermore, it amended the Competition Act to allow the Competition Bureau to seek penalties when a company violates section 74.011 of the Competition Act (false or misleading representations in electronic messages).

This is the basis of the case against the Avis Budget Group. The Competition Bureau alleged that the group's advertised promotions were misleading because the listed prices were up to 35% lower than the price consumers actually paid.

In its Notice of Application, the Competition Bureau examined the promotions in their various formats, from websites to mobile applications to radio and print advertisements. But it was because these promotions were also sent by email that the $10M penalties, plus up to $35M in restitution to the consumers who were wronged, could be sought under the CASL amendments.

The importance of carrying out a complete compliance audit

Many companies and industry observers erroneously believe that Canada's Anti-Spam Legislation only imposes obligations regarding consent. The CRTC itself contributes to this false perception through its business FAQ ("How can businesses ensure they are in full compliance with CASL?").

This false perception is what led to the flurry of emails around July 1, 2014 asking consumers for their consent, an action that was unnecessary for most businesses and, in certain cases, itself a violation.

CASL is complicated: there are many rules a commercial electronic message must adhere to, and some of them remain unclear because of the thin body of case law. The best way to protect your business is to conduct a comprehensive compliance audit, which the CRTC's compliance guidance treats as a core element of a compliance program, and to implement a compliance policy that corrects any weaknesses identified during the audit.

This is what the CRTC recommends for all businesses that want to avoid penalties.