CASL: What’s changed since July 1st?
After three long years, the grace period has ended, and companies must have established and implemented a compliance program. Businesses can no longer defend themselves by explaining that they weren’t aware of all the criteria necessary to be compliant.
From now on, to whom can you send messages to?
From now on, you may only send electronic business messages to:
- persons who have given explicit consent,
- clients who have made at least one transaction in the last two years,
- individuals who have requested, within the last six months, to receive business information.
ATT: For all other contacts, you can no longer send them communications. This includes sending a consent request. The CRTC was very clear on this subject: an email requesting consent is a commercial electronic message and can not be sent without prior consent!
What to do about leased or purchased lists?
The CRTC argued that when you obtain lists from a third party, you must verify that your supplier has obtained the appropriate consent for each contact. This includes consent for the type of communication (medium & content) one can send to an individual.
The CRTC clarified that in order to discharge your liability you must demonstrate that you’ve taken action to verify the legality of the consents obtained by your supplier. Otherwise, or if the CRTC deems that your actions are insufficient, you will be held responsible.
This practice also applies to directories. Before using the information from a repertory, you must verify that you have the right to do so and that the publisher of the directory obtained the proper consents. Otherwise, you will be held responsible.
Can agencies, ESPs and CRM suppliers be held responsible?
The CRTC has explained, in reference to the responsibility of agencies and technology platforms, that if the suppliers are involved in the content of the message, they may be held jointly liable for violations of Canada’s Anti-Spam Legislation.
For example, this applies to agencies that write copy and design emails (and other electronic messages) for their clients, as well as ESPs and CRMs that offer dynamic content customization or dynamic segmentation.
We’ll be consulting with our partner lawyers shortly for more information. Stay tuned for a detailed article on this subject.
Polls & Surveys
With regards to emails inviting individuals to participate in a poll, if the survey is just a study, it does not fall within the definition of a commercial electronic message and therefore does not require prior consent.
However, if the poll or survey refers to a product or promotes it, even subtly, it must meet all the requirements of CASL.
A good rule of thumb is to ask yourself if the individual who completes the survey can guess the name of the company or brand. If so, your survey is likely to be in violation of the law.
SMS and MMS messages
Although there are less commercial text messages sent in Canada than in other countries, consumer complaints about them are on the rise and these messages are in the CRTC’s viewfinder.
The CRTC explained that if companies send text messages for commercial (not necessarily promotional) purposes, or plan to do so, they must ensure that their compliance program covers these types of messages.
ATT: If a person is not on the National Do Not Call List (NDNCL), this does not mean you have consent to send them text messages.
Whereas the NDNCL uses an opt-out procedure (a person has to contact them to be removed from their list), Canada’s Anti-Spam Law uses an opt-in principle (individuals must give you permission to be contacted).
The CRTC has clarified that transactional messages such as the confirmation of a transaction, change of password, scheduled alert, etc.) are not considered a commercial electronic message, as long as it does not contain a commercial offer. Also, transactional messages can be sent even if the person has withdrawn their consent.
However, the CRTC has made it clear that these transactional messages must comply with all the provisions of CASL, including those articles referring to “mandatory information” and “unsubscribe mechanisms”.
Brands and parent companies
When the CRTC discussed this point during an IAB presentation, the crowd told them they were crazy. Take note: Any withdrawal of consent applies to the whole company by default (affiliates and parent companies included), and not the just the brand or business indicated in the unsubscribe form.
Let’s take Loblaws and Shopper’s Drug Mart as an example: if a consumer unsubscribes from the Loblaws supermarket newsletter, consent is automatically withdrawn from the entire company and not just from supermarket communications. If the consumer was subscribed to the Shopper’s Drug Mart newsletter at the time when they withdrew their consent to Loblaws, under the law, they should no longer receive Shopper’s Drug Mart newsletters.
The only way to manage this situation legally is to propose an unsubscribe form in which the consumer can choose the brands from which he or she wishes to remain subscribed to.
When the CRTC was told that this was a bit crazy, their response was “We don’t know how you operate, guys! So come and talk to us so that we can understand you better”.
In conclusion, the law is tricky. For those not who are not vigilant or proactive, they will eventually be heavily fined and required to complete their compliance program.
The solutions and compliance programs offered by Certimail, built in collaboration with researchers from the Faculty of Law at Université de Montréal, meet the new requirements of the CRTC.
If you already have a program set up by us, you have nothing to change. You’re covered.
If you don’t have a compliance program, our experts are at your disposal to assess your situation and can offer you an efficient and inexpensive program that meets the CRTC’s requirements.