Canada’s Anti-Spam Law (CASL) FAQ
FAQ regarding Canada’s Anti-Spam Law (CASL). Commercial Electronic Messages (CEM): consent, compliance and protection of personal information.
Canada's Anti-Spam Law (CASL) is one of the toughest laws of its kind in the world, making its application and interpretation particularly thorny. Here we answer some of your frequent questions about both the new law and Industry Canada’s revised regulations. How will CASL impact your business? To discuss this challenge, feel free to contact us.
About Canada’s Anti-Spam Legislation (CASL)
1. What is CASL?
CASL is a new anti-spam law that will apply to all electronic messages (i.e. email, texts) organizations send in connection with a “commercial activity.” Its key feature requires Canadian and global organizations that send commercial electronic messages (CEMs) within, from or to Canada to receive consent from recipients before sending messages. CASL does not apply to CEMs that are simply routed through Canada.
2. What’s the definition of a “commercial electronic message” (CEM)?
A CEM is any electronic message that encourages participation in a commercial activity, such as an email that contains a coupon or tells customers about a promotion or sale. That said, the inclusion of hyperlinks to a website or of business-related information does not make a message a CEM.
CEMs must be sent to an electronic address to be caught by CASL. Confirmations of successful unsubscribes, courtesy SMS sent to roaming customers, and publication of blog posts on micro-blogging and social media sites are out of scope.
3. What constitutes consent?
To send a CEM, organizations need express consent from recipients—either orally or in writing. Written consent can be electronic.
4. How can we get consent from our recipients?
When requesting consent, you must provide recipients with:
- The name of the person or organization seeking consent
- A mailing address and either a phone number, voice message system, email address or website where recipients can access an agent for more information
- A statement identifying the person on whose behalf consent is being sought
- The identity and contact information of any third-party or affiliate used to obtain consent
- A free unsubscribe mechanism that lets recipients electronically opt-out of communications
- The ability to opt-out of all types of communications sent by either your organization or a third-party partner
5. Can consent be implied?
Yes. Organizations don’t need express consent to send a CEM in the context of an existing business or non-business relationship, or if recipients conspicuously publish their electronic contact information or voluntarily disclose it without indicating they don’t want to receive communications.
6. What happens if we don’t comply with CASL?
Organizations that don’t comply risk serious penalties, including criminal charges, civil charges, personal liability for company officers and directors, and penalties up to $10 million.
7. When will CASL come into force?
CASL will come into force in three stages:
- July 1, 2014: the anti-spam provisions come into force and the three-year transitional period begins
- January 15, 2015: the consent and notice rules for installation of computer programs come into force and the three-year transitional period for computer programs begins
- July 1, 2017: the private right of action comes into force, the transitional period for commercial electronic messages ends and the three-year mandatory review for CASL will be triggered
8. What types of business communications are fully exempt (e.g. don’t have to identify the sender or include an unsubscribe mechanism)?
- CEMs sent between family and friends (related through marriage, common law or any legal parent-child relationship, or if there is a voluntary two-way communication between the individuals)
- CEMs sent within or between organizations with an existing relationship (B2B)
- CEMs solicited or sent in response to complaints, inquiries, requests
- CEMs sent due to a legal obligation or to enforce a right
- Telecommunications service providers (TSPs): Under CASL, TSPs need consent to install certain computer programs, including programs that prevent unauthorized or suspicious legal activities (such as the installation of cookies) or programs unrelated to system-wide upgrades or updates. Under the proposed new regulations, TSPs will be permitted to install computer programs without consent for two purposes only:
  - Preventing illegal activities that pose an imminent risk to network security, or
  - Updating or upgrading devices across an entire network
9. What new exemptions did Industry Canada introduce?
The new Industry Canada regulations introduced five new full exemptions:
- CEMs sent from instant messaging platforms (e.g. BBM messenger, LinkedIn InMail) where the required identification and unsubscribe mechanisms are clearly published on the user interface
- Limited-access, secure, confidential accounts (e.g. banking portals)
- CEMs sent to listed foreign countries, where it is reasonable to believe that the message will be opened in a listed foreign country that has rules similar to CASL
- CEMs sent by registered charities for the primary purpose of fundraising
- CEMs sent by political parties seeking contributions
10. What is the partial exemption for third-party referral messages?
Under this partial exemption, businesses can send one single message to obtain consent for future messages. This means a CEM sent for the first time following a referral doesn’t require consent, as long as an existing business, personal or family relationship exists and the sender includes the full name of the individual(s) who made the referral, the identity of the sender and an unsubscribe mechanism. Any CEM sent following the first referral must comply with the form and content requirements of CASL (e.g. identify the sender and include an unsubscribe mechanism).
11. Can we rely on third-party consents when sending CEMs?
What you need to know
12. How can we prepare for CASL?
Although the steps each organization must take to update their electronic databases to manage consents and unsubscribe requests will differ, to prepare for CASL you should:
- Determine if you are sending CEMs
- Identify the channels through which you send CEMs
- Assess if you have implied or express consent to send CEMs or if an exemption applies
- Develop a plan to obtain any required consents
- Make sure your CEMs contain the content required by CASL
- Determine how CASL may affect your policies, processes, customer relationship management (CRM) and other IT systems, and staff training and awareness programs
- Revise your policies, processes and systems as required
- Keep an audit trail, since CASL contains a “due diligence” defense
13. What does CASL mean to our various officers and executives?
- CMO/marketing executives need to assess the impact of CASL on their digital marketing campaigns, especially those run through email and social media. They must also assess how to obtain consent from prospects to communicate with them.
- Chief legal counsel must review the Act’s requirements, changing regulations and commentary from industry associations, and monitor any regulatory guidance and interpretive guidelines released by the government.
- Risk officers need to assess the risks of CASL non-compliance on the business and work with compliance and business teams to mitigate these risks.
- Internal auditors must evaluate CASL compliance once it is in force, independent of the business.
14. When should we start our compliance process?
CASL involves significant work for most organizations—from reviewing the legal implications of the Act and identifying which resources across the enterprise are affected, to addressing any gaps in people, process, technology and governance. For large organizations with multiple business lines and channels, this could take months. To avoid scrambling to comply at the last minute, it makes sense to begin compliance activities now.
15. What do we need to understand to comply?
- The Act (CASL)
- The CRTC regulations
- Two sets of CRTC Interpretation Guidelines
- New Industry Canada regulations (issued December 4, 2013)
- The Industry Canada Regulatory Impact Analysis Statement (issued December 4, 2013)
- FAQs (expected to be released December 18, 2013)
16. What can Deloitte do to help us?
As you prepare to comply with CASL, Deloitte can help you:
- Examine your current consents, unsubscribe methods, electronic communication practices and cross-marketing initiatives with affiliates to identify compliance gaps
- Conduct marketing due diligence and market analysis to develop compliant customer experience and revenue growth strategies
- Ensure your mobile and digital marketing strategies, customer loyalty programs and ongoing marketing initiatives comply with CASL
- Develop an implementation plan that can be used by all stakeholders, including business unit employees, legal counsel, risk and compliance teams and your internal audit function
- Assess potential non-compliance risks and develop risk assessment and reporting frameworks to mitigate them
- Revise your policies, processes and IT systems as required
- Implement a staff training and awareness program to ensure ongoing compliance with CASL