8 Easy Steps To Comply with (Canada`s) New Anti-Spam Law
You don’t need to be a Canadian email marketer to take Canada’s new anti-spam law seriously. You don’t even have to have paying customers in Canada.
If you maintain an email marketing list with addresses that end in .ca — or if you send bulk private messages via Facebook or LinkedIn — or if you have text message/SMS campaigns running that include Canadian telephone numbers — or if you’re a nonprofit, charity or organization with Canadian members — then the new Canadian Anti-Spam Legislation (CASL) applies to you.
Don’t assume that you’re OK because you already comply with the terms of the European anti-spam laws or the U.S. CAN-SPAM Act. The CASL is more strict than the laws of any other country, and it covers more than just email marketing. Canada created dozens of documents, guides and even websites to help marketers understand CASL and get compliant by July 1, 2014, the date it went into effect.
But what about going forward? How will your company or clients stay in compliance?
Canada created a 17-point guide to help corporations develop good compliance programs. We have distilled these into 8 easy steps that any size business should take. (No, we’re not lawyers; this isn’t legal advice; you should read through the legislation yourself; and you should seek legal counsel.) Consider sharing this list with your executives, managers or clients.
1. Pick a point person.
Someone needs to be in charge. At large companies, this should be a member of senior management. At a small or medium-sized business, pick someone trustworthy and likely to be around for a long time. In both cases, that person is “responsible and accountable for compliance,” according to CASL documents. Since that person can get in trouble for noncompliance, it seems fair to make it part of the job description or title. That also demonstrates that your business cares about compliance.
2. Fix current violations.
If you’re not already complying with the law, you could get in trouble now. Canada has a range of enforcement tools from warnings to public denunciation to fines, which max out at $ 1 million for individuals and $ 10 million for businesses. So fix any problems ASAP!
The “fundamental underlying principle” is explicit, up-front consent, according to CASL guidelines. That’s different from the U.S. CAN-SPAM Act and most European anti-spam laws, which lean on an implied, opt-out consent type of system. You need to understand three things:
- What Canada considers a ‘commercial electronic message’ (CEM): Don’t play dumb here. Yes, marketing messages apply. But think more broadly. Are you trying to sell someone something? Are you trying to get them to participate in your business activity? Is your email tagline designed to move someone to commercial action? Consider that commercial communication.
- What Canada considers an ‘electronic address’: This law defines an electronic address as an email account, a telephone account (think SMS or text messages), an instant messaging account (think AIM or Yahoo Messenger) and any other similar account. Private Facebook messages and LinkedIn messages are methods of sending CEMs, too, and fall in that “similar account” territory. Public Facebook or Twitter posts, online advertisements, blog articles or faxes aren’t electronic addresses.
- What Canada requires to send a CEM to a Canadian electronic address: The CASL requires only three things — consent, identification information and a way for people to unsubscribe.
Of course, those three things cover a lot of territory. What constitutes consent, for example, is narrowly defined, and, remember, it’s required up front and has to be explicit. Here are more resources to educate yourself about the specifics of the law:
3. Assess your risks.
During the process of making fixes, you’ll probably find out exactly how things could go wrong in the future. Perhaps marketers who don’t specialize in email marketing tend to ignore “legal stuff.” Perhaps your designer or developer has been checking opt-in boxes by default for years, which is not OK under CASL. Perhaps your stakeholders or clients might ask you to do something that violates the law. This is called risk assessment. Do it. Think of every scenario you can.
4. Write a policy.
Explain the basics in writing — no fancy words needed. Create a standard procedure and workflow. Use visual examples if that’s helpful. Address the risky scenarios and what to do in those circumstances. Then make sure that every employee has easy access to your policy. Update it as the law changes or as new risky scenarios develop. CASL guidelines also suggest that your written policy:
- address related training that covers the policy and internal procedures;
- establish auditing and monitoring mechanisms to make sure you stay in compliance;
- establish procedures for dealing with third parties (for example, partners and subcontractors) to make sure they’re compliant;
- address keeping good records, especially ones related to consent; and
- make sure that employees have a way to give feedback
5. Keep thorough records.
The burden falls heavily on the sender of the CEM to prove that they have express consent. As the more formal-language CASL FAQs puts it, “The onus is on the person who claims that they have consent to prove that they have such consent.”
Onus is an understatement. Let’s say that a potential sales lead hands you a business card at a networking event. Can you send them a CEM? Sure, if the lead gave you specific permission. But if that lead’s express consent ever comes into question, the burden of proof is on you. An independent third party must verify their consent, or you must provide a complete and unedited audio recording of the consent. That’s how thorough and specific your records need to be!
You can’t send CEMs from your personal email account or call that sales lead a “personal relationship” as a way to avoid the consent rules. Consider everything that goes into determining a personal relationship:
CASL guidelines suggest that you keep hard paper copies of:
- your commercial electronic message policies and procedures;
- all unsubscribe requests and actions;
- all evidence of express consent (e.g. audio recordings or forms) by consumers who agree to be contacted via a commercial electronic message;
- commercial electronic message recipient consent logs;
- commercial electronic message scripts; and
- actioning unsubscribe requests for commercial electronic messages.
6. Train everyone.
Even people who aren’t explicitly in charge of your program can get in trouble, if they knowingly violate the law. It’s in your best interests to make sure your marketing team, executives and/or clients know what’s allowed and what isn’t. And as guidelines for the law point out, “for the training to be effective, links should be made between the business’s policies and procedures, and the situations that employees may face in their daily activities.”
Be sure to train employees about what to do if they witness someone else knowingly violate the CASL — some people might not want to be a “tattletale,” especially if the violator is a boss.
7. Check in regularly.
Every once in a while, check in on your program. Has the Have new people started at your company who need to know the law? Are there clarifications to your internal procedures that you need to make? Has your email service provider made any changes? Regularly reviewing your program protects you two ways. First, you’re making sure that you remain in compliance, which prevents you from getting into trouble. Second, if you do end up in trouble because of someone’s rogue actions or serious mistake, you can show that your intent was to follow the law.
8. Discipline offenders.
Complaints could come from two sources: people contacted by your CEM or your own team members. Listen to everyone carefully, and correct any problems that they identify promptly. Whatever form your discipline takes, be sure to enforce it quickly and consistently. Again, that protects you if you end up in trouble. You can defend yourself by showing that you took the law seriously.
Follow these eight steps, and you’ll be on the way toward sustained compliance with the new Canadian anti-spam law.