Canada's Anti-Spam Law (CASL) Is Now a Reality
After nearly ten years in planning, Canada’s long awaited email privacy law will finally come into effect next year. DMA member and digital privacy expert Dennis Dayman, CIPP-US, CIPP-IT, and Chief Privacy Officer at Oracle/Eloqua gives DMA members the scoop. Dennis is also Chair of the DMA Email Experience Council Advocacy Subcommittee and a member of the DMA Ethics Committee.
On Thursday November 28th 2013, the Treasury Board of Canada President (and champion of CASL) Tony Clement approved Industry Canada regulations in their final form. Today, December 4, 2013, the Minister of Industry the Right Honourable James Moore announced CASL will come into force on July 1, 2014. That’s right folks, six (6) month from now.
After almost ten (10) years of work, Canada has finally put into place an anti-spam law which continues their long-standing Canadian tradition of having opt-in consent. Most online marketers doing business in Canada today are already familiar with their “Personal Information Protection and Electronic Documents Act” (PIPEDA) which is their privacy regulations that require opt-in for processing of PII, but now is enforceable specific to the use of digital channels like email and SMS.
The law imposes onerous opt-in and other responsibilities on marketers doing business online in Canada. It covers items such as the sending of Commercial Electronic Messages (CEM), prohibition of installing computer programs without consent, and sending messages with false or misleading information in the content or header. You can read more about their specifics here at the Oracle | Eloqua site Topliners.
Please note though that CASL is not restricted to residents or companies in Canada, it applies to all marketers sending email To: and From: Canada. The CRTC will work with the Federal Trade Commission (FTC) in the US, and other regulatory commissions to enforce this new law.
Under the new law, a definitive set of requirements and enforcement actions are laid out and penalties for violation of the law can be severe. Unlike CAN SPAM, which covers only email, CASL covers CEM, which is defined as any commercial “message sent by any means of telecommunication, including a text, sound, voice or image message.” Effectively, this includes:
- CASL requires express consent. This means NO pre-checked boxes.
- Again, CASL is not just an email law.
- It covers installation of computer programs without the end user’s consent
- It covers any Commercial Electronic Message (CEM). A CEM is defined as any electronic message that encourages participation in a commercial activity. Simply including a link to your website in an otherwise non-commercial message could potentially cause it to be covered by the law. A CEM could for example be:
- Instant message
- Some social media messages.
- It covers any CEM sent TO or FROM Canada. The CRTC will work with international regulatory bodies such as the FTC to ensure compliance by parties based outside of Canada’s borders. Note that there is a provision for instances where a recipient is travelling to Canada and the sender would not reasonably be expected to know that recipient was in Canada at the time of transmission.
- Prescribed information is to be included in every CEM as well as any request for consent. Requests for consent are also covered by the law, which means that they cannot be sent without first obtaining express consent.
- Existing contacts cannot be ‘grandfathered’ in most cases and will therefore require marketers to gain affirmative consent from their Canadian contacts before the law comes into force.
- Fines are steep, up to 10 million dollars per violation and private rights of action are permitted.
Businesses will need to scrub their lists and remove any covered address for which there is no affirmative opt-in to receive email and other CEM. It is expected that many email lists will be significantly reduced in size as a result. Privacy Policies and form collection on websites should be updated to ensure proper consent. In the case of forms, this includes moving from an opt-out (pre-checked) to an opt-in (not pre-checked) methodology.