Canada Anti Spam Law (CASL) Compliance – What you need to know

There are extensive processes required in order to manage the requirements of the Canada Anti Spam Law effectively.

The basics of CASL compliance include the following elements:

• Collecting email addresses based upon the legal rules
• Managing the consent types properly; both implied and express consent based upon the CASL rules
• Sending out Commercial Electronic Messages (CEMs) according to the CASL rules
• Process unsubscribes based upon the CASL rules
• Have the ability to prove that you are following all of the above rules properly with an Audit trail.

Each one of these areas requires a good understanding of the Canadian Anti-Spam Lam to ensure that the rules are followed and that your company email processes are compliant.

Companies are required to capture and store the original source and date of an email address whether it is from a web form, inbound call, contest entry or any other different source.

Updates to the source of an email contact can and should be tracked as well if the consent expiry dates change. As an example, if an existing email address with an implied consent calls into a company and makes a purchase for a product or service and their email address is verified, the company can update the expiry date of implied consent for another 24 months if they track and can report on this transaction properly.

Depending upon the source, date and method of when an email is/was collected a different form of consent is assigned to the email contact and whether or not the email address has a consent expiry date. All existing email addresses collected in a company’s email database prior to the introduction of the CASL law on July 1st, 2017 have a 36-month expiry date unless express consent has been properly captured on an email prior or after that date. Another example is an email address captured on a call after July 1st, 2014. Unless the call was recorded and could be accessed for audit purposes or if company has a process to automatically follow up to collect express consent after this call the email contact would have an ‘inquiry’ expiry date of 6 months from the date of collection.

The bottom line is that your CASL compliant processes must take into consideration all of the different ways your organization collects, manages and uses email addresses.

Having detailed information on the source of your email contacts and where consent was captured is critical in demonstrating CASL compliance. The lack of proving CASL compliant consent collection was a factor in a major Canadian airline having to pay a significant settlement to the government. By capturing and storing a screenshot of your current or previous online registration forms where email and consent was originally captured or updated you can clearly show that your company has captured consent properly instead of leaving any doubt if your business is audited.

Should your business ever receive to an audit request to prove CASL compliance it is best to be prepared then to have to scramble resources and data together at the last minute. The basics of CASL audit reporting would include counts on implied vs. express consent but more detailed information will likely be required. Consider including consent by source, breaking down the implied consents by expiry dates and whether they are inquiry based (6-month expiry) or regular implied. (24-month expiry) Comprehensive summary reporting with the ability to drill down to individual records as well as review all CASL compliant processes is ideal to clearly demonstrate your company is following all CASL rules. Also, it is wise to have reporting and understanding of contacts expiring over time so that you know what impact it will have on your marketing campaigns/programs and overall email strategy.

When the Canadian Anti-spam law was just coming into effect in July of 2014 many companies executed mass consent collection campaigns that provided little value to recipients and were largely ignored with very low response rates. Since that time many businesses have forgotten or ignored the importance to set up and try and convert their email contacts to express consent. This could mean the loss of many emails that they paid to acquire over years of marketing. It obviously does not make sense for companies to continue to sent email messages to individuals that do not look at or respond but if and when a customer does re-engage with a company it would be wise to take the opportunity and ask for an updated consent status. Also, recent product or service purchases of existing implied email contacts automatically renew consent for another 24-month period and this type of data process should help to curtail the loss of expiring consents. Lastly, there is an undeniable risk for companies that manage their CASL compliance processes manually through human error and employee turnover that some companies fail to recognize. By implementing automated CASL compliance data management processes with your business systems, CRM and marketing applications this risk can be completely mitigated.

The ability to update and report on CASL compliance information on individual customer records as well as large lists or tables of email contacts should be straight forward and provide the most flexibility for organizations that manage consent capture through multiple channels. Whether you are updating an email contact through a customer call, in-person meeting or online the email contact and permission data should display and update information properly and in a timely manner. Disparate systems, application and data processes tend to make this difficult to manage in many medium to large businesses but if set up properly Canadian Anti-Spam Law compliance management headaches go away and are worry-free.

Keeping up to date consent status is a crucial part of CASL compliance management. The onus for small businesses to manage their CASL compliance is significant but less complicated then medium to large business that manage multiple departments and brands where email lists and databases are independent of each other. The business with multiple brands could receive an unsubscribe request from an individual for one brand that another brand or division should update within their lists or email database. This problem should be addressed with a centralized permission and consent database that is referenced and linked to whereby and individual has the option to unsubscribed from one or more brand communications or globally unsubscribe from all emails from the company. In addition, this up-to-date consent database should be referenced and used as a filter for all outbound communications to ensure that individuals are excluded from communications if they recently changed their communication preference, consent or if their consent status has expired.

It is a myth that the Canadian Anti-Spam Law only applies to companies that send mass email messages to large lists of individuals. The fact is that CASL applies to all company Commercial Electronic Messages or also known as CEMs. That being said CASL compliance is also required for one to one messages sent from company Sales representatives or even Customer Service Representatives and other business roles sending CEMs. Sales people tend to manage their own contact lists and it is common for them to not capture the source and/or date of when they added them to prospect files. Whiles sales management software is becoming more common to manage leads through a cycle of activity the email clients that they use tend to be independent desktop applications such as MS Outlook. This issue is easier to manage with lower risk in very small companies however larger organizations with multiple departments, locations and hundreds or sometimes thousands of employees need to ensure that email permission and consent data is managed consistently and is checked before any CEM is delivered to an individual. This can be a monumental effort for some businesses to tackle internally given other business priorities but there are applications solutions available that can alleviate complex proprietary development projects through straight forward integrations and data processes that can align marketing email CASL consent management with one-to-one CEM messages from across a business.

Having one centralized preference center to manage not only individual content interests but more importantly permission is vital for any business to be CASL compliant. Setting up and creating this is relatively straight forward but definitely more complex in larger companies that have previously managed their email marketing and commercial electronic messages (CEMs) independently across different brands, divisions or departments. In addition to having a Global preference/permission management center all CEMs sent must contain an unsubscribe link that references it. A company address is also required on all outbound CEMs. Some companies have taken a manual approach to asking their employees to add this into their email client signatures but a more effective approach is into insert this link and information automatically into all messages that are delivered from a company’s email servers. This reduces the risk of any employees not following company policy for adding the unsubscribe link on their own.

With the introduction of the Canadian Anti-Spam Legislation on July 1st, 2014 businesses were given a 36-month timeframe to convert all of their implied email contacts to express consent. Many companies have conducted email campaigns specifically to obtain express consent with very low results. The reality is that individuals do not provide consent with out reason or perceived value. Email relationships with customers or individuals are fickle and mostly influenced by timing and relevancy. Businesses need to realize the ideal timing to capture or re-capture consent is when they are still top of mind or relevant to an individual. It is for this reason that the CASL rules stipulate a business can renew the implied consent status for individuals that have completed a purchase of a product or service. Some companies may understand this but many companies have not created processes to update their email databases due to a number of reasons. This should really be a priority as it is one the most effective means to ensure that a company email database is up-to-date with implied consent expiry dates and it ensures that you are maintaining proper consent status with your most important contacts; your customers.

Though it is not really effective to obtain express consent status from an individual on a database through a one-off marketing campaign it is still advisable to identify and execute a number of programs through different channels to convert your existing implied email consents to express consent. For example, if a recent email sent to an individual has generated some interest in content or a product on business website some applications make it possible to recognize and populate an instant request to capture consent from the individual in the moment. Another opportunity may exist through a call center interaction whereby a confirmation or transactional message could also include link to collect express consent from an individual. Timing and relevancy is important as is the number of tactics that a company executes across multiple channels to ensure that a comprehensive strategy leads to a healthy and CASL compliant email database.