CASL: Are you prepared?


Post on 18-Oct-2014






Stage one of Canada’s new Anti-Spam Law came into effect on July 1, 2014, creating a new regulatory framework for any organization sending Commercial Electronic Messages (CEMs) to or from Canada. Designed to reduce spam, spyware/malware, email address harvesting and network rerouting, CASL contains some of the toughest measures of its kind in the world, with severe penalties for non-compliance including fines, criminal charges, civil charges and personal liability. It’s a complex framework with strict requirements for all CEMs, myriad rules on consent as well as numerous full and partial exemptions. Are you confident your organization is ready for CASL? Is your technology? What about proving compliance?


CASL: Are you prepared?

An overview of Canada's Anti-Spam Law

Spam statistics

90% of global email traffic is spam
Over one trillion spam emails sent globally per day
1 in 24 emails contains malware
1 in 445 emails are phishing emails
One Canadian FSI reported that it deletes around … spam emails per hour during peak email times
The same Canadian FSI deletes approximately 2 million spam messages in a typical day

So, what is CASL?

Canada's Anti-Spam Law (CASL) is a new regulation designed to reduce spam, spyware/malware, email address harvesting and network rerouting.

Which communications does CASL cover?

CASL applies to all commercial electronic messages (CEMs) in Canada.

These include:
Commercial emails
Text messages
Social media messages

What constitutes a CEM?

Simply put, for a piece of communication to be considered a CEM, it has to have two components:

It must be sent to or from an electronic address

Its content, hyperlinks or contact information must be designed to sell, promote or advertise a product or service

Which organizations does CASL impact?

CASL applies to any organization that sends commercial emails, text messages and social media messages from or to an electronic device in Canada.

These include:
Businesses
Non-profits
Trade associations
Schools, universities

CASL also applies to global organizations that send CEMs to Canada.

What are the timelines for CASL?

CASL will be rolled out in three stages:
July 1, 2014: All CEMs must meet CASL's anti-spam requirements
January 15, 2015: Consent is required to install spyware or software on another person's computer
July 1, 2017: Organizations that violate CASL can be sued for actual or statutory damages under a private right of action

Do penalties exist for non-compliance?

Penalties for non-compliance are severe and include:
Hefty fines
Criminal charges
Civil charges
Personal liability

CASL rules, simplified

CASL demands that all CEMs meet three basic requirements. These are:

Consent. The sender must have implied or express consent to send a CEM.

Identification. CEMs must identify the sender and include contact information.

Unsubscribe. Every CEM must include an option to unsubscribe or opt-out.

Unless exempt, all CEMs accessed on a computer system or electronic device must include all of the above.



Are there exemptions?

The list of exemptions is long and it's always best to read the fine print. There are both full and partial exemptions that exist under CASL.

The following pages detail summaries of both the full and partial exemptions that exist under CASL.

Full exemptions

Full exemptions fall into five categories:
Family or business relationships
Business inquiries
Legal
Closed loop or secure messaging
Designated groups

Family or business relationship exemptions

Full exemptions for:
CEMs exchanged between family and friends
CEMs exchanged within or between organizations, provided they have an existing relationship and the CEM concerns the activities of an organization

Business inquiry exemption

Full exemptions for:

CEMs providing a response to a request, inquiry or complaint (provided there is no upselling)

Legal exemptions

Full exemptions for:
CEMs sent to satisfy or enforce a legal obligation
CEMs sent to listed foreign countries, where it is reasonable to believe that the message will be opened in a listed foreign state

Closed loop or secure messaging exemptions

Full exemptions for:
CEMs sent from messaging platforms (e.g. BBM messenger, LinkedIn) where the required identification and unsubscribe mechanisms are clearly published on the user interface
CEMs sent and received within limited-access secure accounts (e.g. banking portals)

Designated group exemptions

Full exemptions for:
CEMs sent by or on behalf of a registered charity for the primary purpose of fundraising
CEMs sent by or on behalf of political parties seeking contributions

Partial exemptions

Partial exemptions can be classified in three parts including:
Customer-initiated interactions
Information about an existing business relationship
Third-party referrals

Customer-initiated interactions

Partial exemptions:

You do not need consent for a CEM that is sent to fulfil the request of a recipient, such as:
Providing a quote
Facilitating a commercial transaction
Delivering a product or service

For more information on the electronic commerce protection regulations and its exemptions, read our FAQ

Information about an existing business relationship

Partial exemptions:

CEMs can be sent if they provide information about an ongoing business relationship, such as:
Warranty, product recall or safety alerts
Factual information about the ongoing use of a product/service
Information about an existing employment

Third-party referrals

Partial exemptions:

A single CEM can be sent to a prospective customer without prior consent on the basis of a third-party referral (e.g. "refer a friend" or "suggest us" emails), so long as:
The referral is by a person who has an existing personal, business or family relationship with the sender and recipient
The message discloses the full name of the person who made the referral
The message clearly identifies the sender and person making the referral, and includes both contact information and an unsubscribe option

What is implied consent?

In certain situations, organizations don't require express consent to send a CEM; implied consent is enough. Consent is implied if:
There is an existing business or non-business relationship
The recipient is part of a published directory
The recipient has voluntarily disclosed their email address, such as by handing out a business card

In all situations, the CEM must be relevant to the recipient's business or role. If the recipient indicates that they do not want to receive electronic communication, consent is no longer implied.

Obtaining express consent

For all non-exempt CEMs, recipients must offer express consent by actively and positively indicating that they want to receive your CEMs. Recipients can express consent in a number of ways, including:
Checking a box to indicate consent in the form of opting in
Typing an email address into a field
Providing unbundled consent that is separate from the general terms and conditions of use or sale

Please note: while pre-checked consent boxes are no longer permitted as a form of consent, those that existed on email communications before July 1, 2014 will be grandfathered in.

Requesting consent

Just as CASL includes rules for sending CEMs, all outgoing requests for consent must include a few basic elements.

These are:
The name of the sender and the third party seeking consent (if different)
A physical mailing address
A telephone, email or web address
A statement indicating that consent may be


Preparing for CASL: Immediate steps

Designate a CASL working group to review your current CEM processes and identify compliance gaps.

Develop an implementation plan.

Reach out to contacts in your database in an effort to turn implied consent into express consent.




CASL compliance: Questions to note

How will you manage your unsubscribes if you share content lists?
How will you prospect if you rely on the B2B exemption?
Will you rely on a centralized unsubscribe model or federated model to build a CASL-compliant database?
Will you rely on the transitional period to convert all implied consent to express consent?

The technology perspective

Ensuring compliance with CASL both immediately and over time requires designing and implementing technology platforms that perform a variety of functions, including:
Managing and tracking opt-outs and consents
Recording subscribe and unsubscribe histories
Producing reports

All of the above information is needed for you to illustrate your due diligence.

Customizing technology

Your company's platform will need to take your specific situation into account. For example, simply building an unsubscribe mechanism requires consideration of factors such as:
Should the process be manual?
Will you keep a federated unsubscribe database or a web page that allows unsubscribes from certain services?

After July 1

While CASL's Anti-Spam provisions take effect on July 1, here are a few helpful tips to keep in mind after the deadline:

There is a grace period. Businesses that have existing relationships benefit from a three-year grace period to verify and confirm implied consents.

You can no longer send an email to ask for consent. After July 1, senders can only offer check boxes to acquire a recipient's express consent.

Proving compliance

You must keep strong records of all consents and unsubscribes so that they are:
Documented
Amalgamated
Stored

Remember, if you're sending CEMs, the proo