CASL is now in Effect! Are you Compliant?
Inbox Marketer
Today’s Agenda
• CASL Overview & Timing
• Key terms defined: EBR, CEM, Implied, Express
• Identification & Unsubscribe Requirements
• B2B Exemptions
• Next Steps & Recommendations
Disclaimer: We are not lawyers; this is not legal advice.
What is CASL?
Canada’s Anti-Spam Legislation
Intended to deter the most damaging and deceptive forms of Spam:
• Spamming
• Fraud
• Hacking
• Harvesting
• Malware
• Privacy Invasions
Important Dates
• Dec. 2010: CASL Passed
• March 2012: CRTC Regs Finalized
• Dec. 2013: Industry Canada Regs Finalized
• July 1, 2014: Provisions in force
• Jan. 15, 2015: Computer program provisions in force
• July 1, 2017: Private Right of Action in force
What is a CEM?
A Commercial Electronic Message that encourages participation in a commercial activity
CASL provisions apply to all Commercial Electronic Messages sent to or from Canada.
Commercial Electronic Messages
Electronic Messages
• Email
• Text / instant messages
• Social Media
Commercial Activity
• Offers to sell/lease of product/service
• Offers Investment/business opportunity
• Promotes individual
• Requests for Consent
What is an EBR?
Existing Business Relationship
An existing business relationship is defined as a business relationship that involves or arises from:
• the purchase, lease or bartering of product, goods or service within last 2 years
• a written contract within the last 2 years
• an inquiry of a recipient within 6 months immediately preceding the date the Commercial Electronic Message was sent
There are 3 Primary Rules
1. Consent
• Do you have Express or Implied consent?
2. Identification
• Messages must identify sender(s) & provide contact information
3. Unsubscribe
• Must be clear & prominent, able to be readily performed and accomplished at no cost to the customer
What is Implied Consent?
Implied Consent – the sender & recipient have an existing business (or non business) relationship
Implied Consent is where the recipient has supplied/published a work-related email address and has not included a statement indicating that they do not wish to be contacted via email
Implied Consent is where the recipient has willingly disclosed their email address i.e. business card
What is Express Consent?
Express Consent – recipients give a positive or explicit indication of consent to receive CEMs
Under PIPEDA, pre-checked boxes are considered Express when the knowledge & consent of the individual is given
They may check a box or type/write in their email address
Consents cannot be bundled
“A request for consent cannot be bundled with, requests for consent to the general terms and conditions of use or sale.”
A user must be able to consent to the general terms of sale while being able to refuse consent to receiving CEMs
Will Express consents under PIPEDA be grandfathered as express consents under CASL?
If you obtained valid express consent prior to CASL coming into force, you will be able to rely on that express consent (as long as you can prove having obtained valid express consent)
A Big Win for Digital Marketers
Does your organization have Implied records in its database?
… you will have 3 years to upgrade (July 2017)
Transitional provision for Existing Email Contacts – If you have (or had) an existing business or non-business relationship that already includes communication by commercial electronic message, you will have 3 years to upgrade Implied consents to Express
Begin thinking about how your database will need to be configured to keep track of when customers upgraded
For all existing implied records…
Does your organization actually have to upgrade their Implied consents to Express?
The next question is an interesting one…
After CASL Comes into Force
… YOU CAN RELY ON IMPLIED CONSENT UNDER 3 SCENARIOS
1. Existing business relationship arising from an inquiry, if no further action is taken, you have 6 months to continue to send and upgrade them to Express before you lose them
2. Existing business relationship arising from a purchase, lease, contract, barter (see section 10 for full definition of EBR) then organizations will have 2 years from time of EBR to continue to send & upgrade them to Express before you lose them
After CASL Comes into Force
… YOU CAN RELY ON IMPLIED CONSENT IF
Existing business relationship arising from a purchase that involves an ongoing use or ongoing purchase under a subscription, company will have 2 years from when the relationship terminates to continue to send & upgrade them to Express
A Best Practice to Consider
Do not turn on and/or refresh the email permission every time a member transacts with you if they have unsubscribed.
It is allowed under a strict reading of the legislation
Not an ideal customer experience and therefore not recommended
If you do choose to upgrade to express
• Upgrade message(s) should identify value proposition of your email program; give recipients a compelling reason to confirm their express consent.
Be very clear on what they will be agreeing to receive
• If database is large enough, test different offers.
• Encourage customers to visit a preference center to update their email preferences.
Our recommendation is to consider the value of an Upgrade campaign now vs. 2 years from now.
Industry Example of Upgrade Campaign
How to collect Express Consent under CASL
Requirements for Collecting Express Consent
Ensure clarity of language & branding so that customers are well informed as to what they are agreeing to receive and the purpose(s) for which their consent is being sought.
Yes, I would like to receive emails from CompanyABC with the latest information on your products, services and special offers
Requirements for Express Consent
Pre-checked boxes will not be allowed
Your Subscribe Page/Form must include:
• company postal address & either phone number OR web address OR email address
• link to Privacy Policy
• a statement indicating that recipient can unsubscribe at any time
Fully CASL Compliant Example
Confirmation email is recommended
A confirmation (or welcome) email should be sent after sign-up. Recommendation: Send immediately or within 24 hours
Asking recipients to confirm their opt-in is considered “double opt-in” and is the Gold Standard!
Welcome message(s) help to manage expectations and add clarity to what subscribers will receive as part of the email program
Rule 2: Identification Requirements
Messages must identify sender & provide contact information for the sender and if different, the person on whose behalf it is sent
The mailing address & either a phone number OR email OR web address must be present on the CEM
Also required:
A link to your privacy policy
A link to your unsubscribe page
Messages must not have false or misleading headers, subject lines or content
Rule 3: Unsubscribe Requirements
Must be clear & prominent and accomplished at no cost to the customer
Must be able to be readily performed (should be simple, quick and easy for the consumer to use)
Cannot require a login
Requests must be flagged without delay or no later than 10 business days
Unsubscribe mechanism must remain functional for 60 days post deployment
Unsubscribe Requirements
An unsubscribe link must be present on all transactional emails
A recipient can unsubscribe from receiving transactional emails however if you do not include any marketing/promotional/commercial info, you may continue sending factual information about their account and/or purchases
How is Social Media affected by CASL?
Social Media under CASL
CASL covers all CEMs including social media messaging.
The Good:
- Posting your commercial content to your brand's social media accounts is OK
- Twitter, Facebook pages, blogs, etc…
The Bad:
- Sending a DM if it’s a CEM is captured by CASL
- Sending an @ mention message may be non-compliant
Social Media under CASL
Recommended Social Media policies for CASL Compliance:
1. Official accounts: list these on your website and in the profiles of each account
2. Training of staff using these accounts and rules for posting
3. Maintain a policy around use of personal social media accounts vs. corporate or client accounts
4. Know the differences between what a reply is vs. Commercial messages
5. Use a commercial social media management account
For B2B Organizations, there are some exemptions to know about
There are some B2B Exemptions
Feedback:
Stakeholders argued that the legislation will prohibit regular business practices that are not among the malicious activities the Act was intended to capture.
These would include sending banking e-statements, warranty & recall messages, messages sent within or between firms with a current business relationship, etc.
B2B Exemptions
… Section 6 of the Act does not apply to a commercial electronic message
that is sent in response to a business request, inquiry, complaint or is otherwise solicited by the person to whom the message is sent
that is sent to satisfy a legal or juridical obligation
that is sent within a business or sent between businesses that are already in a business relationship where the messages are sent by an employee, rep, contractor or franchisee and are relevant to the business, role or function of the recipients
Also, Express Consent is Not Required if…
The CEM delivers a product or service (including updates) that the recipient is entitled to receive under the terms of a transaction
Third party referrals – only the 1st email can be sent without consent & you must identify the person’s first and last name who has provided the referral
Next Steps & Recommendations
Create a CASL Compliant Database
Streamline your email programs
• Align the data teams
• Having multiple teams increases your risk of not being compliant
• Create a centralized communications database and/or a centralized preference center
• Create a centralized unsubscribe policy & database
If companies don’t have the means to consolidate all their data across the different lines of business, at minimum, a central unsubscribe database is recommended.
Companies need to be able to prove compliance if ever challenged
Proper Documentation Required
The burden of proof is on the sender
Recommended data capture fields
• Level of Consent (Express vs. Implied)
• Date & time of the opt-in (for express)
• Date & time of the Existing Business Relationship (for implied)
• Source i.e. POS, web page, events, co-registration, list rental
• Why was email address collected? Newsletter? Promotions?
• IP address (nice to have, not a requirement)
Capture what the subscribe form looks like – archive pages as they get updated
Also consider implementing a “stop send” mechanism to track when implied consents expire and need to be suppressed
Data Best Practice: suppress records, don’t delete
Identify all of your input sources:
• Point of Sale
• Call Center
• Web Forms
• Social Channels
• Offline Contests
• Events
• Third parties
• Other?
What level of permission are you collecting (Express or Implied) at each source?
If Express, ensure all prescribed information is present
Identify all of your output sources:
• Email Service Provider
• Mobile Marketing Provider
• Web pages/triggers
• Ecommerce solutions
• Corporate emails
• Social Networks
• Other?
Data management will be key to compliance
Review existing data and group consents:
• Explicit *
• Implied
• Third party
• Unknown
• None
Who needs to be involved?
Build a multidisciplinary SWAT team with a checklist for each department
1. Privacy/Compliance
2. Legal
3. Marketing
4. Database Analytics team
5. Deployment team
6. Agents
7. Brand Managers
8. Sales team
9. Vendors & Partners
Additional Recommendations
1. Contact your legal counsel. Get their input and sign-off as well as your Privacy Officer
2. Educate all employees on the appropriate use of email addresses
3. Create a training program for all employees on what it means to be CASL compliant
4. Create a CASL compliance scorecard or checklist
5. Create a due diligence process & document it
6. Update all forms & processes that document consent
Other things you should know…
• A Spam Reporting Center will be set-up and managed by the CRTC
• Consumers & businesses will be able to report emails being sent without consent and emails with false or misleading content
• Heavy fines for non-compliance
- $10 million per violation for a corporation
- $1 million per violation for individuals
Permission was a best practice with PIPEDA, soon it will be the law!
Need help becoming CASL compliant?
• Inbox Marketer offers turnkey email marketing solutions that are fully CASL compliant.
• Digital Strategy & Email Best Practices
• Email Design & HTML Development
• Database Management & List Processing
• Campaign Management & Email Deployment
• Detailed Reporting & Analytics
Call us at 519-824-6664 to hear how we can take your email program to the next level!