sherpa - casl handbook

Download Sherpa - CASL Handbook

Post on 28-Dec-2015




0 download

Embed Size (px)


Guidebook and best practices for ensuring your business is compliant with Canada's Anti-Spam Law.


  • marketing








    M L



    OVERVIEW Canadas Anti-Spam Law (CASL) comes into effect on July 1, 2014. The Canadian government has defined spam as any Commercial Electronic Message (CEM) sent without the express consent of the recipient(s).

    The Canadian government hopes to reduce unsolicited commercial messages in addition to threats such as spyware, phishing and malware.


    Unsolicited CEMs designed to encourage participation in a commercial activity. The following types of communications are considered CEMs that the government will be targeting:

    Emails Text Messages Instant Messages (IM) Messages sent through

    social networks

    The government has announced an independent non-government agency will act as a Spam Reporting Centre which will receive reports of spam and related threats and work alongside the Canadian-Radio-Television and Telecommunications Communications Commission, the Competition Bureau and the Office of the Privacy Commissioner to investigate and prosecute offences.

    Effective July 1, 2014 - CASL will require consumers to opt-in to a companys promotional campaigns by giving consent if they want to receive CEMs. Moving forward from that date, businesses will need to obtain express or implied consent from contacts to whom they wish to send electronic promotional material.

    Figure 1. CEM Figure 2. Non-CEM

    Dear John Doe,

    Sherpa Marketing would like to keep you updated with our service offerings. Please download our app to see offerings and prices.

    Thanks,Jane Doe

    Dear John Doe,

    It was great playing hockey with you last weekend. Are you available to grab lunch this week?

    Regards,Fred Smith

  • marketing


    Spyware - Spyware describes software that performs certain behaviors, generally without appropriately obtaining your consent first, such as:

    Advertising Collecting personal information Changing the configuration of

    your computer

    Spyware is often associated with software that displays advertisements (called adware) or software that tracks personal or sensitive information.

    Phishing - A term used to describe email messages, websites, and phone calls that are designed to steal money. Cybercriminals can do this by installing malicious software on your computer or stealing personal information off of your computer. Cybercriminals also use social engineering to convince you to install malicious software or hand over your personal information under false pretenses. They might email you, call you on the phone, or convince you to download something from of a website.

    Malware - Malware is short for malicious software. Malware is any kind of unwanted software that is installed without your consent. Viruses, worms, and Trojan horses are examples of malicious software that are often grouped together and referred to as malware.

    WHAT IS CONSENT?Your business can secure two types of consent:

    Express consent means that an individual has explicitly agreed (verbally, electronically or in writing) to receive CEMs from the sender. This is the ideal form of consent as it never expires (unless the recipient requests the sender to stop sending CEMs (E.g. by clicking the unsubscribe button in an email)), and it covers the sender legally. Examples:

    Verbal Agreements The specific verbal agreement may not be possible to document. In this case, ensure that you document other faxes, emails and written correspondence you may have had with the other party where they indicate a willingness to receive CEMs from you.

    Electronic Agreements Have a subscribe button with support wording like by clicking the subscribe button, you are agreeing to receive future electronic communications from us.

    Figure 3. Subscribe email





    M L



    Written Agreements Create a physical document to be filled out and signed by your customers and prospective clients. One of Sherpas clients keeps a logbook at point of sale that they ask clients to sign with their name and email address if they would like to receive promotional CEMs. The email addresses are then manually entered into their CRM system.

    All requests for consent must include the following information:

    i. The business name of the person seeking consent or such persons actual name (if a business name is not used); Example: Sherpa Marketing (business name) or John Doe (personal name) if business name is not used.

    ii. If the consent is sought on behalf of another person, the name of the person on whose behalf consent is

    sought (the persons business name or, if a business name is not used, the actual name); Example: John Doe wants to secure consent form Person A. Jane Doe will be the one contacting Person A for consent on behalf John Doe. Jane Doe must state John Does name and information in the inquiry as he is the one asking for consent.

    iii. If consent is sought on behalf of another person, a statement clarifying who is seeking consent and on whose behalf consent is sought; Example: This is Jane Doe seeking consent on behalf of John Doe.

    iv. With respect to the person seeking consent (or the person on whose behalf consent is sought), the mailing address, and either a telephone number (providing access to an agent or a voice messaging system), an e-mail address or a web address;

    WHAT IS CONSENT? Continued

  • marketing


    v. The purpose or purposes for which consent is sought; Example: Sherpa Marketing would like to send you the latest product and sales information.

    vi. A statement indicating that the person whose consent is sought can withdraw their consent. Example: An unsubscribe button at the end of an email.

    Implied Consent occurs when an individual has not yet provided express consent, however, based on the nature of your relationship with them, you are able to send the individual CEMs. Implied consent can be secured in the following scenarios:

    You have an existing business relationship with the recipient. An existing business

    relationship exists when the business and recipient have completed a business transaction within the past two years of receiving a specific email. A business transaction must be proven with an invoice, bid or quote on a specific project.

    InvoiceDate: 14/04/2014

    Invoice #: 6812

    University of ManitobaSupplier Services - Mario LebarRoom 412 Administration Bldg.Winnipeg, MB R3T 2N2

    P.O. Number: C40506

    Terms: Net 30

    Due Date: 14/05/2014Ship Via:


    Project Number: UM003sc - scope creep website redevelop

    Balance Due:


    We appreciate your business.

    GST Registration #: 867708935RT0001

    Interest Charged at 2.5% Per Month On Overdue Accounts.

    Description AmountTaxLearner type landing page link fixing 75.00GSTRedo art work for registration boxes 102.50GSTRedirect setup 50.00GSTAdd back code removed by UMEE staff (Feb 28) and setup page to avoid errorin the future


    Permalink setup 375.00GSTLegal Name: Martron Inc. O/A Sherpa Marketing

    GST@5.0% 45.13

    Total Tax 45.13



    Figure 4. Unsubscribe button

    Figure 5. Sample invoice





    M L



    You have non-business relationship with the recipient. Personal Relationship

    A personal friendship or association derived from participation in an organization or cause.

    Family Relationship

    The electronic messages are relevant to the recipients business, role, function or duties, and the electronic address has been conspicuously published or disclosed, without a statement that the person does not wish to receive CEMs.

    This essentially means that if an individuals email address is published on their website without stating that they do not wish to receive CEMs, you can contact them. With that being said, it is certainly not our recommendation to scrape email addresses off of websites to build your businesss database, as that is not in the spirit of the law.

    If your business operates through a third-party yet your company still sends electronic messages to the end user, you have implied consent. Example Company A is a

    distributor who sells goods to a retailor (Company B). Company A has obtained the emails of end-users buying its goods through Company B. Company A has implied consent to send CEMs to the end user.

    WHAT IS CONSENT? Continued

    Figure 6. Publically displayed email

  • marketing



    Immediate and unlimited ability to send CEMs if:

    You obtain express consent.

    Implied consent until July 2016 if:

    You complete a business transaction (that can be proved with an invoice, bid or quote)

    You have a personal or family relationship.

    Unlimited implied consent if:

    You have ongoing business dealings with a client. (i.e. you have an active business relationship that can be proved with invoices, bids or quotes)

    You have an ongoing personal or family relationship.

    Your business hasnt received notification from a third-party you conduct business with that the end user of your products does not wish to receive CEMs.

    Implied consent allowing you to send a single CEM if:

    You have received a