By Adrienne Rutherford, Barrister and Solicitor

Stop living with the stress of CASL—it is easier to be in compliance than you think.

What is CASL?

In July 2014 CASL was enacted to reduce the sending of commercial electronic messages without consent. Electronic messages can be email or text (or forms of social media), which means CASL doesn’t affect communication by mail or telephone. CASL also requires consent for downloading software—e.g. software updates for app users.

While there are several exemptions within the Act, resulting in confusion regarding the application in some circumstances, for most businesses it is sufficient to know that most emails and texts would be governed by CASL, so must include the proscribed information about the sender, provide a readily available unsubscribe mechanism and must be sent with the provable consent of the recipient.

Why is compliance low?

CASL has become a familiar word in business because the consequences of non-compliance are significant and everyone can relate to receiving email, text or even software that they don’t want. The CRTC receives thousands of complaints every week and several organizations have faced heavy fines or settlements. Yet statistics show businesses are slow to bring themselves into compliance.

This is partly because the obligations are new ones without built-in business budgets. It’s also because the legislation seems complicated and full of pitfalls. It is often because there is insufficient education on what to do. Too often, it is because of push back from those concerned about thinning the list of contacts the business has acquired.

Does compliance harm business?

CASL compliance has been shown to improve the quality of the lists of contacts for a business because it is forces the removal of those who are not receptive to communications from you. In fact, with the right lists and good engagement practices, many publishers are finding email and text as a renewed cost-effective resource for building business.

What is the risk of non-compliance?

Due to heightened consumer awareness and the ease of lodging a complaint under CASL, the risk of being reported is real. While most of the focus of risk is on the millions of dollars of potential fines and the direct criminal and monetary exposure of individuals who directed the communications, the cost and inconvenience of an investigation alone should be sufficient risk to motivate compliance. As consumer demand grows in the area of privacy, the risk to reputation has become a bigger driver in promoting compliance.

Is compliance difficult?

Certainly large businesses with decentralized collection, storage and use practices face a lot of heavy lifting to bring themselves into compliance. But for most businesses, a little focused effort can greatly reduce the risk under CASL and a little education on CASL (and Privacy in general) can ensure that practices and systems are developed in compliance.

Can third parties be compliance solutions?

Many businesses use third parties for email. Some of these take the CASL obligations very seriously with audited/certified practices and therefore present a good way to manage your CASL risk. Yet some are less knowledgeable or careful about CASL, which presents a risk that they will often transfer to you through the service agreement. A careful review of vendors and of the legal terms is needed to outsource your CASL compliance. Remember that CASL makes the sender responsible for compliance, so using third-party lists doesn’t alleviate your responsibility. Even when relying on a third party, you will still need some internal education and practices to ensure newly acquired contacts are brought in with the appropriate consent.

What are the basics of compliance?

CASL compliance mandates three things: (1) that you have consent to send messages by email or text or to update software, (2) that you always are clear about who is sending the message with the proscribed information and (3) that you provide an easy way to unsubscribe.

CASL doesn’t apply: CASL does not apply to electronic messages sent within an organization or between organizations in a relationship, where the message concerns the recipient. Of course, CASL doesn’t affect emails or texts by people in your organization that have a “family” or “personal” relationship with the recipient.

CASL consent exemptions: With many of your business communications, CASL applies to mandate sender information and unsubscribes, but consent is not required. This could allow you to send email or text without express consent if it is in furtherance of an existing transaction, including warranty, product recall, safety information, delivery of products, updates, or upgrades that the recipient is entitled to receive.

Implied consent: In other business communications, CASL applies to mandate sender information and unsubscribes, but consent is implied because the recipient and sender have an “existing relationship.” But be careful to keep track of communication sent under this category because your “implied consent” expires two years after a product is purchased or a membership/subscription has expired. CASL also allows you to rely upon implied consent for emails sent to recipients who have conspicuously published or provided his or her email address but, again, be careful because it is only valid as long as the email is still conspicuously published without restriction. Cull your lists or convert these recipients to express consent, which never expires.

What is consent under CASL?

While there may be circumstances in which you wish to rely upon an exemption to consent or implied consent, the most reliable approach to CASL compliance is to ensure you have proof of express consent, which does not expire unless it is removed by the recipient.
Express consent requires that at the point of collection you advise:

1. of the purpose of requesting consent (let them know you will use it to send them offers or updates; let them know whether the email would be shared with anyone else);
2. of the name of the entity requesting consent (e.g. be clear if it is on behalf of the parent organization);
3. of a mailing address plus phone number, email, or web address; and
4. that consent can be withdrawn.

Also be sure to make it an affirmative opt-in mechanism, which means checking a box or having to input an email address to sign up for these communications. Be careful with a process that has the email already provided (for sign in or other purpose) and just a notice that it will be used for communications. This would likely not constitute express consent, forcing you to rely upon an exemption or implied consent that may not be available in the circumstances.

The onus is on your to prove consent if it is contested by a recipient or you are investigated, so be sure to keep accurate, updated records of the consent you are relying on for each email or text that you send.

Do a CASL compliance test:

1. Does your business send email or texts to customers?
2. Does your business update software—e.g. through an app?
3. Do your emails or texts include an unsubscribe option that can remove someone from your list within 10 days (and do you regularly test it)?
4. Do your emails or texts include the proscribed information about the sender?
5. Do you have express consent, implied consent or an exemption to consent that you can rely upon?
6. Do you have a fair allocation of risk with your vendors that are relevant to your CASL obligations, whether it services for your email, IT services, storage, list sharing, customer service, etc.?
7. Do you have senior management involvement, a written policy, risk assessments, record keeping, staff training and a complaint-handling process?

If you have questions about this fact sheet or wish to review some of the concepts as it applies to your business, you can contact me at adriennerutherford@me.com.

Magazines Canada Hotsheets deliver current information on a single topic, each written by an expert in the field. Return to Magazines Canada Hotsheets.