There are three components requiring attention in order to meet CASL compliance.
They are:
- the commercial electronic message (email/text/software)
- contact information collection methods
- contact list maintenance
Please note: LinkedIn and Facebook messages are included, because with notifications they can land in the email inbox.
Remember, you are only permitted to send Commercial Electronic Messages (CEMs) to recipients who have already consented to receive them, and each CEM must contain specific information.
CASL Compliant Commercial Email Message
Each email must:
- Clearly identify the sender, including the organization
- Include a telephone number, email address, or website address (and they must be valid for 60 days after the email is sent)
- Include the mailing address of the sender
- Include a clear opt-out mechanism; opt-outs must be processed within 10 days
Email List Building
The sender must have consent.
There are two types of consent: implied and express. Both types require proof of consent. Explicit consent is absolute proof. Implied consent is harder to prove and keep track of.
Express Consent:
Use an HTML email platform, such as Mailchimp, Constant Contact, etc. to send emails and manage lists. They offer a double opt-in method that provides a great way to track explicit consent email recipients. Here is a great explanation outlining how double opt-in works, and why it’s best for your marketing efforts too.
Have your leads/clients sign themselves up by directing them to your website or Facebook page (where you have installed an email collection widget). Full Serve Web clients all have the Mailchimp double opt-in email collection organized on their website and/or Facebook Page. If you would like to have the Mailchimp email collection widget installed on your website or Facebook Page, please let us know!
If you have a location or are attending events, use a tablet to have your leads sign up themselves, again by having them enter their email address on your website. You can also use the paper method.
You will need to be able to provide proof that they have opted in with the above requirements. Keep a record of oral and paper opt-ins. HTML email platforms, such as the ones mentioned above, keep records of opt-ins on the CSV files. Export your list regularly and file it in a folder named “CASL Compliance”, along with all your other CASL documents (as suggested below).
Implied Consent:
Implied consent is much more difficult to manage because it is time-sensitive:
- For people from whom you get implied consent after July 1, 2014, you have 2 years to send them relevant CEMs, counted from the last time you had a business interaction.
- You need to be able to prove the relationship meets the implied criteria.
- You need to keep track of when the implied relationship expires.
- You will need to keep these people on a separate list in your HTML email program.
We strongly recommend using a centralized Customer Relationship Management (CRM) system to track Implied Consent and that your primary email list building focus is on obtaining Express Consent.
If you are using or considering using a CRM system, find one that is integrated with the HTML email platform you are using.
Take a Good Look at your current List:
- Create 1 newsletter list and tag your “Implied Consent” contacts.
- The rest of the contacts in that list will be “Express Consent”
Keep track of your consent lists:
- Mailchimp and the like will keep track of your opt-ins and opt-outs for you. This takes care of your express consent list. If you are considering changing platforms, please make sure you export and import all that data. If you are not using a CRM system, you will need to find a way to track your implied consent group. Remember to export this list regularly and store it in your “CASL Compliance” folder.
- Do not delete your opt-outs; “unsubscribe” them instead. This is important information to keep track of.
Compliance Documents Outlining Procedure: A Due Diligence Defence
The best way to organize for this legislation is to outline your compliance procedure and disseminate the information to your team at a staff meeting. Under the legislation, the CRTC will be able to investigate and hand out fines up to 1 million dollars per recipient, up to 10 million dollars per instance. The perpetrator is liable in addition to the company directors. Compliance documents are the directors’ first defence.
The procedures must include:
- Requesting, maintaining, and utilizing consent
- Tracking implied consents
- Acting on the “unsubscribe” requests
- Include CASL compliance and indemnification clauses in third-party contracts.
- It is important that a training program is developed and deployed; track your team’s training
- Include training in new-hire onboarding
- Consider CASL insurance
- Have Compliance documents reviewed by legal counsel
According to the CRTC (the regulating body), you can send out an email to your Implied Consent list asking for Express Consent.
Final note:
CEMs are only one part of CASL. CASL regulators also control the following areas:
- Installation of computer programs without consent
- Unauthorized collection of personal information online
- Email address harvesting
- Misleading marketing and advertising in any electronic format.
How Full Serve Web can help:
- Design comprehensive compliance and systems audits – current and planned
- Advice on developing and implementing CASL compliance
- Drafting and review of compliance policies, processes, and documentation
- Computer systems and process design
- Drafting and review of third-party contracts
- Compliance training
- Legal counsel referral for representation before regulators and courts