What is CASL?


Canada’s Anti-Spam Law (CASL) regulates digital marketers and data collection in connection with commercial activities in order to protect consumer privacy rights in Canada. It was designed as one of the most stringent anti-spam laws in the history of federal internet regulation, which makes CASL’s application particularly bothersome for businesses caught participating in bad practices.

Accessibility and data privacy policies that concern public safety need to be taken into consideration before deploying digital assets that do not meet the compliance requirements for CASL consent.

CASL Consent

When sending Commercial Electronic Messages (CEMs) to members of a newsletter or mailing list, professional corporations must meet strict compliance requirements. Most importantly, any commercial activity (such as an email that contains a coupon or promotional offer) requires consent from all recipients to meet CASL requirements. Consent may be oral or written, and the request must include the name of the person or organization requesting user consent, a valid physical mailing address, phone number, email, website, and automated message systems where users can reach an agent or business representative.

Core Components of CASL Compliant Messages

  • The ability to opt out, unsubscribe or request that an organization cease any future communications
  • Provide identity, contact details, phone number, mailing address, email, and process to contact an agent of the organization requesting user consent
    • This includes any third-party partners
    • The information must be up to date and reliable
    • Exemptions can be made (such as communications with existing relationships, complaints, inquiries, or legal obligations)

CASL Updated Exemptions

  • CEMs used by political parties seeking contributions
  • Limited-access, confidential secure portals (i.e., banking confirmation)
  • Registered Non-Profits using CEMs for the primary purpose of charity fundraising
  • Instant Message, Social Media, SaaS platforms that use SMS, and e-mail communications with clear EULA that outline the terms of use

Obtaining Consent for CASL Compliance

  • Determine whether your organization needs to worry about CASL, and whether any of its communications meet the threshold of Commercial Electronic Messages (CEMs)
  • Public Facebook or Twitter accounts do not apply unless there are private messages being communicated between the organization and the individual

It’s important to understand that the legislation does not protect against unsolicited telecommunications such as live voice or automated telemarketing calls, as they fall under a different act. The Canadian Radio-television and Telecommunications Commission (CRTC) provides an interpretation of CASL in regards to general information.

CASL includes several accompanying regulators, such as the Competition Bureau, the Office of the Privacy Commissioner, and Innovation, Science and Economic Development Canada. Similar to PHIPA, there are multiple organizations involved in the policing of privacy protection laws.

CRTC Interpretation Guidelines for Consent

  • Under the CRTC guidelines, there are three general requirements for sending commercial electronic messages (CEMs)
  • The first is to obtain consent
  • The second is to provide reliable identification information
  • The third is to provide a clearly accessible unsubscribe mechanism
  • There are two types of consent under CASL:
    • Express consent
    • Implied Consent

Exemption Considerations for CEMs (CASL)

  • Any CEMs solicited or sent in response to inquiries, complaints or requests
  • Any CEMs sent due to a legal obligation or to enforce a right
  • Any CEMs sent within or between organizations with existing relationships (B2B)
  • Any CEMs sent by registered non-profits for the purpose of charity fundraising

Record Keeping

It’s important to understand where the data is located, who has access to the data and how long it can be stored before a CASL violation occurs. When the right questions are asked to obtain consent, consent for most CEMs does not expire until the user reinitiates the subscription process to cancel it. Keeping records of every user consent event will protect an organization from potential CRTC investigations or compliance checks if a complaint is filed.

This record-keeping process should include the nature of the business, usage of electronic marketing tools, number of customers being contacted as well as any other factors related to record retention. The development of a documented corporate compliance policy can help reduce questions when complying with CASL or other privacy laws in Canada. When dealing with compliance challenges such as CASL, there is an opportunity to adapt and meet user consent goals.

Application of CASL on Average Website

The legislation only applies to the request and record-keeping processes of private data that fall under the category of CEMs within the legal boundaries of Canada. For the average website, CASL deems a person to have provided express consent for the installation of a computer program if it is reasonable to believe, based on user behaviour, that the person consented to the installation. This includes, but is not limited to:

  • HTML,
  • JavaScript,
  • a cookie,
  • an operating system,
  • a program that is only executable through another program to which consent was already expressed, or
  • anything further specified in CASL regulations

eCommerce Requirements for CASL

For most websites, CASL is not something to be concerned about; however, eCommerce websites often collect personal data during the checkout process. This data is later used for remarketing campaigns or follow-ups for future engagements with the customer. If eCommerce websites are found to be breaking the law when contacting customers, by failing to provide reliable contact information or breaking the rules of engagement, there are several actions that the Commission can take:

Enforcement for Notice of Violations for CASL complaints that reveal compliance breaches

  • A Notice of Violation (NOV) is served if it is believed on reasonable grounds that the entity has committed a CASL violation. It may also be accompanied by monetary penalties.
  • An undertaking is when an agreement is made to define the compliance obligations that will be put in place following an alleged breach of CASL and may include AMP fees.
  • A warning letter is typically used to inform a person when the Commission has concerns about possible violations. Legitimate complaints must be received and the initial course of action can include education about CASL obligations, auto-corrective action or further investigation if needed.
  • An Administrative Monetary Penalty (AMP) is required for anyone who contravenes sections 6 to 9 of CASL; a person committing such a violation may be liable to an administrative monetary penalty when the NOV is issued. Penalties can include up to $1M per violation for an individual and up to $10M per violation for corporations.

Quick Checklist when Creating CASL-Compliant Forms

1. Determine Data Collection Needs:

  • Identify what personal data you need to collect and why.
  • Ensure compliance with CASL (Canadian Anti-Spam Legislation) by obtaining proper consent.

2. Choose a CASL-Compliant Form Builder:

  • Select an online form builder that offers features to create CASL-compliant forms.
  • Look for options that include consent checkboxes and customizable fields.

3. Design Your Form:

  • Create a clear and concise form layout.
  • Include fields for required information and optional fields if necessary.
  • Add checkboxes for obtaining consent for data collection and future communications.

4. Customize Consent Options:

  • Clearly explain what the user is consenting to.
  • Provide options for users to opt-in or opt-out of specific types of communication.
  • Ensure language is easy to understand and transparent.

5. Implement CASL Compliance Measures:

  • Enable double opt-in verification if applicable.
  • Include an unsubscribe option in compliance with CASL regulations.
  • Keep records of consent for future reference.

6. Test Your Form:

  • Test the form functionality on different devices and browsers.
  • Verify that all required fields and consent checkboxes work correctly.
  • Ensure the form submission process is smooth and user-friendly.

7. Publish Your Form:

  • Embed the form on your website or share the link where users can access it.
  • Ensure the form is easily accessible and prominently displayed.

8. Monitor Compliance:

  • Regularly review your form and data collection practices to ensure ongoing compliance with CASL.
  • Update your form as needed to reflect any changes in regulations or your organization’s policies.

9. Seek Legal Advice if Needed:

  • Consult with legal experts familiar with CASL regulations for any specific concerns or questions.
  • Stay informed about updates or changes to compliance requirements.

Maintaining Compliance

In order to respond to an NOV, representations must be made to the Commission in regards to the acts or omissions that constituted the alleged violation, as well as any penalty amounts. The policies of CASL are designed to protect website visitors against perpetual spam or illegal data collection. Big brands and corporations are accountable for meeting CASL standards or responding to the Commission within 30 days after any NOV is served. In order to appeal the Commission’s decision, you must apply to the Federal Court of Appeal within 30 days after the day on which the decision was made. Registered charities are particularly complex, as they have exemptions for CEMs that can be tricky to navigate when sending commercial messages for fundraising. The CRTC is especially strict with charities that attempt to circumvent the stringent rules around CASL.

CASL Implementation & Technical Considerations

From a technical standpoint, implementing CASL compliance involves various measures to ensure compliance with its provisions. Organizations must establish robust consent management systems to capture, store, and manage consent records effectively. This includes recording the details of consent, such as the date, time, method of consent, and any associated terms or conditions. These systems often integrate with customer relationship management (CRM) or email marketing platforms to streamline compliance efforts.

Ensuring accurate sender identification requires technical solutions to embed sender information within CEMs effectively. This may involve modifying email templates or integrating with email marketing software to automatically populate sender information, including the sender’s name, organization, physical address, and contact details. Additionally, organizations must maintain up-to-date sender information to reflect any changes in contact details or organizational structure.

Implementing unsubscribe mechanisms in CEMs requires technical expertise to design and deploy functional opt-out mechanisms. Unsubscribe links or buttons must be prominently displayed and easily accessible within the message content. Organizations typically leverage email marketing platforms or custom-built solutions to manage unsubscribe requests efficiently. Upon receiving an unsubscribe request, organizations must promptly process the request and cease sending further communications to the recipient.

CASL also prohibits the use of automated harvesting tools to collect electronic addresses without consent, commonly known as email address harvesting. Technical measures, such as CAPTCHA challenges and other anti-bot mechanisms, can help mitigate the risk of unauthorized address collection. Organizations must also ensure the security and integrity of their electronic address lists to prevent unauthorized access or distribution.

In addition to proactive compliance measures, organizations must maintain comprehensive records of their CASL compliance efforts. This includes documenting consent records, unsubscribe requests, and any other relevant communications or actions taken to ensure compliance. These records serve as a crucial resource in demonstrating compliance in the event of regulatory inquiries or audits.
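The consent record, sender identification and unsubscribe handling described above can be tied together as a gate that runs before each CEM is sent. The following is an added example, not code from this page or from any email platform; the class, function and field names are assumptions, and it does not model the exemptions listed earlier.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Sender identification the page lists for a CEM (field names are assumptions).
REQUIRED_SENDER_FIELDS = ("name", "organization", "physical_address", "contact")

@dataclass(frozen=True)
class ConsentEvent:
    address: str
    kind: str      # "express", "implied" or "unsubscribe"
    method: str    # how it was captured, e.g. "web-form checkbox", "oral"
    terms: str     # wording the user agreed to
    at: datetime   # date and time of the event

class ConsentLedger:
    """Append-only log: events are added, never edited, so history stays auditable."""
    def __init__(self):
        self._events = []

    def record(self, address, kind, method, terms="", at=None):
        if kind not in ("express", "implied", "unsubscribe"):
            raise ValueError(f"unknown consent event kind: {kind}")
        ev = ConsentEvent(address.strip().lower(), kind, method, terms,
                          at or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def history(self, address):
        key = address.strip().lower()
        return [e for e in self._events if e.address == key]

    def has_consent(self, address):
        # Latest event wins: an unsubscribe after consent suppresses sending.
        hist = sorted(self.history(address), key=lambda e: e.at)
        return bool(hist) and hist[-1].kind != "unsubscribe"

def presend_check(ledger, recipient, sender, body, unsubscribe_url):
    """Return the reasons a CEM must not be sent; an empty list means OK."""
    problems = []
    if not ledger.has_consent(recipient):
        problems.append("no current consent on record")
    missing = [f for f in REQUIRED_SENDER_FIELDS if not sender.get(f, "").strip()]
    if missing:
        problems.append("sender identification missing: " + ", ".join(missing))
    if not unsubscribe_url or unsubscribe_url not in body:
        problems.append("unsubscribe link not present in message body")
    return problems
```

Because unsubscribe requests are stored as events in the same ledger rather than as deletions, the full consent history for an address remains available if a complaint is investigated.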

Non-compliance with CASL can result in significant penalties, including fines of up to $10 million for businesses and $1 million for individuals. Therefore, investing in robust technical solutions and compliance processes is essential for mitigating regulatory risks and maintaining trust with consumers.

CASL represents a significant regulatory framework that imposes strict requirements on the sending of commercial electronic messages in Canada. Achieving and maintaining CASL compliance requires a combination of technical solutions, robust consent management processes, and ongoing diligence to ensure adherence to its provisions. By prioritizing CASL compliance, organizations can foster trust, enhance consumer protection, and mitigate regulatory risks in their electronic marketing activities.
