CASL: what are you supposed to do?
CASL – Canada’s Anti-Spam Legislation – is just around the corner: it becomes effective July 1st, 2014. If you or any of your email recipients reside in Canada, CASL applies to you (which means that it applies to most companies in North America). CASL covers much more than email messaging, but in this article we’re focusing on email.
The reason why many are paying close attention is that – as the American Bar Association puts it – “a violation of CASL attracts significant administrative monetary penalties […]”. Just like most pieces of legislation, it contains clauses that can lead to different interpretation and are making marketers scratch their head.
- What exactly are you supposed to do?
- Do you need to immediately reconfirm all recipients in your database?
- Do your email opt-in forms need to be updated?
- Does double opt-in automatically make you CASL compliant or not?
- And how about your transactional messages? Do they need to be changed?
For the last several months we kept a close eye on lots of articles on the topic and have been monitoring scores of conversations in the email industry (in fact, we pretty much can’t take it anymore!!). This article is the result of this research.
Please note that the content of this article is definitely NOT legal advice. Taking another section from the American Bar Association’s article “Given the complexity and novelty of CASL, compliance with CASL will be complex and must be tailored for each client’s specific operations and processes.”
Take the notes and suggestions found on this page as practical advice that might help you get started on the path toward compliance. Discuss full compliance with your legal counsel.
The type of messages it covers
CASL applies to Commercial Electronic Messages (CEMs): messages that include as one of their purposes to promote participation in a commercial activity. If your message is pitching something, you’re in. A transactional email message that contains some cross-selling, for instance, becomes a commercial message. More on this later.
Note that CASL does not apply only to email: it applies to other electronic messages such as text and social messages. In this article, however, we’re focusing on email.
Fortunately, CASL establishes a 3-year transition period during which you can continue to send commercial messages to your list(s) as long as you are sending to recipients…
- with whom you have had a business or non-business relationship (i.e. they’re not strangers)
- to whom you have sent commercial emails (i.e. you want to continue doing what you’ve been doing)
In other words: if you’ve been sending special offers to Mr. Smith and have had a business or non-business relationship with him, CASL gives you the benefit of the doubt that you had properly obtained consent from Mr. Smith, even if that consent might have been obtained in a way that is not compliant with CASL’s requirements for obtaining express consent. His consent is “implied”.
You have 3 years – starting July 1, 2014 – to turn implied consent into express consent and continue to send messages. Otherwise that consent expires on July 1, 2017 or when the recipient unsubscribes, whichever happens first.
The beauty of this grandfathering provision is that you can continue sending commercial messages: you DO NOT need to send a message to your list(s) requesting to confirm consent before July 1 2014, if this clause applies to you.
That’s great, but then the big question becomes: can you take advantage of this transition period?
It depends. As indicated in What does grandfathering mean under CASL you still had to obtain consent. It might have been obtained in a way that’s not complaint with CASL (e.g. using a pre-checked check box), but it still needed to be there. Combining this with the requirement of having had a business or non-business relationship with the recipient (see a definition of those), it seems pretty clear to us that the grandfathering clause does NOT apply to purchased or rented lists.
Consent and opt-in
Unlike CAN-SPAM (US), CASL is an opt-in based law. It’s built around the basic idea that you should only send CEMs to people that asked to receive them. A pretty basic concept, and yet an often ignored one in the United States precisely because CAN SPAM is an opt-out law.
There are two ways for email recipients to opt-in to receive CEMs from you, which CASL calls express and implied consent:
- Express consent = They clearly, actively told you that it is OK to send them CEMs
- Implied consent = They didn’t specifically tell you that it’s OK to send them CEMs, but what they did (e.g. a purchase, an inquiry, a donation, etc.) implies that it’s OK to email them for a while (and CASL says for how long)
Note that express and implied consent have nothing to do with single opt-in (SOI) or double opt-in (or Confirmed Opt-in, COI), but COI might help you provide evidence of consent.
- A company using COI could fail to be CASL compliant (see why)
- A company using SOI could certainly be CASL compliant
- CASL does not require COI
- COI, however, allows you to better track who, when, and how provided express consent, making it easier for you to provide proof of such consent. Under CASL, the onus is on you to provide such evidence.
The top things you should considering doing about CASL email compliance
Let’s go back to where we started. What are you supposed to do? Where should you get started? Here is our suggested “To Do” list in the form of answers to common questions. We hope you find it helpful.
Do I need to immediately resend a request for consent to my list(s)?
In many cases the answer is no. If you’ve been following good email marketing practices, the answer is probably no. This is thanks to the existence of the 3-year transition period. So scroll back up and read that section again if you need to.
Do I need to update opt-in forms?
Yes. CASL has some specific requirements about what information you need to provide to obtain express consent (the cool type of consent that does not expire). An opt-in form:
- Must clearly indicate what you are asking recipients to opt into;
- Must indicate who you are or whom you are asking consent on behalf of. This second part is important for opt-in email forms that include co-registration (e.g. a newsletter by a partner of yours);
- Must include mailing address AND phone, email, or Web address of the parties seeking consent;
- Must indicate that the recipient may unsubscribe.
If editing a form is difficult or impossible, we believe that using a confirmed opt-in subscription method as discussed in the next paragraph might help. This is our opinion, not legal advice.
Can double opt-in help me collect express consent in a compliant manner, if my opt-in forms are not?
We’ve been trying to determine what the right answers is, but email experts still disagree on this one. Here is what we think. Once again, this is our opinion, not legal advice.
If editing opt-in forms is hard, confirmed opt-in might provide a solution. If you are using a double opt-in signup process (also called confirmed opt-in or COI), you may be able to satisfy some of the opt-in requirements under CASL outside of the opt-in form.
Specifically, in a COI sign-up process express consent is collected via the subscription confirmation request message, and it is in that message that you can include some or all of items mentioned under (1). This becomes especially important if you are using a large number of opt-in forms on several Web properties – which might be time consuming to update – or if you don’t have easy access to editing such forms (e.g. a checkout page on an ecommerce store).
For instance, the email sign-up form shown above – which looks like hundreds of thousands of other email sign-up forms – does not contain details on how to unsubscribe, and therefore is not CASL-compliant. However, the COI confirmation request email sent by the company could certainly include full details on that matter, and therefore achieve compliance.
Can an opt-in form include a pre-checked checkbox (or alike)?
No, a pre-checked checkbox or radio button on an opt-in form does NOT represent express consent.
Do transactional messages need to be updated for CASL compliance?
Yes. You need to add an unsubscribe link to transactional messages. Transactional messages don’t require consent (i.e. it’s implied), but do require a way for recipients to opt out of any CEMs sent by you.
In other words: you can continue to send transactional messages to a customer that buys from your online store – for instance – but each of those transactional messages should contain a link to unsubscribe (or to the preference center where they can unsubscribe) from any CEM that you may send. When recipients unsubscribe, they don’t unsubscribe from your transactional messages, but from any CEMs that you may send.
If you are using MailUp’s SMTP relay service, you can just add the unsubscribe link to the header or footer, and then turn on the header and/or footer feature: MailUp will automatically add a header and/or footer to the transactional messages that pass through the SMTP relay system.
Can a transactional message include promotional content (e.g. cross-selling)?
Any commercial content (upsell, cross-sell, etc.) in a non-commercial message (e.g. order confirmation email) makes it a commercial email message. So a transactional email with a tiny bit of commercial content becomes a commercial message and is subject to the consent requirements for CEMs. To be safe, remove any commercial content from transactional emails (or only include it as dynamic content based on the subscribers’ status for CEMs).
I’m still confused between Express and Implied consent. What’s the key difference?
Express consent does not expire: subscribers that provided express consent don’t need to be contacted again to re-confirm consent.
Implied consent – instead – expires. Therefore, it needs to be “upgraded” to express consent before it expires, if you want to keep sending CEMs to those contacts.
Consent is implied only in specific cases defined by CASL. Outside of those scenarios, consent is not implied and you need to obtain express consent to be able to send CEMs to those recipients.
Here is a quick summary of when implied consent expires:
- 2 years after a purchase or a signed contract;
- 2 years after a donation, a meeting, a membership, and a few other cases;
- 6 months after an inquiry.
See a list of scenarios in which consent is implied.
Can I send an initial email just to ask for consent?
No, a CEM cannot be used to obtain consent. In other words, you can’t email people a commercial message and in that message ask them if you can email them! If there is implied consent, however, you can indeed email those people before that consent expires, and try to “upgrade” them to an express consent.
- See a list of scenarios in which consent is implied or in which CASL does not apply
- If you are unsure whether something you are doing or plan to do falls under one of those circumstance, consult a lawyer.
Do I need to make changes to the message content?
Probably not because this is an area where CASL and CAN-SPAM have similar requirements. You must include in every CEM:
- Clear information on who the sender is, or whom the message is sent on behalf of, is different from the sender.
- Contact information for them, including physical address, and phone number, email or web address.
- A way for the recipient to unsubscribe.
Are there cases in which CASL does not apply?
Yes, if you pitch your bicycle to a friend, for example, you are sending a CEM, but CASL does not apply to family or personal relationships. There are many scenarios: see this article contains a good level overview of CASL, including details about those provisions.
MailUp terms are stricter than CASL
For instance, CASL contains a provision that says that you can send CEMs without consent if you are a politicians asking for contributions during a political campaign. Well, we don’t think so. Those are unsolicited messages and cannot be sent with MailUp.
As a rule of thumb, consider that MailUp always requires express consent for sending CEMs. There are pretty much no exceptions to the rule. This means that what is implied consent under CASL, is not consent at all for MailUp.
For instance, let’s say that 1,000 people in filled out an inquiry form on your Web site last month asking about your products. Under CASL, consent is implied for 6 months, and you can send a message to those 1,000 people pitching them on buying your products. As far as MailUp is concerned, however, you never asked for and received permission to send them emails, and therefore you would be sending unsolicited bulk email, which is SPAM. Therefore, you cannot do so.
Note that you can send them non-bulk messages with MailUp using the triggered messaging functionality, but not bulk messages (e.g. a “Welcome” series after somebody signs up for a certain service, even if they did not opt into that “Welcome” series).
Digging deeper into CASL with these useful links
- Official CASL Web site, including plain-language FAQs, which we recommend that you review. If you are interested in the exact definition of a Commercial Email Message, you can find it at the bottom of this page.
- Legal updates on CASL: articles and opinions by many leading law firms
- A Canadian law firm’s in-depth review of CASL and related, useful tools:
- The American Bar Association looks at CASL and its extra-territorial reach
- What does grandfathering mean under CASL
- Opinion: in some cases COI may not be enough for express consent: see why
If you find any of the above to be inaccurate, please let us know in the comments and we will correct it as quickly as possible.