A Beginner's Guide to Complying With CASL

May 26, 2022

To protect Canadians from ever-increasing cybercrime and spam attacks, Canada's anti-spam legislation (CASL) was rolled out in 2014. Since CASL came into effect, there have been a lot of questions about how it impacts businesses across Canada, the United States and the world. Of all active regulations governing business communications, CASL takes the cake as one of the strictest regulations in the world.

In this guide, we'll provide an overview of CASL and offer some tips on how to comply with the law. If you're looking for more information, we've also provided links to some helpful resources. So, let's get started!

What is CASL?

Enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), CASL is a broad set of guidelines aimed at protecting digital consumer data from being exploited by businesses. CASL analyses commercial electronic messages (CEMs) to determine whether a business has undermined users’ privacy preferences and pushed emails, text messages, or social media posts to promote a product, service, or business.

It focuses heavily on how consent is gathered, how businesses identify their purpose of communication, and how easy it is for consumers to opt out of the marketing messages. 

Does CASL impact you?

CASL applies to you if:

  • Your marketing and sales strategies target Canadians, irrespective of whether your business is located in Canada or any other part of the world
  • A Canada-based system has been used to access the CEM
  • A Canadian has installed your software

CASL doesn't cover anything that's not commercial, such as federal and political communications, e-invoices, privacy policy notices, and market research. 

If your business is in Canada but sends emails to foreigners, then you must follow the rules of that country or region.

CASL: Key concepts

CASL is one of the rare pieces of legislation that give equal importance to consent acquisition and opt-out instructions.

To know how CASL functions, it's important to understand a few key concepts which we break down in the section below. 

Commercial Electronic Message (CEM)

A CEM is a message sent to an electronic address, encouraging the recipient to perform a commercial activity. "Commercial" is the keyword here.

An email with a general business logo or signature would not be a CEM if it doesn't expect the recipient to take any commercial action. Typical CEMs include coupons, offers, services, and business promotions.

However, CASL doesn't cover all kinds of CEMs. 

CASL doesn't apply to:

  • Messages shared between friends and family
  • Messages regarding existing B2B relationships shared between employees, consultants, or representatives of the organizations
  • Messages that respond to a customer query
  • Unwanted telemarketing calls, since they're regulated by the Unsolicited Telecommunications Rules (UTR)

Expressed vs implied consent

Consent is another key term within CASL that you should brush up on. The CRTC checks expressed consent and implied consent to determine CASL compliance.

Expressed consent

Expressed consent indicates that the recipient has clearly taken steps to receive the CEMs. 

To obtain Express Consent from the Canadian recipients in your database, you must explicitly provide the following information:

  • Clearly describe the purpose for requesting consent (marketing services, share company news, product info, etc.)
  • Provide the name of the company seeking consent
  • Provide contact information, such as mailing address and either a phone number, website address or an email address of the company seeking consent or the person on whose behalf consent is being sought.
  • Inform the recipient that they can unsubscribe at any time and make it easy to do so

Examples of explicit or expressed consent would be signing up to access newsletters, products, or documents and filling out offline forms. You cannot use pre-checked boxes or misleading language to acquire email addresses.

Once you’ve put in the work to get express consent, you can breathe because expressed consent does not expire. You can continue to email the recipient until they request you to stop sending CEMs via opting out or unsubscribing. 

Implied consent

While expressed consent is more black and white, implied consent dwells in the gray area. There are a lot of unknowns, and this is a cause of confusion for many B2B businesses and their marketing and sales teams.

We’ll try to break it down as simply as we can. 

Consent is implied when:

  • The CEM recipient has given you a business card or consciously made their digital addresses public without stating that they do not want to receive commercial messages
  • The CEM recipient has a pre-existing business relationship with you. For example, you can send CEMs to customers who have recently bought from or enquired about your business
  • The CEM recipient is a member of your organization or volunteered for a charitable program

Implied consent does not last forever

It expires 6 months after someone enquires about your business or 24 months after they purchase something from you. Essentially, if you have implied consent, you'd want to acquire express consent sooner rather than later.

What are the consequences of breaching CASL regulations?

The cost of breaching CASL regulations is steep. 

Individuals can be fined up to $1 million and organizations can be fined up to $10 million per incident. There's also the possibility of imprisonment for misleading representations. If a victim can prove the damages, a private action can be leveled against organizations that could cost them up to $1 million per day. Last year, the CRTC imposed a fine of $75,000 on an individual for running a spam campaign between 2016 and 2018.

The financial loss, despite being huge, is only one part of the cost of non-compliance. Consumers tend to lose trust in businesses that use misleading tactics to market their products and the brand reputation can take years to recover. That alone is enough reason to follow the proper protocols to maintain compliance. 

Now that you know the key concepts of CASL and what it can cost your business, it's time to explore ways to avoid the risks. 

Steps to comply with CASL

One of the major challenges facing modern B2B marketers is how to be CASL compliant while generating equal or better marketing results. The best way to market to Canadians is to take the proper steps needed to maintain a state of compliance.

Here are 4 ways B2B marketers can do the work needed to comply with CASL:

1. Identify ways to acquire consent

To acquire express consent, start offering value the prospect can't ignore. Be it an original study, ebook, proprietary tool, or a live event, focus on creating valuable assets that can be unlocked with email addresses. 

The consent form should clearly mention specific elements to get express consent. 

These include:

  • Your business details, including ways to contact you
  • The purpose of requesting consent 
  • A statement that says the prospect can withdraw consent anytime they want
  • A positive step the prospect must take to give consent. Pre-checked boxes do not work here.
  • A privacy policy attached to the consent page
  • Double opt-in messages to confirm steps

2. Provide details in CEM

Once you have express or implied consent, you can email the recipient with CEM. However, your CEMs must include two things:

  • Business details such as name, contact, and address
  • A distinct and functional unsubscribe button to easily opt out of the CEMs. It must be valid for at least 60 days and the unsubscribe requests must be processed within 10 days

3. Maintain CASL records and opt-in status

CASL records must be monitored and maintained to avoid non-compliance issues. 

Often, a database is used for tracking each email address including the email consent details for those email addresses. Document how you gather express and implied consent, monitor marketing campaigns and unsubscribe requests, and include the procedures in the privacy policy. The more records and proof your business keeps, the safer you are. 

Examples of proof may include screenshots of the source of original opt-in or perhaps a scanned business card for emails collected during tradeshows. 

Types of Consent Status:

  1. Opt-out - The recipient has intentionally unsubscribed from your communication.
  2. Implied consent - Implied consent expires in as soon as 6 months, so you have to keep the records updated.
  3. Express consent - Express consent does not expire; however, the recipient has the right to withdraw their consent at any time.
  4. Unmailable - If there is no record of consent, the recipient is deemed unmailable.

4. Prepare your workforce

As a business, it's important for your entire team to be aware of the various privacy regulations in place in order to protect your brand. One way to ensure your team is compliant is to provide training on the topic. 

You can also appoint a CASL officer to handle all compliance issues for your business. By taking these steps, you can help ensure your marketing campaign runs smoothly and avoid any legal issues.

Worried that your business is not CASL compliant? We can help!

At Opensense, we're helping businesses protect their business email communications with CASL-compliant tools. Opensense enables marketing and compliance teams to easily enforce their compliance policies across every single email. If you’re interested in learning more, get in touch with us to see how we're enabling universal email compliance across Canada and other regions. 

Biplab Mazumder
Content Writer