The document summarizes Canada's Anti-Spam Legislation (CASL) and what charities and non-profits need to know to comply. Key points include:
- CASL regulates all commercial electronic messages sent or accessed in Canada and other online activities.
- Consent is required to send commercial electronic messages, and can be express or implied. Implied consent expires after two years.
- Messages must include identifying information and an unsubscribe mechanism. Requests to unsubscribe must be honored within 10 days.
- There are exemptions for registered charities raising funds and other cases, but those messages still require identifying information and unsubscribes.
- Organizations should use
5. The Solution… Regulate Everyone!
Maanit Zemel
MTZ Law P.C. &
»CASL regulates all Commercial Electronic
Messages sent or accessed by a computer in
Canada
»CASL also regulates a broad range of
electronic and online activities, including:
» The installation of computer programs
» Misleading advertising and marketing
practices
» Privacy invasion via computers
» Collecting email addresses without consent
(i.e., email harvesting)
6. Underlying Principles
»All regulated activities may only be carried out
with:
1. Informed consent by the recipient; and
2. Clear identification of the sender
»All activities are based on an Opt-In regime,
not an Opt-Out
7. Non-Compliance
»CASL provides a complaint mechanism
»Anyone can complain to the regulators at
www.fightspam.gc.ca
»There will be significant consequences for
non-compliance
8. Consequences Include
»Administrative penalties
»Fines up to $1 million for individuals per
violation
»Fines up to $10 million for organizations
per violation
»Private rights of action
»Class action suits
»Vicarious liability of organizations for employee
actions
»Liability of officers and directors for
organization actions
9. Regulating Bodies
»Regulators have sweeping investigative
powers
(search and seizure orders)
»Division of responsibility among 3 government
bodies
»CRTC – Commercial Electronic Messages
and installation of computer programs
»Privacy Commissioner – Collection of personal
information and address ‘harvesting’
»Competition Bureau – misleading advertising
and marketing
10. Dates to Know
»July 1, 2014: Requirements respecting
Commercial Electronic Messages
»January 15, 2015: Requirements respecting
computer programs
»July 1, 2017
»End of transition period for implied
consent
»Private rights of action become available
to complainants
12. CEMs
A Commercial Electronic Message (CEM) is
a message sent by any electronic means
(i.e., email, SMS text, instant message,
social media) that has,
as its purpose, or one of its purposes, to
encourage participation in a “commercial
activity”
13. Commercial Activities
Commercial activity is “any particular
transaction, act or conduct that is of a
commercial character whether or not the
person who carries it out does so in the
expectation of profit.”
14. Examples of CEMs for Charities and Non-Profits
»Email appeals for donations
»Emailed invitations to events
»Promotional emails (i.e., event or lottery
promotions)
»Emails promoting a charitable event or activity,
if those activities are of a “commercial
character”
»Electronic newsletters
»Emails promoting the organization, if the
organization’s activities are of a “commercial
character”
16. Requirements
»You are prohibited from sending a CEM to an
electronic address unless:
»The recipient has already consented
to receive the CEM; and
»The CEM contains specific prescribed
information
»Consent can be “express” or “implied”
»The onus is on the sender to provide
documentation proving consent
17. Establishing Implied Consent
»Implied consent exists when the recipient has
»Conspicuously published his or her electronic
address (e.g., on a website); and
»Has not indicated a desire not to receive
unsolicited CEMs; and
»The message is relevant to the
recipient’s business role, duties, or
functions
Or
»Disclosed his or her electronic address to
the sender without indicating a wish not
to receive unsolicited CEMs; and
»The message is relevant to the
recipient’s business role, duties, or
functions
18. Establishing Implied Consent (non business relationships)
»Consent is implied when the sender is a
registered charity (as defined in ITA) and:
»The recipient has made a donation to the
charity within the preceding two years; or
»The recipient has volunteered in the
preceding two
years;
or
»The sender is a Non-Profit Organization
(as defined in ITA) and:
»The recipient was a member of the
organization at some point in the
preceding two years
19. Establishing Implied Consent (existing business relationships)
»Consent is implied when the recipient had:
»Purchased / leased / bartered a product /
good / service / or land in the preceding
two years;
»Accepted a business / investment / gaming
opportunity offered by the sender in the
preceding two years; or
»A written contract is created or had
existed between the recipient and sender
in the preceding two years
Or
»The sender had received an inquiry or
application about one of the above items
in the preceding six months
20. Proving Implied Consent
Proving implied consent relies on your ability to
track and report on your constituents’ relationships
and activities with your organization.
We strongly recommend using a centralized
Customer Relationship Management (CRM) system.
21. Express Consent
»Express consent may be obtained orally or in
writing
»The request for express consent must include:
»The purpose for which consent is being
sought, stated “clearly and simply”
»The sender’s identification and contact
information and/or on whose behalf
consent is being sought
»Statement that the receiver can withdraw
their consent
»No pre-checked boxes
»Cannot be in the form of a CEM – post July 1,
2014 cannot send an email requesting consent
22. Proving Express Consent
Express consent can be tracked within a CRM as well: by marking how and when your constituents consented to each message type (like “event invitations”), you can easily send messages to the people who have asked for them.
23. Transitional Period
»Parties who are in an existing business
relationship or non-business relationship and
have been sending CEMs to the recipients
prior to July 1, 2014, will have their implied
consent period extended until July 1, 2017
»Therefore charities and non-profits have
implied consent from their existing donors,
volunteers, and members until July 1, 2017
24. Information Requirements on CEMs
»All CEMs must include the following:
1. The sender’s (and/or on whose behalf the
CEM is sent) identifying information and
contact details (name and mailing
address and email or phone) – this
information must be valid for 60 days
following the deployment of the message
2. A means by which to contact the sender
3. An unsubscribe mechanism
»If it isn’t practical to include all the requirements
directly within the CEM, the information must
be posted on a website and a link to that
website be included, prominently and clearly, in
the CEM
25. Unsubscribing
»The unsubscribe mechanism must be effective
for at least 60 days
»The provided unsubscribe mechanism must be
in the same means as the message or other
electronic means
»The mechanism must be at no cost to the
unsubscriber
»All requests must be given effect within 10
days
26. Unsubscribing
Many email deployment programs track unsubscribes
by removing email addresses from their deployment
list.
We recommend not doing this, rather we suggest
tracking ‘unsubscribes’ much like explicit consent
(to what, when, and how did a person unsubscribe).
28. Registered Charities Exemption
CEM sent by or on behalf of a registered charity
which has “as its primary purpose raising funds for
the charity”
29. Other Exemptions
»“Personal” or “family” relationships
»A CEM consisting solely of an inquiry or
application relating to the commercial activity of
the recipient
»Solicited CEMs – i.e., responses to requests,
inquiries, or complaints, or otherwise solicited
by the person to whom the message is sent
»Internal CEMs to the business, if they concern the
activities of the business – emails sent
between employees that are unrelated to the
business are not exempted (e.g., soliciting
volunteers for an external charity event)
30. Other Exemptions
»CEMs between organizations/businesses if they
‘have a relationship’ and the CEM concerns the activities
of the receiver’s business/organization
»CEMs sent to enforce a legal right
»CEMs sent to foreign jurisdictions listed in the
CASL schedule – but, must comply with any
foreign anti-spam laws in force in that
jurisdiction or face prosecution under CASL
»CEMs sent by political parties for the primary
purpose of soliciting contributions
31. Other Exemptions
»CEMs sent within electronic platforms where
‘unsubscribe’ and identifying information is
readily available (e.g., most social networks)
»CEMs sent within a limited-access secure
account by the person who provides that
account (e.g., banking portals)
»Two way voice communications
»Faxes and voicemail messages
32. Exemptions that Require Information and Unsubscribes
»Third party referrals – the first CEM sent to a
person based on a referral by a third party,
consent is required thereafter
»Quotes or estimates in response to a request
»Warranty, recall, or product safety information
»CEMs that deliver products or services,
including updates and upgrades
33. More Exemptions that Require Information and Unsubscribes
»CEMs that facilitate or confirm transactions;
and
»CEMs that provide factual information about:
»Ongoing subscriptions, memberships,
accounts, loans
»Ongoing use or purchases
»Employment relations or benefit plans for
employees
35. CASL Flowchart
[Flowchart. The text of its boxes follows; the arrows between them are labelled Yes, No, No / unsure, Yes (most likely), No (unlikely) and Unsure – consider next step.]
»Do you send CEMs?
»Are you a Registered Charity?
»You may be exempt from compliance only if: the primary purpose of the CEM is to raise funds for the charity*
»Is the CEM:
• A third party referral?
• Providing a quote or estimate in response to a request
• Providing warranty, recall or product safety information
• Delivering a product or service, including updates and upgrades
• Facilitating or confirming transactions
• Providing factual information about:
1. Ongoing subscription, membership, accounts, loans;
2. Ongoing use or ongoing purchases;
3. Employment relations or benefit plans for employees
»No consent required but CEM must include:
• Identifying information
• Unsubscribe mechanism
»Do Other Exemptions Apply?
• Organization to organization
• Personal / family relationship
• Internal CEM
• An inquiry / application
• A response to an inquiry / request / complaint
• To enforce a legal right
• Sent within a secured access platform
• Within a platform containing unsubscribe and ID info
• To a foreign jurisdiction (must comply with foreign laws)
»Is Consent Implied?
1. You are a registered charity / Not-for-profit org.; and
2. Recipient has been a donor, volunteer or member in the preceding 2 years
»Implied consent only good for 2 years. Need to:
1. Include prescribed info
2. Keep track of 2 years
3. Obtain express consent before 2 years expires
»Before July 1, 2014:
1. Obtain express consent
2. Include prescribed ID info and unsubscribe mechanism in all CEMs
»After July 1, 2014:
1. Obtain consent in prescribed form
2. Include prescribed ID info and unsubscribe
»No further action required (appears twice)
36. CASL Systems
Database (CRM):
»Contains constituent information
»Stores relationship (transaction, volunteer, membership) details
»Express consent
Email System:
»Processes self-serve unsubscribe requests
»Filters email deployments against opt-out lists
»Sends email contact information to the CRM
37. The CRM and Email System Supports Your Planning
[Flowchart from slide 35, repeated with annotations. Labels added on this slide: Planning; CRM; Email System; Is the CEM itself exempted?; Obtain / Send with Express Consent; Filter; Track Unsubscriptions.]
Do Other Exemptions Apply?
• Track applicable relationships through the CRM, for example family relationships can be coded in most systems.
38. Developing an Email Process
There are a lot of steps to remember. Building a solid
and systematic process makes it easier,
encourages compliance, and allows for effective
process monitoring.
39. Recommended Process
Plan deployment → Create email list → Filter list → Send email → Process opt-outs → Report on success
40. Some Functions Fit Best With Specific Systems
[Diagram: the six process steps above set against the two systems, Database (CRM) and Email System.]
41. Integrated Systems?
There are a number of integrated systems that
handle both Constituent management and Email
deployments. If you have such a system we still
strongly encourage maintaining
distinct processes for each activity – or even
having separate staff members responsible for different
phases.
42. Plan Your Message
»Planning out your emails is the first step in
sending compliant and effective messages:
• Identify a clear goal for the message –
are you trying to acquire new donors,
engage current constituents, inform them
about your organization’s activities?
Based on your goals who should receive
your message?
• When is the message being sent, are there
critical groups that you need to
establish consent for and do you have
time to do that before you send?
• Can you take what you’ve learned from
previous messages and improve this
message?
43. Building a List
»Build your email list through your database
(CRM) based on groups of constituents that are
meaningful to your organization, but ensure:
• You track, on each constituent or
individual person, what they have opted
in to and when
• You develop a standard set of queries or
criteria that comply with CASL’s implied
consent criteria
44. Filtering the List
»Building your email list creates a baseline of
people who have opted in, and by extension
filters out most of the people who have opted out.
Now just before sending we filter again, directly
within the email system, to ensure self-service
opt-outs are captured.
• To be effective the master opt-out list
should be maintained in the system that
sends the emails
• All unsubscribes should be added to this
list
45. Send Your Message
»All of your planning is done, now write the email
message and send it. Ensure that you have all
the crucial information:
• You’ve identified your organization and
whom the message is sent on behalf of
• Current mailing address
• Phone, email address, or web address
(that’s valid for at least 60 days after
sending)
• An unsubscribe mechanism – preferably
automatic, but must process opt-outs
within 10 days.
46. Process Any Unsubscribes
»After the message is sent you can generally
expect to see a few unsubscribes, remember
that they must be processed within 10 days of
sending. Generally we suggest:
• Updating your opt-out information on the
email system first
• Flagging people’s accounts as opted out; do not
delete them! This is a valuable and
important record
47. Synchronize Your Information and Report
»Your plan identified some goals, it’s important to
review them as well as the general performance
of your message. As well this is a good
opportunity to update your constituents in your
CRM
• Build an import/synchronization schedule
for regular updates
• Track usable metrics in your database,
and evaluate your message and identify
any lessons learned for future
deployments
• Use your opt out list to update your CRM
• Note, the opt-out data in the CRM should
be used for analysis and review, not for
filtering your lists as it will always be
slightly out-of-date.
49. Get Your Board on Board!
Decisions respecting CASL should form part of
the organization’s overall risk management
strategies
»Decisions must be made at board and
executive levels
»If you are not getting the board or senior
leadership to pay attention – remind them of
the directors’ and officers’ liability
50. Conduct an Audit
Create an inventory of all messages that your
organization sends, and identify the audiences
that you reach out to
»Try to think through an entire business cycle
– you may be surprised how much is actually
sent
»Audit each message and audience for CASL
compliance
»Have they opted in?
»Implied consent?
»Have they opted out?
»Do the messages contain requisite
information?
51. Obtain Consent
While express consent isn’t required for all
emails, it is the safest way to send messages
and a great way to qualify contacts
»Consent is required in most cases for
businesses and non-profits, charities have
additional exemptions
»An opt in – or express consent – is not just a
requirement it is a person telling you that they
want to hear from you
52. Develop a CASL Compliance Policy
A Due Diligence defence only works if you
have a reasonable compliance policy
»The procedures must include:
»Requesting, maintaining, and utilizing
consents
»Tracking implied consents
»Acting on ‘unsubscribe’ requests
»Include CASL compliance and
indemnification clauses in third-party
contracts
53. Train Staff, Volunteers, and if Necessary Contractors
It is critical that anyone sending messages on
behalf of your organization is educated and
trained on your process
»Develop and deploy a training program
»Ensure Management, Employees, and
Volunteers have gone through the program
»Include CASL training in new hire onboarding
»Ensure third-parties who send messages on
your behalf are familiar with and adhere to
your process – this may require some training
for them
54. Get Help!
CASL compliance can be challenging to
achieve and maintain. Don’t be afraid to seek
help achieving compliance, avoiding
complacency, and mitigating risk
»Consider CASL insurance
»IT professionals or departments may have
systems-based support
»Ensure you have any compliance language
and policies reviewed by legal counsel
56. Not Just SPAM – Other CASL Activities
CEMs are only one part of CASL, the following
other areas are controlled by CASL regulators
»Installation of computer programs without
consent
»Unauthorized collection of personal
information online
»Email address harvesting
»Misleading marketing and advertising in any
electronic format
57. How Can We Help?
»Comprehensive compliance and systems audits
– current and planned
»Advice on developing and implementing CASL
compliance
»Drafting and review of compliance policies,
processes, and documentation
»Computer systems and process design
»Drafting and review of third party contracts
»Compliance training
»Representation before regulators and courts
58. Disclaimer: This presentation is provided as an information service and
is a summary of current legal issues. The information is not meant as
legal opinion or advice and viewers are cautioned not to act on
information provided in this publication without seeking specific legal
advice with respect to their unique circumstances.
All rights reserved. This presentation may not be reproduced and
redistributed without the prior written consent of the author.
Maanit Zemel
mzemel@casllaw.ca / @maanitzemel
Jim Freer
jimf@methodworksconsulting.com
Editor's Notes
- What does “raising funds” mean? Is it different than “fundraising”, as interpreted by the CRA?
- CRTC likely to focus less on the intended use of the funds and more on the content of the message
- “Primary purpose” is likely to be interpreted from the point of view of the receiver of the email (and not of the sender)
Most email deployments fit this process in some fashion. We suggest treating each phase discretely, and building CASL compliance into each area.
E.g.,
- During planning you can craft messages that specifically follow exemptions
- Creating compliant lists early simplifies your segmentation process
- By filtering your list as a separate process, you catch late unsubscribers and can strategically build a list without trying to address opt-outs at that point
- If each deployment has a standard report it makes it easier to revise your email strategy going forward
Each system has a best fit process. Planning is relying on the expertise of the marketing or fundraising staff. Everything else relies on one of two systems.
Short cuts remove checks on a process and make it easy for mistakes to happen.
The more vague your email the less effective it becomes, and the more likely you are to blur the email ‘type’ (like “Enewsletter”). Clear messaging is part of CASL compliance, and leads to higher conversion rates. Sending messages to disinterested individuals is a sure-fire way of getting unsubscribes. Don’t try to be sneaky, people don’t like being fooled and in the face of complaints the CRTC is unlikely to be swayed by ‘clever.’
Tailoring your audience to your message or vice versa also leads to more effective messages, in web design we call this user-centric messaging, in fundraising it’s donor-centric messaging. Also by knowing your audience at the outset you can determine if you have the appropriate consent from that group to send your messages.
Many systems allow you to flag whether or not someone has unsubscribed, or requested no contact. This is a useful part of tracking consent but is normally insufficient for the sort of tracking that CASL requires.
Depending on the system there are a number of different ways to flag individuals as having expressly consented, or of building database queries that match donors with last donation dates
Consistency is key to making this work, develop business rules around how you track consent and stick to it, you may run into situations that seem complicated or make you unsure of whether someone has consented or not. To avoid risk exposure we recommend a blanket “if you’re not sure or can’t prove it, then the person hasn’t consented” rule.
The master opt-out list (sometimes called the kill list) is the last compliance tool – it includes people who have explicitly opted out of the message you are about to send.
Some organizations have multiple opt-out lists that consist of people who have explicitly opted out of everything as well as people who have opted out of specific messages. For example an Enewsletter Opt Out List might include:
- People who have opted out of everything
- People who have opted out of enewsletters, and
- People that the director of development is contacting directly
The unsubscribe mechanism must be in the same format as the message (e.g., you can’t force people to phone to unsubscribe when you’ve sent an email). For emails it means your ‘reply to’ address should be valid and monitored for unsubscribe requests, and ideally that you include a link to your website that allows people to automatically unsubscribe themselves.
By maintaining opt-out information on the email system it lets you control the synchronization without risking unauthorized messages going out. Integrated systems will synchronize automatically, but commercial systems (such as Mailchimp™ or Industry Mailout™ for example) track by email address and so do not require a constituent record in your database
Integrated systems do this automatically, however often disparate systems will require a manual import process. This can be challenging, so we recommend doing this on a regular basis (or on a contingent schedule – such as download records immediately before building the new list).
By clearly distinguishing the two systems you will have a solid process without any gaps. People will not be emailed in a non-compliant fashion.
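The two-stage check described in slides 43 and 44 and in the notes above (a CRM query for documented consent, then a last filter against the master opt-out list in the email system), as an added example that is not part of the presentation. It covers only express consent and the two-year non-business implied consent of slide 18, treats anything unprovable as no consent, and all record layouts, field names and sample data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

ALL = "*"  # opt-out scope meaning "every message type" (assumed convention)

def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)

@dataclass
class Constituent:  # CRM record (field names are assumptions)
    email: str
    express: dict = field(default_factory=dict)  # message type -> (when, how)
    last_donation: Optional[date] = None
    last_volunteered: Optional[date] = None
    last_membership: Optional[date] = None

@dataclass
class OptOut:  # email-system record: to what, when and how
    email: str
    scope: str
    when: date
    how: str

def consent_basis(c, message_type, send_date, sender_kind):
    """Return 'express', 'implied' or None; anything unprovable is None."""
    when, how = c.express.get(message_type, (None, ""))
    if when is not None and how and when <= send_date:
        return "express"
    if sender_kind == "registered_charity":
        events = (c.last_donation, c.last_volunteered)
    elif sender_kind == "non_profit":
        events = (c.last_membership,)
    else:
        events = ()
    cutoff = years_before(send_date, 2)
    if any(e is not None and cutoff <= e <= send_date for e in events):
        return "implied"
    return None

def build_list(constituents, message_type, send_date, sender_kind):
    """CRM step: keep only addresses with a documented consent basis."""
    out = {}
    for c in constituents:
        basis = consent_basis(c, message_type, send_date, sender_kind)
        if basis:
            out[c.email.strip().lower()] = basis
    return out

def filter_list(candidates, opt_outs, message_type):
    """Email-system step, run just before sending: drop opted-out addresses."""
    blocked = {o.email.strip().lower() for o in opt_outs
               if o.scope in (ALL, message_type)}
    return {e: b for e, b in candidates.items() if e not in blocked}

# Constructed sample data (not from the presentation).
SEND = date(2016, 3, 1)
CRM = [
    Constituent("a@example.org", express={"enewsletter": (date(2015, 5, 1), "web form")}),
    Constituent("b@example.org", last_donation=date(2014, 6, 15)),
    Constituent("c@example.org", last_donation=date(2013, 12, 31)),  # older than 2 years
    Constituent("d@example.org", express={"enewsletter": (date(2015, 1, 1), "")}),  # "how" not recorded
    Constituent("f@example.org", last_volunteered=date(2015, 9, 1)),
]
OPT_OUTS = [
    OptOut("f@example.org", "enewsletter", date(2016, 2, 20), "unsubscribe link"),
    OptOut("a@example.org", "event invitations", date(2016, 1, 5), "reply email"),
    OptOut(" B@Example.org", ALL, date(2016, 2, 28), "reply email"),
]

def demo():
    candidates = build_list(CRM, "enewsletter", SEND, "registered_charity")
    return candidates, filter_list(candidates, OPT_OUTS, "enewsletter")

if __name__ == "__main__":
    built, to_send = demo()
    print("after CRM query:", built)
    print("after opt-out filter:", to_send)
```

Opt-out records are kept with their scope, date and method rather than deleted, so the same list serves both as the send-time filter and as the record the slides recommend retaining.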