For almost every small business, Canada’s new anti-spam law will be a game changer. Unfortunately the changed game will be tedious and more expensive for most of you. It started out as a law to stop people and companies from spamming Canadians with unwanted messages. The way the law turned out, however, is like using a hand grenade to get a squirrel out of your bird feeder. It will have a huge impact on the way your company can do its business online.
The law covers almost any electronic messages you send for business purposes – including email, text messages, and direct messages on social media, but not phone or fax. The basic premise of the law is that businesses must get the recipient’s consent before sending business messages to them. Simple enough, right?
The rest of the law is a rats-nest of exceptions, conditions, and legal grey areas. This blog will map out said rats-nest, without taking too much of the magic out of what I do. Practically speaking, your two main concerns are getting consent to send messages to the recipient, and having the right content in the message itself. That’s what this blog will focus on.
The penalties for businesses that ignore or break this law can reach up to $10,000,000, so it’s kind of a big deal. It’s also an offence to aid someone in breaking this law – so social media marketers, IT, and CRM dudes, beware!
The law will come into effect in three phases:
- Most parts of the law will be in force on July 1, 2014
- Parts dealing with the unsolicited installation of computer programs – January 15, 2015
- Right for individuals to sue for damages caused by spammers – July 1, 2017
In this blog, I’m only going to talk about the parts of the law that come into force this year.
The recipient must actively and voluntarily give consent to you sending them business messages. This consent can be express or implied – which I’ll tackle below. You don’t need consent:
- from friends and family
- from employees, representatives, consultants or franchisees of your organization
- from foreign recipients – though your message must comply with that jurisdiction’s anti-spam laws
- if you’re
  - answering an inquiry, request, or complaint
  - giving notice of a legal right or obligation
  - giving them factual information about an ongoing relationship like a subscription, membership, or loan
  - providing information about an employment relationship or benefit plan that they’re in
  - delivering updates or upgrades
  - a charity or political party
- if the message is solely an inquiry about the products or services the recipient provides
This is when the recipient takes a positive action to approve of you sending them business messages. Once given, express consent remains valid until withdrawn. More on withdrawal below. The guts of express consent are:
- The message or form asking for consent must:
  - explain why you’re asking for consent
  - give the name of the organization or person seeking consent (or identify who you’re getting consent for, if it’s not you)
  - give valid contact information – including at least one non-electronic means
  - let them know they can unsubscribe at any time
- If consent was expressly given before this new law, you don’t have to go back and re-confirm
- The recipient must “opt in” (as in, checking a box), rather than opt out (unchecking a box), or the consent isn’t valid
- Keep a record of who consented, when, and how – as it’s up to you to show that you got it, not the other way around
This is a little trickier, as most types of implied consent have an expiry date. Express consent is more practical for you to get, because it doesn’t expire, and is easier for you to keep track of. That said, if your contacts aren’t big on clicking through links in email, implied consent may still cover you. Implied consent can be found:
- in an existing business relationship, meaning that you and the recipient have
  - in the past two years,
    - bought, sold, or leased goods, services or land from each other
    - were bound by a written contract with each other
    - bartered goods, services or land with each other, or
  - in the past six months, made an inquiry about doing any of the above
- in the past two years,
- an existing non-business relationship
- if the recipient has published or disclosed their email address, they have not stated that they don’t wish to receive unsolicited messages, and the message is relevant to their business or role
So once you’ve got consent from all of your adoring fans, and you’re dutifully keeping accurate records of who has consented, your work is still not done. From July 1, 2014 onwards, every business message you send must have certain content, except messages
- to recipients you have a personal or family relationship with, or
- which are an inquiry about the business products or services the recipient provides
All of your business messages must contain information that:
- identifies the sender, or on whose behalf it’s sent
- sets out contact information for the sender, including at least one non-electronic means
- has a way to unsubscribe or withdraw consent
The unsubscribe mechanism must:
- operate at no cost to the recipient
- allow the recipient to unsubscribe by the same means the message was sent, or give another electronic means to unsubscribe
- give a link to a webpage that allows them to unsubscribe
Once they unsubscribe, you’ve got 10 business days to take their name off the list, or else.
Like I said, game changer… though how it changes the game will differ from business to business. There are a few best practices that I’d recommend you start implementing now:
- Vet your contact lists now to determine who you will need consent from
- Before July 1, 2014, send a message to your existing mailing lists asking them to opt in, and create a new mailing list of those who do
- After July 1, 2014, you’ll have to get consent the old-fashioned way – by mail, phone, or other non-electronic means
- Keep records of information showing consent
- Put together a new email signature that meets the content requirements
- Build an “unsubscribe” link into your website, and make sure the unsubscribe mechanism works
Most IT service providers should be CASL-compliant by now, and companies like my friends at Response Magic have developed simple and thorough systems to help you colour within the lines. Of course, every business and every situation is different, and applying a general rule is no substitute for consultation with an intrepid lawyer. You know where to reach me if you’ve got questions.
There. I just saved you $10,000,000. You can thank me later.