Canadian Anti-Spam Law (CASL): Common Compliance Errors

CANADIAN CASL (ANTI-SPAM LAW) PRECEDENTS

Do you need a precedent or checklist
to comply with CASL (Canadian anti-spam law)?

We offer Canadian anti-spam law (CASL) precedents and checklists to help electronic marketers comply with CASL.  These include checklists and precedents for express consent requests (including on behalf of third parties), sender identification information, unsubscribe mechanisms, business related exemptions and types of implied consent and documenting consent and scrubbing distribution lists.  We also offer a CASL corporate compliance program.  For more information or to order, see: Anti-Spam (CASL) Precedents/Forms.  If you would like to discuss CASL legal advice or for other advertising or marketing in Canada, including contests/sweepstakes, contact us: contact.

********************

Canada’s federal anti-spam legislation (CASL) came into force in 2014. Since then, marketers and their advisors have been working to comply with what remains a complex law with outstanding uncertainties in some key areas.

In providing CASL advice to clients since CASL came into force, and even over the past several years, I have regularly seen some of the same compliance errors being repeatedly made.

The following are some of the most common CASL compliance errors I see in my practice:

Relying on Old Aggregated
Marketing/Distribution Lists

One of the most common CASL compliance errors I see are issues relating to relying on old and often aggregated (i.e., combined) marketing lists. In this regard, it is not uncommon for clients to tell us that they are using an old (sometimes pre-CASL) distribution list and that they are not sure whether or how any express or implied consents were gathered. Commonly, such lists are not regularly reviewed or scrubbed of names where consent to send electronic messages no longer exists or a CASL exemption no longer applies.

There is certainly potential CASL-related risk in relying on old distribution lists where it is not known whether any valid CASL consent has been obtained or any prescribed exemption applies.

In this regard, while CASL does allow for either express consent as well as a number of types of implied consent, for both express consent and the various types of implied consents under the legislation there are specific requirements that must be complied with. For example, express consent requests must include prescribed sender identification information set out under CASL and its regulations.

Similarly, for each type of implied consent and exemption under CASL, including the existing business relationship types of implied consent, the so-called “business card” category of implied consent, “conspicuous publication” implied consent and the business-to-business exemption, there are specific multi-part tests that must be met and documented for each.

For example, for the “conspicuous publication” category of implied consent, (i.e., for published e-mail or other electronic addresses) it is not sufficient that an e-mail address was posted on the web. For this type of implied consent, a three-part test must be met for each e-mail address as follows: (i) the e-mail address was posted on the web or otherwise published; (ii) there is no statement that the recipient does not wish to receive unsolicited electronic messages; and (iii) the message is relevant to the recipient’s “business, role, functions or duties in a business or official capacity.”

Based on the above, marketing lists should be divided into the type(s) of express or implied consent obtained (or relevant CASL exemption) and addresses removed when either the relevant type of consent or exemption has expired / is not longer relevant or recipients have unsubscribed.

In the case of old distribution lists where it is unknown if any type of express or implied consent was obtained, and are not structured as discussed above and regularly reviewed and scrubbed to remove recipients’ names where neither consent nor an exemption still applies, there is clear risk for marketers.

Passive Consent

In general, CASL allows marketers to rely on express consent (e.g., an opt-in electronic form) or a number of categories of implied consent (e.g., existing business relationships) to send commercial electronic messages (CEMs).

I commonly see, however, marketing materials where there is an attempt to gather consent by “passive means”, such as by merely participating in a contest or other promotion.  Sometimes such passive consent language is just included in web page footers, contest rules or privacy policies.

In this regard, marketers need to be aware that if they can’t rely on a category of implied consent or CASL exception, then they need to obtain positive, express opt-in consent in the manner set out by CASL (e.g., via a paper or electronic form that includes all of the prescribed identification and other information).

For more information, see: Common CASL (Canadian Anti-spam Law) Compliance Errors: Passive Consents That Do Not Comply with CASL.

Incomplete Express Consent Requests 

CASL is highly prescriptive and sets out specific identification information that must be included in both consent requests and in CEMs themselves.

I commonly see initial drafts of client marketing materials that include some, but often not all of, the identification information required by CASL.  In addition, the information that must be included (e.g., in a consent request) can vary, according to, among other things, if consent is being requested on behalf of a single or multiple persons, on behalf of a third party or on behalf of an unidentified third party.

Other nuances can include the requirement to include the names of all persons on whose behalf consent is sought and the type of name of the person requesting consent, depending on which name they do business as (i.e., corporate name or doing-business-as or “DBA” name). 

In addition, it is possible to request consent to send CEMs for three categories of persons: (i) the sender on their own behalf; (ii) an identified third party (or multiple third parties); or (iii) an unidentified third party (or multiple unidentified third parties).

I often see, however, requests to gather consents for a broad range of persons without complying with CASL’s requirements, such as identifying third parties where their identities are known or including the required contact information depending on who consent is being requested for.  There are also very specific and unfortunately complex rules where consent is being requested for as yet unidentified third parties, which should be reviewed carefully.

For more information, see: Common CASL (Canadian Anti-spam Law) Compliance Errors: Incomplete Express Consent Requests.

Non-Compliant Express Consent Requests
for Unidentified Third Parties

Another very common CASL compliance error that I see is a request for consent for unidentified third parties without meeting the specific rules under CASL.

Some examples include an express consent request that includes a request for consent for “marketing affiliates”, “marketing partners” or “partners” (or similar language attempting to gather blanket type consents for any and all entities the person requesting consent may share electronic addresses in the future but who are not yet known).

Under CASL, it is possible to request consent to send CEMs for three categories of persons: (i) a sender themselves on their own behalf; (ii) an identified third party (or multiple identified third parties); or (iii) an unidentified third party (or multiple unidentified third parties) who are as yet unknown when the express consent request is made (e.g., future third party marketing partners).

The rules for these requests are set out in section 10(2) of CASL and section 5(1) of the Governor in Council Regulations under CASL (GIC Regulations).

The requirements for express consent requests for as yet unidentified third parties require, among other things, that commercial electronic messages (CEMs) identify the person that obtained consent (as required by CASL), any person with whom electronic addresses are shared also comply with CASL’s unsubscribe requirements and that recipients may choose to unsubscribe from the person that obtained consent or any other person authorized to send CEMs.

There are also obligations on third parties with whom electronic lists have been shared to notify the original person that obtained consent as to the scope of an unsubscribe request by a recipient (i.e., who the recipient is requesting to be unsubscribed from).

Given the complexity of the rules under CASL for express consent requests for as yet unidentified third parties, many marketers opt not to make such consent requests and limit consent requests to the actual sender and identified third parties (e.g., known and identified affiliates).

Having said that, if marketers want to request and obtain express consent for as yet unidentified third parties, they are well advised to carefully review the applicable rules under CASL and the GIC Regulations.

Practically, it is also prudent to have list sharing agreements in place with third parties that reflect the obligations set out under CASL for those requesting consent for unidentified third parties and the third parties that include, among other things, representations by the third parties to comply with CASL and indemnities in favour of the person obtaining consent in the event the third party fails to comply with CASL.

For more information, see: Common CASL (Canadian Spam Law) Compliance Errors: Non-compliant Consent Requests for Unidentified Third Parties.

Consents From List Providers

Another common compliance error I see in my practice is using bulk e-mail lists from list providers.

While there is nothing wrong with using list brokers or third party lists per se, such lists must have been compiled so as to comply with CASL.  In some cases, such lists are assembled by non-Canadian entities, where it is not clear whether, for example, express consent was obtained to use the e-mail addresses.

In other cases, where e-mails are compiled from the web for B2B marketing, it is not clear whether the category of implied consent for compiling such lists has been complied with.  In this regard, while marketers can certainly use e-mail addresses obtained from third parties or list providers, they should satisfy themselves that the e-mail lists obtained comply with CASL’s consent requirements.

For example, if using e-mail lists obtained from the web for B2B marketing, marketers should ensure that not only were such e-mails conspicuously posted with no message against solicitation, but also that any marketing sent is likely to be relevant to the recipient’s business.

For more information, see: Common CASL (Canadian Anti-spam Law) Compliance Errors: Unreliable List Provider Lists.

Bulk Collection of Online E-mail Addresses (B2B Marketing)
Without Meeting Conspicuous Publication Implied Consent

CASL includes a number of potentially helpful categories of implied consent and exemptions.

For example, CASL includes two B2B categories of implied consent, including one for the collection of e-mail addresses that are conspicuously posted online or elsewhere.

However, the test for this category of implied consent (as with others types of CASL implied consent and exceptions) is very specific and requires, in this case, that a 3-part test be met for every e-mail.

Among other things, this so-called “conspicuous publication” category of implied consent requires that any marketing sent to a person whose e-mail was posted online is “relevant to [their] business, role, functions or duties in a business or official capacity.”

For more information, see: Common CASL (Canadian Spam Law) Compliance Errors: Bulk Collection of E-mails Without Meeting Conspicuous Publication Implied Consent.

Failing to Update Electronic Distribution Lists 

While much of the compliance discussion for CASL tends to relate to its three core requirements – i.e., consent, identification and an easy un-subscribe mechanism – back-end compliance is also very important for electronic marketers.

In this regard, CASL requires, among other things, that recipients that request to be unsubscribed be removed from a list within 10 days.  It is also important for marketers to ensure that, unless they have refreshed consent, that existing customers be removed from marketing lists after two years of purchasing a product/service or six months after an inquiry (i.e., the existing business relationship category of implied consent is time-limited and, as such, lists must be regularly scrubbed on a rolling basis).

In all cases, the onus is on the sender to prove that they have consent (whether express or implied) to send CEMs, which should be documented on a rolling basis.

For more information, see: Common CASL (Canadian Anti-spam Law) Compliance Errors: Failing to Update Electronic Distribution Lists.

Sharing Distribution Lists With Third Parties
Without Consent 

Some marketers want to share consents for electronic marketing with other parties, whether related entities such as affiliates or third parties.  While this is certainly possible under CASL, marketers need to be aware that there are specific requirements that must be met depending on who a list will be shared with (e.g., to expressly identify a third party with whom consent is being gathered on behalf, including the third parties contact information and other requirements if the identity of a third party with whom a list will be shared is not known at the time consent is requested).

Marketers should also be aware that there is also potentially not only if they violate CASL, but also if they assist a third party violate the legislation based on an “aiding” provision in section 9.

As such, it is often prudent for marketers that want to share electronic marketing lists to ensure that they have agreements in place with third parties with whom they intend to share e-mails that includes, among other things, a covenant by the third party to comply with CASL and an indemnification in favour of the marketer sharing the list in the event the third party violates CASL.

For more information, see: Common CASL (Canadian Anti-spam Law) Compliance Errors: Sharing Distribution Lists with Third Parties Without Consent.

Combining Electronic Marketing Without Consent
With a Contest or Other Promotion 

I commonly see marketing where clients will want to not only reply to an inquiry, but to also engage in additional (i.e., wider) marketing than merely a follow up to a particular inquiry.

A good example are promotional contests, where after an entrant enters the contest a sponsor will want to send other marketing unrelated to the contest either immediately or following the close of the promotion.

Sending unsolicited commercial electronic messages (CEMs) is risky unless a sender has either consent (whether express or implied) or can rely on one of the exceptions under CASL.

Helpfully, there is an exception from the unsolicited CEMs section of CASL (section 6) for replying to requests or inquiries.  However, this exception is narrow.

As such, for marketers that want to build distribution lists in connection with a contest or other promotion, it is often prudent to ensure that the participants in the promotion also provide express consent to receive other types of marketing (i.e., which is unrelated to the administration of the promotion).

For more information, see: Common CASL (Canadian Spam Law) Compliance Errors: Combining Electronic Marketing Without Consent with a Contest or Other Promotion.

Non-Compliant “Friends and Family”
Marketing Campaigns

Some marketers run “friends and family” promotions – for example, offering additional contest entries to entrants that share the details of the contest with friends or family.

Marketers should be aware, however, that while there is an exception to the unsolicited CEM section of CASL for messages sent to a person with whom they have a personal or family relationship, these terms are very specifically defined.  For example, “family relationship” is limited to spouses, common-law partners and parent-child relationships.  “Personal relationship” is, unfortunately, defined in a multi-factor and case-by-case fashion, such that it is often impractical to rely on this exception for any broad “friends and family” type promotion.

In sum, marketers need to be aware that there is potential risk for both themselves and their clients in running friends and family type promotions, if they cannot satisfy themselves that the specific definitions of “family relationship” and/or “personal relationship” under CASL can be met.  To put it another way, marketers could, depending on the type of promotion, essentially be assisting participants in a promotion violate CASL by encouraging electronic marketing for the promotion to third parties from whom consent has not been obtained and no exception applies.

For more information, see: Common CASL (Canadian Anti-spam Law) Compliance Errors: Non-Compliant “Friends and Family” Marketing Campaigns.

**********

SERVICES AND CONTACT

I am a Toronto competition/antitrust lawyer and advertising/marketing lawyer who helps clients in Toronto, Canada and the US practically navigate Canada’s advertising and marketing laws and offers Canadian advertising/marketing law services in relation to print, online, new media, social media and e-mail marketing.

My Canadian advertising/marketing law services include advice in relation to: anti-spam legislation (CASL); Competition Bureau complaints; the general misleading advertising provisions of the federal Competition Act; Internet, new media and social media advertising and marketing; promotional contests (sweepstakes); and sales and promotions. I also provide advice relating to specific types of advertising issues, including performance claims, testimonials, disclaimers, drip pricing, astroturfing and native advertising.

For more information about my services see: services

To contact me about a potential legal matter see: contact

For more regulatory law updates follow me on Twitter: @CanadaAttorney

This entry was posted in Advertising Law, Anti-spam Law, Articles, Competition Bureau, Competition Law, Compliance, Consumer Protection, Contests, CRTC, Direct Sales, Do Not Call List, Electronic Marketing, Internet Advertising, New Publications, News, Online Advertising, Sectors - Broadcasting, Sectors - Internet & New Media, Sectors - Media, Sectors - Retail, Sectors - Telecommunications, Sectors - Telemarketing, Social media marketing, Targeted Advertising, Telemarketing and tagged , , , , , , , , , , , , , , . Bookmark the permalink.