A few weeks ago, I shared a post on Pardot and GDPR compliance. Since then, a few people have asked me how this relates to CASL and if it’s more or less stringent.
So if you’re wondering:
“Ottawa comply with CASL?”
…then pour yourself a Molson and let’s break it down, eh?
PS: fair warning, the Canadian jokes do not get any more sophisticated as this goes on, so manage your expectations, please.
The Keys to the CASL
“Strict” and “onerous” are the two most common adjectives I see paired with explanations of the Canadian Anti-Spam Law (CASL). Why? Because it’s pretty darn complicated, and creates a structure for gaining consent that applies to all “commercial electronic messages” – not just email.
CASL applies to both companies in Canada and to any companies marketing to citizens of the Great White North. The legislation first went into effect July 1, 2014, and has had a staged rollout.
The last wave of provisions was scheduled to go into force July 1, 2017, and would have allowed lawsuits to be filed against individuals and organizations for alleged violations of CASL. There was significant pushback from the business community, though, and this piece was pulled back at the last minute for parliamentary review (which is part of the reason why you’re still hearing about it this year).
So, CASL governs commercial electronic what now?
Commercial electronic messages include anything sent to an electronic address — including emails, instant message accounts, and some social media accounts.
Phone calls aren’t relevant under CASL, so Drake and his hotline bling can carry on. Text messages, however, ARE governed by CASL.
There is an exemption in the law for BBM (Blackberry Messenger) – go figure. And fax numbers aren’t covered under this legislation (whew).
Consent according to CASL
CASL has rules for two kinds of consent: express and implied.
First, the easy one. Consent can be implied for:
- Friends and family
- Employees and contractors
- Customers that have been active with you in the last 2 years
- Someone who’s inquired about your company’s services in the last 6 months
- Charitable and political fundraising efforts
- Legal, warranty, and recall stuff
- Transactional emails (like receipts and confirmations)
- Recipients that conspicuously publish their contact info without saying “don’t spam me”
- Referrals – but you have to disclose the full name of the person who referred you, and you only get to play that card once
If your contacts don’t meet one of the above criteria, you need express consent to market to them. This consent can be given either orally (the late Mayor Rob Ford would approve), in writing, or electronically.
When requesting express consent, you have to include:
- Who you are (name of person or organization)
- If you’re acting on behalf of someone, who that person or organization is
- A way for people to get in touch with you to get more information
- The ability to opt-out of all types of communications sent by you, your organization, or third-party partners
- An opt-in checkbox that the user actually checks — no pre-filling
What else do I need to do to skate to where the puck is going here?
In addition to getting CASL-compliant consent for the folks on your list, keep in mind that:
- You’re required to maintain records of how you got consent.
- Commercial electronic messages must include your name, your mailing address, phone number, email, and website URL. And if you’re reaching out on behalf of someone else, their name too.
- All messages need to include an unsubscribe mechanism, and unsubscribes need to be processed in 10 days.
- You can’t make people give you more than their email address to unsubscribe (so no required “why are you leaving us?” stuff).
- You can’t make people log in somewhere or visit multiple pages to submit an opt-out request.
- Express consent applies until someone unsubscribes. Implied consent applies until 2 years after a client/business relationship is terminated, or 6 months after a prospect inquiry.
Penalties for CASL non-compliance
If you think Canadians are nice, you haven’t read up on CASL penalties.
They include criminal charges, fines up to $10M, and personal liability for company officers and directors. Yikes.
Ignore CASL at your own risk — there’s nowhere to hide, and there’s nowhere Toronto. (Okay sorry, that one was really bad. And sorry for interrupting to say sorry. How Canadian of me.)
The Pardot Admin’s CASL action items
As Ontario native Shania Twain would say, “from this moment on,” CASL is the law of the land – onerous or not. To stay in compliance, consider:
- Adding an “express consent” opt-in checkbox to all of your Pardot forms
- Using variable tags to add the info required by CASL to your email templates. Physical address and unsubscribe link are already required by Pardot, but be sure to add in website URL and phone number.
- Adding custom fields to track things like Permission Type (express vs. implied) and Date of Confirmed Opt-In.
- Using automation rules in Pardot or workflow rules in Salesforce to update your custom fields so they reflect the current implied opt-in status for clients/prospects.
- Running a permission pass for the Canadian portion of your list (companies with addresses in Canada, emails with .ca, etc.) to get the express consent you need to continue contacting them
- Documenting your plan for all this, in case Prime Minister Trudeau comes calling
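To make the consent windows above concrete, here is an added Python model (not code from the post or from Pardot) of the logic an automation rule would have to reproduce: express consent lasts until unsubscribe, implied consent lapses 2 years after customer activity or 6 months after an inquiry, and express consent without a record of how it was obtained is treated as unusable. The record layout, field names and sample contacts are assumptions built for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Prospect:  # hypothetical record modelled on the post's suggested custom fields
    email: str
    permission_type: Optional[str] = None   # "express", "implied" or None
    consent_date: Optional[date] = None     # Date of Confirmed Opt-In
    consent_source: Optional[str] = None    # how consent was obtained (record-keeping)
    last_purchase: Optional[date] = None    # most recent customer activity
    last_inquiry: Optional[date] = None     # most recent inquiry about services
    unsubscribed: bool = False

def add_months(d: date, n: int) -> date:
    """Calendar-month addition, clamped to month end (Aug 31 + 6 months -> Feb 28/29)."""
    y, m0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + y, m0 + 1
    next_first = date(year + (month == 12), month % 12 + 1, 1)
    return date(year, month, min(d.day, (next_first - timedelta(days=1)).day))

def consent_status(p: Prospect, today: date) -> Tuple[bool, str]:
    """(mailable, reason): express until unsubscribe; implied 2y after activity / 6m after inquiry."""
    if p.unsubscribed:
        return False, "unsubscribed"
    if p.permission_type == "express":
        if p.consent_date is None or not p.consent_source:  # no record of consent, no send
            return False, "express consent claimed but not documented"
        return True, f"express consent {p.consent_date} via {p.consent_source}"
    windows = []
    if p.last_purchase:
        windows.append((add_months(p.last_purchase, 24), "customer activity"))
    if p.last_inquiry:
        windows.append((add_months(p.last_inquiry, 6), "inquiry"))
    live = [(exp, why) for exp, why in windows if today <= exp]
    if live:
        exp, why = max(live)  # the later of the two windows governs
        return True, f"implied consent from {why} until {exp}"
    return False, "no current consent"

def permission_pass_targets(prospects: List[Prospect], today: date) -> List[str]:
    """Emails to include in a permission pass: no live consent and not unsubscribed."""
    return [p.email for p in prospects if not p.unsubscribed and not consent_status(p, today)[0]]

SAMPLE_TODAY = date(2018, 3, 1)  # constructed reference date
SAMPLE_PROSPECTS = [  # constructed records, not real contacts
    Prospect("a@example.ca", "express", date(2017, 6, 1), "webinar form"),
    Prospect("b@example.ca", "implied", last_purchase=date(2016, 2, 15), last_inquiry=date(2017, 10, 10)),
    Prospect("c@example.ca", "implied", last_purchase=date(2015, 8, 31)),
]
```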
I’m sorry to any Canadians reading this who I may have offended. At least the wah-mbulance will be covered under your amazing healthcare.
Got questions? More Canadian puns? Horror stories of your CASL compliance journey?
I recommend poutine it in the comments!
Like being hip checked into your own bench, this is brutal. Especially when combined with the GDPR and Cookie compliance (you didn’t forget about cookies, did you?). Pardot tried to help with the whole cookie opt-out thing, but it’s not useful when combined with any other cookie tool, so you end up needing to buy or custom code a solution that literally deletes Pardot cookies AFTER they’re already set in someone’s browser (which may or may not comply with the law). If not, you end up with two cookie bars, which in any other context sounds amazing, but when we’re talking about browser cookies in legal compliance terms… I’d rather hug a polar bear.
Oh, and don’t forget, if GDPR hasn’t changed since last I looked, you also can’t transfer Personal Data outside of the EEA without express consent by the people whose information you have. Which is fantastic because I’m pretty sure there’s no way to stop Pardot form data from leaving the EEA to be stored on US servers. Again, consult with legal counsel (specifically someone IN the EEA) for details on what that means for you.
“Like being hip checked into your own bench” — love it. That analogy is about as Canadian as it gets, lol.
My take on the cookie opt-out thing is that it’s borderline impossible to comply. Agree that the two bars thing is not a solution… and depending on how many 3rd party tools are in use, it might even be worse than that. There’s a UK software company that was working on a compliant solution, but gave up and is taking this approach instead: http://nocookielaw.com/
I want to buy a cookie bouquet for whoever wrote that hilarious copy. 🙂
Although I’ve seen conflicting reports on the data transfer piece, Salesforce appear to be interpreting GDPR as not preventing them from transferring data outside of the EU… https://www.salesforce.com/campaign/gdpr/ Either way though, there are definitely compliance gaps in the product that need to be looked at.
With all of this compliance stuff, my question is “who really is getting in trouble?” I have a half-written blog on worst case scenarios and actual cases that have been prosecuted that is coming soon…
https://www.civicuk.com/cookie-control Has a rather good solution (and a terrific team of people). But yeah, you have to wonder how this cookie will crumble. I spent many hours trying to make a corporate site compliant and I’m not sure if it was worth it.