A few weeks ago, I shared a post on Pardot and GDPR compliance. Since then, a few people have asked me how this relates to CASL and if it’s more or less stringent.
So if you’re wondering:
“Ottawa comply with CASL?”
…then pour yourself a Molson and let’s break it down, eh?
PS fair warning, the Canadian jokes do not elevate in their level of sophistication as this goes on, so manage your expectations, please.
The Keys to the CASL
“Strict” and “onerous” are the two most common adjectives I see paired with explanations of the Canadian Anti-Spam Law (CASL). Why? Because it’s pretty darn complicated, and creates a structure for gaining consent that applies to all “commercial electronic messages” – not just email.
CASL applies to both companies in Canada and to any companies marketing to citizens of the Great White North. The legislation first went into effect July 1, 2014, and has had a staged rollout.
The last wave of provisions were scheduled to go into force July 1, 2017, and would have allowed lawsuits to be filed against individuals and organizations for alleged violations of CASL. There was significant pushback from the business community, though, and this piece pulled back at the last minute for parliamentary review (which is part of the reason why you’re still hearing about it this year.)
So, CASL Governs Commercial Electronic What Now?
Commercial electronic messages include anything sent to an electronic address — including emails, instant message accounts, and some social media accounts.
Phone calls aren’t relevant under CASL, so Drake and his hotline bling can carry on. Text messages, however, ARE governed by CASL.
There is an exemption in the law for BBM (Blackberry Messenger) – go figure. And fax numbers aren’t covered under this legislation (whew).
Consent According to CASL
CASL has rules for two kinds of consent: express and implied.
First, the easy one. Consent can be implied for:
- Friends and family
- Employees and contractors
- Customers that have been active with you in the last 2 years
- Someone who’s inquired about your company’s services in the last 6 months
- Charitable and political fundraising efforts
- Legal, warranty, and recall stuff
- Transactional emails (like receipts and confirmations)
- Recipients that conspicuously publish their contact info without saying “don’t spam me”
- Referrals – but you have disclose the full name of the person who referred you, and you only get to play that card once
If your contacts don’t meet one of the above criteria, you need express consent to market to them. This consent can be given either orally (the late Mayor Rob Ford would approve), in writing, or electronically.
When requesting express consent, you have to include:
- Who you are (name of person or organization)
- If you’re acting on behalf of someone, who that person or organization is
- Way for people to get in touch with you to get more information
- The ability to opt-out of all types of communications sent by you, your organization, or third-party partners
- An opt-in checkbox that the user actually checks — no pre-filling
What Else Do I Need to Do to Skate to Where the Puck is Going Here?
In addition to getting CASL-compliant consent for the folks on your list, keep in mind that:
- You’re required to maintain records of how you got consent.
- Commercial electronic messages must include your name, your mailing address, phone number, email, and website URL. And if you’re reaching out on behalf of someone else, their name too.
- All messages need to include an unsubscribe mechanism, and unsubscribes need to be processed in 10 days.
- You can’t make people give you more than their email address to unsubscribe (so no required “why are you leaving us?” stuff)
- You can’t make people log in somewhere or visit multiple pages to submit an opt-out request.
- Express consent applies until someone unsubscribes. Implied consent applies until 2 years after a client/business relationship is terminated, or 6 months after a prospect inquiry.
Penalties for CASL Non-Compliance
If you think Canadians are nice, you haven’t read up on CASL penalties.
They include criminal charges, fines up to $10M, and personal liability for company officers and directors. Yikes.
Ignore CASL at your own risk — there’s nowhere to hide, and there’s nowhere Toronto. (Okay sorry, that one was really bad. And sorry for interrupting to say sorry. How Canadian of me.)
The Pardot Admin’s CASL Action Items
As Ontario native Shania Twain would say, “from this moment on,” CASL is the law of the land – onerous or not. To stay in compliance, consider:
- Adding an “express consent” opt-in checkbox to all of your Pardot forms
- Using variable tags to add the info required by CASL to your email templates. Physical address and unsubscribe link are already required by Pardot, but be sure to add in website URL and phone number.
- Adding custom fields to track things like Permission Type (express vs. implied) and Date of Confirmed Opt-In.
- Using automation rules in Pardot or workflow rules in Salesforce to update your custom fields so they reflect the current implied opt-in status for clients/prospects.
- Running an permission pass for the Canadian portion of your list (companies with addresses in Canada, emails with .ca, etc.) to get the express consent you need to continue contacting them
- Documenting your plan for all this, in case Prime Minister Trudeau comes calling
I’m sorry to any Canadians reading this who I may have offended. At least the wah-mbulance will be covered under your amazing healthcare.
Got questions? More Canadian puns? Horror stories of your CASL compliance journey?
I recommend poutine it in the comments!