If you haven't visited the content corner of SendGrid in a while, you may have missed some of the new content we've created around Canada's Anti-Spam Legislation (CASL). Our delivery consultant, Jacob Hansen, hosted legal expert, Shaun Brown, in a CASL-focused webcast where we discussed what CASL is, what it does and doesn't apply to, and what measures you need to put in place for your email program to be compliant. We received a ton of great questions that we summarized and submitted to Shaun for a quick webcast recap--check out Shaun's answers below!
Is there a similar nation or state law (e.g. California) that may be comparable to CASL? Are there good examples of sites that are doing it correctly according to CASL?
I am not familiar with the California anti-spam law, but, yes, there are other laws that share similarities with CASL. The Australian and New Zealand laws are probably the closest examples. In fact, the anti-spam provisions of CASL were closely modeled on the Australian law. On a more general level, most anti-spam laws around the world are consent-based, meaning that the default basis is that some form of consent is required before an email can be sent (e.g. the EU). The United States' CAN-SPAM Act is one of the few remaining laws that allow commercial email to be sent with no prior consent.
As for specific examples of sites that are following CASL, start by looking at any major Canadian brand. Despite the fact that Porter Airlines suffered a glitch that resulted in some non-compliant emails (see the undertaking with the CRTC), I’ve been a subscriber to their emails for years, and from my perspective as a consumer, they have done a great job. Start with their sign-up process.
What is the exact time period that implied consent needs to be renewed? Express consent? Are they both every 2 years? Is there a grace period?
Express consent never needs to be renewed according to CASL. As for implied consent, the existing business relationships and existing non-business relationships are the only forms of consent that are time-limited. Most of those categories of implied consent last for 24 months. There is one form of implied consent–based on an inquiry or application about a product or service–that only lasts for 6 months. These time periods are specified in both of the checklists, which are available in this SendGrid blog post.
As for a “grace period,” there is a transitional provision for implied consent that existed before CASL came into effect on July 1, 2014. This is explained in the Database Checklist.
What details need to be included in proof of consent? Is it always first/last name and email? Does the expectation set at collection need to be recorded and followed as well?
The CRTC has stated that you should have “a record of the date, time, purpose, and manner of that consent…stored in a database.” Fortunately, many email systems make this very easy to do, especially if consent is obtained through an online form. For consent obtained offline (e.g. verbally or on a paper ballot) there will be a need for some sort of manual input, but the same information should still be retained in a database. In short, you should be able to show when, how, and where consent was obtained for each email (or other) address you have.
As for setting expectations, there is nothing in CASL that requires you to state the frequency of messages. This is more a matter of exercising common sense and good business practices. If you do state frequency, you should stick to it (and not send more often than you say you will).
Is this just applicable to Commercial Electronic Messages (CEMs) sent to Canadian citizens? Or is it including just Canadian email addresses and machines/mailbox providers and citizenship is not a factor?
CASL applies to any CEM sent from or accessed on a computer system located in Canada. So citizenship is irrelevant at this stage, as well as the location of the mailbox provider for the recipient. What does matter is where the recipient is physically located when they open your email.
That being said, there is an exclusion for CEMs sent with the reasonable belief that the message will be accessed in a foreign state with anti-spam legislation listed in the schedule to the regulations under CASL. Factors such as residency and home address of the recipient could be relevant in determining whether it is reasonable to believe that a message will be accessed in Canada or elsewhere. For example, if you know that a recipient is a US resident, but they happen to be on vacation in Canada when they open one of your emails, then I think this is a scenario where the exclusion should apply.
For exclusions, is this just those organizations or other organizations sending on behalf of the excluded ones (e.g. a company sending out a promotion for their favorite charity)?
Most of the exclusions are based on the purpose of the message itself, and not who is sending (so it shouldn’t matter whether the message is sent by an organization or on their behalf). The exclusions for charities, political parties, etc., do depend on who the organization is, but they do apply to messages that are sent by those organization, or on their behalf.
Are educational institutions excluded?
No, educational institutions that send CEMs need to follow the law like any other organization.
Is an unsubscribe link required for CASL and does it have to actually say the word "unsubscribe?" What is the time period those requests must be honored according to CASL? Is an unsubscribe function required for apps or social media?
An unsubscribe mechanism is required in every CEM. The word “unsubscribe” is very common, but it could say something else, like “opt out” or “remove me.” The unsubscribe request must be processed “without delay, and in any event no later than 10 business days after the indication has been sent.” If the message being sent via the app or social media is a CEM according to CASL, then an unsubscribe mechanism is required.
Do the CASL software requirements refer to social media or mobile apps bought through the Google App Store and Apple Store?
CASL does not apply to software that is “self-installed.” The CRTC provides the following as an example of where CASL does not apply: “For example, the owner of a mobile device goes to an app store to purchase and download an app. As the owner is installing the app on their own personal device, CASL does not apply.” However, as stated by the CRTC, CASL could apply when updates to an app are installed: “if the app installs the update in the background, without prompting or informing, then CASL would apply.”
For more information on CASL, you can watch our webcast CASL Compliance 101 on-demand.
