CASL Review: Are ISED and CRTC singing from the same song sheet?

A piece of legislation as complex as CASL took many years to write. It started in 2004 and the law was passed in 2010. Technology moves at a slightly different pace than government law-makers. Having said that, given what they knew at the time Industry Canada did an amazing job of tackling a very difficult topic.

According to the Web Services Centre, Communications and Marketing Branch, Innovation, Science and Economic Development / Government of Canada -

"The Standing Committee on Industry, Science and Technology’s first scheduled meeting for the statutory review of Canada’s Anti-Spam Legislation will be on September 26, 2017."

And to be clear that does not mean it is no longer being enforced!

It simply means that in accordance with the language of the law it is to be reviewed in 3 years. It is responsible to examine what has worked and what has not.

CASL has, for the most part in our opinion, worked well.  We are seeing businesses be far more responsible about what they send to who and strangely enough,  business has survived the whole ordeal. Yet there are issues with regard to CASL.

A little more clear direction please...
CASL leaves a lot of issues open to interpretation and application within your industry and your culture. Record keeping for example. We all know how important it is - the onus of proof is always on the sender. We have to prove consent, dates, times, emails sent, working unsubscribe mechanisms (not sure how we prove the unsubscribe mechanism was or was not working on any specific day in the past). The CRTC has repeatedly stated that we are free to interpret how to apply effective record keeping to our situation, but the fact is we could invest a lot of money and resources in setting up a system or process based on our interpretation, only to find it is not acceptable to CRTC during an audit. They say "interpret it as best you can" but it could still end up causing a fine for your organization. We could use some clear guidance on what type of record keeping practices would be acceptable.

As long as we are reviewing CASL, let's look at some of this ambiguous language and put some standards or perameters around them so those who are interested in being compliant can do so. Let's define or at least give some good examples of what is acceptable proof of consent for the various types of consent so we have better guidance for setting up our systems and processes internally. 
Keeping up with the Jones (or in our case, the Europeans)
Switching gears for a moment, as we understand it, CASL and PIPEDA were regulations set in order to allow Canadian companies to more easily conduct business in Europe. The gap in regulations could certainly put Canadian companies at a disadvantage. The European Commission put out Directives, but each European country operated by it's own laws within those Directives.

And now they have introduced the General Data Protection Regulations (GDPR) which set a whole new global standard for managing people's data, including email addresses. Some legal minds in Europe are recommending a "re-permissioning" of express (or explicit) email consent every 2 years. And - no consent - no email. So customers or prospects who did not grant expilicit consent cannot be emailed. This assumes that a lot changes in a person's life takes place every 2 years, so check in and see if the information you are sending them is still relevant to their lives today. So while in Europe it is express consent re-permissioned every 2 years, CASL - which most Canadians thought was far too tough - pales in comparison.

CASL states that express consent, if collected using the proper language, has NO time limit. It is for life or until unsubscribed. This assumes everything is the same for the rest of that individual's life. Should this be reviewed as part of the Standing Committee's review of CASL? I would suggest a 5 year "re-permissioning" rule would suffice. So every 5 years a person must confirm they are still interested in the information you send them. This serves them and the company sending as nobody wants to send messages that are not relevant to people who do not even open their emails. Email marketing, despite the way many marketers have treated it, is not a mass marketing tool. More is not better with regard to email marketing. Engaged and relevant is better.

Then there is our B2B clause: Implied Consent - Conspicuously Published.
If the idea of CASL is to reduce the amount of irrelevant email every Canadian receives, I would say this form of consent creates a huge gap between Canadian business practices and European standards. We are assuming you may be interested in material we want to send you if we can prove your title (role) (proof is likely a screen grab that includes the URL string as well as a date and time stamp) and prove that your email address is publicly displayed without restrictions (same proof applies here), then we can add you to our implied consent list and go ahead and email you. No clear direction has been provided regarding how often this "proof of role and public display" is valid for. For practical purpose we recommend to our clients who rely this form of consent (most do not) that this proof be re-sourced every two years.

On an admittedly small sample size, we are seeing open rates of less than 25% on these types of lists. Is that sufficient? 75% of these people completely ignore the messages yet we keep sending them? Is that not what CASL intended to alter? So we ask, if we are considering the recipient, should this form of consent be allowed under CASL? Are Express consent, implied consent - existing business and non-business relationships and personal relationship good enough when applied to email consent?

The private right of action
Once again switching gears: the infamous and postponed private right of action (PRA). Now here is a prickly issue....

Read The Full Article


0 Comments Write your comment

    1. Loading...