CASL and other compliance projects
If you are located in Canada or do business with a Canadian or deal with customers in Canada, you’ve probably been inundated with information on the new Canadian Anti-Spam Law (CASL for short). Every company that does business through email has been going ga-ga to beat the law. And there is good reason for their concern.
What is CASL ?
As I said, CASL is the new Canadian Ant-Spam Law that comes into effect on July 1, 2014. Canada Day for those who aren’t familiar with our holidays. It’s actually been in place for some time but kept being delayed and kicked around. But finally it is here and businesses need to obey it.
It is the toughest anti-spam law in the world at the moment and it implements most of the best practices that internet experts have been calling for.
What does CASL require?
First off, it applies to all entities (including individuals) who send emails for the purposes of marketing. So charities and other not-for-profit organizations are not subject to the law for the purposes of fund raising. However if they sell something then they are subject to the law. For example, I worked for Canadian Standards Association (CSA International). We developed, sold, and certified to standards. We sent mailings asking for donations and also mailings sent to sell the standards. The former would be exempt while the latter would not. So it applies to the reason you are sending the email not to the organization. The other exception are customers … but only for a limited time and only with regards to their business with the organization.
Second it applies to email only. This is one of the objections that many experts have with the law. Theoretically, telephone solicitation is already covered by legislation. And direct mail has become very expensive. So they were ignored in the legislation.
Finally, it applies to all Canadians — both senders and recipients. So if you are located outside of Canada and send emails to Canadians, you are affected. Whether you can be prosecuted is another matter. If you are a Canadian organization with recipients outside of Canada, they may or may not be affected. If they live in a country with comparable laws, then they are affected. If not, then they are exempt. In fact, most companies are not going to pay any attention to the difference. It’s too much trouble to have one set of rules for Canadians, one for included countries, and another for exempt. Similar to the privacy laws. Pick the toughest and apply to everyone.
CASL requires only three things:
- Recipients must ASK to be put on mailing lists
- The default is to NOT put them on the mailing list (called opt-in)
- The recipient must know what they will recieve in the way of emails.
Why is it so important?
Quite frankly there are three main reasons for CASL being so important.
The first is that opt-out was the standard method of adding people to mailing lists for many years. Opt-in starts from the position that people don’t want to be on the mailing list. So people need to choose to be on the list. Opt-out starts from the position that people want to be on the mailing list. So people need to choose to be not on the list. Subtle difference but big in implication.
Secondly, because of the opt-out position, many organizations have mailing lists that include people who did not choose to be on the mailing list. Maybe they were old customers or business contacts. Or maybe they were from purchased mailing lists.
And third, most important of all, is the size of the penalty. While $5,000 per occurrence does not sound major, each email to a non-compliant recipient is an occurrence. So if you have 10 customers your organization did not recieve opt-in from and they recieve 10 emails in a year that would be 100 occurrences. Meaning the fine could be as high as $500,000. Most organizations have well over 10 customers in their mailing list. And if you’re only sending 1 email a month you probably are not getting much from your mailing list. Multiply that to a maintenance level (one a week) and you’re looking at 10 customers costing you $2,000,000. Surviving a CASL prosecution is almost impossible for any sized organization.
What do most companies need to do?
First off, you need to have done this before. If you’re starting now you are too late. The chances of actually finishing on time are between slim and none — and Slim has left town.
Having said that the following steps need to be performed:
Review the law
Like all compliance projects you need to start by understanding the law. After all, that’s what you now have to obey. Part of the review process should include a basic (i.e. list) of processes and requirements. In the case of CASL the list above is a good example.
Review organization and identify variences
The next task is to determine what you need to do in terms of products or changes. Most likely you will do this in several stages. Each stage would deal with the problem at a different level of detail. Eventually you’ll end up with a detailed list of changes you need to do. Detailed of course, being a relative term. In the case of CASL this means identify all email lists (including those that aren’t formal lists), identify where the addresses came from, and determine if the source meets the legal criteria. If not then they need to be handled. Effectively, they will fall into x categories:
- Lose the list entirely
- Start over
- Request confirmation
- Advise recipient (aka do nothing)
Plan your project
Once you have the list of changes you need to develop a project plan. Typically one change may require multiple tasks. And in fact, may require different forms of attack. I’m not going to go into the whole project planning process here. I’ve written too many books about it — usually about one aspect and then only at a high level. So going into detail isn’t practical.
Perform the appropriate remediation
In other words, once you’ve planned what you have to do, you need to work the plan. In the case of CASL there are four possible processes you need to do:
Lose the list
Some lists you have will not be worth bringing up to compliance. Or they may be unmanageable within the law. In other words, you can’t guarantee your employees will ensure the law is obeyed. For these you need to retire the list permanently and institute processes to prevent their reappearance.
Start over
Some of your lists will be important but so badly non-compliant that they cannot be reused. For these you will need to establish a new list. Then send out an email (before July 1) to the original list asking them to join your new list. Of course, the request will need to be coached in compliant terms.
Request confirmation
Some of your lists will be important and reasonably compliant or exempt. For these you need to send out an email (again before July 1) asking the recipient to confirm that they are happy with recieving the mailings. Track the responses. Those who do not respond need to recieve follow-up emails. Finally, those who don’t respond to any of the emails must be removed from the list if they are not exempt.
Advise your list
If you are lucky some of your lists will already be compliant. Theoretically, you need do nothing with these lists. However, you may want to send an email indicating that you are compliant and giving them the option to remove themselves from the list. You may loose some of your recipients but overall you should have better list as a result.
Change your processes
Bringing your existing situation into compliance isn’t enough. You need to ensure that the future situation will be compliant. This may involve changing software, processes, training and several other ongoing activities. In the case of CASL, as a minimum you will have to change the data collection process (usually software or web pages) to be compliant.
Ensure compliance
One of the problems you will face is that some people don’t want to do things the new way. In the case of CASL you will find people want to buy external mailing lists, they want to add people to their email contacts. You need to put in place a set of processes which will prevent doing so unless the result is compliant.
Audit the result
At this point you are (in theory) compliant both today and in the future. However, mistakes happen. Processes get missed. In the case of CASL, recipients are left on mailing lists when they should be removed and lists that are not compliant get missed. The purpose of the audit is twofold. Firstly, to find those human error situations. And secondly, to ensure that the new processes are working the way they are intended. In short, the audit proves that you are trying to be compliant and mostly are.
If you need assistance with planning compliance projects (CASL, AODA, BASEL, and others) please contact me directly (see here). I’d be glad to help.