On May 27th and May 29th, 2014, we hosted webinars with Maanit Zemel, an internet lawyer practicing in Ontario, all about the new Canadian Anti-Spam Legislation (CASL) for Non-Profits and Charities. All attribution for the legal information in this blog goes to Maanit, and we are very appreciative of the time she took to work with TechSoup Canada on to help prepare us all for these big changes.
The CASL webinars were at full capacity, and we had a very busy question and answer period. This blog outlines what we learned about CASL and what it means for nonprofits and charities. You can watch the webinar at any time for more detail, access the slideshow available on slideshare and read the CASL Q&A transcribed here.
As you read this, here’s something important to remember: Don’t panic! It may feel like an uphill battle right now to understand and implement all the changes you have to make, but think about the long term result. Everyone receives so much junk mail-- how many of your current email campaigns are reaching everyone you’d like them to now, anyway? Knowing that, soon, your emails will reach only those who said they were interested (by giving express consent) or interacted with you recently enough to remember you (because implied consent lasts 2 years) could mean you’ll have more effective commercial emails in the long-run.
An Overview of Canada’s Anti-Spam Legislation (CASL)
Spam is the problem, and CASL is the hopeful solution. Passed in 2010 by the Canadian government, this law shifts Canada from a country with one of the most relaxed approaches to spam to one of the countries with the strictest laws in the world.
At www.fightspam.gc.ca, anyone will be able to file a complaint about suspected spam mail.
There are 3 regulating bodies for this, and they are each responsible for a different piece of enforcing the legislation:
- CRTC – CEMs and installation of computer programs
- Check out the CRTC’s page on CASL here for a useful walk through
- Privacy Commissioner – collection of personal information and address harvesting
- Competition Bureau – misleading online advertising and marketing practices
The intention of the law is to create a Canada where everyone knows what emails they receive contain, who sent it, and why they're getting them. (There are two kinds of consent, express and implied, which will be covered later in this post.) Imagine an inbox like that! How does your organization help this dream come true? We’ll get to that. But first, a few reasons why implementing a CASL preparedness plan is crucial.
Reasons to Comply With CASL
- Administrative monetary penalties:
- Individuals – fines up to $1 million per violation
- Corporations – fines up to $10 million per violation
- Private rights of action
- Class actions
- Vicarious liability of corporation for employees
- Liability of officers and directors for acts of corporation
- Sweeping investigative powers (search and seizure orders)
To summarize, this means that non-compliance could result in a large fine, being sued, or facing a class action suit. It also means that liability isn’t just on an individual employee- a corporate entity can get in trouble for this vicariously, too. And finding yourself at the receiving end of a search and seizure situation would no doubt be uncomfortable. Proving consent to send CEMs is going to rest on the sender of the CEM, so keeping records of consent will be important.
Important Dates for Compliance
- July 1, 2014: Requirements for CEMS are in place. It is possible to be fined by the regulatory bodies, but private rights of action (being sued) won’t be in place until 2017.
- January 15, 2015: Requirements respecting computer programs are in place. This blog post does not discuss the non-CEM components of CASL, so check out the webinar recording for details.
- July 1, 2017: The transition period for implied consent ends (see the implied section for detail), and private rights of action are in force (being sued is possible).
What’s a Commercial Electronic Message (CEM) Anyway?
An email, text, instant message, tweet, or any other electronic message that has as a part of its purpose to encourage the recipient to engage in “commercial activity.” Even if there is no profit, it can still count as commercial activity. These are the examples Maanit provided in the webinar:
- Emails seeking donations
- Emails seeking volunteers / members
- Emails selling tickets to an event / lottery
- Emails promoting services
- Emails promoting a charitable event / activity
- Electronic newsletters
- Emails promoting the organization / charity
What Does a CEM Need to Include to Be Compliant?
- The recipient gave consent: this can be express consent (which lasts until unsubscription) or implied (which lasts 2 years). More on these definitions later.
- Identifying info of all the people it is sent on behalf of.
- A way to contact the sender.
- An unsubscribe option: this may be a button to click on through an email marketing program, or it could be instructions on who to email. Make sure your method unsubscribes the person within 10 days and is available for 60 days after the email is received.
Good questions to ask here are: Do I make it clear who I am when I send an email? Have I included my contact info? Can people unsubscribe and I can guarantee I will not email them anymore? Are the people I’m emailing people it makes sense to email, or did they ask to receive my emails?
Can I Just Email Everyone and Ask for Consent?
After July 1st, 2014, sending emails to ask contacts to give express consent will not be allowed. This means you can do this now, but not after July 1st, 2014.
What Counts as Consent to Send CEMs?
Express consent may be acquired orally or in writing, and must include:
- The purpose for which consent is being sought put “clearly and simply”
- Sender’s identifying and contact information and/or on whose behalf consent is being sought
- Statement that the receiver can withdraw their consent
For oral consent, records still need to be kept. Maanit suggested documenting this with a date attached, or sending a follow-up confirmation email.
Implied consent gets a little trickier. There are non-business and business relationships that allow for implied consent, and other general circumstances. This is what Maanit went over with us in the webinar:
Consent may be generally implied when:
1. the recipient has:
- “conspicuously published” his/her electronic address (on a website for example)
- has not indicated a desire to not receive unsolicited CEMs; and
- the message is relevant to recipient’s business role, duties or functions
2. the recipient has:
- disclosed his/her electronic address to sender without indicating a wish not to receive unsolicited CEMs (e.g., business card); and
- message is relevant to person’s role or duties in business or official capacity
Implied consent in a non-business relationship is:
- The sender is registered charity and CEM recipient made donation or performed volunteer work in the preceding two years
- The sender is a non-profit organization and recipient has been a member in the preceding two years
Implied consent within an existing business relationship is:
- In the two years prior to the sending of the CEM, the recipient had:
- Purchased / leased / bartered a product / good / service / land from the sender;
- accepted a business / investment / gaming opportunity offered by the sender; or
- a written contract is created between the recipient and the sender.
- Or - Six months before the message is sent, the sender received from the recipient an inquiry or application about one of the items above.
Once you have it, implied consent lasts for 2 years. There’s a little caveat at the early stages of implementation, however. A 3 year transitional period means that, if you have an existing non-business or business relationship with the recipient of the CEM prior to July 1, 2014, and you have been sending that recipient CEMs prior to July 1, 2014, then you have implied consent to send CEMs to that recipient until July 1, 2017.
Transitional period example:
- You bought an event ticket from my nonprofit on June 4th, 2014; I have your implied consent to send CEMs until July 1, 2017.
- Your friend will buy an event ticket from my nonprofit on July 4th, 2014; I’ll have their express consent until July 4th, 2016.
What About Exemptions?
I Heard Charities Are Exempt. Is that True?
CEMs sent by or on behalf of registered charities are exempt from CASL IF the message is for the primary purpose of raising funds for the charity. Fundraising has to the be the primary purpose, and Maanit recommends putting the ‘ask’ right away in the email. Clear intent is an important piece of compliance.
Not all charity messages are exempt-- just those that are clearly for fundraising purposes.
There are 12 other exemptions to consider:*
- “Personal” or “family” relationship (Maanit described this as a very narrow definition)
- A CEM that consists solely of an inquiry or application
- Solicited CEMs - sent in response to a request, inquiry or complaint, or otherwise solicited by the person to whom the message is sent.
- Internal CEMs – sent within an organization / business and it concerns the activities of that organization / business
- CEMs between organizations / business – if the businesses / organizations “have a relationship” and the CEM concerns the activities of the receiver business / organization
- CEMs sent to enforce a legal right
- CEMs sent within an electronic platform where “unsubscribe” and identifying information is conspicuously published and readily available (e.g., within a social network)
- CEM sent within a limited-access secure account by the person who provides that account (e.g., banking portals)
- CEM sent by a political party for the primary purpose of soliciting contributions
- CEMs sent to a foreign jurisdiction (but must comply with foreign anti-spam laws)
- Two way voice communications
- Faxes and voicemail messages sent to telephone accounts
And a few circumstances where you don’t need consent but must have identifying info and an “unsubscribe” option:
- Third party referral - the first CEM sent to a person based on a referral from a third party, after which consent will be needed for added CEMs
- Provision of quote or estimate in response to a request
- Warranty, recall or product safety information
- CEM that delivers a product or service, including updates and upgrades
- CEM that facilitates or confirms transactions
- CEM that provides factual information about:
- Ongoing subscription, membership, accounts, loans
- Ongoing use or ongoing purchases
- Employment relations or benefit plans for employees
* For detail on these exemptions, it’s a great idea to listen to the recording of the webinar. Maanit does a great job clarifying further with more legal detail.
How Can My Organization Prepare for CASL?
In Maanit’s presentation, she offers these 5 tips:
- Conduct an Audit
- Develop and Implement CASL Compliance Policies and Procedures to make a“Due Diligence” defence possible
- Provide Training and Education to employees and volunteers about CASL
- Review Contracts with 3rd Parties and include indemnification provisions for non-compliance
- Consider buying insurance for CASL
I highly recommend reading through the slides and listening to the webinar recording, as much greater detail is provided.
Maanit also created this great flow chart to help understand the process. Take a look and maybe print it out to refer to as you develop your own CASL procedures. Download the pdf here.
As you go through your CASL preparation, know that we at TechSoup Canada are going through it with you. It’s a learning process for us all, and we hope that this webinar will be a good first step for those charities and nonprofits that are wondering how to begin. As we learn more, we’ll be keeping an eye out for more resources, tips, and best practices to share. In the mean time, contacting a legal professional such as Maanit Zemel may help establish a process for implementing CASL specific to your own organization.