On Canada Day this past July, one of the world’s toughest laws against unwanted email came into force. Canada’s anti-spam legislation (CASL) has incited criticism and confusion among marketers and lawyers alike. In light of this new law, financial advisors should have taken a close look at their processes for sending out electronic messages by now.
CASL’s goal, according to government media releases, is to prevent Canadians from receiving emails they don’t want or didn’t ask to receive, and to prevent crimes such as identity theft and fraud. As well-intentioned as CASL may be, obeying it will take significant effort on your part. And although many legal and compliance experts say certain aspects of CASL are unclear and perhaps even unfair, there are steps you can take to minimize the chance that you will be caught on the wrong side of this new law.
The ramifications for breaking CASL range from “naming and shaming” by federal regulators to steep fines – up to $10 million for businesses.
However, it’s what will happen three years from now that might keep you up at night: on July 1, 2017, CASL will allow Canadian consumers and businesses to sue those who send them spam that violates CASL. There will be no need to prove damages or hardship to launch an action for redress, and complainants will be entitled automatically to receive $200 per email. This provision could lead to class-action lawsuits.
You need to take whatever steps are necessary to ensure that you and your advisory business aren’t at risk, says Robert Burko, president of Elite Email Inc., an email-based marketing company in Toronto. Burko perceives a general sense of ill-preparedness surrounding CASL compliance. There is confusion about the law, which, critics say, has not been promoted or explained adequately to Canada’s business community. Perhaps, Burko suggests, business operators are hoping the regulators will be busy dealing with only the most egregious offenders.
“The reality is that you might not get caught,” Burko says, likening CASL to traffic laws. “Not everyone who is speeding gets a speeding ticket.”
But, he adds, the only way to ensure with absolute certainty that you won’t get a speeding ticket is never to speed. And with CASL’s potential to tarnish reputations and destroy small companies financially, waiting to see who the regulators go after is risky.
Unfortunately, CASL is not the easiest piece of legislation to understand, says David Fraser, partner with McInnes Cooper in Halifax, who specializes in Internet, technology and privacy issues. The authors of CASL – which will be enforced by the Competition Bureau of Canada, the Office of the Privacy Commissioner of Canada and the CRTC – tried to encompass all forms of commercial electronic messages (CEMs).
CASL was developed over a number of years, beginning in 2004, a period during which online technology went through many changes. Spam-filtering programs, for example, have become significantly more effective and sophisticated since 2004. Further, layer upon layer of exceptions have been written into CASL. And the legislation leaves many unanswered questions, even for lawyers specializing in the area.
A key component of CASL is the concept of “consent.” The new law prohibits the sending of any CEM – an email, text message or message via a social-networking site, for example – to individuals and businesses unless the recipient has consented previously to receive that message. There are exceptions to this rule, says Wendy Mee, an associate with Blake Cassels & Graydon LLP in Toronto, but consent represents the starting point from which the rest of CASL flows.
Two types of consent are recognized by CASL, Mee says: express consent and implied consent.
– Express consent
Express consent is permission that is actively and knowingly granted by a recipient of your CEMs. It is the gold standard of consent, which you should try to obtain from all your contacts.
Express consent is prescriptive, Mee says, and it is valid only when the following information is included in the request for consent:
– a clear description of what you want consent for (to send a monthly e-newsletter, for example);
– your legal name or business name (as the sender);
– your mailing address, plus one other piece of contact information (email address, phone number or website URL); and
– a statement indicating that the recipient can withdraw consent at any time.
Additional requirements must be met when a person is requesting consent on behalf of someone else.
The two most common ways to acquire express consent, according to Burko, are through a sign-up option on your website for your mailing list or a confirmation link in an email. Express consent must be indicated through an affirmative action; pre-checked boxes on a registration form are not considered valid.
Blaine Conrad, a financial advisor with Ramey Investments Inc. in Dartmouth, N.S., began garnering express consent from his clients earlier this year through an email campaign. Conrad’s assistant now is following up by phone with clients and prospects who didn’t reply before July 1. Conrad considers this time-consuming task a small price to pay for compliance. “You just have to pay attention,” he says.
Conrad adds that he still has to pay close attention to his referral and networking activities. Conrad’s concerns are well founded, according to Fraser. Gone are the days when you could meet potential clients at a social event, then touch base with them via email afterward to see if they might be interested in your services. Getting express consent in a social setting would be awkward. (Having said that, an iPhone app called Express Consent, which documents a contact’s express consent when it’s provided orally, is available on iTunes.)
– Implied consent
Implied consent allows for situations in which obtaining express consent is not possible. Mee offers the following examples of scenarios in which consent is considered to be implied:
– Someone gives you his or her email address, or conspicuously publishes their email address (on a company website, for example), and does not indicate that they don’t want to receive commercial messages. What you’re sending must be relevant to their business.
– You have an “existing business relationship” (EBR), as defined by CASL. That means the recipient has purchased a product or service from you within the previous two years; has a written contract with you that is in existence or had expired within the past two years; or made an inquiry or application to you in the previous six months. A response to an inquiry also is an exempt message.
– Referrals and networking
Under CASL, if a client provides a referral, you may send to that person only one email, in which you name the person who gave you the recipient’s contact information, says Paula Amy Hewitt, legal counsel and privacy officer with Dundee Goodman Private Wealth in Toronto.
You have the transitional period – until July 1, 2017 – to examine your current contacts and either obtain express consent for each or refresh your EBRs.
Stephen Whipp, an advisor in Victoria, always uses the same approach when he is handed a business card: “I tell them, ‘If you give me your business card, you’re going to end up on our mailing list’.”
This practice might not be good enough for CASL, however. Whipp now must take another step, and track the process as clearly as he can to ensure that he has proof of implied consent. Says Whipp: “It really comes down to keeping good records.”
Hewitt would agree. Her advice to Dundee’s network of advisors when they encounter a prospect: create an audit trail as soon as possible. When exchanging business cards, she recommends, write on the back of each card you receive: the date and a note that the individual has agreed to receive commercial emails. With this in hand, you can contact the individual by email to confirm the verbal consent, ensuring your process follows all the other CASL requirements.
You must keep records that prove consent for three years, Hewitt adds. What if your prospect doesn’t reply or their response is vague – for example, they don’t click on the link provided in your email, then fill out the express consent form? “That’s when you have to follow up by calling,” Hewitt says, “or by some other means.”
Lawrence Geller, president of L.I. Geller Insurance Agencies Ltd. in Campbellville, Ont., believes that that last requirement – confirming by phone – will create an uneven playing field that favours large companies. This step places more pressure on small businesses because they are more likely to need to take this extra step, especially in the financial services sector. It is almost impossible to find a Canadian who doesn’t have an existing relationship with at least one of the large financial services institutions, Geller says, so implied consent is easier for larger companies to demonstrate.
– Compliance tips
Although much of CASL remains unclear for some legal experts, the following recommendations should help to minimize your chances of running afoul of the law:
– Assume nothing. A good starting point, Burko says, is to assume that no one in your database has provided express consent. Take steps to gain express consent from all your clients and other contacts.
Have a mailing list sign-up form on your website, with clear indications of who you are and what you intend to send. Sneaky, pre-checked boxes, Burko adds, should be avoided. Prepare an automatic “welcome email” to send to people who fill out your website’s sign-up form; this email should contain a confirmation link and restate the relevant information. Responding contacts would be considered CASL-compliant.
– Audit your contacts. You won’t be able to email your contacts if you don’t have consent by the 2017 deadline, according to Hewitt. You must start over with them and obtain consent or purge them altogether – unless you had an existing relationship and were sending commercial emails to the client or prospect before July 1, 2014.
You will need to move quickly to shift these clients into the “express consent” category before the three-year window closes. You will have just six months in cases in which an EBR consists of only an inquiry from a prospect.
And you should avoid hassling anyone with too many emails or calls to confirm their status. That can be off-putting, Hewitt says, and work against your goals.
– Be clear and up front. This is not the time to be fuzzy about what you are asking of prospects or clients. If you plan on sending out e-newsletters regularly or updating people or companies with market information via a social media site, tell them, and have them sign off on it electronically. Sales and prospecting are the higher-risk activities, so, if you are contacting someone for the first time, have a set link that takes them to your CASL-required information.
Randy Milanovic, principal with Kayak Online Marketing in Calgary, suggests going a step further. At the bottom of every email Milanovic sends, he is careful to insert a “this is how I know you” line. People forget what they’ve signed up for, he says: “[This step] helps create a record.”
Burko agrees that documenting your efforts to be CASL-compliant is critical. It can help to offset any action that may be taken against you.
If you are worried that you haven’t been CASL-compliant, don’t try to stay under the radar; it’s best to come clean, says Fraser: “There is a provision in the legislation that allows you to go to the CRTC and say ‘Look, I’ve messed up’.” Coming forward this way, he adds, will prevent any litigation concerning your admitted errors.
However, Fraser doesn’t recommend this step as a regular course of action: “If you have actually tried to comply and you’ve taken reasonable steps and exercised due diligence to prevent a violation, that is actually a defence under the legislation.”
© 2014 Investment Executive. All rights reserved.