Connexica logo

What is CASL and how does it affect me?

Tuesday 2 January 2018

What is CASL and how does it affect me?

The UK are months away from the EU wide GDPR compliance deadline of May 25th and organisations around the EU and the world are busily preparing their organisation. However, GDPR is not the only legislation that requires organisations to start taking data protection more seriously. One such example is Canada’s ‘CASL’ – hailed as one of the toughest laws of its kind in the world and which has changed the face of digital marketing and how organisations process and manage their data.


What is CASL?

Canadian Anti-Spam Law (CASL) is a new anti-spam law that applies to all commercial electronic messages (CEMs) – such as emails, texts, and social media – that an organization sends promoting a product, service or commercial offering. CASL came into effect in July 2017.

It requires customers to opt-in to CEMs rather than the more traditional approach of requiring an opt-out.

This opt-in is categorised across two permission types – explicit (or express) permission and implied permission. We detail what exactly this means later in this article.

CASL applies to any message accessed within Canada, which covers messages sent from anywhere in the world rather than just within Canadian borders. So as with the GDPR, despite it not being local to your country you still have to comply if Canada makes up part of your target market!

Penalty fines will be given to any non-compliant organisation, ranging from up to $1 million personal liability for company officers and $10 million for organisations.


What is a CEM?

A CEM is any electronic message that encourages the participant to take part in a commercial activity. This could be a voucher, special offer, promotion, or sale.

Please note there is a list of electronic messages exempt from CASL. Examples include messages that contain information regarding a product recall, safety messages, court orders, information regarding a purchase, etc. There are resources available on the web that detail the full list of electronic messages exempt from CASL.


What is the difference between express and implied permission?

Express permission is obtained when you explicitly ask the potential contact for permission to send them information via email. The language used must be clear and you must inform them who will be emailing them. It is also important to log when the data was collected, where it was collected and how they consented.

Implied permission takes place when express permission conditions have not been met but some pervious relationship exists. Examples of implied permission include:

 


What do you need to do comply?

The EU’s impending GDPR has some parallels with CASL and is seen as a harsher ruling than CASL, with heavier fines and a more thorough data handling processes.

 

  GDPR – General Data Protection Regulation CASL – Canadian Anti-Spam Law
EU Canada
  Regulation Legislation
Area Covers any messages sent to or received from the European Union. Covers all messages sent into or out of Canada, but does not include messages simply routed through Canada.
Opt out Unsubscribe must be honoured promptly. Recipients also have the right to be forgotten, or data erasure which requires the organisation handling the data to cease processing. Unsubscribe requests must be honoured immediately or within 10 days. The unsubscribe within a message must be valid for a min of 60 days.
Additional opt out Data processor must make it easy for recipients to opt out of further communications. Data processor must make it easy for recipients to opt out of further communications.
Penalties Fines of up to 20 million Euros or 4% of total annual worldwide revenue – whichever is higher. Up to $10 million per violation. Directors, officers, agents and mandataries of a corporation may face liability under CASL and be subject to an AMP up to $1 million per violation.
Age Parental consent must be provided for children under 16 years of age. Member stats can lower this ago to 13 if they desire. No age restriction requirements
Consent Senders must obtain either express or implied consent before sending CEMs and separate consent is required. The sender must keep a record of what information was shared in the request for consent, when, where and how they consented.

Pre-checked boxes are not permitted as consent.

Senders must gain separate consent requests and must keep a record of what information was shared in the request for consent, when, where and how they consented.

Pre-checked boxes are not permitted as consent.


How are Canada getting on with CASL?

So far only eight public fines have been reported all from organisations within Canada. These organisations are large entities such as Rogers Media Inc and Kellogg Canada Inc. For many though CASL hasn’t yet affected the organisations who are the main culprits – such as scammers and organisations outside of Canada – at whom the legislation was originally aimed at.

A Canadian Chambers Commerce recent survey found that:

Canadians had two years to prepare for the compliance deadline and many organisations still feel unprepared and confused about CASL.


Lessons learnt from CASL

There is a large group of Canadians pushing for a review of the legislation to hopefully stop legitimate businesses being punished.

The review pushes for:

The main lesson learnt is that organisations need more information and guidance regarding the do’s and don’ts of how to operate within the guidelines. Organisations themselves need to be more transparent within their data handling and processing so they can show accountability and visibility to both their data and legal bodies.


Data Discovery

Data discovery tools work perfectly to help answer both GDPR and CASL challenges.

The initial step in both cases is to carry out a data audit to understand where compliance is met and not met across the entire data estate – structured, semi structured and unstructured data simultaneously.  Data discovery software removes the need for someone to manually check online and offline systems to perform this data audit, alongside providing a platform to automate this process moving forwards.

Following the audit organisations need to catalogue all data assets that are affected by the legislation. Both GDPR and CASL require users to catalogue where data has come from, what permission/consent rights have been obtained, where the data is stored, and in the case of CASL a data stamp for implied permission. Cataloguing data not only helps organisations to effectively manage their data estate to ensure compliance but to also provide targeted services and promotions moving forwards.

As legislation like CASL continue to mature and GDPR comes into force the world will need to keep up-to-date with the ever-growing legislative requirements regarding data protection.

Related Posts

GDPR Blog 26th June 2018 by Jenny Jones
GDPR: How can Data Discovery technology be used to answer SAR’s?
Read more
A world map with a pad-lock with a tick on it 15th February 2018 by Steven Hooton
4 benefits of the GDPR for your organisation
Read more
Someone pressing a GDPR key on a keyboard 4th September 2017 by Steven Hooton
GDPR – What is going on and why should I care?
Read more
A stack of money on a note book with a graph on it 9th February 2017 by Steven Hooton
What does big data really mean for the financial sector?
Read more