PPB November 2019

Understanding Canadian and U.S. Anti-Spam Laws: CAN-SPAM and CASL With the old U.S. CAN-SPAM laws, you could pretty much put anyone on your email list, so long as you allowed them to opt out by unsubscribing. But under GDPR and CASL, you are required to ensure everyone on your email list has opted in by getting their express consent. In Canada this means getting written/ digital or oral consent documented and maintaining records of the consent. In Europe, express consent is only written/ digital, and must be documented and recorded. With GDPR, you are also required to provide more disclosure over how the collected contact information will be used and allow someone to be fully purged from your database forever, known as “the right to be forgotten,” if they so request. As you can probably tell, the laws range in severity from CAN-SPAM as the most permissive to CASL, which is more “middle ground,” to the most robust and restrictive GDPR. These laws also carry significant penalties. While enforcement action is still relatively rare, a consumer complaint can trigger a government investigation. Companies have been investigated by the Canadian Government and fined up to $150,000 for violations in recent years. GDPR carries even heftier fines for violations (up to $20 million Euros, or nearly $22 million USD). CASL Versus GDPR CASL gives businesses a way to “ease into” compliance as it allows “implied consent” permission for up to two years, at which point you need to ask your list member for their express consent. Implied consent means you can email some people who didn’t give you written permission, but only for a limited time and within specific circumstances. Implied vs. Express Consent— Get Permission The key to staying in compliance with CASL and still running an effective email marketing program is understanding when you have implied or express consent to email your customers or prospects. You can send commercial messages to current, past or potential clients when you have implied consent. This means they’ve either a.) made an inquiry about your products or services, b.) purchased from you in the past, c.) their email is conspicuously published (this could mean it is public on their own website or in a printed directory), or d.) you are emailing them in their professional capacity (this covers most B2B emails). You can, of course, also email someone once you have express consent. This means they have expressly given you permission to email to them by digitally signing a form on your site or indicating their permission in writing through other means (i.e. you can make it part of your regular service contract or quote request form). For more on complying with this legislation, check out the Canadian Source: https://www.maximizer.com/blog/can-spam-casl-gdpr-difference/ CAN-SPAM CASL GDPR Passed 2003 2010 2016 Enforced 2004 2014 May 25, 2018 Scope Any commercial electronic mail messages (emails). Any commercial electronic messages (CEM), including email, SMS, audio and video, sent within Canada or messages routed through Canadian servers. Prohibits intrusive software like spyware and malware. Similar to CASL but includes tough personal data protection safeguards that must be 'built into products and services from the earliest stages of development.' Penalties Up to $41,484 for each separate email in violation (in ation adjusted). Up to $1 million ne for an individual and $10 million per business. Up to 20 million Euros or 4% of annual global turnover. Private Right of Action 'Internet access services' such as ISPs, MySpace and Facebook. Individuals and businesses. Individuals and businesses. Consent Rules OPT-OUT – you will continue receiving messages until you say no. OPT-IN – you give verbal or written consent before you receive CEMs with exception cases (an existing business relationship). For implied consent, you have a two-year window to send CEMs; after which you have to renew the relationship. OPT-IN – similar to CASL but extends opt-in rules to collection, sharing and processing of personal information. Requires renewed consent each time you want to use personal information in another way (with exceptions). Difference between International Anti-Spam and Data Protection Laws | NOVEMBER 2019 | 75 THINK