Canada’s new anti-spam law: are you ready?

As of July 1, 2014, Canada’s new anti-spam legislation will come into effect. The new law is designed to help combat the overwhelming amount of spam messages that most of us receive in our in-boxes, or on social media, everyday.

Here is an overview of what the new law is, how it affects your business, and what you can do to be in compliance with the new law by July 1.

What is the anti-spam law?

Bill C-28, aka Canada’s Anti-Spam Legislation (CASL), is a new law that regulates commercial electronic messages (CEMs). CEMs are “any electronic message that encourages participation in a commercial activity, regardless of whether there is an expectation of profit.” and include the following:

  • Newletters sent via electronic means to individuals
  • Private messaging on social media (Twitter, Facebook, LinkedIn, etc.)
  • Text messages via mobile devices

The new law will deter and, in time, eliminate much of the unwanted spam – especially those instances where the spam is a fraudulent attempt to gain personal information for the purposes of identity or financial theft, and/or to install malicious software on a users computer without their knowledge or consent (computer viruses, Internet browser add-ons that are opt-out only, etc.).

How does the new law affect me?

If you send out CEMs – regardless of whether you’re using the message to make money – this law affects you.

The new law will require that you, as the CEM sender, “obtain consent from the recipient before sending the message and will need to include information that identifies the sender and enables the recipient to withdraw consent.”

If you currently have names and email addresses on your mailing list that were not obtained with explicit consent via an email opt-in, you have two options:

  • Before July 1, 2014: you can email the recipient and obtain consent by simply asking if they’d like to remain on your list. If they say no, you must remove them.
  • After July 1, 2014: you will have to call or mail (via post) the intended recipient to obtain consent. If you email to ask for consent after this date, it is considered a violation of the new law.

For many businesses, this could be a difficult process as it can be hard to know who opted-in to messages legally, and who didn’t. In these cases, it might be a good idea to email your entire current list before July 1 with a new opt-in message to obtain consent. It’s possible to lose a few people with this process, but chances are they were the people who were added without their consent, or aren’t interested and are therefore not your target audience.

How will I reach new people once the law is in place?

Currently, email lists are often populated/created via buying email lists, and harvesting information from business cards, websites (blogs, business sites, etc.), social media sites, sign-up sheets (for contests, sporting events, etc.), and any other publicly visible way of seeing or obtaining contact information. Beginning July 1, many of these methods will be in violation of the new law.

Reaching new people is as easy as telling them via your website, Twitter feed, FaceBook page, LinkedIn profile etc., that you would like to communicate with them via email sometimes, and where to go to opt-in to those communications.

What exactly am I supposed to do to comply?

Recipients must receive an email asking them to confirm their choice to receive CEMs from you – and you must state clearly who you are, and what the recipient is opting in to. Once the recipient clicks “confirm” – you’re in the clear.

In each communication from you, there must be an opt-out/unsubscribe option. This option must unsubscribe the recipient without delay, and there can be no barriers to opting out (e.g., you cannot force a recipient to explain to you why they want to unsubscribe in order for the unsubscribe action to be successful).

What happens if I am not in compliance with the new law?

It could happen by accident that someone on your mailing list didn’t give consent, and you missed deleting them – mistakes are going to happen, but there could be repercussions. There are three government agencies enforcing this new law:

  • Canadian Radio-Television and Telecommunications Commission (CRTC),
  • The Office of the Privacy Commissioner of Canada,
  • The Competition Bureau.

Non-compliance might result in warnings or investigations from any or all of these agencies. By July 1, 2017, individuals will be able to take legal action against businesses or other individuals who are not compliant with the new law. This can result in class-action lawsuits. Fines for those who are found guilty of not complying could face fines up to ten million dollars per violation of the law.

Where else can I read about the new law?

This post gives the basics of the new law, but there is a great deal of information out there:

Industry Canada – Q&A about CASL

CASL Survival Guide (by Elite Email)

Government of Canada – Canada’s Anti-Spam Legislation

Government of Canada – Full text of Anti-Spam Law