This blog is a continuation of a previous post concerning the new Canadian Anti-Spam Legislation (CASL). Part I can be found here.
This part will deal with how to prepare for this new legislation.
First of all, the question comes to mind on what should we do to prepare for this law. One must first understand that this law deals with ALL commercial electronic communication from companies, organizations, non-profits, individuals etc, that send out email and install software programs.
Lets take an example or three.
Your company has a booth at a trade show. You have a fish bowl at your booth for a prize draw. After the show, you take all the names of those people who entered the draw and add them to a mailing list. Then as you prospect these potential clients you send out an email soliciting for their business. Unless they have specifically 'signed' permission to allow you to do this (OPT-IN), your company can be found in contradiction of the law and be fined up to $5 million dollars.
You have a web site where potential customers can download marketing material on the goods or services you provide. However, you require these web surfers to register before that material would be made available for download. At the bottom of the webpage you have a check box (which is already pre-checked for the user) allowing the company in question to email further updates. This case could be interpreted as being an OPT-OUT option because the check box is already prefilled. This would satisfy the CAN-SPAM Act (US) but would not be deemed complaint with the new Canadian law that requires an explicit OPT-IN option. And once again the company could be liable for millions of dollars in fines.
And one final example:
You bought a software application to be installed on your Smart Phone (or PC or IPAD or Mac or Tablet). When you start installing the package, there is no explicit consent to allow for the installation, therefore the software company would be liable. Also note that an End User License (EUL) acceptance may not be enough to satisfy the requirements.
Find below a few suggestions that, I believe, would help to start planning for compliance.
1) Take an inventory of all commercial messages that your organization is currently, or planning on sending out. This includes text messaging, Facebook campaigns, emails etc.
2) Discuss and create policies and guidelines that define what a Commercial Electronic Message (CEM) (as per CASL) is within your organization. If there are any exceptions that are applicable these should also be noted within the new policy.
3) Create an all-encompassing list of computer programs that your company directly, or indirectly installs on any electronic device.
4) If applicable, create a list of all computer products (and services) that your organization is involved with. This includes not only the initial software installation but any updates/upgrades that are part of your business process.
5) Discuss and create policies and guidelines that determine when your organization needs to obtain consent for installation of some software. Also note, while there are some exceptions (which should also be documented), all the information will need to be retained for review at a later date.
6) Review current consent that has been collected and see if it complies with the new legislation. If not, a process may need to be created to obtain consent using the new polices. This is further complicated because of the three year transition period mentioned within the law.
7) Document, create, clarify, create a process where the end user can agree to enter into a commercial arrangement, yet withhold consent to CEM.
8) Retain documentation/proof that a written consent was obtained. This includes date, time and manner of consent. Further consideration may also be needed if your organization allows for verbal consent rather than written. Given the strong penalties that can be doled out, every type of consent must be tracked.
9) Update the avenues of interaction between the organization and the end user to reflect the new polices (see above). This includes templates that are used to send out CEM, websites, social media etc. Also be aware that mandatory identity and contact information must be included in any future CEM.
10) Create a process so that the end user can rescind any previous consent. Remember that the withdrawal of consent must then also be forwarded to any third parties and associated companies, if applicable.
Consider the above as only a guideline on how to proceed. Again, I emphasize that this is not legal advice nor is it intended to be all encompassing. Every situation is different.
If you have any questions, concerns feel free in contacting me.