This blog is a continuation of a previous post
concerning the new Canadian Anti-Spam Legislation (CASL). Part I can be found
here.
This part will deal with how to prepare for this new legislation.
First of all, the question that comes to mind is what
we should do to prepare for this law. One must first understand that this law
deals with ALL commercial electronic communication from companies,
organizations, non-profits, individuals, etc. that send out email and install
software programs.
Let's take an example or three.
Your company has a booth at a trade show. You have a
fish bowl at your booth for a prize draw. After the show, you take all the
names of those people who entered the draw and add them to a mailing list. Then
as you prospect these potential clients, you send out an email soliciting
their business. Unless they have specifically 'signed' permission to allow you
to do this (OPT-IN), your company can be found in contravention of the law and
be fined up to $5 million.
Another example:
You have a web site where potential customers can
download marketing material on the goods or services you provide. However, you
require these web surfers to register before that material would be made
available for download. At the bottom of the webpage you have a check box
(which is already pre-checked for the user) allowing the company in question to
email further updates. This case could be interpreted as being an OPT-OUT
option because the check box is already prefilled. This would satisfy the
CAN-SPAM Act (US) but would not be deemed compliant with the new Canadian
law that requires an explicit OPT-IN option. And once again the company could
be liable for millions of dollars in fines.
And one final example:
You bought a software application to be installed on your
smartphone (or PC, iPad, Mac or tablet). When you start installing the
package, there is no explicit consent to allow for the installation, so the
software company would be liable. Also note that an End User License (EUL)
acceptance may not be enough to satisfy the requirements.
Find below a few suggestions that, I believe, would
help to start planning for compliance.
1) Take an inventory of all commercial messages that
your organization is currently sending, or planning to send. This includes text
messaging, Facebook campaigns, emails, etc.
2) Discuss and create policies and guidelines that
define what a Commercial Electronic Message (CEM) (as per CASL) is within your
organization. If there are any exceptions that are applicable these should also
be noted within the new policy.
3) Create an all-encompassing list of computer
programs that your company directly or indirectly installs on any electronic
device.
4) If applicable, create a list of all computer
products (and services) that your organization is involved with. This includes
not only the initial software installation but any updates/upgrades that are
part of your business process.
5) Discuss and create policies and guidelines that
determine when your organization needs to obtain consent for installation of
some software. Also note, while there are some exceptions (which should also be
documented), all the information will need to be retained for review at a later
date.
6) Review current consent that has been collected and
see if it complies with the new legislation. If not, a process may need to be
created to obtain consent using the new policies. This is further complicated
because of the three-year transition period mentioned within the law.
7) Document, clarify and create a process where
the end user can agree to enter into a commercial arrangement, yet withhold
consent to CEM.
8) Retain documentation/proof that a written consent was
obtained. This includes date, time and manner of consent. Further consideration
may also be needed if your organization allows for verbal consent rather than
written. Given the strong penalties that can be doled out, every type of
consent must be tracked.
9) Update the avenues of interaction between the
organization and the end user to reflect the new policies (see above). This includes
templates that are used to send out CEM, websites, social media, etc. Also be
aware that mandatory identity and contact information must be included in any
future CEM.
10) Create a process so that the end user can rescind
any previous consent. Remember that the withdrawal of consent must then also be
forwarded to any third parties and associated companies, if applicable.
Consider the above as only a guideline on how to
proceed. Again, I emphasize that this is not legal advice nor is it intended to be
all encompassing. Every situation is different.
If you have any questions or concerns, feel free to contact me.