Don't Fall into a CASL Trap

Think you've got this CASL thing figured out? Don't be so sure. The new law sets tripwires everywhere

By Dominic Jaar


YOU'VE PROBABLY already received the Canadian Anti-Spam Legislation (CASL) scare tactic pitch: administrative monetary penalties (AMPs) up to $10 million for a company; fines of $1 million per day and $1 million per violation; risk of class-action lawsuits against companies; reputational and operational risks. Let's discuss CASL from a business standpoint as organizations prepare for it to take effect on July 1.

Think of the legislation this way: CASL will enable Canadians to build anti-spam moats around their inboxes and your mission is to ensure clients, leads and business partners lower the drawbridge when your company's commercial electronic messages (CEMs) arrive, avoiding the consequences of non-compliance. The pitfalls leading to non-compliance with CASL are numerous. Consider these potential misconceptions and traps:

> EVERYONE IS SUBJECT
You might think that CASL only applies to sales and marketing departments. Wrong. While certain departments have probably set up databases that include people who have given consent for you to send them CEMs, CASL applies to all employees in an organization who send CEMs. Is everyone checking their recipient lists against these databases when sending CEMs?

Take me as an example. I have more than 9,000 contacts in Outlook. I can email them all even though I have no means of capturing their consent. I might think I'm being helpful when I offer people white papers or invitations to conferences. However, if even one recipient thinks otherwise, I'd better review my knowledge of employer liability and director and officer liability.

> BEING SOCIAL
Spam isn't just email anymore. Externally hosted platforms like Facebook and Twitter might not link to your internal databases, so you can't check a list of recipients that have given their consent. You can generally reach out to people you've already connected with. But what about people who regularly make new connections? Recruiters, for example, use LinkedIn for business development. If one asks you to connect with him, you can assume he sent you a CEM.

> LINES OF COMMUNICATION
A business might have all internal message-senders toeing the CASL line, but what if one reaches customers via agents? Insurance companies sell to brokers. Brokers sell to agents. Agents sell to retail customers. Ergo, insurance companies sell to end users, but not directly. What does one do if one feels spammed by an agent? Does one sue the agent, or the deep-pocketed insurance company the agent represents?

> THE LANGUAGE OF COMPLIANCE
In-house lawyers may believe they have their bases covered. They've told sales, marketing and IT about CASL and each department is addressing it. … Or are they? What they really need are reviewed business processes and practices, systems and guidance, but what they generally receive is a legal opinion that needs to be implemented. This type of gap keeps departments from feeling ready to deal with CASL.

They face other challenges, including lack of time or resources needed to implement systems. Departments don't always share the common language they need to work together on the matter. And not everybody understands that compliance means far more than simply buying a piece of software and implementing it.

> TELEMARKETING
“How are you this evening, sir? Have you heard about …” CEMs have largely eclipsed paper marketing and telemarketing, once much more dominant forms of sending commercial messages. These more analog methods aren't covered by CASL.

> WEB BROWSER TRACKING
Tracking cookies can be used to facilitate CEMs. How will your organization seek consent from those who browse your site? Will your site comply with “do not track” settings in popular Web browsers? Will it seek consent by popping up a screen for first-time visitors?

> CONSENT, SOONER OR LATER
For those pre-existing relationships where you cannot rely on implied consent, you will need to seek explicit consent by 2017. The question is, should you send that consent form now and run the risk that business leads don't opt in? Or would you rather wait three years and run the risk that those leads regard your messages as spam? From what I've seen, many organizations would rather be safe and send consent forms up front.

> WHERE TO GO FROM HERE?
To effectively comply with CASL, build the governance, technology and culture required into your business processes. CASL reviews and assesses an organization's implementation based on these processes, so that's what you need to do as well. Aim for compliance by design.

Dominic Jaar is a partner in the Advisory Services group at KPMG.
