1.
READY, SET, AUDIT!
PREPARING YOUR
ORGANIZATION FOR CASL
Matt Vernhout Shaun Brown
Director, Client Support Partner, nNovation LLP
& ISP Relations, TC Media
@emailkarma

2.
OUTLINE: PREPARING FOR CASL
1. Primary requirements
2. What we don’t know
3. How to prepare

3.
STATUS
• December 15, 2010 – Bill C-28 given Royal Assent
• August 2011 – IC and CRTC regs published for comment
• March 2012 – CRTC Regs finalized
• October 2012 – Final CRTC Guidelines Published
• January 2013 – Draft Industry Canada regs published
(part II)
• Spam Reporting Centre
• Coming in to force 2014 (?)

4.
WHAT IS CASL?
• Standalone legislation (CASL), amendments to PIPEDA
and Competition Act
• Rules for sending commercial electronic message (CEM)
• Rules for installing computer programs
• Prohibits hacking/alteration of transmission data

5.
APPLICATION
• Apply to any message sent to or from computer system in
Canada
• More than email: IM; SMS; social media; etc.
• Voice, fax currently excluded (covered by DNCL)

6.
COMMERCIAL ELECTRONIC
MESSAGE
• Any message where “it would be reasonable to conclude
has as its purpose, or one of its purposes, to encourage
participation in a commercial activity” including
• Product or service
• Business opportunities
• Promotes an individual who does any of the above
• Message to request consent deemed to be CEM

7.
THREE PRIMARY RULES
1. Consent
2. Identification
3. Unsubscribe

8.
EXEMPTIONS
• CEM sent between two individuals with personal or family
relationship
• Sent to inquire about or apply for service (i.e., purchaser
to vendor)
• Exempt from all requirements of CASL

9.
1. CONSENT (IMPLIED)
• Consent can be express or implied
• Four categories of implied consent:
1. Existing business relationship
2. Existing non-business relationship
3. Conspicuous publication of electronic address
4. Recipient has disclosed electronic address to the sender

10.
1. CONSENT (EXPRESS)
• CASL:
• clear notice, describe purposes, prescribed information
• CRTC Regs:
• Name of person seeking consent
• Name of person on whose behalf consent is sought, if different;
identify who is seeking, and on whose behalf
• Contact info for either of the above, including: Mailing address
and any one of telephone # (live or voice mail), email address or
a web address
• Statement that consent can be withdrawn
• CRTC Guidance:
• No pre-checked boxes; separate box not necessary if person
req’d to fill in email address next to request for consent

11.
2. IDENTIFICATION
• Identification requirements apply to all CEMs
• Identify sender as well as person on whose behalf
message is sent
• Name by which person carries on business
• Must indicate who is “sending” and “on whose behalf” the message is
sent
• Contact information for either of above
• Mailing address and any of telephone number/email address/web
address of either person
• Information must be set out “clearly and prominently”

12.
3. UNSUBSCRIBE
• Must be functional for 60 days
• No cost
• Same means unless impracticable
• Include either electronic address or link
• Must be “able to be readily performed”
• Must process without delay

13.
PUBLIC AND PRIVATE
ENFORCEMENT
Enforcement
Agency/Mechanism
Target/Application Penalties
Canadian Radio-television and
Telecommunications
Commission (CRTC) (CASL)
Consent, prescribed identification
requirements and unsubscribe
requirements
Administrative monetary penalties
(AMPs) up to $1 million/violation for
individuals; $10 million/violation for
organizations
Competition Bureau
(Competition Act)
False or misleading
representations in content,
subject line, sender info
Can pursue civil or criminal remedies;
AMPs similar to those available to
CRTC under CASL
Office of the Privacy
Commissioner of Canada
(PIPEDA)
Collecting, using disclosing
electronic address without
consent
Address harvesting and dictionary
attacks
No real powers for enforcement; can
make recommendations or pursue
order in Federal Court
Private right of action Violations of CASL, Competition
Act and PIPEDA
Actual and/or statutory damages

14.
INDUSTRY CANADA REGS
• Definition of personal family relationship
• Number of new exemptions
• Business communications within organizations and between
organizations with ongoing business relationships
• Response to request, inquiry, complaint or is otherwise solicited by
the recipient
• Messages targeted to non-Canadians, advertising products not
available in Canada; sender could not “reasonably be expected to
know” recipient is in Canada”
• Enforcing legal rights (e.g., court order, copyright, debt collection,
etc.)
• Third party referrals where referring party has personal, family or
existing business relationship with sender and recipient (exemption
from consent only)
• Use of consent on behalf of unknown third party

15.
WHAT WE DON’T KNOW: WHAT
IS A CEM?
• Where is the commercial “threshold”?
• What elements are commercial (hyperlinks, logos,
taglines, request to “like” on Facebook)
• What about “transactional” or “relational” messages?
• Section 6(6) refers to certain types of CEMs as exempt
from the need for consent if they solely (e.g., warranty,
subscription information, delivering a product, etc.)

16.
WHAT WE DON’T KNOW: HOW
TO TREAT LEGACY DATA?
• How does CASL apply to pre-existing lists
• Increased flexibility where:
• Consent not technically compliant (e.g., missing certain identification
requirements)
• Lack of evidence

17.
WHAT WE DON’T KNOW:
SENDING ON BEHALF OF OTHERS
• CASL states that messages must identify person sending
message, and person on whose behalf message is sent,
if different?
• What does it mean to send on behalf of another person?
• Does this refer to ESPs?
• List rentals?
• Both?
• CRTC Guidelines: a person who may "facilitate the
distribution of a CEM", but who has "no role in its content
or choice of the recipients” need not be identified

18.
BUILDING A CHECKLIST
• Who’s involved
• Where to start
• Data collection
• Before Broadcasting
• After Broadcasting

19.
WHO’S INVOLVED?
• Privacy/Compliance team
• Legal Team
• VP Marketing
• Database Analytics Team
• Deployment teams
• Account Teams
• Brand Managers

20.
DATA COLLECTION
• Audit Data Collection Sources
• Internal Sources
• External Sources
• Point of Sale
• Call Center
• Identification requirements
• Proper consent notices/options/scripts
• Contact notices

21.
BEFORE BROADCASTING
• Review CASL exemptions for this message
• Is it a CEM?
• Review the content
• Postal address, unsubscribe, contact requirements
• Review the list
• Remove addresses that have exceed 2 yr consent period as needed
• Review targeting of content to recipients
• Test functionality of all links and seek appropriate
approvals

22.
CHECKLIST REVIEWED
Functional Check (Level 1) Yes/No Yes/No Client/TD Deficiencies Noted/Comments
Images render properly
Alt tags in place and correct
Check for image maps
Links go to correct page or not broken
Links are tracked
Mailto functions properly and has NOTRACK
Display name and From Address are correct
Subject line is correct and does not truncate
Subject line does not contain illegal characters
View as web page included
Personalization is present and populating correctly
Personalization is pulling from the correct DB
HTML TEXT OVERRIDE
Compliance & EMS System Check (Level 3) Yes/No Yes/No Client/TD Deficiencies Noted/Comments
Postal Address included
Unsubscribe link present and working
Correct Database has been selected
Has the Seed List been added
Segmentation is correct
Recipient Count is Approved
Mailing List send to Duplicates option on
Reply Management is correct
Recipient Cap field checked

23.
Is this
a
CEM?
DO ANY EXCEPTIONS APPLY?
Email Message
CASL Does not
apply
Exempt
from
s 6.5?
Exempt
from
s 6.6?
Consent is not
required
Explicit
Consen
t
Implied
Consen
t
Proper
ID and
Unsub
?
Likely NOT
compliant
Ready to Send
 No
 Yes

24.
AFTER BROADCASTING
• Unsubscribe requirements being met
• 60 days of live access
• Unsubscribes are being processes
• Review metrics and begin next broadcast planning

25.
MANAGING UNSUBSCRIBES
K.I.S:
• Limit number of data locations for sync purposes and
timing
• Review current practices
• Identify responsible individuals
• Offer preference choices
• opt-down vs. opt-out
• Vendor options
• Most email marketing providers can manage this for you and supply
delta files

26.
RELATIONSHIP MARKETING
• Identified risks:
• Rolling window of consent
• Unknown data
• Mitigating risk:
• Reduce number of active databases
• Backfill dates when possible
• Re-confirm consent for the unknown address prior to enforcement
• Build automated solutions for sun setting users

27.
CASL COMPLIANCE TO DO LIST
 Watch legislative developments carefully: final IC regs, in-force date,
further guidelines/interpretations
 Review/modify practices for obtaining eMarketing lists, choose
vendors/partners carefully, bind to unsubscribe requirements
 Review/modify formats for eMarketing
 Ensure effective and timely unsubscribe
 Review/modify program installations, associated disclosures and
consent
 Ensure consent records are retained and retrievable
 Engagement of marketing, brand, technical resources to detect
issues, ensure compliance
 Start reviewing your digital marketing programs now

28.
THANK YOU
Questions?