CASL and GDPR Compliance Best Practices for Marketers
Canadian Anti Spam Law (CASL)
I have been eating, sleeping and breathing the Canadian Anti Spam Law (CASL) since 2014, educating email marketers on who they can and can’t send emails to. Until July 2017, all of those discussions on best practices were just that, discussions. Now that there are dollar signs behind noncompliance, the world is taking it seriously.
I coached many national associations in D.C. on how to gain consent and executed many full-service consent campaigns for CASL. I’ve consulted with IT to add database objects with a date/time stamp recording when consent was collected, changed data collection methods to incorporate consent, and audited databases to ensure no Canadian records were added to digital communication databases without consent.
If they’re not careful, many marketers could still be sending to Canadian email addresses without suppressing subscribers whose implied consent has expired. They may be reaching out to a previous customer, a record with a prior business relationship, but those records should have been purged or suppressed once the implied consent expired. Don’t let that be you!
For communications, it boils down to consent: either you have it or you don’t. If you have it, you can continue sending digital communications. If you don’t, stop sending digital communications. It’s black and white compared to the gray of the CAN-SPAM Act in the United States, which allows anyone to send an email to anyone as long as there is a way to unsubscribe, leaving it up to the marketer hitting the send button to follow consent best practices. But like any other best practice or directive, if the consequence doesn’t have dollar signs involved, it’s more of an “if you feel like it” guideline, and that guideline often falls by the wayside when the goal is to reach the maximum number of subscribers possible.
For CASL compliance since 2014, you should already have implemented measures to collect express consent on all registration vehicles and forms. Express consent is when someone takes an action, such as checking a box, to give you permission to send them digital communications. Implied consent is when someone buys something from you or makes an inquiry, which gives you a limited time period during which you’re allowed to send digital communications. If you didn’t collect consent at the time the contact information was acquired, when they purchased from you or made an inquiry, you have a bit of time during the implied consent period to gain express consent. If you have no consent because you acquired a list, or the implied consent time frame is over, there is still hope: you can send them a direct mail piece that drives them to a landing page to collect express consent.
CASL Compliance Must-Haves for 2018
- Implied or express consent to send commercial electronic messages (CEM)
- All data collection methods have a checkbox or field that collects consent at the time of form submit or inquiry
- A data object in the database of record that stores the date/time stamp and ideally IP of the CASL consent collected
- A regular data hygiene routine that purges all email addresses from Customer Relationship Management (CRM) or any Email Service Provider (ESP) lists without consent to prevent marketers from inadvertently sending email anyway
Marketer Takeaway
“Don’t send communications to known Canadian records at all if you don’t have consent that took a specific human action to request those communications from you specifically.”
General Data Protection Regulation (GDPR)
CASL is mostly about how information is used; the General Data Protection Regulation (GDPR) takes it to the next level and governs how personal data on European citizens is acquired, protected, processed and used. Businesses are now scrambling to become GDPR compliant before enforcement begins in May 2018.
The way marketers use data and information to market products and services to European citizens most likely needs to change unless you are already 100 percent compliant. And if you are 100 percent compliant, you would be the unicorn in the marketing space. You may not market your products or services to the EU, but if your website and other digital properties collect IP addresses or other Personally Identifiable Information (PII) from traffic, including traffic from the EU, then your business will need to do something to be compliant even if you’re not using that information.
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
GDPR Compliance Must-Haves
- If your website uses cookies, a cookie policy notice that blocks content, so the website can’t be browsed freely without seeing it. Visitors are then only cookied if they take affirmative action to check the box agreeing to be cookied. Cookies collect information on website browsing sessions, including the IP address, which is considered personally identifiable information (PII) under GDPR.
- A privacy policy and/or terms & conditions that outlines specifically what information you collect, how that information is handled and who that information may be shared with.
- All data collection forms have checkboxes for Privacy Policy and/or Terms & Conditions that the person needs to physically check to give affirmative consent.
- All data collection methods have a checkbox or field that collects affirmative consent at the time of form submit or inquiry
- A data object in the database of record that stores the date/time stamp and ideally IP of the affirmative consent collected
- A regular data hygiene routine that purges all email addresses from CRM or any ESP lists without consent to prevent marketers from inadvertently sending email anyway
- A way to revoke consent at any time
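Both must-have lists above (CASL and GDPR) call for the same three things: a record of when, and from which IP, consent was collected; a hygiene routine that suppresses every record without valid consent, including implied consent that has expired; and a way to revoke consent. The Python below is an added example of one way to model that; it is not code from the original post. The implied-consent windows, the set of consent-required countries and the sample records in it are constructed placeholders (the post does not state CASL’s actual periods, so treat those values as configuration to be set with legal advice).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Consent types as the post describes them: express (an affirmatively checked
# box), implied (a purchase or an inquiry, valid only for a limited time), none.
EXPRESS = "express"
IMPLIED_PURCHASE = "implied_purchase"
IMPLIED_INQUIRY = "implied_inquiry"
NONE = "none"

# ASSUMED placeholder windows: the post says implied consent expires but gives
# no durations. Configure these from legal advice, not from this example.
IMPLIED_WINDOWS = {
    IMPLIED_PURCHASE: timedelta(days=730),
    IMPLIED_INQUIRY: timedelta(days=180),
}

# Constructed list of jurisdictions where this routine requires consent on file
# (Canada plus a few EU members for the demo). Unknown country is treated the
# same way, so a record with missing geography is never assumed to be safe.
CONSENT_REQUIRED = {"CA", "DE", "FR", "IE"}

# Fixed "now" so the demo and its checks are reproducible.
DEMO_NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass
class ConsentRecord:
    """The consent data object the post asks for in the database of record."""
    email: str
    country: Optional[str]                  # ISO country code, or None if unknown
    consent_type: str = NONE
    collected_at: Optional[datetime] = None  # date/time stamp of the consent event
    source_ip: Optional[str] = None          # IP captured at the time of consent
    revoked_at: Optional[datetime] = None    # set when the person withdraws consent


def record_form_consent(email: str, country: Optional[str], checkbox_checked: bool,
                        source_ip: str, now: datetime) -> ConsentRecord:
    """Create a record from a form submit. Only an affirmatively checked box
    yields express consent; an unchecked (or pre-ticked, never touched) box
    yields a record with no consent, which the hygiene pass will suppress."""
    if checkbox_checked:
        return ConsentRecord(email, country, EXPRESS, now, source_ip)
    return ConsentRecord(email, country, NONE)


def revoke(rec: ConsentRecord, now: datetime) -> ConsentRecord:
    """The 'way to revoke consent at any time' from the GDPR list."""
    rec.revoked_at = now
    return rec


def consent_is_valid(rec: ConsentRecord, now: datetime) -> bool:
    """Express consent holds until revoked; implied consent also expires."""
    if rec.revoked_at is not None and rec.revoked_at <= now:
        return False
    if rec.consent_type == EXPRESS:
        return rec.collected_at is not None
    window = IMPLIED_WINDOWS.get(rec.consent_type)
    if window is None or rec.collected_at is None:
        return False
    return now - rec.collected_at <= window


def may_send(rec: ConsentRecord, now: datetime) -> bool:
    """Records outside the covered jurisdictions are out of scope of this check."""
    if rec.country is not None and rec.country not in CONSENT_REQUIRED:
        return True
    return consent_is_valid(rec, now)


def hygiene_pass(records: List[ConsentRecord], now: datetime
                 ) -> Tuple[List[str], List[str]]:
    """Split a list into sendable and suppressed email addresses. The suppressed
    list is what the regular routine purges from CRM/ESP lists."""
    keep, suppress = [], []
    for rec in records:
        (keep if may_send(rec, now) else suppress).append(rec.email)
    return sorted(keep), sorted(suppress)


def sample_records(now: datetime) -> List[ConsentRecord]:
    """Constructed sample data covering each branch of the check."""
    return [
        ConsentRecord("express-ca@example.com", "CA", EXPRESS,
                      datetime(2016, 3, 1, tzinfo=timezone.utc), "203.0.113.10"),
        ConsentRecord("old-purchase-ca@example.com", "CA", IMPLIED_PURCHASE,
                      now - timedelta(days=800)),          # implied consent expired
        ConsentRecord("recent-inquiry-ca@example.com", "CA", IMPLIED_INQUIRY,
                      now - timedelta(days=30)),           # still inside the window
        revoke(ConsentRecord("revoked-de@example.com", "DE", EXPRESS,
                             datetime(2017, 9, 9, tzinfo=timezone.utc),
                             "198.51.100.7"), now - timedelta(days=1)),
        ConsentRecord("acquired-list-fr@example.com", "FR"),  # bought list, no consent
        ConsentRecord("unknown-country@example.com", None),   # unknown geography
        ConsentRecord("us-customer@example.com", "US"),       # out of scope here
    ]


def run_demo() -> Tuple[List[str], List[str]]:
    return hygiene_pass(sample_records(DEMO_NOW), DEMO_NOW)


if __name__ == "__main__":
    keep, suppress = run_demo()
    print("sendable:", keep)
    print("suppressed:", suppress)
```

Running the demo suppresses the expired implied-consent record, the revoked record, the acquired-list record and the record with unknown geography, while keeping the express-consent and recent-inquiry records. The point of the `source_ip` and `collected_at` fields is evidentiary: when consent is questioned, the record shows which human action, when and from where, created it.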
Marketer Takeaway
“As of May 2018, don’t send communications to EU citizens at all if you don’t have consent that took a specific human action to request those communications from you specifically and have systems in place that won’t collect data on any EU citizens without affirmative consent.”
Disclaimer: The content in this blog post is not to be considered legal advice and should be used for information purposes only.