7 Steps to Reduce CASL Risk – Part 2

Get ready to put those running shoes on because it’s time to sprint to CASL compliance. The deadline for the Canadian Anti Spam Legislation (CASL) is here. Is your business ready? In part one of this post, we covered what the July 2017 CASL deadline means to businesses.

Important June 8, 2017 Update: Canada has announced that it is suspending the Private Right of Action clause that was to take affect July 1, 2017. Everything else stays in place but this means that individuals can not file lawsuits as part of that deadline. Read more.

Today, we dive into seven steps to reduce your CASL compliance exposure. I say “reduce” because I don’t believe full compliance is attainable unless data and process is perfect. As we all know, that’s a utopia that just doesn’t exist in the business world.

The devil is in the details and companies can’t brush CASL under the rug any longer. What steps can you take today to reduce the CASL compiance risk for your organization?

Part 2 of a 2-part Post.

Part 1 provides the reader’s digest edition of CASL and focuses why the July 1, 2017 deadline is so important. Part 2 dives into the actionable steps you can take to reduce your compliance exposure.

Step 1) Establish a Worldwide Mailing Policy

Just 36% of companies have a written CASL policy. CASL Survey Report: Bridging the Gaps in Understanding and Compliance (PDF)

Does your organization have a documented policy for who gets mailed and when? A worldwide mailing policy is essential to defining how all of your records are mailed, how your data is collected and how to comply with global regulations.

“How your data is collected” is the major piece many companies miss. Assessing someone’s location is pretty hard when the Country value says “Karen” — yes, we see this all the time.

Don’t just discuss an email policy. Write it down so the policy becomes the bible for how your company mails and collects data.

If you are reading this, there is a likelihood that you have waited to the last minute to address the CASL problem at hand. Yes, your arm is broken with CASL so address that now–but there is a bigger picture of your overall worldwide mailing health. You might be able to skip some of the bigger picture initiatives for CASL but don’t wait too long.

Use the policy as a common denominator stepping stone for the upcoming European GRDP regulations (General Data Protection Regulation) coming in 2018.

  • How do you handle trade show leads?
  • Is a person that a Sales rep added to the system mailable? In most cases, this is a “No” from a CASL perspective.
  • Can we mail bulk lists of new leads from list sources like ZoomInfo, D&B and more? (Please NO).
  • What information is captured at Opt-in? Opt-in date? IP Address, etc?
  • How do we leverage the policy to create a Preference Center?
  • Is someone who fills out a demo request on our website automatically subscribed to everything?
  • How do we standardize our forms to collecting mailing data in a compliant manner?

If you want to get up to speed on the intricacies of 10 different international laws, read The Ultimate Guide to International Email Law by litmus.

Step 2) Get Your Systems Ready NOW

Make sure you start capturing all information about when someone expressly opts into your commercial electronic messages (CEMs) including the opt-in date and how the person opted in. It might be difficult to go back in time but that doesn’t stop you from setting best practices moving forward. Many systems capture these actions in their custom logs so you might be all set for the time being.

However, in many cases, those logs might not be exportable if you switch systems any time in the future. We are working with several clients that sit in this boat where they switched systems and all they have is Opt-out information. That doesn’t fly for CASL so figuring out Express consent is a bit of a manual process. As a best practice, we recommend collecting as much information on the opt-in as possible. How you do it varies on your system but try to capture…

  1. Create an Express Opt-in field to time stamp when a person explicitly opts in. Make it a DateTime field to capture the date and the time for more granularity. Also do this for the Implied Opt-in.
  2. Capture the form/activity completed. In a separate field called Express Opt-in Description, collect the form name or other identifying information to provide details into how the person opted in. If using Marketo, you might want to capture the last interesting moment.
  3. Capture other identifying information. If possible, capture the IP Address to show another level of proof.

The Judge Test – What Sounds Better?

When the lawsuit comes, what would you rather say?

  • Ken opted into our list on May 2, 2016 at 9:45 ET from a Google SEM campaign via the Best Practices form.
  • Ken isn’t opted out. His Lead Source says he came from Google PPC but the details exist in our previous system. We believe it happened some time in 2016.

For companies using Marketo, this is an example of a global campaign that listens for someone to explicitly opt-in. When that happens, the time stamp of that activity is captured. You may also want to capture the form that was submitted for further detail.

Step 3) Identify Canadian Records to Gauge Risk

See the Full CASL Infographic (PDF)

46% of respondents were unaware that an organization could be liable for statutory damages under CASL, which do not require proof of actual damages. CASL Survey Report: Bridging the Gaps in Understanding and Compliance (PDF)

Assessing existing data is a big loophole that many articles miss. How do you deal with records where you don’t know where they are from? Many companies don’t capture Country when new names are collected. This will require a bit of a data audit to figure out next steps. Go categorize the following three segments to gauge your exposure.

  • Canada Records. How many records are from Canada? (Country is Canada. Or email address ends in .ca)
  • Outside Canada Records. How many records are from countries outside Canada?
  • Unknown Records. How many Countries are blank? Dive into this bucket by using Inferred Country if your system offers that intelligence.

Looking ahead, make sure Country is captured on all your forms and included as part of your data imports. Enriching the data after-the-fact is another option.

We’ll use the above lists in the following few steps.

Step 4) Enrich Unknown Records

If all you have is an email address or you lack Country, you have several options:

A) Append Country with a Data Provider.

If you have been waiting to enrich your data in general, now is the time to budget this initiative. Go find any number of data providers to append and enrich your data.

If you signup for any of RevEngine Marketing’s services, our package includes the appending of Canadian Country records at no cost from Oceanos.  You’ll also get a no-cost assessment of your overall data health. Learn more.

B) Leverage Inferred Data.

For companies using solutions like Marketo, grab the inferred data and populate it into the Country value if blank (Or use the intelligence as part of your list).

Note: This method is not 100% accurate but serves as a good data point in your overall data analysis. Inferred data is deducted from the IP address which could be routed to the corporate office in another Country. For example, a company in Vancouver could have its traffic routed through its Seattle office and have its inferred Country listed as the United States.

Not capturing country? Leverage any Inferred data captured by your system to help identify Canadian records.

Hold this thought until step 6.

Step 5) Decide on Your Ongoing CASL Execution

There are about 10 permutations of ongoing CASL compliancestrategies, but most approaches revolve around these methods. Pick one and then refine for your business. Many B2B organizations are going with option B.

A) Go the Double Opt-in Route for Canada

The safest/most strict method for compliance is double opt-in where someone signs up on your site and then clicks a link in a confirmation email to accept further communications. This process is more popular for B2C organizations than B2B organizations because B2C content usually comes in the form of a newsletter. You don’t see too many one-off white papers from Best Buy, Groupon or other B2C brands.

Although you trade off some opt-ins, this method ensures the person who requested the content is actually real. It’s also a requirement of some European regulations.

This is a standard autoresponder from Groupon that someone clicks to approve the subscription.

B) Make All Your Forms Opt-in for Canada

In this case, make the opt-in box appear dynamically if Canada is chosen as a Country for all your content and evaluation request forms. Expect your opt-ins to drop significantly but that’s the name of the CASL game. And you can’t have the box pre-checked (Known as toggling) if you were thinking of going that route.

A risk here is lawsuit chasing where someone could enter a bunch of email addresses other than him/herself.  Those other people could claim they never signed up for the CEM and frivolously bring suit. This risk is low but it’s worth mentioning.

This form pops open a subscription email checkbox if Canada is chosen. On the flipside, we would recommend adding more detail to the type of content the subscriber will receive while also adding a link to the privacy policy. Also include language that the subscriber can unsubscribe at any time.

An example from Marketo. It has slightly better language but there is no mention of the ability to unsubscribe later. The language also lacks links to the Privacy policy.

A perfect mix of functionality and language which includes a link to the privacy policy, an explanation of future content. and a reference to future opt-out capabilities. See the Plex example.

A variation of this method is to leave the box unchecked but not allow the person to download the content unless the box is checked. This process puts a toll charge on the content by requiring the user to actively choose consent. I’m not sure how the lawyers love this technique but I like the creativeness.

Language for Signup Form

Feel free to modify but here is some templated copy for you to customize.

Yes, please sign me up to get the latest scoop on Awesome Company product news, events, updates and promotions via email. You may unsubscribe at any time. Please see our privacy policy for further details.

Awesome Company | 17 awesome Way | Awesome, NY | 95367 | 888-888-8888

I agree to receive emails from Awesome Company, regarding products, solutions and events. (You can withdraw your consent at any time.) Refer to our privacy policy for further details.

Awesome Company | 17 awesome Way | Awesome, NY | 95367 | 888-888-8888

C) Don’t Mail Anyone in Canada

You might laugh at this one but auto suspending people from Canada is one of the easiest way to become CASL compliant.

If your company does little or no business with Canada, this is an option to consider. When a new record arrives from Canada, just auto suspend that person. We have a client that didn’t want to risk the Canada exposure and this process works great for them. It also carries a lower implementation cost.

D) Use the Email Address to Verify Opt-in Policies

CASL allows for the typing of an email address into a field as explicit consent in some instances where the offer is the ongoing email communication or newsletter. This option is a variance of Option A.

What if the primary offer is a piece of content (White paper) combined with the below offer? That’s a gray area for your attorneys to decide but we are not recommending that approach as it adds a bit of risk. I’m still looking for a great example of this method, so email me if you know any companies using it. More info.

This specific example is from the CRTC website. If you like the language, adopt it. There is no safer language to use than the wording provided by the agency that enforces the regulation.

Step 6) Reactivate Your Canadian Implied One Last Time before July 1, 2017

Once you have assessed your data and figured out a process, send an opt-in email to your existing Canadian audience that you have defined as Implied.  Remember, the CASL transition period gives you up to July 1, 2017 to get most of your Implied to become Express. As always, double check with your legal team first.

Using the below example, the person would move to an express opt-in upon clicking the opt-in link. You’ll also want to time stamp when the activity occurred and note how it happened.

If you have 45 minutes, make sure to check out this amazing reengagement/CASL campaign presentation from Marketo’s Mike Madden and Stacey Thornbery that covers how Marketo obtained proper consent. Marketo’s campaign not only included a series of emails, it also included some retargeting campaigns.

You aren’t just limited to email. Create a cross-channel campaign to target Canadian records in your database in various social channels. This is an example from Marketo’s CASL reactivation campaign.

Step 7) Train Teams and Mail According to Process

This step sounds simple but process change is never straight forward. Your marketing team needs training on which lists to mail and not mail.

Of course, you’ll want to dummy proof the process as much as possible on the backend from a marketing operations perspective.

  • Setup different mailing segments and lists so process is followed.
  • Create a mailing segment where people can move in and out of different stages (Implied vs Express).
  • Marketing suspend as needed.

CASL Compliance Summary

If you have been putting off CASL compliance, this is your last chance. Don’t risk a lawsuit. Here is a quick checklist to make sure you are on track for Canadian records

  • Ensure your systems are setup to keep records to prove compliance if asked.
  • Always include unsubscribe information in your emails.
  • Mail to only Explicit or Implied (within date requirements) recipients.
  • Collect country values or you risk mailing to people in Canada if your US policy is less strict.
  • Include your business information in all emails (business name, postal address, telephone number or email address).

If you need help, please send me an email at jcoveney@revenginemarketing.com or signup for our no-cost CASL Readiness Assessment.

BONUS! Identify Canadian Records at No Cost

Only collecting email address? Don’t know which records are from Canada that need to comply with CASL?  We’re partnering with data provider Oceanos on a CASL-appending program that leverages social validation to identify Canadian records at no cost.* Learn more in the webinar or contact us now for more details.

* As with any data service. country match rates will vary depending on your audience and data. Since data accuracy  is not 100%, we recommend leveraging multiple data points to determine if a record is from Canada.  RevEngine Marketing and Oceanos are not responsible for inaccurate matches for compliance with CASL.

Disclaimer: This post is designed to help you better understand the compliance requirements CASL. We are not lawyers and this should not be considered legal advice. As always, please have your attorneys review your own mailing policy.

Your marketing technology experts.

At Digital Pi, we use technology to connect revenue to marketing efforts. We fuse marketing strategies, processes, data and applications to make marketing technology solutions work for clients' businesses.

Learn More
Share this resource

Cookies help us keep the site running smoothly and inform some of our advertising, but if you’d like to make adjustments, you can visit our Cookie Notice page for more information.