Spam I Am – A Health Check for CASL Compliance

Law For Non-Profits is a simple and low-barrier digital platform offered by the Pacific Legal Education and Outreach Society. It’s designed to help non-profit leaders understand their legal obligations and compliance. This tool was created for non-profits working in BC; however, all other provinces in Canada will have similar laws with different names.

2024 will be the 10th anniversary of the introduction of the Canadian Anti-Spam Legislation (CASL), so it seems a fitting time for all organizations to do a health check on their own email and data retention policies.

CASL regulates many online activities, including: Commercial Electronic Messages (CEMs), which include email, SMS text messages, and instant messaging platforms; misleading and deceptive marketing practices; collecting email addresses without consent; and installation of computer programs without the user’s knowledge. Consequences of non-compliance can be severe, with fines ranging from $1 million for individuals to $10 million for organizations. Thankfully, enforcement has largely focused on achieving compliance rather than enacting punitive measures. So here’s an easy Best Practices Checklist you can use to ensure your organization stays in compliance and utilizes all the available tools to achieve your mission.

Implied Consent
While there are consequences to not following CASL, you can use the law to your advantage. Consent is considered implied when you have an existing business relationship. This includes if an individual makes a donation or purchase, volunteers, or attends an event for your organization within a two-year period of when the message was sent.

Charities Exemption
CASL does apply to registered charities; however, charities are exempt when CEMs are sent with the primary purpose of raising funds. This includes events, e.g. dinners, tournaments, or performances, where the proceeds flow to the charity.

Email Template
The template for all bulk messages - event announcements, newsletters, fundraising emails, etc. - should include Address and Contact Information for your organization, a Clear Unsubscribe Link, and a Clear Link to Your Privacy Policy.

Clear Opt-in Process
It is recommended to have a double opt-in process for electronic communication. A new follower who visits your website and opts in to receive email communication from you, including CEMs, should receive a follow-up email with a link to confirm their subscription. They opt in once when they sign up and a second time when they receive the confirmation email. For physical sign-ups at events or other in-person settings, your organization should ensure consent and retain the physical forms in a secure place with limited access.

Create a List Management Policy
An effective list management policy will restate the process whereby you collect, store and maintain your mailing list and its permitted uses. The list management policy should be consistent with your privacy policy and be shared with all staff, volunteers and directors. If you don’t have a Privacy Policy, we have tips for that [here].

Follow The Rules for Text & Instant Messaging
Communication tools such as SMS (text messages) and instant messaging platforms have become more prevalent since CASL was initially introduced. Use of these tools should follow the same rules as those in email. You must identify your organization in the message body, provide an opt-out method, and not use deceptive marketing tactics.

Educate Your Staff, Board and Volunteers
Of course, a policy that is written but not shared is of little use, so you must share the relevant policies - Privacy & List Management - with your staff, volunteers and board members. Privacy and List Management policies, perhaps paradoxically, thrive on transparency. Inform everyone at your organization why it matters and what the consequences might be if compliance is not maintained.

Regular reviews of these simple steps will help ensure that your organization is in compliance and will continue to be so for the foreseeable future.

Want to ensure your organization is following best practices? Try our free Privacy Legal Help Guide and get instant results to address any areas of concern. You’ll be provided with a checklist, sample documents, and resources to put your organization on the path to compliance.