A great thing about MailChimp is that our 6 million customers and their billions of subscribers live all over the world. A not so great thing is that there’s no binding worldwide law for email. This means MailChimp users have to comply with US law as well as the laws of any country where they or their subscribers live. And it means that, even though MailChimp’s legal team is based in the US, we have to stay on top of any international laws that may affect our users.
One such international law has recently been creating quite a stir: the long-awaited Canadian Anti-Spam Legislation (CASL), which goes into effect on July 1 (but has a 3-year transition period). CASL has been touted as the most strict—and expensive—spam law in existence, so I’ll explain how it works and how it might impact users all over the world.
Before we get into it, here’s a friendly legal disclaimer: I’m a lawyer, but I’m not your lawyer. This blog post is intended solely for informational purposes. Determining legal compliance is a fact-specific endeavor, and as such, I recommend you speak with a professional familiar with CASL if you have any particular questions or concerns.
How CASL works
Following a long legislative history, CASL was finally passed in December 2010. With its July 1 enforcement date looming, people are worried about the practical implications of the law. Violators may be fined up to $1 million in the case of an individual or $10 million in the case of an entity. CASL will be enforced by three agencies of the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau, and the Office of the Privacy Commissioner. The CRTC has been the most vocal, providing guidance, an FAQ page, and other resources.
We published a Knowledge Base article about CASL as it applies to MailChimp, but here are a few highlights:
• One of the more noteworthy differences between CASL and CAN-SPAM or other spam laws is that it creates a hierarchy of consent, which can be express or implied.
• Implied consent can be established in a variety of ways. And depending on how consent is given (for example, via a purchase vs. an inquiry), it can last anywhere from 6-24 months. (Meanwhile, express consent lasts until it’s revoked.)
• There are many exceptions, including the reasonable belief that the message won’t be accessed in Canada. (This may be a good excuse to look at your geolocation reports or segment your list using .ca or other Canadian specific domains, thus reducing irrelevance for your non-Canadian readers.)
• The burden of proving consent lies with the sender. So it’s time to keep some accurate records. (And some even argue that MailChimp’s double opt-in method makes it easier to keep those records.)
Overall, CASL is a good thing. It’s encouraging people to document and gain proper consent from the people they’re emailing, which is something we’re always happy to see.
But like many good things, the intention doesn’t immediately line up with the result. Some argue the law is actually causing more spam right now, because people are trying to send messages to whoever they can before July 1. Also, parts of the law are so broadly written that the exact way it will be enforced requires a flow chart to explain.
That said, we’re not sitting around cursing the Canadian Parliament or anything. We’ve been requiring and helping users comply with CAN-SPAM for more than a decade, so this isn’t a scary, new role for us. No anti-abuse law is perfect, either. While CASL’s requirements are slightly different than CAN-SPAM’s, they still fight for the same goal: permission-based email campaigns with accurate information.
Incidentally, that July 1 deadline is a bit of a red herring. There’s a 3 year transitional period contemplated by CASL, during which you can still contact individuals from whom you had implied consent (for example, they bought a product). But you can’t contact any new individuals without consent.
Furthermore, CRTC legal counsel Emilia de Somma has said, "Our position at this point is valid express consent pre-CASL will continue to be valid, even if it doesn’t meet all requirements under CASL.” Of course, if you rely on that, you may need to prove that you had express consent in the first place, so check your records.
You shouldn’t ignore the July 1 deadline, since you need to make sure your consent and messages are compliant with CASL after that date. But if you don’t have documented express consent for everyone on your list on July 1, it’s OK. The general advice is that you should use this transitional period to reconfirm your list and turn those implied consents into express ones. Since MailChimp is designed for permission-based newsletters, we generally don’t let individuals reconfirm their lists through us. But we quickly realized that for CASL we’d have to make an exception. You can read the step by step instructions for reconfirmation in this KB article. We’ve also highlighted some areas you may need to change (like forms and footers), as well as some features you can use to meet your record-keeping requirements under CASL.
We haven’t seen a downtick in Canadian signups, and we expect to keep working with our Canadian users so they can use MailChimp while easily complying with CASL. Thanks for your help keeping the email ecosystem as tidy as possible!