CASL is more privacy law than anti-spam law

Michael Geist, a law professor in Canada, writes about the new CASL law, why it’s necessary and why it’s more about privacy and consumer protection than just about spam.

The law has at least three goals: provide Canada with tough anti-spam rules, require software companies to better inform consumers about their programs before installation, and update Canadian privacy standards by re-allocating who bears the cost for the use of personal information in the digital environment.

There are a lot of marketers out there that are really in a tizzy about CASL and about actually having to ask for and receive permission before sending mail to people. These are the same marketers who will tell you that they only do permission email. I’ve not quite gotten past the cognitive dissonance. They already do permission email, now they just actually have to keep some accurate records and have an audit trail.
The more cynical side of me says that the problem is that these senders who are stomping around ranting about how awful CASL is and how unfair are just pouty because they can no longer pretend they have permission. They actually have to have permission. They can’t bury an opt-in somewhere in a privacy policy, they have to have a real opt-in. They can’t tell a complainant “well, you opted in at some point, we just don’t know when” they have to be able to demonstrate the opt-in. They can’t just collect an email address and assume that address is a viable target forever, they have to either have a demonstrable relationship with the recipient or stop mailing the address after a few years.
Whenever I read about how awful CASL is, the underlying issue seems to me to be that marketers don’t like being told to stop taking permission from recipients. The marketers don’t like being told they have to respect consumers. Not only that, they really hate that if they violate the law they may be held accountable for that.
Canada was one of the last western, industrialized nations to adopt an anti-spam law. I do not think it’s coincidence that CASL is extremely consumer friendly. Canada saw what happened with other laws and wrote a law that was a lot harder for marketers to ignore.

Related Posts

Signup forms and bad data

One thing I frequently mention, both here on the blog and with my clients, is the importance of setting recipient expectations during the signup process. Mark Brownlow posted yesterday about signup forms, and linked to a number of resources and blog posts discussing how to create user friendly and usable signup forms.
As a consumer, a signup process for an online-only experience that requires a postal address annoys and frustrates me to no end. Just recently I purchased a Nike + iPod sport kit. Part of the benefit of this is free access to the Nike website, where I can see pretty graphs showing my pace, distance and time. When I went to go register, however, Nike asked me to give them a postal address. I know there are a lot of reasons they might want to do this, but, to my mind, they have no need to know my address and I am reluctant to give that info out. An attempt to register leaving those blanks empty was rejected. A blatantly fake street address (nowhere, nowhere, valid zipcode) did not inhibit my ability to sign up at the site.
Still, I find more and more sites are asking for more and more information about their site users. From a marketing perspective it is a no-brainer to ask for the information, at least in the short term. Over the longer term, asking for more and more information may result in more and more users avoiding websites or providing false data.
In the context of email addresses, many users already fill in random addresses into forms when they are required to give up addresses. This results in higher complaint rates, spamtrap hits and high bounce rates for the sender. Eventually, the sender ends up blocked or blacklisted, and they cannot figure out why because all of their addresses belong to their users. They have done everything right, so they think.
What they have not done is compensate for their users. Information collection is a critical part of the sender’s process, but some senders seem to give little thought to data integrity or user reluctance to share data. This lack of thought can, and often does, result in poor email delivery.


The DMA: Email marketing or spam?

A few weeks ago, I signed up for a webinar from the DMA. As is my normal process I used a tagged address. I don’t remember any notification that I would be signing up for mail, and I generally do look for those kinds of things. I also know a lot of webinars are used to drive sales processes and I prefer not to waste sales time if I’m not actually looking to purchase.
In recent weeks I have gotten an ongoing stream of marketing messages from the DMA. I’ve tried to opt-out, but the DMA don’t actually want me to opt-out. Each marketing message is a different type of message from a different list. Each list must be opted out of individually.
First it was Conferences, then it was Education, then it was Awards, then Events. I’m trying to figure out what’s next and how many more times the DMA is going to get to spam me before I just turn that address into a spam trap.
And before you tell me that I can’t make an address a spam trap, think about that a little bit. I never opted this mail in to receive anything but the webinar confirmation. I’ve dutifully opted out each and every time the DMA has mailed me. I’ve even tried to opt-out of all mail. Unfortunately, the DMA has placed the “opt-out of all mail” behind a registration wall, one I cannot get to as I do not have (or want) a DMA account.
The DMA is sending me mail I did not request and do not want. They have made it impossible for me to determine how much mail I will get. They have made it difficult for me to opt-out of all their mail.
This is an example of bad email marketing. I’m sure that the DMA will tell me this is all permission based email. I disagree. This is an example of the DMA taking permission. This is not an example of a sender asking for permission. I didn’t give permission to be added to all these DMA lists, and I have no way to actually revoke the permission that they took from me.
I signed up for a second webinar with this email address, one related to CASL. The irony is that the DMA’s behavior here is a violation of a number of points of CASL. First, there was no clear opt-in notice on the website. Second, CASL requires parity between opt-in and opt-out. If I opt-in once then I should be able to opt-out once. CASL puts an end to this opt-in once, opt-out dozens of times process.
I wish I could say I was disappointed in the DMA. But I’m barely surprised. Their track record is poor and they have typically fallen on the side of “I have consent until you force me to acknowledge that I don’t.” In this case, the DMA is demonstrating that quite clearly. They will keep spamming and spamming and spamming. I have no doubt were I to actually register an account, they would continue to spam me with “account notifications” that I was unable to opt-out of because they are transactional, membership messages.


Have fun storming the CASL!

I’ve given Humble Bundle my (tagged) email address a bunch of times – as part of purchases, as my username on their website, to download games and books I’ve bought.
And, naturally, they’ve sent me newsletters announcing when they have new sales. Did I check a checkbox or uncheck a checkbox? I don’t remember, and don’t really care. It’s a company I have a real relationship with and have purchased from, they’re sending content I want to see, and I trust them not to misuse my address and to honour an unsubscription request.
So … probably opt-in, and I’m fairly sure they’ve confirmed that it’s my email address. But did they explicitly tell me they’d use my email address for a newsletter? I and my email archive don’t remember that far back, and it’s quite possible that Humble Bundle’s current staff and records don’t either.
In today’s newsletter, right above their talking about their summer sales, they had this:
 
[Image: screenshot from the newsletter]
 
They’re confirming that I want to keep getting newsletters, and stressing why I want to keep getting them. Their database probably dates back to the iron age, or at least 2010, and my clicking on the big, friendly green button both lets them know that I’m an engaged subscriber and lets them record in their database that “Yes! This subscriber has explicitly said they want our newsletters!”.
Gradually adding that information to their subscriber database will let them better make decisions in the future about what content to send, how often, whether to try and reengage with a subset of their subscribers.
Oh, and there’s CASL, of course.
If you or your recipients have a Canadian presence you have a little less than eighteen months to make sure you have documented, explicit consent from any recipients for whom you only have implicit (e.g. business relationship) consent or for whom you’ve lost the original records.
