Archive for the ‘Email and the Law’ Category

Canadian Anti-Spam Law Expert Talks CASL

Posted by Rob Ropars on March 12th, 2015


Interview with Shaun Brown, Canadian lawyer practicing at nNovation LLP and Canadian Anti-Spam Law (CASL) expert

These are the opinions of the guest and not those of Harland Clarke Digital. This does not serve as legal advice and is informational only. Facts and circumstances vary, so please seek the advice of counsel on the topics discussed below if you have further questions.

HCD: In the lead up to CASL’s final form, what surprised you most about the Canadian government’s approach to promulgating this law?

SB: The fact that it happened at all. It was a big undertaking, and it’s a fairly aggressive approach. When you look at federal privacy legislation, which has been in place for almost 15 years, the government has been working since 2006 to make relatively minor amendments to that law, and it still hasn’t happened.

In the same time period, CASL was drafted from scratch, addressing a variety of issues, and although it draws on the experiences from other countries, it was largely new. So, I think the most surprising thing was the government having the energy to draft and get CASL through the legislative process.

HCD: What do you consider to be CASL’s strengths as an anti-spam law?

SB: In many ways, the government tried to capture and reflect industry best practices.

HCD: Conversely, what are its weaknesses?

SB: CASL is very prescriptive. It’s a very detailed set of rules for sending email. While spam and malware can bring huge problems/threats, the vast majority of businesses are doing things right, and the emails they send aren’t a huge problem for most consumers. So, we have ended up with a large number of rules, in some cases redundant/overlapping to other laws, which now causes challenges for compliance. For example, there are various requirements for capturing opt-in consent, such as the requirement to provide more specific contact information and telling a person he/she can unsubscribe — these things can be a hassle.

HCD: Based on your dialogue with industries and businesses, what are the top misconceptions/questions you heard prior to CASL’s launch?

SB: A lot of people weren’t aware of allowances to transition existing databases, such as the transition provision for extending the time periods for implied consent, and the ability to grandfather those with existing consent obtained in compliance with privacy legislation.

Also, some didn’t understand the breadth of some of the implied consent provisions, specifically within the B2B space. For example, consent can be implied if someone gives you his/her email address, or if he/she conspicuously publishes his/her email address, so long as the information you send is relevant to what the recipient does in his/her business capacity. This can be quite helpful for B2B marketing where you have to essentially “cold call” people by email, which is less appropriate in B2C context.

Another example was how the Canadian Radio-television Telecommunications Commission (CRTC) was going to enforce the legislation. With penalties of up to $10 million per violation, there was a lot of concern that the CRTC would begin penalizing everyone for minor violations. This hasn’t been the case.

HCD: What are the top misconceptions/questions you heard since CASL’s launch?

SB: Generally the same as pre-launch, but the computer program rules in CASL went into force the week of Jan. 12 of this year. So for some businesses, the focus has moved to these rules, which are potentially more complicated as are the involved scenarios. The software portion of CASL does not impact as many businesses, whereas the anti-spam portions apply to anyone doing email marketing.

The computer rules don’t apply as broadly as a lot of people think at first glance. CASL only applies when a business is installing software on someone else’s computer, not self-installed software. A large number of software programs are self-installed, i.e., apps.

HCD: We are six months post-CASL’s official start date (7/1/14). What did you anticipate we’d be experiencing at this point?

SB: I thought we might see a few published enforcement actions by now, although I knew it would take some time. The fact that we haven’t seen anything yet is not a bad thing.

This indicates, to me, that the CRTC investigations are complex, and they’re not coming out looking to tag some bigger business with “borderline” enforcement issues. This suggests that they are looking at the worst behavior going on, and it’s complex with multiple levels and players potentially in various countries.

Of course that is largely speculative at this point. There were comments pre-launch that maybe this was going to dramatically change email marketing, and people weren’t going to use email any more. I haven’t seen any indication of that.

HCD: Related to that, what has actually transpired related to CASL enforcement thus far?

SB: The indications, so far, are that the CRTC is going to tend to be reasonable, and for the time being focus on the worst actors causing actual harm to consumers.

HCD: Looking ahead, what do you anticipate we’ll have seen occur when we reach the first anniversary of CASL’s launch?

SB: More of the same. We could see some enforcement actions based on my assumptions about the type of situations being investigated. I don’t know if that’s going to result in guidance to the average email marketer however.

For example, there are outstanding questions about what constitutes a Commercial Electronic Message (CEM) vs. a transactional message. I don’t know if the CRTC is focusing on those types of specific questions/scenarios. I don’t think they’re focused on things that impact the day-to-day reality of marketers. I could be wrong, but don’t expect to see anything that will dramatically impact what email marketers are doing in the next six months.

Shaun, I want to thank you for taking some time to talk with me and share your thoughts on CASL with the readers of Digital Spin.

UPDATE: Following my interview with Shaun, the first CASL enforcement has coincidentally occurred.

CRTC Chief Compliance and Enforcement Officer issues $1.1 million penalty to Compu-Finder for spamming Canadians


Enchantment, Deliverability and The Beatles

Posted by Kavita Jaswal on February 13th, 2015

The Email Evolution Conference (EEC) in Miami was all it promised to be. As we boarded the yacht of information and sailed along the smooth sea of industry-expert knowledge, I was able to soak in an abundance of informative ideas, trends and industry information.

Here are a few key points I took away from the conference:

Opening keynote speaker Guy Kawasaki spoke to the “Art of Enchantment.” He defined enchantment as, “the process of delighting people with a product, service, organization or idea,” and introduced this concept with the idea of creating an atmosphere of likability and trust in any given situation. He went further by stating that, “cultivating those elements into a service or product, we can ‘enchant’ a consumer.”

As marketers, our email campaigns rely heavily on engagement. We create and deploy several emails within one campaign, collect data, test and analyze metrics. But sometimes, no matter what we do, we do not get the results we are looking for. Kawasaki’s theory is not rocket science; anyone can assume that being “delighted” with a service or product would initiate the click of a button to open an email or request more information. Actually attaining that level of enchantment through elements such as likability and trust is the challenge.

An email marketing conference would not be complete without the topic of deliverability. In his Deliverability 101 session, Spencer Kollas spoke to the importance deliverability has on an organization as, “98% of brands use email as a marketing channel.” Clearly, this indicates the importance email deliverability can have on an organization’s overall marketing plan.

Kollas also discussed how, “78% of organizations globally have had deliverability issues within the last 12 months.” The results are not only staggering, but they prove the point that an organization must continuously monitor bounce rates, manage list hygiene and ensure its sender reputation is not susceptible to email filtering. The discussion led to various types of spam traps, and the impact they have on inbox delivery. Once an IP address is blacklisted in a spam database, 85-90% of mail can be blocked. These are frightening figures for any marketer, but it’s more proof that organizations need to proactively take all the necessary steps to stay clear of simple spam traps.

Through a series of cleverly chosen song and album titles, a panel of industry experts led a discussion on trending topics that encompass the future of email marketing.

The Beatles’ “Here, There and Everywhere,” began a discussion on today’s omnichannel consumer. Today, marketers have the ability to reach customers through multiple channels other than email. What does this mean for today’s marketer? While it’s still necessary to utilize and optimize an email communications plan, we must use a multi-level approach, which can offer any email campaign greater opportunity for success.

R.E.M.’s “Automatic for the People,” led to a conversation of traditional vs. behavioral marketing. Traditional email included the idea of filling up a marketing calendar with general content. Today, behavioral marketing is more impactful and easily accessible through data collection and marketing automation. The general idea was to go from being a push marketer to advancing into a pull marketer. This means instead of pushing out all sorts of content and information that is relevant to your brand as a whole, you take the time to learn more about what your consumers want to read by pulling in data and revising and personalizing your content calendar on a regular basis.

“Geekin’” brought about a discussion on the ever-present struggle between a company’s marketing department and respective technical teams. As we progress into the future, marketers need to get their left-brain wheels turning, so to speak. Technology is now a big part of marketing and everything we do seems to be more data-centric. In order to progress towards these technological advances, pairing up with other departments and working cohesively can ensure successful outcomes.

Beginning with a keynote session on enchantment, a seminar on deliverability and a panel discussion on what we can expect for the future of email marketing, the EEC proved to be an informative and insightful success.

For more insight from the EEC, check out the Twitter stream from attendees using the EEC15 hashtag.


Minor Details: When Kids Are Kustomers

Posted by Dave McCue on September 3rd, 2013

Are you marketing directly to minors? More importantly, would you know if you were? My son recently received a piece of direct mail addressed to him specifically, promoting an offer of a complimentary orthodontic screening from our dentist’s office. That in itself wouldn’t be much of an issue, except for the fact that my son is two years old.

To be fair, this communication was not completely out of the blue. We recently scheduled his first visit to the dentist, so the fact that his patient record existed in their database makes sense. What makes very little sense is that there wouldn’t be some indication in that database of his age, given the information we had already supplied. More than likely, while the information was available, it was simply not put into practice — with the end result being a postcard promo delivered to a recipient who is still learning his ABCs.

As a parent, seeing mail addressed to my child annoys me. As a marketer, it simply strikes me as sloppy. For any organization whose products or services cater to individuals of all ages, it’s important to have measures in place to properly identify those whose age indicates they need to be treated differently and/or excluded from communications altogether. An appointment reminder is one thing, a cross-sell promotion is quite another.

Beyond best practices and common sense, federal regulations demand that marketers pay attention to their use of data related to minors. In the online world, where children are becoming more tech-savvy at an increasingly early age, COPPA requirements will continue to adapt to the changing landscape and keep brands on their toes. Recent updates to COPPA, effective July 1, expanded the definition of protected personal information to include cookie data, photos, geolocation information, and more. For websites geared toward children this should all be high-priority stuff; however, for those that aren’t necessarily geared toward children, but could potentially draw interest from the younger age group, there is risk involved if proper processes are not in place.

Whether minors represent your target market or a rare use case, it goes without saying that they must be treated differently when it comes to marketing communications. It’s much easier to do wrong than to do it right.


Make Your Emails Fine, Not a Source of One

Posted by Dave McCue on June 21st, 2013

The affordability of email in comparison to other channels has long made it a preferred choice among organizations looking to communicate with their audience. However, as affordable as email can be, it is also a channel that must be respected in light of federal regulations designed to prevent abuse and/or misuse. Failure to do so can severely undermine the cost-effectiveness that helps make email so attractive.

One recent example should serve as a cautionary tale for any organization dealing in investment services and communicating related information to their customers. In May 2013, FINRA reported that it had imposed a $7.5M fine on LPL Financial LLC for failures related to email communications, the largest such fine in FINRA’s history. These failures prevented the company from properly retaining email messages at various times over a six-year period starting in 2007, a large number of which originated from independent contractors representing the company.

SEC Rule 17a-4 requires email messages related to securities to be retained and retrievable by the sending organization. This includes messages sent directly by the organization or, as noted above, any individual acting on behalf of the organization. This can also pose problems for organizations with multiple business units sending email independently, as there is often no central archive of sent messages. In other cases, such an archive exists, but is reliant on manual processes susceptible to human error/oversight.

Ideally, any organization sending emails that fall under the reach of SEC Rule 17a-4 should have an automated process in place to archive messages in a central location where they can’t be modified or deleted, allowing for the timely and accurate retrieval of any sent message(s) upon request. If this sounds applicable to your organization, SM:Vault from Harland Clarke Digital is uniquely suited to meet the requirements of SEC Rule 17a-4.

With the proper safeguards in place, you can rest easy that your email program will continue to be as cost-effective as it has always been.

LPL hit with largest Finra fine ever for email case (*login required)


What Does The Standard Privacy Notice in an Email Look Like?

Posted by Deanna Cruzan on June 3rd, 2013

The Gramm-Leach-Bliley Act (the “GLBA”) requires financial institutions to protect themselves against unauthorized access, anticipate security risks, and safeguard a consumer’s nonpublic information. It also prohibits individuals and companies from obtaining consumer information using false representations.

If a financial institution collects and receives nonpublic information regarding a consumer, it is required to disclose and provide written notice of its policies and procedures to its customers stating how the customer’s nonpublic information is protected and shared.

As financial institutions start utilizing emails as another communication channel with consumers, the question is often posed on what the privacy verbiage should look like within their email communications. I am not a lawyer and I don’t claim to be. So, my first suggestion is to not send out anything regarding privacy policies without gaining the approval from your legal counsel first. However, below are some privacy policy ideas that can be provided to legal counsel for approval.


As always, we are committed to protecting your privacy and we do not sell customer information to third parties. If you would no longer like to receive promotional emails from (COMPANY NAME), you may opt-out of these emails at any time by simply clicking on the unsubscribe link below.


Please do not send a reply to this email notification. If you have questions about this email, please call us at (COMPANY PHONE NUMBER), or email us at (COMPANY EMAIL ADDRESS).

Update your email address and preferences easily and securely through (COMPANY NAME) Online Banking and selecting “User Options.” To safely unsubscribe from (COMPANY NAME) emails, please click the link below.

As a general security policy, (COMPANY NAME) will never send an email that directly solicits you for personal information. We respect your privacy. For more information, please refer to our Privacy Statement.


Disclaimer Notice

© (COMPANY NAME). © All Rights Reserved. All (COMPANY NAME) deposit accounts are NCUA-insured up to $250,000. Hours may vary by location. Visit our Branch Locations for a complete listing.

(COMPANY NAME) respects your privacy. (COMPANY NAME) will never ask you to enter personal or account information in an email, or download an attachment from an email. Also, we will never ask you to verify your account number and PIN by phone. Any unsolicited requests for account information you receive through emails, websites or pop-up windows should not be considered a request from (COMPANY NAME).

If you have any doubt about the authenticity of an email from (COMPANY WEBSITE), simply open a new web browser, type in (WWW.COMPANYWEBSITE.COM), log in to your (COMPANY NAME) account safely and securely and then perform your online banking activity.

Privacy Statement

For details pertaining to our email practices, please click here to visit our online Privacy Policy.

(COMPANY NAME) and the (COMPANY NAME) logo and waves are registered trademarks of (COMPANY NAME).