Whether your needs are for contracted or permanent resources, or that highly qualified executive to lead your organization, Breckenhill has the right certified professional for you!

Email Lists, CASL and Small Business
July 24, 2014

William (Bill) Wilson CISA, CGEIT William (Bill) Wilson CISA, CGEIT
CEO and Managing Partner
IT Governance, Audit and Privacy Specialist
Now that CASL has come into force, smaller businesses that do direct marketing via email are worried about how they bring their business into compliancy without spending a fortune.

Under CASL (Canada’s Anti-Spam Legislation) an email is considered a Commercial Electronic Message (CEM) if it encourages participation in a commercial activity, including, but not limited to: offering, advertising or promoting a product, a service or a person. As a small business that utilizes a mailing list for direct marketing purposes (sending out CEMs) you are responsible to ensure: you have the recipient’s consent; you clearly identify yourself; and you provide an unsubscribe mechanism.

There two types of consent referenced in the legislation: express and implied. Obtaining express consent (a definite indication of acceptance to receive the CEM from an informed recipient) is now required for most recipients.

This article will focuses on managing express consent (including unsubscribe) within an email client.

The utilization of emails to record subscribe and unsubscribe requests is easy to implement and manage for those smaller businesses with mailing lists containing recipient addresses in the low to mid hundreds and currently manage their mailing lists within the contact management portion of their email client. A consent manager can be created by dedicating one of the custom fields (such as note) to hold the details of the consent. These details should contain the date the consent was obtained, circumstances surrounding the consent and a reference to the actual consent (email, physical file, orally, etc.). Note: Although there is a provision to collect consent orally, it is always easier to validate against a physical indicator.

Since emails already contain the senders email address (yes these can be spoofed but that is another discussion) it is easy to create an email link that contains a predefined subject such as “Subscribe” and a body such as "Please sign me up to your mailing list”. That when clicked on will send a message to you indicating their desire (express consent) to be on your mailing list. It is important to note that the conditions and context of the mailing list is clearly defined and available to the user. This link can be easily included in the signature line of emails you send for normal business correspondence. Here is an example of the HTML code to add to your signature (replace the email address with your company’s email address):

<a ref="">Click here to subscribe to our mailing list.</a>

While this method works well within emails, the electronic collection of consent (subscribe) on a web page is typically performed by programming it to collect the information (email address, consent indicator, etc.) and store it in the consent management tool however the behaviour can be programmed to send the collected information via an email.

The unsubscribe feature can be done the same as the subscribe feature simply replacing the link with an unsubscribe message in the signature line of the CEM (again, replace the email address with your company’s email address):

<a ref="">Click here to unsubscribe from our mailing list.</a>

When a “Subscribe” or “Unsubscribe” email is received you can update your contact information accordingly.

It is important that you differentiate CEMs from normal business correspondence. If you use the same email address for both check to see if your email client supports multiple signatures. If so, create two signatures one with the subscribe link used for normal business correspondence and the other with the unsubscribe link to be used when sending out CEMs.