The purpose of the Canadian Anti-Spam Legislation (CASL) is to more carefully control the use of spam (ie. unwanted Commercial Electronic Messages or CEMs) in electronic messaging. CASL came into effect on July 1, 2014. CASL applies to the majority of organizations in Canada, including McMaster University. All faculty and staff are expected to comply with CASL.
Guidance in complying with CASL is provided in the McMaster CASL Tool-kit and is also available from the contacts listed below.
The penalties for failing to comply with CASL are significant: up to $10 million for an organization and up to $1 million for an individual.
How to Comply with CASL
CASL requires that all CEMs contain the following information:
- The name of the McMaster unit sending the message;
- The mailing address, telephone number, email or web address for the McMaster unit sending the message; and
- Information about how to unsubscribe from future CEMs.
The unsubscribe mechanism should be present at the bottom of all CEMs using language such as:
“You may unsubscribe from the McMaster University [insert name of list] distribution list at any time by emailing [insert email address] or calling 905 525 9140 [insert extension].”
If a request to unsubscribe is received, the recipient must be removed from the distribution list within 10 business days of the request.
The following statement should be also be included in CEMs sent to internal recipients:
"You are receiving this message because you are a member of a subject specific internal email list generated by McMaster University and/or you are in a pre-existing business relationship with McMaster University. In either case, if you believe that you should not be a recipient, you may withdraw your consent to receive these messages at any time, in accordance with Canadian Anti-Spam Legislation (CASL) and subject to McMaster University policy, by contacting the sender of this message.
Please be aware that messages to McMaster University employees and students, sent for the purpose of conducting regular non-commercial University business, are not governed by CASL."
Prior to sending a CEM, a sender must have received the consent of the recipient. Consent may be express or implied.
Express consent occurs where the recipient has provided oral or written consent to receive electronic messages and remains in effect until the recipient unsubscribes from future messages.
Implied consent occurs where the recipient has:
- An existing business relationship with McMaster in the preceding two years;
- An existing non-business relationship (ie donors, alumni, volunteers) with McMaster in the preceding 2 years; or
- Conspicuously published their business contact information AND the recipient has not indicated a wish not to receive unsolicited CEMs; and your message is relevant to the recipient's business, role, functions or duties in a business or official capacity.
Tracking Consent & Unsubscriptions
Compliance with CASL includes implementing systems to track recipient consents and giving effect to requests to unsubscribe. Tracking systems can be as simple as a spreadsheet or as complex as an integrated database. Regardless of the system, the sender must be able to document addresses which have provided express consent and those which have unsubscribed.
Where a sender is relying on implied consent to send CEMs, the tracking system must be able to track the “expiry” dates of the implied consent categories. Implied consent normally lasts for two years so, to take advantage, McMaster entities planning on relying on implied consent to send CEMs should seek express consent as soon as possible.
How to Obtain Express Consent
Electronic messages requesting express consent under CASL are also considered to be CEMs. Unless the proposed CEM fits into one of the exemptions discussed above, the CEM should not be sent or the information should be delivered in an alternate format (such as by direct mail or a telephone campaign). However, requests for express consent can be sent where the recipient has provided their implied consent (as outlined above). Through this process, implied consent is “converted” into express consent.
Requests for express consent must contain the following information:
- The specific purpose for which express consent is requested;
- The name of the McMaster unit seeking consent;
- The mailing address and telephone number, email address or web address for the McMaster unit seeking consent (or a link to a website containing this information); and
- A statement indicating that consent can be withdrawn at any time.
If you are collecting personal information (such as an individual’s name, address and telephone number), the request for consent must also include a privacy statement containing the following information:
- The reason that the information is being collected;
- The legal authority for collecting the information;
- The contact number for a McMaster employee.
A sample privacy statement is provided below:
“Personal information is collected by McMaster under the authority of The McMaster University Act, 1976. Any personal information you provide to McMaster University (“McMaster”) is collected, used, maintained and disclosed pursuant to Ontario’s Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c.F.31 (“FIPPA”). McMaster uses the information to deliver information materials and for statistical purposes. The information will remain confidential and used or disclosed only in accordance with FIPPA. Any questions should be directed to [department contact] at 905 525 9140 ext [#####] or [name]@mcmaster.ca.”