Software makers respond to spam law

Earlier this year, in reaction to Canada’s anti-spam legislation (CASL), various organizations flooded their contacts’ inboxes across the country with requests for permission to continue sending them e-mails. Software developers also responded, marketing systems that help businesses comply with CASL.

Knowing little about CASL or the systems being marketed, I contributed to the “flood” by asking a list of lawyers for permission to request their expertise when researching this technology column for The Lawyers Weekly.

Better safe than sorry, I thought, but more than a few lawyers on my list told me I need not worry about CASL. I didn’t know that. I’m not a lawyer, which put me in with many owners of small and medium-sized businesses that don’t know how to comply effectively with CASL.

This uncertainty may spur interest in those systems that help businesses comply with CASL. The potential market may be huge if Canada’s stringent anti-spam stance is adopted elsewhere in the world, although “true” sources of spam (think Nigerian princes, marketers of sexual aids and blog comment spam) aren’t likely to invest in compliance technology.

“Much spam is generated offshore,” says David Elder, Ottawa-based Stikeman Elliott communications, competition and privacy law counsel. “We have yet to see any impact on real fraudsters as a result of this law.”

Kirsten Thompson notes that CASL applies to any message where a computer system in Canada is used to send or access an electronic message.

“Access means reading an e-mail, and my computer is in Canada, so presumably CASL is triggered,” says the Toronto-based McCarthy Tétrault counsel in the firm’s national technology group.

What repercussions might the Nigerian prince expect? “I look forward to seeing how the CRTC will handle the jurisdictional issues,” she says.

For now, only legitimate businesses take any interest in these compliance tools. “Some are complete solutions while others only address one aspect of CASL compli- ance,” says Elder, noting there’s no one- size-fits-all solution.

At the “simple” end of this range, technology support firm Nerds On Site published the Express Consent smartphone app ($4.99) which enables users to scan business cards and let their owners record their consent to receiving commercial electronic messages (CEM).

Charlie Regan, Nerds on Site CEO, says Express Consent was developed for use at networking events, trade shows and other in-person meetings. “Its purpose is to start an audit trail,” he says.

To cover more of CASL’s requirements, automated marketing solution provider Envoke added to its hosted e-mail marketing platform features such as auditing, proof of consent and reporting.

CASL Cure also professes coverage beyond bulk e-mail marketing. It checks every e-mail sent through a company’s e-mail server against a consent database. CASL Cure president Tim Graham says the product mitigates the risk of being slapped with the legislation’s attention-getting fines.

“If a governing body says to an organization that they sent an e-mail that’s offside, the organization can present a full report to regulators of every outbound e-mail a company has sent,” Graham explains.

Few people, including the software vendors, believe the technologies will ensure compliance.

“Given the ambiguity in the legislation, I’m not sure how technology solutions would be instructed to comply with the legislation when lawyers themselves are having difficulty figuring out how to apply it,” says Thompson, noting that few people know how the CRTC will react to complaints.

Some lawyers are concerned that the ambiguity of CASL doesn’t come through in the marketing for products that target compliance. “Don’t use the promotional materials from these companies as a replacement for legal advice,” Elder advises. (The fine print on vendor websites usually echoes that.)

For instance, CASL “doesn’t apply to every commercial message that you send,” Elder says. “It’s an important distinction that is glossed over in necessarily simplified promotional material.”

Compliance technologies must allow for CASL exemptions like those for business-to- business CEMs. For example, Elder notes that the “business card exemption” makes it irrelevant to record consent if the situation is one of business-to-business marketing. “If somebody directly exposes their electronic address to you and doesn’t say they don’t want to receive CEMs from you, you have implied consent to send them CEMs that are relevant to their businesses,” Elder says.

The opposite scenario may also arise. E-mail that isn’t considered a CEM might become one due to something as mundane as an e-mail signature.

“Many companies include in their signature blocks material that might encourage participation in commercial activity,” Elder says. Guidance indicates that a company logo is OK, “but if you have an ad saying ‘click here to download our 2015 catalogue,’ that might make the e-mail into a CEM even if the rest of the content isn’t.”

No technology ensures compliance on its own without documented ancillary efforts.

“In most businesses, you can’t eliminate that human element, so businesses that pursue technology must place equal emphasis on training and processes, expected employee behaviour,” Elder says. “You need to back this up with disciplinary action if necessary.”

The new technologies mentioned above arrived just after CASL became reality. Meanwhile, CASL received royal assent in 2010 and the CRTC published the final regulation in 2012.

“That’s a lot of ramp-up,” Thompson says. “These software solutions should have come out two, three, four years ago. Most of my clients have already spent their compliance budget” on training, processes and configuring their existing technology.

It’s not enough to “merely slap on a software patch,” Thompson adds. Some of her clients have multiple IT systems inherited from acquisitions that often don’t “speak” to one another. “I’m not sure layering another IT solution on top will help.”

Before buying another system, “understand the scope and limits of existing technology and whether or not it can be repurposed to help you comply” with CASL, Thompson advises.

Even simpler tools can suffice. “It’s easy enough to record in the notes field (of a contact application) that you received a business card from somebody on a certain date,” Elder adds. “You train your people to be aware of those sorts of things.”

This article originally appeared in Lawyers Weekly Magazine. To view a PDF of the print version, click here.

 

Leave a Reply