Consent Matters: What the Canadian Privacy Legislations (CASL) Mean to Email Marketers

Tuesday, November 15, 2011 by eec Blog Contributor
Wow, that hour went fast!  The estimable Shaun Brown, partner, nNovation LLP, a law firm based in Ottawa, Ontario, Canada, spoke about the new Canadian privacy legislation – referred to as Canada’s Anti-Spam Legislation (CASL – an acronym that many speak like the word “castle”) – that has many email marketers confused on compliance requirements and timing.  Listen to the November 10th webinar (and we highly recommend it) for free here.

Brown compared CASL to something many of us already know – the U.S. CAN-SPAM law of 2003.   Bottom line:  In many areas – permission, notice, coverage and risk – CASL is much broader.
  • Scope:  CASL covers not just anti-spam, but also anti-malware, anti-hacking, and through related amendments to other legislation, control of content and misleading information, as well as privacy of personally identifiable information (PII) (harvesting, dictionary attacks).
  • Application/Jurisdiction:  CASL covers any message sent from or accessed by a computer in Canada (regardless of where the sender is located).  We are talking about all electronic messaging – email, instant messaging, SMS, social – plus anything new that comes along.  (Fax and voice are covered by Canadian do not call regulations.)
    1. Note that there is no minimum number of messages. So sending one message is enough to put you under jurisdiction of the law.
  • Coverage:  CASL applies to commercial activity, defined pretty broadly.  For example, Brown said in the webinar, if you are promoting a person who normally promotes a product or service or business opportunity -  even if you are not specifically promoting that product, service or business opportunity in the message -  then your message is covered.  
    1. Note also that any message sent to seek consent is considered commercial – so you can’t send a request for consent. There are no exceptions for research studies, for example. “This will have to play out in the courts in deciding what is ‘commercial,’” Brown said.  “I would not be surprised if this was challenged.” As the law is enforced, Brown says, we will have more guidance on what is considered “commercial” under the Act.
Compliance with the anti-spam aspects of CASL encompasses three broad categories:
  1. Prior consent – defined as either express or implied.  Both are acceptable for all situations and of equal value.  (Implied does expire, though.)
      a.    Express: Must include clear notice and the provision of a set of prescribed info from subscribers when providing consent.   The owner or any authorized user of the email address must give the consent.
      b.    Implied:  The Act deems implied consent when there is an existing business relationship (e.g.: a customer who has purchased in the past two years, or if there is a contract or a subscription which has been active in the past two years.)
      c.    Once consent is implied (e.g.: a purchase), you generally have two years to send messages in compliance (or obtain an express opt in).  An express consent never expires, and is valid until the individual withdraws consent.
  2. Information
      a.    Must include contact information for the sender and the subscriber.  It is not clear in the law what this must include.
      b.    Regulations are expected to define this further.
  3. Unsubscribe
      a.    An unsubscribe opportunity must be provided in all messaging and be available for  60 days post delivery.
      b.    Unsubscribe requests must have no cost, and use the same means by which the message was sent (unless impractical), either via replyto: or a link.
      c.    Must be processed “without delay” (and within 10 days) with no messages sent after the request.  This aspect may also be defined further with regulation.  “Senders must be able to demonstrate that you put forth a best effort to act on unsubscribe requests quickly, with the intent to stop messages,” Brown advises.
CASL was created with both public and private enforcement opportunity.  The Canadian Radio & Telecommunications Commission (CRTC) is charged with enforcement.  This is a civil enforcement agency; there are no criminal provisions.  There is a private right of action available to any individual impacted.

Right now, the law is not in force.  It was passed in December 2010 and regulations were published for comments this past summer. The Government is still working through those comments (there were many!).  No timetable is published for a second set of regulations; however Brown expects something by early 2012.   The government is also setting up a Spam Reporting Center, which will be a website to gather evidence and monitor trends as well as provide consumer education.

Key differences from CAN-SPAM
In preparation for enforcement, Brown recommends three primary areas for marketers and senders:
  1. Check your lists. Do you have consent – and evidence of consent?  The burden is on the sender to prove consent.
  2. Check location of subscribers where possible.  The law doesn’t care what the domain of the address is, or if the sender has a clue where the recipient is.  If the message is received on a computer in Canada then it applies.  If a sender does make an attempt to gather this data, this may be a factor in exercising the due diligence defense, where no one can be charged if they have shown due diligence to comply.  “Be sure you have a business objective in NOT complying with the Canadian legislation,” Brown says.  Note that reconfirmation of some permission grants may be necessary.
  3. Watch for regulations re: content of messages. The regulations will clarify the information required when obtaining consent as well as when sending a message.

As with any legislation, the devil is in the details.  The Email Experience Council recommends that you have legal counsel review the law and determine the next best steps for your organization. In the webinar, Brown gave his thoughts on some key business issues and applications:
  • Liability of service providers.  Telecom/ISPs are generally going to be exempt from liability under the anti-spam provisions where they merely provide the telecommunications service allowing the message to be delivered. However, it’s not clear if this applies to email delivery service providers.  “If you are merely providing a ‘do it yourself’ service and the customer manages the list and the unsubscribe, then it may be that the delivery provider is covered under the Telco exemption,” Brown says.  “This may be different if you offer a full service offering.”
  • Ownership of the message, for example, placing ads in an editorial newsletter or providing the name of the email delivery vendor in the message itself is not directly addressed in the law.  “In my view it doesn’t make sense from any perspective to say that the ESP is sending on your behalf, for example identifying the ESP in the message,” Brown says.  There were a number of comments on this as the regulations were reviewed this past summer, and Brown hopes that some clarity will be offered in future revisions.
    1. This brings out the question of where an agency or service provider is vulnerable by trusting their client.  If the agency or ESP sends unsubscribe data to the sender, is the agency responsible if the client doesn’t take action?  “The law is broad, so if you are aiding or causing a company to avoid compliance, then you are potentially responsible.  The way to manage risks like this is to inform your customers of their obligations, make sure you have the appropriate language in your agreements, and ensure the relationship agreements are clear who is taking responsibility for managing unsubscribe requests,” Brown advises.
  • Transactional messages.  The legislation does not refer to “transactional” messages.   The law does cover some types of messages that could be considered transactional (e.g.: service notices or warranty information).    The law states that these types of messages require an opt out.  “This somewhat confuses the issue, by listing out messages that, in many cases, are likely not commercial electronic messages and therefore not covered by the Act to begin with,” Brown explained.
  •   Point of Sale.  What if you ask verbally for consent at the POS?  Brown says that the original draft regulations from the summer declare that consent must be sought in writing only.    However, this may be removed based on the number of comments against it. “I would like to think that if you are entering this into a system form, and there is a date stamp, that this would meet the evidentiary burden under CASL,” he says.
    1. There is no legal requirement to send a follow up message, but “It’s always a good idea to remind people of their subscription and why they have provided consent.  It’s more of a relationship issue than a compliance issue,” Brown says.
  •  Is list rental dead?   A properly compiled permission based list is quite valuable, and the law does not forbid the rental of them.  “It’s not dead, but CASL places a higher onus on list owners and senders to make sure it’s done properly,” Brown says.
    1. The act of appending is not covered under CASL. It is likely covered under privacy laws, particularly if you are making changes to PII footprint without consent.  There may be some situations where appending data is allowed under CASL.   If you have a business relationship – e.g. purchases in the past year – then this append may be in compliance with the CASL legislation.
  • Mobile Access.  No one anticipates that certain one-off situations will be covered under CASL (e.g.: a US citizen goes to a coffee shop in Toronto and checks his Gmail account).  Brown expects that the government also did not intend the law to apply to Blackberry users worldwide when accessing email (e.g., through RIM servers located in Canada).   “I think the intention is not to apply the legislation so broadly,” he said.  It’s not clear how data centers for companies that are not Canadian based will be treated – although Brown expects that they will need to comply just as if the entire company was based in Canada. Messages sent from those centers will be “Canadian” under this law.
Many thanks to Shaun Brown and nNovation LLP for an excellent presentation and generous review of so many audience questions. nNovation LLP is a pre-eminent Canadian law firm that advises companies, industry associations and other private and public sector parties in their business relationships and practices, and in connection with a broad range of Canadian regulatory regimes. With several years of experience both in the public and private sectors, Shaun’s practice focuses on emarketing, ecommerce, privacy, and access to information.   

Thanks also to the eec's Deliverability & Compliance Roundtable, led by Matt Rausenberger of Return Path and Dennis Dayman of Eloqua, for sponsoring and organizing this event.

If you are not an Email Experience Council member, please join us for free access to these kinds of events and resources.  If you are a member and would like to join one of our member Roundtables (committees), please email Ali.


- Stephanie Miller
eec Co-Chair




3 Questions for Eloqua's Dennis Dayman

Friday, November 5, 2010 by eec Blog Contributor
This week at our European Email Marketing Conference in London, we caught up with Eloqua's Chief Privacy Officer, Dennis Dayman.

Read on for his predictions for 2011 as well as some information on Canada's new anti-spam law, C-28.


1) What are some of your top takeaways from this week's conference?

This year's European Email Marketing Conference (EEMC) was a great success! Marketing and email professionals from all over the world came together to discuss issues and challenges they face.

For myself and others, one of the known mountains we have to climb in the European Union (EU) is required permission for marketing. Marketing itself is the same throughout the globe, but in the EU, collection, processing and transferring of marketing information can be much more "difficult" at times due to the privacy requirements that surround it. This means to many here that new things like social media sharing have to have a new and different way of thinking when the uses are for marketing purposes. 

Many companies like Eloqua are global in nature and when launching marketing programs across their brands and customers, they have much more to think about than just hitting the "send" button; for example, explicit opt-in.

This week's conference really helped expose these known - and sometimes complicated - matters for global companies and how to solve them.  Lots of stories and examples were shared freely at the event, allowing others to get an idea of how to properly run a campaign no matter where you do business.

Thanks to all the participants for being so helpful to each other and participating at such a personal level. I am certainly looking forward to the Email Evolution Conference in Miami!


2) What are your predictions for compliance and privacy changes in 2011?


There are some major changes coming to the world of marketing in 2011.  Today, most of the world has some sort of privacy data protection in place, but many of the laws are being updated to keep up with changes in the industry and ways in which data is used. 

Here are some items to keep on your radar:
  • In the EU, starting in May 2011, dropping and accessing a tracking mechanism like a cookie will become illegal without explicit permission to do such.
  • US legislators might attempt another go at federal privacy legislation in 2011 which would require an opt-in to collect and process data.
  • By the end of this year, Canada is looking at putting into place an anti-spam law that will make the sending of "spam" illegal and prosecutable.

Over the next few years marketers can expect to see more privacy requirements imposed on marketing processes.  Much of this is due to the sheer volume of information being kept on individuals and this isn't something that shouldn't be feared as most of today's marketing best practices already ask you to obtain permission to collect and use data on individuals.

As these issues come up, be assured that we in the industry along with the eec/DMA will look out for your best interest.


3) Can you please provide an update on the recent anti-spam legislation in Canada?

As a quick recap, anyone sending commercial email from Canada or to someone in Canada will be subject to C-28 (formerly known as Fighting Internet and Wireless Spam Act - FISA). FISA requires marketers to get permission, either implied or expressed, before sending commercial email to Canadians.

While at EEMC this week, there was some good news that came from Canada.  Canadian anti-spam bill C-28 passed through House of Commons Industry, Science and Technology committee in 48 minutes (WOW!).  One objection was made to the short title (FISA) and it was removed from the bill. The bill now goes back to the house for a 3rd and final reading and a vote which means Canada might have anti-spam legislation by end of the year.

For more information about what is coming in the law, visit:
http://www.theemailguide.com/email-marketing/canadas-new-law-restricts-“spam-haven" and
http://www.thindata.com/aboutus/resourcecenter/fisa/pdf/The_Marketers_Guide_to_Applying_FISA.pdf


- Dennis Dayman
Chief Privacy Officer
Eloqua


Where Does Your Email Really Go?

Thursday, November 12, 2009 by eec Blog Contributor



The internet was designed to be a free exchange of information wherein anyone, upon a loose framework mainly having to do with networking and rendering capabilities, could join, share and digest what they wanted. Email was developed as a predecessor to the internet.  Again, one in which, as long as you had the most basic SMTP compliance between networks, messages would be handed off from point A to B.

Today, email has turned into a monumentally powerful marketing tool and communication channel that still rivals the internet and other upcoming social networks, regardless of which side of the "email is dying" debate you fall under. With email marketing, forward to a friend, sharing links, email filters and forwarders, along with major ISPs providing outsourcing solutions (like Google Apps), the audit trail of an email is sometimes all but impossible to decipher without CSI level forensic header analysis.

But, you don't care about all this.


What should you care about?

When you place an order to have something delivered with the USPS, UPS or FedEx, that item almost never leaves that company's chain of custody.  Meaning, if you dropped it off with FedEx, the recipient will most likely receive it with FedEx.  Again, there are exceptions, but the vast majority of the time this is the rule.  When you send an email out, though, it may be going to a Yahoo! domain address, then forwarded on to a Gmail domain address and finally rendered in Outlook 2007.  What can you do to ensure that your mail has the highest rate of making it to its final destination regardless of the cyber hops in the middle?

1. Ask your recipient up front if their email address is still, indeed, the right one to be using. I check over 8 different email accounts on a normal day, and with inbox email aggregators with dynamic collection addresses (such as OtherInbox), I probably have several hundred email addresses (with OtherInbox I can use disposable email addresses) that will get to me somehow.  However, the email address I used to sign up with your service when I was a fresh college grad using my Alumni account may no longer be at the top of my list.  So, I appreciate it when companies I do business with ask me if that's still the one I should have on my account.  If it is, I click through on a prompt when I log in.  If not, it takes 2 seconds to change.  I don't get asked this every time I log in, but perhaps, every 6 months or so to ensure the email address is fresh.  Guess what?  My Alumni account is forwarded to my Yahoo! account.  So, I changed it to have my Yahoo! account receive the email directly (and thus avoid any errant filtering on the part of my school).

2. Authenticate outbound email. Period.
DKIM was designed not to break when making multiple hops in an email's path to the final destination.  Unfortunately, SPF will break because of the technical nature of email headers, but with DKIM-enabled mail, if it comes through at Gmail verified and then is forwarded on to AOL, the DKIM signature stays intact and the message has a higher likelihood of being delivered.

3. Here's the bad part.  Just like you as a sender pushing mail out to a recipient, when email is forwarded to another domain by the recipient domain, the reputation and deliverability of that mail falls back on the ISP doing the forwarding.  For instance, I run my own domain hosted through Gmail.  When you send an email there, it gets forwarded to Yahoo! which is what I consider my central email nervous system.  But, sometimes, email from Gmail gets bulked at Yahoo! because of Gmail's reputation.  This means I don't get my mail.  What can you do about it?  Gently remind your subscribers to check their spam folders for mail that may have accidentally fallen prey to a filter somewhere.  In my case, I'll get email that randomly gets bulked (as opposed to breaking any obvious best sending practices) and have made it a habit to check my spam folder often.

4. Check your content in multiple web clients. Oftentimes, an email sent to a Comcast domain looks fantastic, but when forwarded to an AOL account, looks horrible.  Now, like in #3, a lot of this is out of your control if the actual content is changed en route by the ISP.  But, if you ensure that your content looks good in the different clients, you increase your chances that when an ISP doesn't reach in and play with the HTML when it's being forwarded along, it will look fine in the end email inbox.

5. Have unique identifiers in your unsubscribe links tying an email address back to a particular sender.  If I unsubscribe from my Yahoo! address on an email that was sent to me originally at a Gmail account but was forwarded on, you could end up shooting yourself in the proverbial foot.  I could have any wanted email to my Yahoo! account stop but the Gmail email continue.  Recipients will oftentimes set up multiple email addresses for one account, or across multiple accounts you as an ESP or single sender support, so directly tying that recipient's unsubscribed email address to their preferences (and not the one that happened to actually do the unsubscribing) is key.
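One way to build the unsubscribe identifier from point 5, as an added example that is not code from the original post: the link carries an HMAC-signed token naming the address the message was originally sent to, so a click from a forwarded copy suppresses the right address and an altered token is rejected. The key, the function names and the `sender`/`list` fields are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real system loads its key from a secrets store.
SECRET_KEY = b"demo-key-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(subscribed_address: str, sender_id: str, list_id: str) -> str:
    """Bind the link to the address the mail was originally sent to."""
    claims = {"addr": subscribed_address.strip().lower(),
              "sender": sender_id, "list": list_id}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(tag)


def read_token(token: str):
    """Return the signed claims, or None if the token is malformed or altered."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = unb64url(payload_b64), unb64url(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)


def unsubscribe(token: str, suppression: set) -> bool:
    """Suppress the address named in the token, whichever mailbox clicked."""
    claims = read_token(token)
    if claims is None:
        return False
    suppression.add((claims["sender"], claims["list"], claims["addr"]))
    return True


def may_send(address: str, sender_id: str, list_id: str, suppression: set) -> bool:
    return (sender_id, list_id, address.strip().lower()) not in suppression


if __name__ == "__main__":
    suppressed = set()
    # Mail was sent to the Gmail-style address and forwarded elsewhere (constructed).
    link_token = make_token("me@gmail.example", "brand-a", "weekly")
    print(unsubscribe(link_token, suppressed), suppressed)
```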

This is pretty technical stuff, folks.  But, in order to stay on top of the original intent of email being free flowing and having as few barriers as possible, you must be cognizant of the challenges in your path.  Reach out to your technical team to ensure you've got these points covered.  And remember, an email address is easily disposable.  We, as marketers, tend to see them as having high stickiness.  But, recipients can come and go with fluidity and tracking them along the way with their permission (ultimately their keeping you informed of their moves) keeps you in touch with your customers.
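For the authentication point in item 2, an added sketch (not code from the original post) of why forwarding affects the two checks differently: SPF is evaluated against the IP address of the server handing the message over, while DKIM's `bh=` body hash depends only on the message content, which also shows the content-rewriting risk from item 4. The SPF record, IP addresses and message body are constructed; only `ip4`/`ip6`/`all` mechanisms and DKIM "simple" body canonicalization are covered, and a full DKIM check also verifies the signature over the signed headers.

```python
import base64
import hashlib
import ipaddress

# Constructed SPF policy for a hypothetical sender domain.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 -all"
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, connecting_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for one client IP."""
    ip = ipaddress.ip_address(connecting_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed mechanism in the record
            if ip in network:
                return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def dkim_body_hash(body: bytes) -> str:
    """Compute a DKIM bh= value: base64 SHA-256 of the 'simple'-canonicalized body."""
    # Normalise line endings to CRLF (a convenience for this sketch).
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):  # drop empty lines at the end
        body = body[:-2]
    if not body.endswith(b"\r\n"):     # empty or unterminated body gets one CRLF
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def evaluate_hop(connecting_ip: str, body: bytes, signed_bh: str) -> dict:
    """What a receiver sees for one delivery attempt."""
    return {"spf": spf_check(SPF_RECORD, connecting_ip),
            "dkim_body_hash_ok": dkim_body_hash(body) == signed_bh}


# Constructed message body and the hash the sender would place in bh=.
BODY = b"Hello subscriber,\r\nYour weekly newsletter is here.\r\n"
SIGNED_BH = dkim_body_hash(BODY)

if __name__ == "__main__":
    print("direct:", evaluate_hop("192.0.2.25", BODY, SIGNED_BH))
    print("forwarded:", evaluate_hop("203.0.113.9", BODY, SIGNED_BH))
    footer = b"-- \r\nForwarded by mailbox provider\r\n"
    print("forwarded+rewritten:", evaluate_hop("203.0.113.9", BODY + footer, SIGNED_BH))
```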

Chris Wheeler
Director of Deliverability
Bronto Software
@ChrisAWheeler

Weekly Whitepaper Room Refresh

Monday, November 17, 2008 by eec Blog Contributor

Every week the EEC adds new content to its Whitepaper Room. Here are the latest additions:

eec: Top Ten Takeaways from the Email Compliance Seminar
Email Compliance: The Foundation of Reputation and Deliverability

Listrak: 221 Email Marketing Do's and Don'ts
Best Practices Reference Guide

Vidi Emi: Holiday Guide 2008
Six holiday email tips exposed

Email Checklist Series: Landing Page Checklist
This checklist shows you what to check to maximize the user experience and your bottom line with landing pages.

*Have a whitepaper you'd like to contribute? Email it to whitepapers@emailexperience.org.

Seminar on Email Compliance on Nov. 3 in New York

Friday, September 12, 2008 by eec Blog Contributor

This 4-hour seminar in New York is part of a ground-breaking series of email compliance-focused events. This specific seminar will cover the LashBack and UnsubCentral processes and deliverables within a framework of educating participants as to the need for comprehensive compliance process as a foundation to successful email marketing and email reputation protection.

Participants will learn the 10 Guidelines of CAN-SPAM compliance, with drill down on unsubscribe compliance, unsubscribe processes including suppression list best practices, the new FTC unsubscribe rule and compliance's overall impact on reputation and deliverability.

Email Compliance: The Foundation of Reputation and Deliverability
Produced by the Email Experience Council and the Direct Marketing Association
Monday, Nov. 3 at 1pm
eec/DMA Seminar Center, New York

Speakers:
John Engler, Vice President and General Manager, UnsubCentral
Bennet Kelley, Esq., Founder, The Internet Law Center
James O'Brien, Director of Marketing, LashBack

This seminar is $99, but eec members can get $20 off using the discount code "eecM."

>>Register Now for this seminar!

REPLY TO ALL: Am I Being Overly Paranoid About Spam Filters When Writing My Subject Lines?

Thursday, August 23, 2007 by eec Blog Contributor

Both SubscriberMail and Blue Sky Factory recently released lists of words that shouldn't be used in emails because they're likely to trigger spam filters. But I see some of these words—like "free" and "discount"—used routinely in the subject lines of commercial email that I receive. If I have a good reputation do I need to worry about content filters? Am I staying away from these words unnecessarily? —S.G.

The Voices of Email had this advice:

J.F. Sullivan: The answer should be no. If you have a good reputation then you do not need to worry about content filters. The actual answer is another question, as in it depends on two things: What's your definition of a good reputation, and which content filter are we talking about?

Everyone in the email marketing (and message security) ecosystem has a different view of what a good reputation actually means. For some it's as simple as making sure they are not on a blocklist; for others it may be that they are in compliance with a specific Sender Authentication implementation. In order to answer "yes" to the question, it may be more useful to provide a checklist summary of what a good reputation constitutes. So, if you can say "yes" to the following reputation aspects:

1. You have a good public reputation (not on blocklists, or have upset any ISPs).
2. You have good legislative adherence (e.g., CAN-SPAM compliance).
3. You have good infrastructure (e.g., DNS, MX records and the like).
4. You have good identity (e.g., you have a correctly configured SenderID record).
5. You have best practices (e.g., list scrubbing, opt-in, etc.).

…then yes, you do have a good reputation so you will not need to worry too much about content filters. And while your good reputation will work, say, 80% of the time, your actual delivery will still depend on the content filter you encounter to some degree. A subject for a much longer blog entry for another day…

Rob Fitzgerald: You always need to be aware that filtering exists, but I don't think you need to be ruled by that existence either. It's interesting to lay out all the various releases, of all the various words that shouldn't be used within an email, and see how incredibly long that list is. Sometimes it makes me wonder how you can actually put a string of sentences together without actually using any of them. Practically speaking, you have to use some words that may be "known" filter words. I don't think that should give you pause to run the campaign for fear of a lack of response. We've sent out many campaigns with the word "Free" on them that have performed very well.

I tend to look at it this way—it's all about moderation. Put together a creative with a lot of words that trigger filtering and it could be adversely affected. Give that same creative a diet, and keep some of those same words included, but not all of them, and I think you'll be OK.

Stephanie Miller: Despite the frequency that I receive this question, there is still no magical list of words to avoid, nor is the use of marketing terms like "free," "discount," "special offer" and "click here" an automatic block. Don't misunderstand. Those words can get you blocked. However, judicious, responsible and clear use of them usually won't.

Why? Because spam filters dynamically update to reflect current market conditions and spammer behavior. The only way to ensure your content does not depress inbox deliverability is to run every email through a series of popular message filters to determine your spam score before sending to your entire mailing list. You can do this through a service or on your own by setting up multiple accounts at different ISPs.

Here's how to optimize your message for response and deliverability: Write the copy as a marketer. Sell. Build the relationship. Clarify the offer. Make the call to action very clear. Then, test it. If you fail the spam filters, adjust it. Before you hit send, even if you pass the filter test, be sure to give your message AND subject line a "smell test." If your readers or subscribers will think it's spammy, so will the receivers. If you are using all capped, repetitive words that filters watch like "FREE SHIPPING THAT'S FREE" or using strange punctuation like ***NOW ON SALE***, then you are likely to be blocked.

Chad White: Inspired by this question, I did a little real world research and found that major online retailers have used many of the "dirty" words on SubscriberMail's list of words to avoid using in subject lines. How many have they used? They've used 27 of the 100 in the past two months alone. Some of the words—like "Free," "FREE," "Offer" and "Buy"—they used a LOT. So it's clearly possible to use these no-no words in subject lines under the right conditions. Based on that I'd say that you should explore using them but test to make sure your emails are getting through.

Have some good advice that we missed? Please add a comment and take part in the conversation.

Have a question for the Voices of Email? Email Chad your question at chad@emailexperience.org and we'll REPLY TO ALL by posting the answers so everyone can benefit.
