I’m a Canadian Marketing Operations Manager and I’m drowning in compliance work!
Risk reduction work. Privacy data cleanses. Meeting CASL anti-spam rules.
Every minute I spend on compliance is a minute I’m not generating revenue. And generating revenue is the whole reason I’m a Marketer in the first place!
If you work in digital marketing, then you know this feeling.
But being buried by compliance is just that – a feeling.
Join me on this journey where we explore the real number of hours spent on compliance work. You will learn what it takes to comply with CASL – Canada’s email regulations – the surprising consequences of breaking the law, and the likelihood that you will be targeted for an investigation.
Before we dive into the deep end:
I’m an experienced Marketing Operations Manager, working on marketing automation and CRMs since 2013. I know what I’m doing on the tech and marketing front.
I am not a lawyer. I just pretend to be one in the shower when no one’s looking. There are absolutely bound to be mistakes in this article. If you spot one, add a note in the comments.
I do not speak on behalf of my employer. These opinions are my own.
Ok, how much time do you actually spend on compliance work?
I have been time-tracking my work as an in-house Marketing Ops Manager for almost 5 years. This means that there’s a trove of objective data about the time I spend on compliance work.
I use the Toggl Track application for time tracking. I highly recommend it. And it’s free.
Pulling data from 2017 to March 2022, we see what portion of my work hours are spent on compliance work:
Some months it’s a whopping 27%. Those are the times when I feel like hanging up my hat, shutting down Pardot, and retiring to a simple life as a tomato farmer.
Other months, I spend zero time on compliance work.
Actually… there are many months when I spend under 2% of my time on compliance.
Work on privacy policies and CASL email compliance comes in waves. It’s not a steady high-workload. Turns out I do a lot less compliance work than I thought.
Here is another view of compliance work – the percent of time it takes year-by-year:
An average of about 10% per year is what I spend on compliance. Not so bad. And that was surprising to me.
So, what kind of “compliance stuff” do you do?
At my company, the Marketing Operations team is responsible for 2 main types of compliance (risk reduction) work:
- Purging marketing data from people who didn’t interact with us in 3 years. This cleanse is done every 6 months, and is required by an internal company policy.
- Compliance with Canada’s “CASL” laws around email marketing. This is required by a law that affects all Canadian companies.
Let’s focus in on CASL and what it takes for a Canadian business to stay on the right side of this law.
What it takes for a Canadian business to comply with CASL:
Here is an unofficial list of things I’ve seen large organizations implement in order to comply with CASL:
A. A database for tracking each “known” email address and the kind of mailing consent we have for it. This includes “proof” documents like screenshots and scanned business cards. There are at least 4 consent statuses to track:
- Opt-out (because of an intentional unsubscribe)
- Implicit consent to communicate (lasts 6 months)
- Implicit consent due to a business relationship (lasts for the duration of the relationship + 2 years)
- Express consent
- (Default status: Unmailable. No record of any consent = unmailable)
B. Proper sender identification in emails.
C. Ensuring emails have an unsubscribe mechanism. The opt-out must take effect within 10 days of the unsubscribe.
D. Proper “opt-in” functionality and legal disclaimer on marketing forms.
E. CASL compliance training for key staff members.
F. Integrations between the database in A and any other email-sending system impacted by an “unsubscribe”.
Most organizations would not build the kind of tracking database in A. It is very expensive, as it needs to be aware of business relationships, email unsubscribes, manual upload of scanned business cards from events etc.
Here is what Kim Arsenault – then Sr. Director at Inbox Marketer – had to say in a public consultation on CASL in 2017 (emphasis mine):
“…regulators should remove the confusion and requirement around six-month versus two-year implied consent. They should clearly define what express versus implied is and remove the time frame of six months and two years. It’s a big challenge for many companies, both small and large, to properly maintain this level of detail that can be constantly changing and updating. Not all technology solutions out there are equipped to properly document this.
If you think of a large enterprise company that has multiple lines of business—multiple customer relationship management systems, multiple CRM systems—and they all have a business need to communicate with their customers, many of these customers are going to cross over the various lines of business. To expect that all messages are going to be managed and controlled in one central spot is not realistic for many organizations today.”
Source: https://www.ourcommons.ca/DocumentViewer/en/42-1/INDU/meeting-82/evidence (section 1115)
A smaller organization would often use existing features of their email marketing tool to build a compliance system. It would cover some of the simplest “permitted to email” scenarios set in the law. The downside: such a system blocks people who are actually fine to email – because their consent is more complex/time sensitive/multi-layered.
Let’s look at a graph of just the CASL work I’ve done over the years. Here are specifics of what I worked on during each of the periods shown. If you’re interested in being a Marketing Operations professional then this will be part of your reality:
- Re-testing CASL compliance database to make sure every possible combination of implied and express consent ends up with the “correct final status”.
- Improving CASL status check tools so they can check 100,000+ emails at one time. This was laying the groundwork to a weekly mailability check of our entire email database.
- IT project: setting up our marketing forms so they pass consent data into the CASL database.
- Back from Parental Leave. In my absence, my colleague Lin did a great job connecting the Pardot marketing automation system and our CASL database.
Here, I corrected unforeseen problems caused by the way manual data uploads into Pardot interacted with our automated compliance routines.
- Researching if it was viable to purchase email lists or do web scraping under CASL. Spoiler: it wasn’t.
Part of the job is educating others why web-scraping emails is a bad idea.
- More troubleshooting of our automated CASL processes within Pardot. There are complex interactions here.
Note: If you are a Pardot user and you’re building something that involves multiple Automation Rules, make sure you build it as a “Finite State Machine”.
- Still discovering and resolving exotic edge-cases in our compliance system.
- May and Dec. 2021: ensuring that CASL training is part of onboarding for the people who need it. Verifying that our new hires finished the CASL training.
- Assisting the Sales Operations team with launching a Sales-focused nurturing tool that has to be aware of the CASL “mailable/unmailable” status of prospects. This included:
- Ensuring email footers contain mandatory text
- Ensuring all “unsubscribe” links work in tandem with our existing system
- Automated + manual routines to ensure the new tool can see prospects’ latest email permission status
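The consent-status tracking described in item A and the “Finite State Machine” approach recommended in the Pardot note above, as an added example that is not code from the article or from Pardot: each consent status is an explicit state, dated events drive the transitions, and replaying a contact’s history yields the final mailability. The durations come from the article’s summary; the event names, the precedence between statuses and the calendar arithmetic are this example’s own assumptions.

```python
"""CASL consent lifecycle as an explicit finite state machine (added example).
Durations follow the article's summary (6-month implied consent, relationship
+ 2 years, express, opt-out); event names and precedence are assumptions."""
import calendar
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

class Status(Enum):
    UNMAILABLE = "unmailable"            # default: no consent on record
    IMPLIED_INQUIRY = "implied_inquiry"  # 6-month implied consent
    IMPLIED_RELATIONSHIP = "implied_rel" # relationship + 2 years
    EXPRESS = "express"                  # assumed not to expire by itself
    OPT_OUT = "opt_out"                  # intentional unsubscribe

@dataclass
class Record:
    status: Status = Status.UNMAILABLE
    expires: Optional[date] = None       # None: no expiry scheduled

EVENTS = {"inquiry", "relationship_start", "relationship_end",
          "express_consent", "unsubscribe"}   # assumed event vocabulary

def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic, clamped to the month's last day."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def transition(rec: Record, event: str, on: date) -> Record:
    """One FSM step. Assumed precedence: unsubscribe beats everything, express
    beats implied, and an implied event never shortens a longer-lived consent."""
    if event not in EVENTS:
        raise ValueError(f"unknown event: {event}")
    if event == "unsubscribe":
        return Record(Status.OPT_OUT)
    if event == "express_consent":
        return Record(Status.EXPRESS)
    if rec.status in (Status.OPT_OUT, Status.EXPRESS):
        return rec                        # only the two events above change these
    if event == "inquiry":
        new = Record(Status.IMPLIED_INQUIRY, add_months(on, 6))
        if rec.status == Status.IMPLIED_RELATIONSHIP and (
                rec.expires is None or rec.expires >= new.expires):
            return rec                    # relationship consent lasts at least as long
        return new
    if event == "relationship_start":
        return Record(Status.IMPLIED_RELATIONSHIP)   # open-ended while it lasts
    if event == "relationship_end" and rec.status == Status.IMPLIED_RELATIONSHIP:
        return Record(Status.IMPLIED_RELATIONSHIP, add_months(on, 24))
    return rec                            # event has no effect in this state

def replay(events: list) -> Record:
    """Replay (ISO date, event) pairs in date order into the final record."""
    rec = Record()
    for on, event in sorted(events):      # ISO-8601 strings sort chronologically
        rec = transition(rec, event, date.fromisoformat(on))
    return rec

def mailable(rec: Record, today: str) -> bool:
    """True if a commercial email may go out on `today` (ISO date) under the model."""
    if rec.status in (Status.UNMAILABLE, Status.OPT_OUT):
        return False
    return rec.expires is None or date.fromisoformat(today) <= rec.expires
```

Feeding every combination of events through `replay` is the kind of “correct final status” check the re-testing item above describes.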
It is a lot of work.
It is also complex work – you need to understand the law; explain guidelines to new hires; stay vigilant for errors; and know enough about software so you can support IT when they integrate your CASL database with different systems.
The above list only captures my personal tasks. What you don’t see is the work done by others:
- Creating CASL training programs for staff, answering legal questions – Corporate Counsel
- Developing a CASL tracking database, coding integrations – IT Team
- Following extra CASL-compliance steps as part of every email campaign – Marketers
Lots of unglamorous work.
But what if you just… didn’t do any of this?
What would happen if you broke the law?
I got curious about the consequences of breaching the law. And there was one way to find out – learn what happened to past violators.
Who enforces CASL, anyways?
Technically, 3 organizations enforce CASL: the CRTC, the Office of the Privacy Commissioner of Canada (OPC) and the Competition Bureau. They jointly police different aspects of CASL.
They finance and run something called the Spam Reporting Centre (SRC), a database where Canadians can report CASL violations.
In practice, though, only the CRTC is active in enforcing CASL.
(The only instance of OPC enforcement of CASL was when the CRTC brought them in to “tag team” Compu-Finder.)
Lucky for us, the CRTC maintains a public registry of all CASL enforcement actions.
I set out to read all enforcement actions and decisions related to the parts of CASL that apply to email marketing. As of April 2022 that’s 22 documents. Dry, dry documents.
What I learned from reading every CASL enforcement action bulletin:
Now, a reminder: CASL came into force on July 1, 2014. It’s been 8 years. Companies that are household names have been caught up and fined. In 2015, Plentyoffish Media Inc. was whammed with a $48,000 fine for emailing their own registered users with messages that:
Why is the CRTC intent on blocking couples from meeting on the same site where my wife and I did? How DOES the government expect us to populate the vast Canadian wilderness under these conditions!?!
How does the CRTC choose targets for investigation?
Let’s start by looking at what kind of people are targeted for CASL violations.
Reading through enforcement actions, the CRTC seems to use a few approaches when picking their targets:
- Go after big brands – make some noise: Gap Inc., Kellogg Canada, Rogers, Porter Airlines
These are high-profile targets. A fine against them spooks all the smaller businesses into compliance. “If they got Rogers, they can definitely get our smaller company”.
This is a cost-effective way of getting maximum compliance from businesses with the least resources spent.
- Enforcing the whole range of CASL:
It seems that the CRTC pursued cases that let them implement the whole range of the law, with at least one action against each type of violation:
- Plentyoffish: unsubscribe mechanism not prominently visible
- Porter Airlines (an early case that covers a lot of different violations): no proof of consent, incomplete contact info. Other messages had no unsubscribe or an unclear unsubscribe. One of the two unsubscribe links present was malfunctioning.
- Rogers: did not unsubscribe people within 10-day timeframe
- Mr. Bassam Alzeir & William Rapanos: pursuing an individual for fines, rather than only companies
- Ancestry Ireland: an action against a foreign company communicating with Canadians
- 9118-9076 QUÉBEC INC.: CASL as applied to SMS messaging
- Datablocks, Inc. and Sunlight Media Network Inc.: an action against a malware distributor and a business that enabled their violations of CASL.
- Scott William Brewer: enforcing CASL against a large-volume spammer (where spamming is the core business, rather than email being incidental to the main business)
- Positive public relations for the CRTC:
In the CRTC’s case against nCrowd and Couch Commerce Inc. it appears that their action was prompted by negative media coverage of what these companies were doing. They were running a “daily deal” scam that relied on email and a series of bankruptcies. Going after these scammers shows the benefits of CASL and sets up the CRTC as the “good guys”.
You’d expect that the CRTC would use their Spam Reporting Centre to find offenders. Surprisingly, I saw no indication that they use the SRC as the starting point for investigations.
Once the CRTC picks a target, they use the SRC as a way of supporting the case by gathering up all reported offending emails. These reports establish the magnitude of the violation (how many emails sent) and the types of violations by the same entity (no consent, broken unsubscribe, missing unsubscribe link, missing identification etc.)
The SRC gets about 5,500 complaints per week, so I’m not surprised that they don’t act on spam reports more often. This volume is way more than a small team can review manually.
No, your spam report will not trigger any sort of investigation.
Yes, your spam report will influence the size of the fines, in the event that there is a probe.
After all that reading, my conclusion is: the CRTC has pretty reasonable criteria for picking targets for investigation.
Now that we’ve seen that the CRTC has a pretty rational process for targeting violators, let’s explore how likely it is that you will be one of the people targeted for enforcement.
How many organizations get caught up in CASL?
Looking at the CRTC’s published figures, here is what we find about the scale of enforcement in these past 8 years:
- There were 17 enforcement actions.
- 5 against individuals (2 of which also included organizations)
- 12 purely against organizations
- Actions ranged from $200,000 fines to a Citation without a fine.
In addition to the list of enforcement actions, the CRTC publishes an infographic summary of CASL enforcement activities.
Those infographics give us data related to the steps that precede a full-blown “action” or “decision” by the CRTC. The infographic data spans April 1, 2018 to September 30, 2021. It shows that in these ~3.5 years there were:
- 930 Notices to Produce (NTP)
Note: these figures include non-email CASL enforcement related to SMS messaging, botnets and malicious software installation. For example, the 1 warrant was served in an operation with the RCMP to take down a network operating remote-control trojans.
So, in 8 years of CASL, only 17 entities had serious action taken against them. And in 3.5 years, about 930 have had any sort of demand related to an investigation.
Based on these numbers you are statistically unlikely to be targeted by the CRTC.
But… an individual like Brian Conley got ka-powed with a $100,000 fine. This could be you and it’s scary.
It raises the question:
How much would it REALLY cost if you got fined?
The consequences for violating CASL are severe: a $10 million fine for organizations, and $1 million for individuals (like company Directors).
Think about it. Families torn apart by bankruptcy! Thriving businesses shattered! People too scared to use email, resorting to an elaborate network of carrier pigeons! 📬✉️🕊️
Remember this is $1 million per violation.
What is a “violation” you ask?
Scott William Brewer sent out 671,342 commercial emails in 3 campaigns and the CRTC cited him for 3 violations. William Rapanos only had 58 offending emails reported to the SRC, but he was cited for 10 violations.
It seems that the CRTC sees violations as every type of violation, multiplied by the number of campaigns you sent out. So, 4 campaigns, with 2 types of violations in each one, means 8 violations – regardless of the actual number of emails sent.
Let’s come down to reality for a moment
Actually, the CRTC often greatly reduces the size of its fines as an enforcement action progresses.
Scott William Brewer was first hit with a mouth-puckering fine of $75,000. Blackstone Learning Corp. was served a Notice of Violation with a $640,000 penalty.
But… after reconsideration, the CRTC reduced the fine on Scott from $75,000 to $7,500. And the Blackstone fine fell from $640,000 to $50,000.
It’s also important to note that the CRTC actively avoids fines that would destroy an offending business. Subsection 20(3) of the CASL Act says regulators must consider these factors when setting fines:
- The purpose of the fine is to promote compliance with the Act and not to punish
- The person’s ability to pay the penalty
Several actions ended with no financial penalties, only commitments to implement better compliance procedures. In the case of Blacklock’s Reporter, given the company’s size, the CRTC felt that any fines would be better spent on Blacklock’s building a solid email compliance system.
I’m being investigated! How can I reduce the size of the penalties levied against me?
It appears there are several ways to decrease fines:
- Do push back on the fines. For example, Compu-Finder successfully reduced the number of “violating emails” they were cited for, by pointing out technical issues on the CRTC’s side. Email evidence was served in unintelligible encodings & some violating emails were sent outside the date range cited in the notice of violation. (see items 25, 26 and 31 in the Decision against them)
- If the monetary penalty is bigger than you can handle, don’t just say so. Bring financial evidence to support your claim. In several instances, the CRTC essentially says “telling us that the fine is too big isn’t enough – we need something more than just your word for it”. (See item 36 in the Decision against William Rapanos)
- Immediately change your ways. From the moment that you are notified of a violation by the CRTC you need to start improving your compliance program. This is something the CRTC considers when setting fines.
- Cooperate with the investigation and be polite. Don’t… um… pretend that it wasn’t you, or that your identity was stolen, and it was your “lodgers” using your wifi connection to send spam. (Those are all actual claims)
The biggest financial penalties top out at $200,000 for organizations (levied on Rogers, Gap and Compu-Finder) and $100,000 for an individual (Brian Conley – the CRTC believes he is a millionaire).
And the CRTC is not using fines as their main tool. Between Oct. 1, 2018 and March 31st of the following year, the CRTC piloted a program where they started sending out more Warning Letters as a deterrent to organizations who are likely violating CASL.
Their data shows that they changed tack in the next reporting period – they stopped sending out so many Warning Letters, and started sending out hundreds of Notices to Produce. This has been the CRTC’s approach since late 2019.
I support this approach because it imposes a real burden on potential violators (digging through their records to satisfy the CRTC’s data requests), while saving the CRTC’s limited resources.
What all this adds up to is: your organization is way more likely to receive a Notice to Produce than it is to be the target of a full-blown enforcement action and a fine.
So… does it make sense to spend all this time & money complying with CASL?
Let’s look at the costs of compliance.
From the perspective of my organization, they are:
- Building a database to track 4 types of compliance entries.
- Coding user-facing tools for uploading consent records and checking current consent status
- Integrating the database in “A” with various other systems
- Creating a training program and ensuring new hires complete it
- Ongoing maintenance/vigilance by me (~10% of a Marketing Operations Manager’s salary – that’s a lot of Dolsot Bibimbaps).
As for what other organizations spend to comply, the fantastic “CANADA’S ANTI-SPAM LEGISLATION: CLARIFICATIONS ARE IN ORDER” from 2017 gives us a few hints:
Few witnesses could provide a precise assessment of the costs of complying with the Act. Evidently, compliance costs vary depending on the size of an organization and the extent of its electronic communications. The Committee nonetheless heard figures amounting to $700 for individuals, and ranging between $1,300 and $25,000 for small and medium-sized businesses, $25,000 and $100,000 for large businesses, and reaching millions of dollars for the largest organizations. One witness noted that some marketing companies offer inexpensive electronic communication services designed to be compliant with the Act.
Now compare those costs with the $200,000 maximum fines we’ve seen so far for first-time violations.
Make your own conclusions.
I’ll tell you that, for my organization, the costs of compliance absolutely made sense when CASL was introduced. Originally the Act included a “right of private action” – a provision allowing individuals to sue organizations for violations starting on July 1st, 2017. Our customers are lawyers and would not have hesitated to sue if our CASL compliance program fell short. We needed a state-of-the-art compliance program.
On June 7, 2017, the federal government suspended the right of private action. I believe this was a good thing. Having individuals sue organizations for emails would have unleashed a firestorm. It would have ended with all Canadian businesses being nice and compliant.
This compliance would cost a lot of time and money.
And all this effort would not translate to even 1 extra dollar of revenue.