CASL: How to Collect Consent and Demonstrate it?

In our previous article, we saw that Michael needs to collect consent for his marketing campaign. Now, we will take a closer look at the steps that Michael needs to take to collect consent and to prove that he has a valid consent.


First, we need to clarify that sending a CEMs to collect consent is not an option for Michael. In other words, Michael can’t send a promotional email and take the opportunity to ask the individual to consent to receiving further CEMs from him. Therefore, Michael needs to collect consent before he sends any type of CEMs.



How to collect valid express consent?


As you may recall, the collection of express consent requires that the individual takes a positive action to indicate his or her willingness to receive CEMs. One thing to keep in mind is that express consent is not necessarily written consent, it can also be given orally. For example, you may ask individuals during point-of-sale purchases if they are willing to receive CEMs from your organization. However, you would need to keep a record of the verbal consent that was given to you.


Therefore, a safer way before sending CEMs is to rely on express written consent, whether in paper or electronic form. For instance, Michael could set up on the company’s website a field where the individual would type their email address to receive CEMs from the company. Another possibility would be to include a checkbox or a toggle to activate when an individual visits the organization’s website. If you choose to use checkboxes or toggles, it is very important that they are not pre-ticked or pre-activated, and that the individual actually takes a specific action to indicate their consent.


Don’t forget to include your contact information in the request for consent (more on that in our next article).


Last but not least: the collection of consent cannot be bundled with other requests for consent. In other words, you can’t mix together the consent for receiving CEMs with the consent to the general terms of use or the privacy policy. The request for consent for CEMs must be clearly identified, and individuals must be able to grant their consent to the terms and conditions of use or sale while, for instance, refusing to grant their consent for receiving CEMs.



How to prove you have valid implied consent?


As you may recall, the collection of implied consent doesn’t require that the individual takes a specific action to indicate its willingness to receive CEMs. Therefore, the key is to be able to prove that the individual agrees with receiving CEMs, even if they are not asked to take any specific action to show such agreement.


To go back to Michael, let’s say that he decides to collect email addresses from public websites and to send them CEMs. As we have seen in our previous article, he must be able to prove that:

  • The email address he has collected was intentionally made public;
  • There were no statements against receiving CEMs on the website; and that
  • The CEMs he intends to send are relevant to the recipients’ business, role, functions, or duties in a business or official capacity.

CASL does not provide any specific guideline on how to prove you have valid implied consent, which makes it tricky for organizations to comply with this obligation. But just imagine the following: if you were facing the individual in court one day, what would be the elements you would use to demonstrate that you had indeed the implied consent of the individual?


One way you could prove that you had implied consent is by using screenshots, that would show:

  • the date, the collected email address and the URL, which would allow you to demonstrate where and how you discovered the recipient’s address;
  • the page where you found the email address, which would show that there were no statement indicating that the individual does not wish to receive any CEMs;
  • the settings of the website, to demonstrate that it was safe to assume that the recipient had taken proactive steps to make his or her email address available online; and
  • the individual’s title within the organization, to prove that the messages you sent were, at that time, relevant to the roles or functions of the recipient.

Not easy, eh? Well, this is done on purpose: CASL is an anti-spam legislation and wants to encourage the sending of CEMs by relying on express consent, and not on implied consent.


Here is another example of a challenging scenario if you wish to rely on implied consent. Let’s say that Michael has recently attended a major training event that took place in his city. He talked to many stakeholders, had great conversations with them, which ended with an exchange of business cards. Can Michael send them CEMs?


Well, it is safe to assume that the sharing of a business card with you probably means that an individual is happy to be contacted by you or your organization. So, Michael could consider that he has the individuals’ implied consent, as long as (i) the message relates to the recipient’s role, functions or duties in an official or business capacity, and (ii) the recipient has not made a statement when handing the business card to Michael indicating that they do not wish to receive CEMs at that address. But how could Michael prove in this situation that he has an implied consent?


A safe strategy he could deploy is to send the person an email referencing the conversation they had during the event and ask them if they wish to receive CEMs from the company. If the recipient agrees, Michael should keep this email (and any response) in their records.


These are just examples, and it is relevant to note that Michael should deploy similar record-keeping strategies if he intends to send CEMs by relying on implied consent with recipients that have an existing business relationship with the company. So, although relying on implied consent may seem to be tempting at first, proving that you have valid consent can sometimes be very challenging. 



What records to maintain to prove you have valid consent?


Whether you decide to rely on implied or express consent, it is essential that you keep evidence of the actions you took before you started sending CEMs. More precisely, the collection of valid consent requires the following:

  • Documenting the reasons why you chose to rely on implied or on express consent;
  • Keeping a record of the collection of express or implied consent.

Indeed, CASL highlights that the sender of the CEM is responsible for being able to prove that he had valid consent before he started sending CEMs. To achieve this objective, you should maintain hard copies and/or electronic records of the following:

  • all evidence of collection of consent (e.g., audio recordings or completed forms);
  • recipient consent logs;
  • scripts for the collection of oral consent;
  • any supporting information if you relied on implied consent (see above); and
  • the content of CEMs and the dates where they were sent.

How long to retain those records? Well, as long as you will be contacting the individual to send CEMs, that’s for sure. And the retention period should also be defined according to the limitation period (i.e., the time limit in applicable laws under which the individual can actually complain about your CEMs in court).


In summary:

  • The collection of express written consent can be considered as the safest option: it is easy to prove, and the individual takes a proactive action indicating that they want to receive CEMs;
  • If you rely on express oral consent, don’t forget to record it, because you will need to be able to demonstrate it;
  • Implied consent can seem like the most flexible option, but it is also the hardest to prove;
  • Keep records of consent as long as you are in contact with the individual and take into account statutory limitations as well.

Learn more about how PrivacyWorks can help you. Tell us a bit about yourself and we'll follow up with you shortly.