CASL: What to Include in a CEM?

So, now that Michael has determined that CASL is applicable to the CEMs he wants to send, and he has defined what kind of consent he needs to collect and how to collect it, there is one last step to follow before actually sending the CEM: including the mandatory provisions that are required under CASL.

Identification information

First, Michael needs to include relevant information so that the recipient knows who Michael is and how to contact his company. Therefore, CASL requires that each CEM sets information that identifies the sender of the message and, if applicable, the person on whose behalf the message is sent, along with their contact information for such persons.

It looks pretty straightforward, but it is important to determine who needs to be identified. For example, if you use service providers that facilitate the distribution of a CEM, you don’t need to identify them in the CEM as long as they have no role in defining the content of the CEM or in determining the list of recipients. However, if the CEM is sent on behalf and in the interest of multiple stakeholders, such as affiliates, then these organizations need to be identified.

So, the main principle to follow is the following: you must identify yourself and the persons on whose behalf a CEM is sent. To do this, you must identify the stakeholders who play a material role in the content of the CEM and in the choice of the recipients.

If you think that there are too many organizations to add in the CEM, you can integrate a hyperlink to a webpage where the individual can consult the entire list of recipients, as long as (i) the link to the webpage is prominent, and (ii) the recipient is not required to open an account or to pay a fee to access it.

In addition, CASL requires that the mailing address of the person sending the message is included. If the address of your affiliates is different, their address must be communicated as well. The mailing address consists of your current street (or civic) address, postal box address, rural route address, or general delivery address. This address must be valid for a minimum of 60 days after the message has been sent.

Unsubscribe mechanism

Under CASL, you must include an unsubscribe mechanism in every CEM you send. For example, a CEM sent via SMS may state that an end-user can unsubscribe by texting the word ‘STOP’. Another possibility is a clear and prominent hyperlink allowing recipient to unsubscribe with a simple click. You can set up your unsubscribe mechanism in different ways. For example, you can offer the recipient a choice, allowing them to unsubscribe from all or just some types of CEMs your organization sends.

A key aspect is that an unsubscribe mechanism must be ‘readily performed’, which means that it should be simple, quick and easy for the end-user.  In other words, the recipient should not have to take multiple steps to unsubscribe, by having to navigate through a text with multiple layers, or to have to create or login into an account, etc.

Any unsubscribe requests must be honoured immediately or within 10 days. The unsubscribe must be valid for a minimum of 60 days after the message has been sent, which means that you may not send another CEM within 60 days after the person has unsubscribed.

In summary:

Before sending a CEM, you need to make sure that you include the following:

  • The name, contact details and mailing address of your organization and all of the organizations on behalf of which you are sending the CEM (if the list is long a hyperlink will do);

  • An unsubscribe mechanism in each CEM that is quick and easy for the end-user, knowing that this mechanism must be valid for at least 60 days;

  • You must take into account any unsubscribe request within 10 days.

Guilda Rostama

Guilda Rostama is a GDPR specialist. As a fully-qualified French lawyer, Guilda has a PhD in law, and holds the Master of Law and Internet Technology from Paris Sorbonne, as well as the LLB of the University of Sheffield, United Kingdom, and the CIPP/C. Before moving to Canada in 2021, Guilda was a senior legal counsel in the Economic Affairs department in the CNIL (the French Data Protection authority) for more than four years. During her tenure in the CNIL, she was actively involved in building recommendations and guidelines for organizations implementing the GDPR. She was also the leader of the Social Media Expert subgroup in the European Data Protection Board (EDPB).

Next
Next

CASL: How to Collect Consent and Demonstrate it?