GDPR - Privacy Lessons from CASL

Slated to go into full effect on May 25, 2018, GDPR brings sweeping changes to European Union anti-spam and privacy rules, and many North American companies with customers and employees in the EU are now racing to get up to speed.

I asked B2B marketing consultant Andrew Seipp for his thoughts on the new rules. Seipp, founder of Canadian Marketing Consultancy Grow Automatic, specializes in helping companies grow without resorting to spammy or shady tactics.

Seipp was careful to note his advice shouldn’t be taken as legal counsel. Nevertheless, he happily shared best practices from adapting to CASL — Canada’s anti-spam law, which Deloitte calls one of the toughest in the world.

Given your experience advising companies in the run up to CASL’s enforcement in 2014 — what was the biggest criticism of the new rules? Do you think people overreacted?

I think one of the biggest criticisms was that it was really unnecessary, making it harder to do business in Canada. And there’s some validity to that point.

On the other hand, in the run up to the law’s enforcement, I was receiving dozens of emails every week from companies asking me to re-opt into their email list. In many cases, that wasn’t really necessary. They’d already gotten implicit permission in one way, shape or form, and even after the deadline had passed, they could still have gotten explicit consent within the two-year implied consent window.

What did you find were the most cost- and time-effective strategies marketers could use to ensure they’re CASL compliant?

The reality is a lot of compliance issues are taken care of automatically when using a marketing tool. They tend to track whether you’ve gotten a customer’s consent in a very auditable form. On MailChimp, for example, you can even know what IP address a customer opts in from.

Just about any good email marketing provider will handle compliance for you because if their customers don’t follow best practices, it could put their email deliverability at risk; their business model depends on their customers following the rules.

Is there any danger that with these technologies in place, companies might get a false sense of confidence? Above and beyond technology, what do you need to do to ensure you’re safe?

There’s this saying, “A fool with a tool is still a fool.” A good way somebody could run afoul of the law, even if they have the right tools, is to import an email list without tracking how those contacts were collected. Very large companies, that you wouldn’t expect, have gotten into trouble this way for not being able to prove consent.

It’s critical to go beyond what the tools provide and write a compliance playbook for staff and have them follow it. This also serves as one of the most effective and important legal defenses any company can create. Because if you get audited, you’ll be able to say, in full confidence, you’ve taken these policy measures, here’s our documentation and here’s our staff training.

It’s not an airtight defense; but if you don’t show due diligence and careful documentation of consent, and you get audited — you’re in really big trouble, compared to if you’ve taken the proactive steps necessary to follow through on a clear compliance strategy.

What are the biggest similarities and differences between CASL and GDPR? How will these impact how North American companies conduct their marketing towards the EU?

One of the biggest similarities is the need for explicit consent (known as opt-in) when reaching out. A good example is if you’ve got a form on your website and there’s a checkbox to get subscribed to the newsletter. That checkbox under both laws cannot be pre-ticked.

Where there’s quite a big difference is that CASL only covers electronic commercial messaging. GDPR goes much further in covering personal data privacy and removes a lot of flexibility in what you can do with customer data, especially where you want to repurpose that information for other purposes.

That extends to many common marketing practices, like display ads or Facebook ad retargeting. You want to upload data to Facebook or Linkedin to have your ads follow your visitors around the web? Under GDPR, that would be considered a change in the use of that customer’s information, and you’re supposed to ask for their permission again.

Can you outline what a GDPR compliance action plan might look like?

First, you’ll want to get a clear idea of what you want to do with data and why you need it. You want to make sure you’re only collecting the right amount of information that will help your business. Depending on the data you’re collecting, it could be completely useless, but carrying it could be a complete liability if it were to leak out.

For example, getting someone’s name, email, phone number and so on is very useful for a variety of purposes. Getting other info, like a browser fingerprint — a way to identify users without a cookie — that’s nice to have. But do you really want to tell customers you’re collecting that level of detail?

Point number two: At its core, GDPR is about handing control over people’s personal information back to them so they can decide. It’s critical to ensure across all your interactions, you have a plan for collecting consent. One way to achieve this is to make sure every form on your website is compliant.

Finally, you’ll want strong governance in place around keeping and purging customer data that you don’t need anymore, or when a customer requests it to be purged under GDPR’s “Right to be forgotten” clause. You need a plan for if a customer asks to see their personal information, or asks for you to delete it.

What do you see as the potential compliance trouble spots peculiar to North American companies?

One of the more challenging parts of the legislation is that you have to keep track of consent for somebody you don’t even know you gathered consent from. Business in North America includes a lot of inadvertent data collection and use, which is really problematic under GDPR.

However, whether you should be concerned is really a matter of degree. If the majority of your market is North American and you have one customer in the EU, who visits your website and you forget to ask for consent — European regulators aren’t necessarily going to have much interest in going after you. It’s hard to imagine enforcement action on some mom and pop shop selling artwork on Etsy.

If you’re a huge company, you have a huge burden to follow through on. But a company like Facebook or Google has the resources to comply.

Where things get really challenging is for medium-sized businesses with a sizeable presence in the EU. If you’re going after EU customers as a market, you must follow the law very carefully because you’re in easy reach of regulators.

I also see an interesting contradiction given what’s known as the Right to be Forgotten. Under CASL, you need to keep a record of who has consented into your email list — and that means holding onto their email address even potentially after they’ve unsubscribed. Whereas under GDPR, customers can ask for their data to be purged, and you have 30 days to comply after their request.

If you’re a Canadian company and if you’re given the choice, it’s perhaps better to follow the Canadian anti-spam law and violate GDPR, because you’re well within reach of Canadian regulators.

There is a clause in the GDPR that goes into legitimate reasons to hold onto customer information after they request to have their information deleted. For example, holding onto customer information that is directly related to a transaction that needs to be kept for legal reasons (i.e., a tax audit on company invoices). For this reason, holding onto the minimal amount of information (email, opt-in date, IP address, etc.) to prove CASL consent seems like a legitimate reason for holding onto data.

Of course, it’s a bit challenging to be selective of what gets deleted and what doesn’t from a technical sense.
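The selective deletion Seipp describes is the part that most often goes wrong in practice: the profile is removed from the CRM, but a connected tool keeps its copy, or the consent trail is wiped along with everything else. The following is an added example from the editor, not code from the interview or from any CRM vendor. It models a CRM as a system of record with a separate consent ledger, cascades an erasure request to connected tools through a small connector interface, keeps only a minimal consent record (email, opt-in date, source IP, form identifier, all fields chosen here as an assumption about what a consent proof needs), and reports per-connector results so a partial cascade, such as one tool's API being down, is visible rather than silently incomplete. The contact, IP address and tool names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    """Minimal proof of opt-in retained after erasure (fields are an assumption)."""
    email: str
    opted_in_at: str
    source_ip: str
    form_id: str
    erased_at: Optional[str] = None


@dataclass
class Profile:
    """Full marketing profile: the part that must go on an erasure request."""
    email: str
    name: str
    phone: str
    browser_fingerprint: str


class FakeMarketingTool:
    """Stand-in for a connected tool (email platform, ad audience, ...).
    A real connector would call the vendor API; this one is in-memory."""

    def __init__(self, name: str, contacts: List[str], fail: bool = False):
        self.name = name
        self.contacts = set(contacts)
        self.fail = fail  # simulate an API outage for the failure-mode path

    def delete_contact(self, email: str) -> bool:
        if self.fail:
            raise ConnectionError(f"{self.name}: API unavailable")
        self.contacts.discard(email)
        return True

    def has_contact(self, email: str) -> bool:
        return email in self.contacts


class CRM:
    """System of record: profiles plus a separate consent ledger."""

    def __init__(self, connectors: List[FakeMarketingTool]):
        self.profiles: Dict[str, Profile] = {}
        self.consent: Dict[str, ConsentRecord] = {}
        self.connectors = connectors

    def record_opt_in(self, profile: Profile, source_ip: str, form_id: str,
                      when: Optional[str] = None) -> None:
        when = when or datetime.now(timezone.utc).isoformat()
        self.profiles[profile.email] = profile
        self.consent[profile.email] = ConsentRecord(
            profile.email, when, source_ip, form_id)

    def erase(self, email: str, when: Optional[str] = None) -> Dict[str, bool]:
        """Drop the profile, cascade deletion to every connector, keep only
        the consent record (stamped with the erasure time). Returns
        per-connector success so a partial cascade is not hidden."""
        when = when or datetime.now(timezone.utc).isoformat()
        self.profiles.pop(email, None)
        outcome: Dict[str, bool] = {}
        for tool in self.connectors:
            try:
                outcome[tool.name] = tool.delete_contact(email)
            except ConnectionError:
                outcome[tool.name] = False  # record the failure, keep going
        record = self.consent.get(email)
        if record is not None:
            record.erased_at = when
        return outcome

    def pending_erasures(self, email: str) -> List[str]:
        """Connectors that still hold the contact after a cascade; retry these."""
        return [t.name for t in self.connectors if t.has_contact(email)]

    def can_prove_consent(self, email: str) -> bool:
        return email in self.consent


def demo() -> Dict[str, object]:
    """Constructed scenario: one connected tool is down during the cascade."""
    email = "alice@example.com"  # constructed sample contact
    crm = CRM([
        FakeMarketingTool("email-platform", [email]),
        FakeMarketingTool("ad-audience", [email], fail=True),
    ])
    crm.record_opt_in(Profile(email, "Alice", "+1 555 0100", "fp-9f3a"),
                      source_ip="203.0.113.7", form_id="newsletter-footer",
                      when="2017-06-01T12:00:00+00:00")
    outcome = crm.erase(email, when="2018-06-01T09:30:00+00:00")
    return {
        "cascade": outcome,
        "pending": crm.pending_erasures(email),
        "profile_gone": email not in crm.profiles,
        "consent_kept": crm.can_prove_consent(email),
        "erased_at": crm.consent[email].erased_at,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the separate ledger is that the erasure path never touches it except to stamp `erased_at`, so the consent proof survives while name, phone and fingerprint are gone; the `pending_erasures` check is what turns "we sent the delete" into "the delete actually landed everywhere".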

You mentioned the Right to be Forgotten, also known as the Right to Erasure, which is just one of several new consumer protections reinforced by GDPR. What challenges do you see these rights creating for North American businesses? And how can they be best addressed?

If you think about how many touch points you have with a potential customer — it’s way more than just email. Think about trade shows, newsletter subscriptions, your website, social media. It can be overwhelming to track everything across so many channels.

An important best practice for GDPR is CRM. Properly implemented, it can serve as your system of record or single point of truth — a core tool you can use to control customer information across your business by connecting people, apps and databases.

When a customer asks for their information, you’ll be able to provide it practically at the click of the CRM’s export button. If they ask for that information to be deleted, it may be as simple as deleting the record from the CRM; however, where the challenge lies is all of the connected marketing tools.

Your CRM likely syncs with marketing automation software, internal databases and the myriad of other services that are either feeding data into it or are using data from it in other processes. Deleting all of that is a challenge; there’s nothing at the moment that can do that automatically, but it isn’t a stretch to have that functionality built in. As more companies need to be GDPR compliant, more software providers will build provisions like the Right to Erasure into their tools. I envision a CRM like Salesforce having a feature that would cascade the erasure request down to all of the associated tools and would use the API of each to make it automatic. The technology is on its way.

Is it better for companies to apply the same stringent consent standard across their web engagement?

As a general rule going forward, you will want to use the same compliant web forms with all your traffic, since you don’t necessarily know who you’re dealing with or where they’re from.

Technically speaking, GDPR protects EU citizens regardless of where they are; if somebody from the EU is on holidays in Canada, you may still need to get their consent. Plus, more and more countries will look to update their laws. Even the United States — where Facebook has been operating in a Wild West environment when it comes to privacy controls for a long time — there’s a growing chorus of public demand to hold companies accountable, especially after the Cambridge Analytica incident.

I think it really depends on how dependent your business is on that kind of granularity. If you’re an ecommerce retailer and you do a lot of retargeting — it may be worth segmenting off EU traffic. Perhaps using things that will geo-target consent so if they’re in the EU you ask them explicitly.

If you need to reach out to current prospects to get opt-in confirmation – can you recommend how to best ask for permission for achieving email opt-in under GDPR?

I’ve seen marketers send out an email to say we have this information on you; if you don’t consent to its use, click on this link or confirm and we’ll remove you from our database. That’s a painful proposition to do — a sort of nuclear scenario.

Going forward, you want to apply the same consent standards to everyone; but you need to filter out the obvious ones that need to be compliant and send them an email asking for their consent.

I think the easiest way is to narrow down to the ones that are vague in where their consent is. If they’ve filled out a form, you’ve kind of got their permission assuming there was verbiage around how you were using the data. But it’s almost more effective to start with a whitelist of companies you know 100% are not in the EU and filter out from there.

Should companies reach out to all their EU prospects to get them to opt-in to being in their CRM?

It depends on what level of consent you got in the first place. If you’ve been following CASL rules you should have had wording around asking for their permission to email them which means that you’re OK to email them, but you’re not technically allowed to use their information for ad targeting or for a big data project. For these additional uses you would need to ask for their permission to do this.

If there are vagaries around this kind of consent you’re likely in violation of CASL as well, which has a lot more regulatory reach for Canadian companies.

If there is a doubt though you should, at the very least, email contacts you know are located in the EU.

One critical thing is to understand where you got their information in the first place. If you have CASL-compliant forms — you’re probably OK. But it really depends on how specifically you worded those forms in the first place and how you intended to use their information. For the ones you don’t know, you’ll have to reach out.

Companies often view compliance with new regulation as onerous. Is there a way to see a silver lining?

There are companies that have had major data breaches, costing them a lot in civil judgements. Equifax, for example, now faces billions of dollars in fines. In a lot of cases, the law really prescribes what should be best practice anyway.

Marketers will always test the limits of what they can do. However, the biggest opportunity for marketers, as I see it, is this may take out the shady dealers poisoning the well. Being bound by the same rules reduces the pressure to engage in the sort of marketing practices that erode consumer trust and damage brand reputations — creating a better environment for everyone.