The internet, by its nature, is an international place, if you can even call it a place. This means that when sharing information with your members, you may be subject to the laws governing electronic communication in all of those regions. This means that if you’re sending out marketing material or any other kind of communication, you need to be familiar with all of those regulations – fortunately, though they’re massive legal documents, there are only a few key take-aways you need to stay compliant. We’re going to discuss some of the guiding principles concerning the kind of practices you need to observe when sending out email, whether via an automated process in your membership management software or when you’re writing a message by hand.
Types of Email Consent
The anti-spam and privacy laws we’re going to discuss all have similar categories when it comes to the matter of consent to your organization’s messages. Broadly speaking, a given member or institution can be in one of four different “states” when it comes to hearing from your organization:
This one’s just like it sounds – the user has stated explicitly, in a form you can offer as evidence in a hearing or court of law, that you are allowed to contact them with commercial communication.
Be careful with this one! This means that an individual has reached out to your organization in a commercial capacity, whether they asked you for information on a product or outright bought something from you. But consent can also be implied by them simply being a member of your organization or providing you a good/service for free. The part that you need to be careful about is how long implied consent lasts – according to CASL, which we’ll talk about later, this period is two years following the last transaction or withdrawal of membership, but CANSPAM treats consent as implied until the recipient explicitly opts out.
Implied Commercial Consent
Suppose that someone’s email address is published in plain view on a company website or trade publication. Where does the line fall here? Well – and this distinction is mainly relevant under CASL; we’ll get to why later – the recipient has implied commercial consent if your messaging directly relates to their role or capacity within the company, and if there are no messages in the same place prohibiting commercial communication.
This means that the recipient has specifically stated in writing that they do not want to receive commercial communication from your organization. Do not pass go, do not collect $200, and do not put this person on your mailing list. Any suite of membership management software worth its price will offer features that allow you to mark users with attached signature opt-outs and automatically exclude them from the mailing lists you create.
The above distinctions are important because they provide a framework for the information we’re about to share, but they largely describe the landscape according to CASL, Canada’s Anti-Spam Law. We’re going to spend the rest of this article discussing three landmark privacy regulations and what they mean for you.
CANSPAM (Controlling the Assault of Non-Solicited Pornography And Marketing)
This American legislation relies on an opt-out model: it assumes that any given user has consented to receive email until they deliberately take a step to say “no”. This is part of the reason for the stringent requirement that you add a clear “unsubscribe” link, and CANSPAM also requires your physical mailing address to be included in the message as well. Any good membership management software will build this into the message for you, but don’t take it for granted: test your email campaigns by sending a test to your own address, and make sure the opt-out link and address are there! There are a couple of other requirements for this part of the email added by CASL, so keep reading.
CASL (Canadian Anti-Spam Legislation)
CASL is a big one, for a big reason: its emphasis is all about ways users must opt into receiving commercial electronic messages (“CEMs”). It’s the reason you need to be concerned with all of the above distinctions: you can’t even reach out to a person via email to ask for their express consent if you don’t have their implied consent. CASL also has a broader set of requirements for the contact information you include: besides the mandatory unsubscribe link and mailing address, there must either be an actively maintained phone number (i.e. one where you can call and reach a human being) or a website/email address included for your organization.
CASL is distinct from CAN-SPAM for one other big reason: while CAN-SPAM refers specifically to emails, CASL defines commercial electronic messages to include any and all telecommunication.
GDPR (General Data Protection Regulation)
The GDPR is a sweeping change to the treatment of user data in the European Union. This somewhat recent piece of European legislation has seriously impacted the way organizations do business online in any environment that reaches European customers, and you need to be aware of what it means for you and your organization, as the penalties for falling afoul of it can be severe – though the same goes for any of the regulations mentioned in this article!
In short, GDPR limits the circumstances under which user data considered “identifiable” can be used without explicit informed consent. “Identifiable” data means any and all data which, when combined with any other resources or methods “reasonably likely” to be available, could be matched to a single specific person. These circumstances include, of course, gaining explicit informed consent from that person, but they also include a number of conditions considered lawful: data that must be collected to enforce or confirm a contract between that person and an organization, data that must be collected as part of that organization’s legal duties, and a handful of other possibilities.
Among the most important implications for you, as a membership-based organization, is that users can withdraw their consent at any time, and that it must be just as easy to do so as giving consent; as well, to the best of your ability, you can’t limit what a user can do if they don’t consent to their data being processed. In practical terms? This means that if a user ever asks you to permanently remove all of their contact information from your system, you need a way to do that. Most membership management software gives you two options for deleting a user’s profile: “soft” deletion and “hard” deletion. The first, soft deletion, is future-proofing yourself: it hides the user’s profile but keeps it saved in case they ever come back. Hard deletion means deletion, full-stop. In order to be GDPR-compliant, you need to ensure that you do not maintain records of any member who demands that you stop storing their information. Failure to do so can come with steep fines and penalties.
Always make sure to review the regulations that relate to handling user data in the regions where your members live; when in doubt, a visit to your legal department can save you a lot of headache, expense, and bad optics down the line.