Email laws are a necessary protection for today’s digital consumer. While all of us enjoy the benefits of this legislation as end users, the laws can be hard to understand and are changing.

There are two significant dates coming up that will shake up some of the biggest email legislation on the planet, including laws in Canada and the EU, which apply to all businesses that have consumers in those regions. The upcoming changes will have a significant impact on how you message your customers and will require preparation in order to be in compliance. To help, here is some of the key information you need to know, and advice on how you can begin preparing.

Note: Make sure you consult your legal counsel to address your specific needs. The information provided here is for informational purposes only and should not be considered legal advice.

If you’re a Sailthru customer and have questions about these upcoming legislative changes, or want to further leverage our industry-leading in-house deliverability team, please get in touch with your Customer Success representative.

CASL Private Right of Action Begins – July 1, 2017

The Canadian Anti-Spam Law (CASL) went into effect in July 2014. However, we are now at the three-year mark, which means additional enforcement and expiration dates will apply in 2017. CASL was put into place to protect Canadians while ensuring that businesses are able to compete in the global marketplace, but the law also has real consequences for those not in compliance.

Anyone sending Commercial Electronic Messages (CEMs) to a recipient accessing email in Canada, or sending email from Canada, is covered by CASL if the recipient is reasonably expected to access CEMs in Canada. If your organization is located in the US, the EU, or anywhere else in the world and sends CEMs to Canada, you are still responsible for complying with CASL.

Beginning July 1, 2017, the private right of action kicks in and your risk increases. The law will allow individuals and organizations who have been adversely affected to bring a private right of action in court against a sender (individual or company) who they allege has violated the law. An individual recipient is entitled to C$200 per non-compliant message they receive, up to C$1 million per day for multiple violations. In addition to individual civil actions, class action lawsuits are also possible under CASL.

The same date also signals the expiration of the three-year grace period given to bring email lists into compliance. After July 1, 2017, the grace period for emails that require express consent is over: you must ensure that express opt-in consent has been granted for each recipient (subject to the implied consent available under section 10(9) of CASL), or cease sending CEMs to users who have not provided additional consent during this initial window.

For more information, review the Frequently Asked Questions about Canada’s Anti-Spam Legislation from the CRTC.

GDPR To Take Effect – May 25, 2018

Big changes are coming in the European Union which will affect any marketer sending email to anywhere or anyone in the EU. In May 2018, the General Data Protection Regulation (GDPR) comes into force. The GDPR is one single law that will govern the activities of all EU countries and enforce stronger data protection across Europe. Failure to comply brings stiff fines: up to 20 million Euro or up to 4% of total annual worldwide revenue, whichever is higher. This law does not apply only to email marketing; it applies to ALL parts of your organization that have personal data of EU persons.

While that may seem far off, there are multiple steps organizations will have to take to become compliant. Many organizations struggle with broad regulatory changes and it may take all this time to prepare – the clock is ticking.

The regulations will affect all companies who collect, store, use and transfer data. Even if a sender is not located in the EU, the regulations apply if you are marketing to an EU citizen. It will affect marketers who process activities related to the offering of goods or services (even for free) or monitoring the behavior of anyone in the EU.


Before doing anything, consult your legal counsel to address your specific needs and to gain legal advice. With a little over a year to become compliant, you need to start now if you have not already done so!

To learn more about the specifics of this law, read GDPR Frequently Asked Questions from the Overview of the General Data Protection Regulation and Consent Guide from the Information Commissioner’s Office, as well as the GDPR text.

Here Are 7 Ways You Can Start Preparing

Every leader loves process, so we’ve outlined a number of steps below that you should consider and review with your legal counsel and cross-functional team members to get prepared.

  1. Ensure key business leaders in your organization are aware of the legislation and the impact it can have on your business. This is the #1 priority! GDPR impact is huge and must be addressed at an executive level while there is time to prepare.
  2. Contact your legal counsel to understand how the GDPR affects your organization and how they can provide guidance on helping you get ready.
  3. Take an audit of your current database and your collection practices and identify potential risks. Some ideas below:
     • Know what information you have. Do you know where your contacts are located geographically? Do you deal with data of EU citizens?
     • Know where your information comes from. Ensure you have solid documentation for every data subject.
     • Do you have an audit trail of consent? Do you have enough information on permissions and how your contacts ended up in your database to demonstrate how consent was given?
     • Review your data disclosures and practices, and be transparent with how you handle data. Are your policies simple for a user to access and review? Update your privacy policy to be clear and easy to understand, or put a plan in place to ensure you will be ready for when GDPR is in place.
  4. Assess non-compliant processes and outline steps and timelines to update specific concerns.
  5. Review all upcoming initiatives to ensure privacy is embedded into all new processing or product initiatives.
  6. Ensure that you have clear policies in place within your organization to prove that you meet the required standards for compliance with GDPR.
  7. Train your marketing team to understand and adhere to the requirements of GDPR.

The next several months will go by fast and, as you can see, marketers must comply with many onerous obligations under the regulations. Start now so you will be prepared for the significant changes and accountability coming up in July 2017 and May 2018.