As the Canadian media reports on the panic associated with the new anti-spam law set to take effect next week, consider the following from Macleans titled “Few Companies Prepared for New Privacy Law“:
The new law..says organizations can only collect personal information for a stated reason – and can use it only for that purpose. Among others things, that means a company that supplies a service can’t sell its list of subscribers to another company’s marketing department. Individuals must be informed, and give their consent, before personal information is collected, used or disclosed..But most firms are unaware of the new law.”
The article continues by noting that “there’s confusion over which organizations might be exempt” and that “there is no grandfather clause – all existing customer information needs to be compliant.” The message is similar in a Globe and Mail article titled “Many small firms not ready for privacy rules“, which also notes the possibility of a constitutional challenge. An IT World Canada reiterates that concern in its coverage:
most Canadian organizations are not aware of the [law]. And very few are prepared to comply.
What makes these articles noteworthy is that none involve CASL. Instead, they all date from 2004, when the current private sector privacy law (PIPEDA) was about to take effect. Then, as now, there was ominous warnings about how ill-prepared Canadian business was to address their privacy law obligations. Yet as I noted in my post on complying with the new anti-spam law:
For any organization that already sends commercial electronic messages, they presumably comply with PIPEDA, the private sector privacy law, that requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so. Compliance with the new anti-spam law (CASL) involves much the same obligations. While there are certainly some additional technical requirements and complications (along with tough penalties for failure to comply), the basics of the law involve consent, withdrawal of consent (ie. unsubscribe), and accessible contact information.
While CASL does create some new obligations, what is not new is the claims that business is unaware and unprepared to address their privacy law obligations.