How the introduction of privacy

regulations (CASL, GDPR) has

changed the way businesses
operate as it relates to Direct
Marketing
Course: MRK916MMT (Interactive Marketing)
Professor: Andrew Temes
Student name: Zoe Nguyen- ID: 114818198
Background information
Why introduction of GDPR and CASL?
70.0%
59.8%
In digital age, personal data is so valuable because 60.0%

Share of respondents
49.1%
businesses can collect it to positively impact customer 50.0%
experience. However, it could be misused or stolen, leading to 38.9%
40.0%
the fact that consumers are concerned about whether 30.0%
companies are doing enough to use and protect them properly.
20.0%
10.0%
Why Canada’s Anti-Spam Legislation (CASL)?
0.0%
To protect Canadian citizens from SPAM, phishing, identity Unsolicited calls Spam e-mails Misleading
theft and from malware by introducing strict law into advertising
commercial electronic messages (CEM) since according to (1) Leading forms of spam considered as offensive according to consumers in Canada as of August
2016
Statista consumer survey, the leading forms of spam as
considered as offensive are unsolicited call, spam email, etc. Concerned Somewhat concerned Not concerned

0.0% 20.0% 40.0% 60.0% 80.0% 100.0%120.0%

Why General Data Protection Regulation (GDPR)?
Companies setting insurance/
According to Chartered Institute of Marketing, 57% of 46% 44%
10%
health coverage
consumers don’t trust brands to use their data responsibly. The impact on your reputation 58% 24% 16%
41% of marketers admit that they do not fully understanding
how they should use consumers’ personal data. Government surveillance 41% 40% 19%
In Canada, the top concerns with online personal information
Determining suitability for a job 39% 46% 16%
usage are consumers’ reputation, behavior analysis of
Marketing companies analyzing
marketing companies, etc. 43% 44%13%
likes/ dislikes
GDPR introduced by EU in 2018 was to put some of the power
back into the hands of the consumer. (2) Concern with online personal information usage according to internet users in Canada as of November 2016

1 Source: (1), Leading forms of spam considered as offensive according to consumers in Canada as of August 2015, Statista Canada
(2) Cyber crime in Canada, Statista Canada
Background information
CASL is more descriptive but GDPR is the most pervasive.
CASL GDPR
Scope unsolicited commercial collection, storage, usage and
There are some similarities between advertising by email and management of personal data.
CASL and GDPR at basic level. text, phishing and unwanted
 To promote transparency and choice software installation.
through explicit consent between the
companies and consumers. Application senders and recipients of businesses based inside the EU,
 To require thoughtful internal CEM in Canada businesses based outside the EU that
processes to make sure that the offer goods and services to, or that
request will be processed quickly monitor, individuals in the EU
 To come with huge penalties. For
Consent Senders must obtain explicit Businesses must obtain explicit consent
example, Flybe and Honda Motor
consent from recipients from recipients through opt-in
Europe fined £70,000 and £13,000
through opt-in mechanism. mechanism.
respectively
Recipients can revoke Recipients can revoke consent through
 To clear on who’s accountable. Even
consent through opt-out opt-out mechanism at any time.
if businesses are outsourcing data
mechanism at any time. Businesses only use data for the specific
processing, they are still be liable for
purpose that recipients give consent to. If
any breach.
for another purpose, businesses must
However, they still have some big
obtain recipients’ consent again.
differences as the table shown.
Comparatively speaking, GDPR is more Exceptions various cases: CASL-exempt compliance with legal obligations and for
stringent and far-reaching than CASL. to Consent country, product updates, the performance of official duties.
warranties, membership,
subscription, etc.

2 Source: Brain Station Blog

How CASL impacts businesses
What types of marketing platform are affected by CASL?
Before sending CEM to any platform, companies
need to go through 3 steps: consent,
identification and unsubscribe
Contact Forms Consent:
Criteria for tracking and recording consent
includes
 oral or written form
 the date it was obtained,
 the purpose it was obtained for,&
Email addresses  how it was obtained
Identification & Unsubscribe
The keyword here is transparency. Companies
need to clearly identify these factors:
(1)Name of sender, even if third party behalf on
Text messages it.
(2)Clearly visible unsubscribe mechanism and
available to opt-out at any time. The recipient’s
name must be removed within 10 days if
requested. E-Newsletter Footer Example of CASL Compliance
Social (3)Contact account must be an active for 60 days
networking at least.
accounts (4)Reason why recipient receiving it from sender.

3 Source: Eye Light

How GDPR impacts businesses
Who is affected most by GDPR in marketing?

Email marketing managers

In B2B, emails are integral part of lead generation program. In the sale
process, companies must ensure that email users are willing to give their
email address through affirmative consent. If companies buy emailing list
or copying them from website, it is violation under GDPR.

Marketing automation specialists

Every information in CRM database and every email in automation system
must be given consent to. If someone opts out of an automated email
sequence, the system must be updated for no further emails sent.

Public relation executives

If PR specialist wants to pitch a press release or company announcement
to journalists, journalists still need to give consent to be contacted by PR
execs rather than traditional email outreach program.

4 Source: Super Office

 How GDPR impacts businesses
Marketers should consider key areas: data permission –
data access – data focus.
Data permission
Businesses need to make sure that they actively
obtain (not assume) permission from leads,
Data customers, and partners physically confirming they
permission
want to be contacted.
For instance, businesses now have to ask customers
to opt-in for product updates, news and offers, instead
Data
Data focus of assuming that those who register for free trial want
access
to receive the marketing emails in the future.
For referral program, once customers enter a friend’s
email, companies will automatically send notification
to that friend without consent from him/her. But,
companies are not allowed to use these emails for
marketing purposes.

5 Source: Super Office

 How GDPR impacts businesses
Marketers should consider key areas: data permission –
data access – data focus.

Data focus
Businesses should avoid collecting unnecessary
Data
permission data and focus on the basics.
For example, if marketers want know a visitors
shoe size, and can prove why they need it, then

Data they can continue asking for it.

Data focus
access
Data access
Businesses are responsible for making their
customers easily access their data and remove
consent at anytime.

6 Source: Super Office

 Bright side of both CASL and GDPR
CASL and GDPR are good for data quality
•It is a great chance for companies to find out what their contacts are really interested in and they can take advantage of it
Understan through consent form. If customers choose more than one area of interest, companies can consider as a cross-sale
ding of opportunity.
contact’s
interest

•Even though the emailing list may reduce, the open and click-through rates would be increased since companies only send
marketing emails to contacts that they are mostly likely to find them relevant.
Improved
metrics

•In CRM database, duplicate is a very common problem. However, consent could be a solution to reduce a significant
number of duplicates. In other words, if companies have more than record for a contact, the contact could receive mailings
Control of for which they had not give consent to. That means companies would be more responsible for regular updating the
duplicates database if they don’t want to violate the regulations.

•Under regulations, records with only email address without mailing address may not be archived. It also means the contact
Fewer records would be more complete. This is clearly beneficial for sending event invitations based on guests’ location.
incomplete
records

•The key to the success of CRM is high-quality data. Besides, poor data costs companies more than data cost as fines for
Better non-compliance are huge under the regulations, about 4% of a company’s annual revenue. Now companies have a very
CRM good reason to improve data.
adoption

7 Source: JD Supra
Recommendation
What businesses need to prepare for CASL?

 Do not buy generic lists. The best way to get high-quality

email list is to build a relationship with contact companies want
to obtain permission from.
 Find interests and needs of customers and prospects.
Companies need to give them value through their products or
services then they will give consent.
 Select appropriate email marketing tool. That tool should
not only allow recipients to opt out at anytime but also allow
companies to send a permission alert to email recipients at the
first time.

8 Source: Marketing Copilot

Recommendation
What businesses need to prepare for GDPR?
Phase 1. Getting consent
 Send consent form through an affirmative action
 Record how and when consent is received
 Clean the database and lists to ensure compliance with regulations
Phase 1:  Add a data field into list and database where consent is recorded
Getting  Apply direct marketing campaigns
consent

Phase 2. Building process to remove data subject

 Audit database and ensure that the system allows to remove data at
individual level, if not, upgrade to the latest version
 Build procedures and contracts with data processors to make sure
Phase 2: these data processors and third-party partners have the ability to
Phase 4: Building
Preparing process to remove them
for breach remove data
subject
Phase 3. Building process to rectify
 Build procedures to keep data clean and updated
 Give individuals the rights to correct or fix untruthful or inaccurate
data
Phase 3: Phase 4. Preparing for breach
Building
process to  Build a fast and efficient process to send out breach notification to
rectify affected contact in case of data breach
 Develop a process to notify data protection authorities

9 Source: Engines
Future landscape
GDPR’s impacts for Canadian businesses next years

Built-In Privacy Solutions

Canadian businesses would design the built-in technology solutions to ensure the businesses activities to be compliant with the
regulation from the start. The consumer brands with focus on those solutions will gain a competitive advantage.
Top priority to tech, media, and telecom companies
According to PwC, over 50% of tech, media and telecom companies consider data privacy as one of the top priorities which are
most impactful to their business. In the near future, more and more companies would prioritize privacy as their key policy. PwC
found that companies integrate privacy into all business operations from the start of process would be three times more likely to
achieve ROI than those who don’t.
Impact on every aspect of business
Although privacy regulations are directly associated with Marketing, GDPR would touch every aspect of business such as
finance, logistics, customer service, and so forth. It is not just a data management or legal issue, but also a business process
issue. Hence, a new position like Chief Privacy Officer in companies could be required.

10 Source: SAS, PwC, Corporate Compliance Insights

 Works cited
1. “A Comparison of CAN-SPAM, CASL, and GDPR”, Brain Station, 9th Jan 2020, blog.brainstation.io/a-
comparison-of-can-spam-casl-and-gdpr/. Accessed 30th Jan 2020.
2. Barber, Daniel. “The Future of Data Privacy Regulation”, Corporate Compliance Insights,
www.corporatecomplianceinsights.com/future-data-privacy-regulation/. Accessed 1st Feb 2020.
3. “CASL Will Affect Your Business”, Eye Light, www.eyelight.com/article/casl-will-affect-your-business. Accessed
30th Jan 2020.
4. “Cyber crime in Canada”, Statista Global Consumer Survey, 2016
5. Finerty, Dan. “GDPR and Canadian Business: Be prepared”, SAS Canada,
www.sas.com/en_ca/insights/articles/data-management/local/gdpr-canadian-business.html. Accessed 1st Feb
2020.
6. Fritsch, Chris. “GDPR and CASL: Why Data Privacy Rules Are Good for Data Quality”, JD Supra,
www.jdsupra.com/legalnews/gdpr-and-casl-why-data-privacy-rules-98929/. Accessed 31th Jan 2020.
7. GDPR: What it Means for Canadian Businesses”, Enginess, 23rd April 2018, www.enginess.io/insights/gdpr-
what-it-means-for-canadian-businesses. Accessed 1st Feb 2020
8. “How does the Canadian Anti-Span Legislation (CASL) affect your business?”, Marketing Copilot,
marketingcopilot.com/how-does-casl-affect-your-business/. Accessed 31st Jan 2020.
9. “Leading forms of spam considered as offensive according to consumers in Canada as of August 2015, Statista
Global Consumer Survey 2015
10. MacDonald, Steven. “GDPR for Marketing: The Definitive Guide for 2020”, Super Office, 3rd Jan 2020,
www.superoffice.com/blog/gdpr-marketing/. Accessed 30 Jan 2020.
11. “Top Policy Trends 2020: Data privacy”, PwC, www.pwc.com/us/en/library/risk-regulatory/strategic-policy/top-
policy-trends/data-privacy.html. Accessed 1st Feb 2020.

11