When your contacts give you verbal or written permission to email them, or sign up for your contact list through one of our sign-up tools, Constant Contact considers them to be active contacts that can be emailed. When it comes to collecting email addresses under the Canadian Anti-Spam Legislation (CASL) or the European Union's General Data Protection Regulation (GDPR), there are additional permissions you need to be concerned with:
Implied Permission Under CASL
Existing Relationships
Under CASL, which went into effect on July 1st, 2014, implied or implicit permission is in place where some previous relationship exists, but express or explicit permission hasn't been granted. Examples of existing relationships include:
Business relationships where the email recipient has:
- Bought or leased a product, good, service, or land from the business owner in the past two years.
- Been involved in a business, investment, or gaming opportunity with the business owner in the past two years.
- Entered into a written or electronic contract with the business owner in the last two years.
- Made an inquiry about products, goods, services, or land in the past six months.
- Made an inquiry about or submitted an application for a business, investment, or gaming opportunity in the past six months.
Non-business relationships where the email recipient has:
- Made a donation or gift to a registered charity or political organization in the past two years.
- Volunteered with a charity or political organization in the past two years.
- Been a member of a club, association, or voluntary organization in the past two years.
 | Important: Contacts collected from social media profiles do not give you any form of consent to email. For example, connecting with someone on LinkedIn does not give you implied or express permission to mail that person through your Constant Contact emails. You are simply connected on LinkedIn and nothing more. |
Expiration of the Relationship
You can't keep contacts with implied permission on your list forever. Implied permission expires after six months or two years, depending on the type of relationship (see above). When the relationship expires, the contact must be removed from your mailing list.
For any contacts captured:
- Before July 1, 2014 - July 1, 2017 was the deadline under CASL to get express permission from the contacts on your list before CASL went into effect, or remove them from your list entirely.
- After July 1, 2014 - Contacts added after CASL went into effect can stay on your list for six months or up to two years after the transaction that started the relationship. After the relationship ends, you must remove them from your list or ask them for express permission to email them.
If the contact enters into a new relationship - for example, by buying something, volunteering, or inquiring about an opportunity - it resets the clock and restarts the relationship on the date that contact took the action.
 | Did you know? You can find old contacts for removal by adding the "Date Added" column to the contacts table and filtering your list by status type. Aging your list is a good habit to get into because it ensures you're not keeping old email addresses on your list, and it improves your open rates too. |
Implied Permission Under the GDPR
Under the GDPR, which went into effect on May 25th, 2018, there may be circumstances where you can rely on a "soft opt-in" for sending emails to contacts. A soft opt-in means that:
- You have obtained their contact details in the context of a sale of a product or service.
- You are sending emails relating to similar products or services.
- Contacts have the ability to opt-out of receiving such emails when they first provided their data, when making a purchase, and in every subsequent email from you.
You should consult with your legal counsel to determine whether you can rely on the soft opt-in going forward under the GDPR. If you have contacts with soft opt-in consent, you can mark them as having given implied consent in Constant Contact, but you will need to maintain your own documentation about how you obtained that soft opt-in consent.
Express Permission for CASL and the GDPR
Express or explicit permission is simple: you ask for specific permission from a person to send her an email and she agrees. But there are differences between CASL and the GDPR. CASL is an anti-spam law and specifically covers emails, while the GDPR is a data protection law that covers emails under a larger umbrella of broader privacy concerns.
Under CASL
When you ask for express permission to send an email, you need to use clear language and also include the following information to fully inform people about who will be emailing:
- Your name (or the name of the party/company asking for permission)
- Company or organization name
- Company or organization address
- Company or organization website
- Company or organization phone number
- Company or organization postal address
Sign-ups to your list must also be told:
- Which email provider will be sending the emails.
- That they can unsubscribe at any time.
Under GDPR
When you ask for permission to email, you need to:
- Make giving consent a true opt-in process. For example, your contacts shouldn't have to uncheck a box to not receive your emails; they should have to check a box to receive them.
- Document the consent of your contacts. This includes who consented, the date, how they consented, and what they were told about giving their consent at the time.
- Clearly state all parties that are relying on the consent. For example, your contacts would need to know that you are asking for consent and that Constant Contact is the email provider you're using to send your emails.
- Make it easy for your contacts to withdraw their consent.
Gaining Express Permission to Email
The good news is that when you use the sign-up tools provided by Constant Contact, you're covered for both CASL and GDPR.
- All sign-up forms include your organization information.
- Nothing is pre-filled or pre-checked on the sign-up form. Your contacts must actively make the choice to submit it.
- The sign-up forms state that your contact is granting permission to be emailed by submitting the form.
- Every sign-up form mentions that a contact can unsubscribe at any time, and every email footer includes a "SafeUnsubscribe®" link.
- A statement that Constant Contact is the email provider and the link to our privacy policy are always present on our sign-up forms.
- When the form is submitted, your contact is automatically documented as having given express consent within your Constant Contact account.
- When the form is submitted, the sign-up tool used is also tracked for each contact in your Constant Contact account.
- If a contact unsubscribes, that contact is added to an "Unsubscribed" list in your Constant Contact account so that you can't accidentally email that contact. The only way to remove a contact from the "Unsubscribed" list is if the contact signs up for your list again through one of our sign-up tools.
We also have tools in place so that you can document express consent from the existing contacts already on your list:
- GDPR and CASL Templates - If you have contacts in your account with implied permission for CASL or without express permission for GDPR, you can request their express permission to email them through our templates designed specifically for CASL and GDPR. Your contacts click the button in the email and are documented as having given their express consent.
- Update Profile Form - Every footer includes a link to the Update Profile form. Your contacts can click the link to update their contact information or, if you have multiple email lists, they can pick and choose which ones they want to be a part of. When your contacts submit their changes, they're documented as having given express permission to email.
In addition, by turning on the Confirmed Opt-in feature, anyone who signs up for your contact list through one of our sign-up forms is automatically sent a confirmation email. Those contacts must click the link in the email to start receiving your emails. It's not required for CASL or the GDPR, but it's an extra measure to make sure that those who sign up for your list really do want to receive your emails.
