Senior managers within an organization can give permission to email people within their organization providing the email address is their comany address. So if Microsoft is a customer of yours, you can request and recieve "blanket permission" to email Microsoft employees regarding the goods or services you provide.
In addition, if someone publicly displays their email address, under the following conditions you can send them CEMs.
Implied Consent - referral or conspicuously published
This is what has become known as the B2B Clause. If someone:
1. displays their email publicy, online or otherwise,
2. does not include a statement indicating non-solicitation
3. is currently in a role that is relevant to the content (CEMs) you intend to send them
Again, this form of consent is implied therefore lasts 2 years from the date you can prove the above 3 factors. Remember the onus of proof is on you.
Can I send CEMs to an email address I find online?
It depends on the situation. You can only rely on this conspicuous publication—or in other words, when someone posts or publishes their email address—when:
There is no statement in connection with the address that the person does not want to receive CEMs at that address;
The content of your CEM is relevant to the recipient's business, role, functions, or duties in a business or official capacity.
See section 10(9) of CASL for more details.
Not sure whether your content is related to a recipient's business, role, functions or duties in a business or official capacity? Here's an example for clarification.
A company conspicuously publishes on its website the email addresses of its employees, including the chief operating officer (COO) and the marketing officer. There are no accompanying statements that the employees do not want to receive CEMs at those email addresses.
Example 1: A training company sends a CEM to the COO. This CEM promotes a course on how to be an administrative assistant. This CEM is not relevant to the recipient's business, role, functions or duties in a business or official capacity. Accordingly, the training company cannot rely on conspicuous publication as a form of implied consent for the sending of this CEM.
Example 2: A training company sends a CEM to the marketing officer. This CEM promotes a course on how to develop social media platforms for e-marketing. In this case, the CEM is relevant to the recipient's business, role, functions or duties in a business or official capacity. Therefore, the training company could rely on conspicuous publication as a form of implied consent for the sending of this CEM.
Remember that under CASL, the sender of a CEM has the onus of proving consent. Therefore, if relying on conspicuous publication, the sender has the responsibility of demonstrating, if needed, how its situation meets the criteria for implied consent.
How can I prove I have consent?
You must be able to prove that you have consent of the recipient before sending CEMs. If you're relying on implied consent, you need to prove that your situation meets the criteria for implied consent under CASL. The CRTC issued guidance to help businesses develop corporate compliance programs, which may help facilitate compliance, reduce the likelihood of violating CASL, and help businesses establish a due diligence defense in relation to a violation prescribed by CASL. If you continue to send CEMs over time, based on implied consent, there is an ongoing need to maintain accurate records.
Here are some examples of situations in which you would need to prove that you have obtained implied consent:
Example 1: A company collects email addressesFootnote 4 from websites or other media publications. If the company wants to rely on conspicuous publication as a form of implied consent, then the company must be able to prove that there were no statements against receiving CEMs on the website or in the advertisement where the email addresses were collected, and must demonstrate how the CEMs were relevant to the recipients' business, role, functions or duties in a business or official capacity. For example, to prove there were no statements against receiving CEMs a company could record screenshots or have a contemporaneous record of the publication where the address was listed, including information such as the date, email address and URL.
Example 2: A company uses a third party which provides the company with a list of email addresses. These addresses were collected from websites or other media publications where they were conspicuously published. Even though the company did not create the list, as the sender of the CEMs, it must still be able to prove that consent was implied, in accordance with the requirements of CASL. The company should therefore take all reasonable steps to assure itself that the list it is relying on meets the requirements set under CASL.
Example 3: A company acquires a business where the contract included provisions transferring a list of email addresses for which consent has been obtained as part of all its assets and wants to send a CEM to a person that purchased a product from the original business one year ago. The onus of proving consent rests with the person sending the CEM. In this case, the acquiring company must be able to prove consent by demonstrating that the EBR existed and that the person has not since unsubscribed, or that they exercised due diligence when sending the CEM. To prove consent, a company's records should be made within a reasonable period of time from when consent was obtained, and should include information such as the electronic address, the date and the method that consent was received (e.g. acquired through purchase of another business).
Example 4: A company receives implied consent from a person disclosing their email address verbally or in writing, perhaps by providing their business card at a tradeshow. To create a record of the implied consent, the company could, as an example, send the person an email referencing the conversation and date where the disclosure was made, and then keep this email (and any response) in their records. Keep in mind that the confirmation email sent may be considered a CEM. As a result, the company must ensure that proper identification information and an unsubscribe mechanism are included in the message.
Note that these examples are not exhaustive and you may have alternative records that demonstrate consent.