It’s been five years in the coming, but the new Canadian Anti-Spam Law (CASL) is nearly here at last. The new requirements go into effect July 1st, so if you haven’t made preparations for compliance yet, now’s the time to get started.

The new law applies to anyone who sends mail to recipients in Canada, and requires senders of email to have or to obtain permission from those recipients to send them marketing messages. The problem, of course, is that unless senders have been collecting geographic data about their recipients at the time they gathered permission, it’s hard to know whether any particular recipient is in Canada. Furthermore, the burden rests on the sender to prove that they had consent should any action be brought under under the law.

Compliance can be a tall order, especially for senders who’ve been a little lax in segmenting their lists, or keeping track of how and when permission was obtained. Here’s a list of frequently asked questions to help you assemble a compliance plan. Bear in mind that I’m not a lawyer, nor do I play one on TV. I cannot provide legal advice, and this article should not be construed as legal advice. If you have questions about the law, it’s always best to consult legal counsel.

Who should comply? Anyone sending mail to recipients in Canada – even if the sender themselves is not a Canadian citizen – must comply. Also, there’s no “willful and knowing” aspect to violations. In other words, it is not a defense to claim that the sender did not know that the recipient of their unpermissioned mail was in Canada.

What happens if I don’t comply? The financial penalties for non-compliance can be stiff – up to $10-million for corporations and $1-million for individuals. Starting in 2017, individual recipients in Canada can sue senders of unpermissioned mail and claim damages of $200 per message.

What must I do to become compliant? In a nutshell, senders cannot send mail to anyone who has not explicitly opted in to their mailing list. If you’re not sure whether you have explicit consent from any Canadian recipients on your lists, it’s time to go back and obtain that consent. If you use an ESP, it’s time to get on the horn with their deliverability team to develop a confirmation strategy for your recipients, and suppress or remove any recipients who do not opt in to continue receiving your mail.

Are there exceptions in the law for consent that may not be explicit? It’s not an exception per se, but there is an important provision in the law that gives senders a three year transition period to obtain explicit consent from recipients who’ve previously given only implied consent. If you’ve followed your ESP’s permission-based practices (as required by their terms of service), the contacts you already have in your ESP account may already qualify for implied consent under the law. For any new contacts from whom you acquire implied consent during and after the transition period expires, the law provides a two year clock that starts at the time consent is acquired to meet the explicit consent requirement.

What else qualifies as implied consent under CASL? An existing business relationship with the recipient (such as a previous purchase within the last two years) or if the recipient had made an inquiry to the sender in the last six months are both good examples of implied consent under the law. Implied consent also exists if the recipient has “conspicuously published” their email address without an accompanying statement that they do not wish to receive unsolicited mail, AND the mail “is relevant to the [recipient’s] business, role, functions or duties in a business or official capacity”.

What doesn’t qualify as consent? The point of the law is to require that recipients have committed some sort of affirmative act to communicate permission to the sender. Pre-checked checkboxes on electronic forms submitted to the sender to sign up for mail is not consent under the law. Senders cannot send a message that says, “If you want to continue to receive our mail, do nothing” and rely upon inaction as proof of consent. These are just two examples, but they are illustrative of the general point that, in order to be meaningful (and legal), consent must be explicit and never assumed.

What if I am not a business? If you’re sending  for your school’s newsletter, Church group or similar organization, CASL still applies to you. The law creates a type of implied consent for existing non-business relationships, where “an individual has made a donation or gift in the last two years, or performed volunteer work in the last two years, to or for a registered charity or political party, organization or candidate or where the individual is a member of certain clubs, associations or voluntary organizations.” Non-business senders must still obtain explicit consent from their recipients, but they get the same three year transition period to obtain that consent as business senders.

What other requirements are there aside from consent? CASL requires all messages to have a functioning unsubscribe mechanism in the message, typically a link that loads an unsubscribe page in a web browser. Mail that most US-based ESPs send on behalf of its customers may already meet this requirement, which mirrors existing requirements of the US CAN-SPAM law. Senders must also accurately identify themselves within the message itself, typically with the postal address where the sender can receive postal mail. This is also a CAN SPAM requirement, and many ESPs populate the sender’s postal address in mail sent on their behalf. Make sure the address you provided in your ESPs application is up to date.

Is there anything else I can do to mitigate the risk of CASL infractions? Yes. There is an affirmative defense against action brought under CASL for “due diligence.” If the sender of an infringing message can demonstrate that it had made a reasonable effort to comply with the requirements of the law at the time of the violation, the sender may be able to avoid liability. So, senders should not only construct a good compliance strategy and execute it, but they should also thoroughly document that strategy and its implementation.

Establishing and maintaining compliance with CASL can be tricky, but with a good plan, strict application of best practices for consent and list hygeine, and careful organization of your contacts, senders can ensure they’re on the right side of the law well before the end of the three year conversion window.