These steps are taken from the OPC website
What are some practical steps to take?
- Ask questions: It is your responsibility to confirm if a third-party company you are dealing with is aware of PIPEDA and abiding by its provisions. So, when buying a list of addresses from a vendor or employing a firm to conduct e-marketing on your behalf, be sure to ask:
- Where do they get e-mail addresses and how were they gathered? For example, are people providing their addresses knowing what they will be used for and have they provided their consent to this use? Or, are the addresses being generated or scraped, or otherwise collected indiscriminately?
- How was consent obtained? Even when your organization relies on a third-party to collect e-mail address lists for marketing purposes, you are responsible for ensuring that appropriate consent is obtained. Generally, an organization is required to inform individuals in a meaningful way of the purposes for the collection, use or disclosure of their email address, which is their personal information. Consent should be obtained before or at the time of collection, and renewed when a new use of the address is identified.
- How are the lists kept up to date? Organizations should enable individuals to withdraw consent to the use of their personal information at any time, subject to legal or contractual restrictions and reasonable notice.
- How are organizations purchasing and using lists kept informed of changes? When people whose addresses are on a list you purchased withdraw their consent, you need to know this, so that you can stop sending them commercial messages.
- Put it in writing: Once you’ve asked these questions, take appropriate steps to establish that you have exercised due diligence, by keeping a written record and/or contract with the list vendor or e-mail marketing firm. Make it a clear obligation up front that you don’t want to have your commercial messages sent to people who have not consented to:
- providing their email addresses; or
- receiving commercial messages.
Remember, you must have all this in writing as you may be called upon to PROVE that you took these steps and were doing your best to comply with CASL and PIPEDA.
