
CASL & GDPR Checklist for Association Communications

Date Updated: July 2025

 

Understanding privacy laws like Canada's Anti-Spam Legislation (CASL) and the General Data Protection Regulation (GDPR) can feel overwhelming. This checklist is a quick way for you to confirm that your association's messages follow the regulations.
 

CASL (Canada's Anti-Spam Legislation)

If it's a commercial electronic message (CEM) – basically, anything you send electronically to promote, advertise, or encourage participation in a commercial activity – and it touches Canada, you need consent, clear identification, and an easy escape route (unsubscribe). 

 

Your CASL Checklist:

Consent Management:

Express Consent: 

  • Are you getting clear "yeses" for all your CEMs? Think: no pre-checked boxes, no opt-out defaults. It's about an active, affirmative nod from the recipient.

  • When someone says "yes," do you clearly tell them what they're saying "yes" to? For example, "Yes, sign me up for your monthly newsletter!" or "I want updates on upcoming events." 

  • Are you keeping solid records? We're talking date, time, IP address, the exact form they used – proof of that consent for each contact.

Implied Consent:

  • If you're leaning on "implied consent" (like an existing business relationship or a publicly listed email without an opt-out), are you absolutely, 100% certain you meet CASL's very specific criteria? 

  • Do you have a system to track when that implied consent expires? (Generally, two years from the last interaction, six months for an inquiry). 

  • Are you actively trying to convert those implied consents into express consents? 

Identification:

  • Does every single CEM you send clearly state who it's from? Your association's name should be front and center.

  • Is your actual, physical address included in every CEM? 

  • Do you provide at least one other way for people to contact you (phone, email, website URL)? And does it stay active for at least 60 days?

Unsubscribe: 

  • Is your unsubscribe link obvious and easy to use in every CEM? No hidden buttons, no tiny text.

  • Does that unsubscribe link work for at least 60 days after you send the message?

  • Is the process free and frictionless? No logins, no hoops to jump through. 

  • Are you processing unsubscribe requests within 10 business days?

  • And finally, do you have a system to make sure once someone unsubscribes, they're off all relevant lists, immediately?
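The consent and unsubscribe items above describe a record-keeping system: proof fields for every express consent, an expiry clock on implied consent (two years from the last interaction, six months for an inquiry), a list of implied consents worth converting, and a suppression list that applies to every mailing list the moment someone unsubscribes. The following is an added example of such a ledger, not code from the original page; it assumes email address as the contact key, day counts (730 and 183) standing in for two years and six months, and weekdays only (no public holidays) when computing the 10-business-day unsubscribe deadline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Consent bases. The implied windows follow the checklist's "two years from
# the last interaction, six months for an inquiry"; the day counts are an
# assumption standing in for calendar months.
EXPRESS = "express"
IMPLIED_RELATIONSHIP = "implied_business_relationship"
IMPLIED_INQUIRY = "implied_inquiry"
IMPLIED_WINDOWS = {
    IMPLIED_RELATIONSHIP: timedelta(days=730),
    IMPLIED_INQUIRY: timedelta(days=183),
}
UNSUBSCRIBE_DEADLINE_BUSINESS_DAYS = 10


@dataclass
class ConsentRecord:
    email: str
    basis: str
    obtained_at: datetime             # when consent was given / last interaction
    ip_address: Optional[str] = None  # proof fields, required for express consent
    form_id: Optional[str] = None
    consent_text: Optional[str] = None


class ConsentLedger:
    """Per-contact consent records plus one suppression list shared by every mailing list."""

    def __init__(self) -> None:
        self._records: dict = {}       # email -> ConsentRecord
        self._unsubscribed: dict = {}  # email -> time of the unsubscribe request

    def record_express(self, email, at, ip_address, form_id, consent_text):
        # Refuse to store express consent without the proof needed to show it later.
        if not (ip_address and form_id and consent_text):
            raise ValueError("express consent needs IP address, form id and the text agreed to")
        self._records[email] = ConsentRecord(email, EXPRESS, at, ip_address, form_id, consent_text)

    def record_implied(self, email, basis, last_interaction):
        if basis not in IMPLIED_WINDOWS:
            raise ValueError(f"unknown implied basis {basis!r}")
        current = self._records.get(email)
        if current is not None and current.basis == EXPRESS:
            return  # never downgrade an express consent to an implied one
        self._records[email] = ConsentRecord(email, basis, last_interaction)

    def unsubscribe(self, email, at):
        # Suppression is global and immediate; the 10 business days is only the outer limit.
        self._unsubscribed[email] = at

    def may_send(self, email, now):
        """Return (allowed, reason) for sending a CEM to this contact right now."""
        if email in self._unsubscribed:
            return False, "unsubscribed"
        rec = self._records.get(email)
        if rec is None:
            return False, "no consent on record"
        if rec.basis == EXPRESS:
            return True, "express consent"
        expires = rec.obtained_at + IMPLIED_WINDOWS[rec.basis]
        if now >= expires:
            return False, f"implied consent expired on {expires.date()}"
        return True, f"implied consent valid until {expires.date()}"

    def expiring_within(self, now, horizon):
        """Contacts whose implied consent lapses within `horizon`: ask them for express consent."""
        due = []
        for rec in self._records.values():
            if rec.basis == EXPRESS or rec.email in self._unsubscribed:
                continue
            expires = rec.obtained_at + IMPLIED_WINDOWS[rec.basis]
            if now <= expires <= now + horizon:
                due.append(rec.email)
        return sorted(due)


def business_days_after(start: datetime, n: int) -> datetime:
    """Advance `start` by n weekdays (Mon-Fri); public holidays are not modelled (assumption)."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def demo() -> dict:
    """Run the ledger over constructed sample contacts and return each decision."""
    utc = timezone.utc
    now = datetime(2025, 7, 1, tzinfo=utc)
    ledger = ConsentLedger()
    ledger.record_express("a@example.org", datetime(2024, 1, 15, tzinfo=utc), "203.0.113.5",
                          "newsletter-signup-v3", "Yes, sign me up for your monthly newsletter!")
    ledger.record_implied("b@example.org", IMPLIED_RELATIONSHIP, datetime(2023, 8, 1, tzinfo=utc))
    ledger.record_implied("c@example.org", IMPLIED_INQUIRY, datetime(2024, 12, 1, tzinfo=utc))
    ledger.record_express("d@example.org", datetime(2024, 3, 2, tzinfo=utc), "198.51.100.7",
                          "event-updates-v1", "I want updates on upcoming events.")
    ledger.unsubscribe("d@example.org", now)
    deadline = business_days_after(datetime(2025, 7, 4, tzinfo=utc), UNSUBSCRIBE_DEADLINE_BUSINESS_DAYS)
    return {
        "express": ledger.may_send("a@example.org", now),
        "implied_ok": ledger.may_send("b@example.org", now),
        "implied_expired": ledger.may_send("c@example.org", now),
        "unsubscribed": ledger.may_send("d@example.org", now),
        "to_convert": ledger.expiring_within(now, timedelta(days=60)),
        "unsubscribe_deadline": deadline.date().isoformat(),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The point of `may_send` is that every outgoing CEM asks the ledger first, so an expired implied consent or a fresh unsubscribe is caught at send time rather than in a later audit; `expiring_within` is what drives the "convert implied to express" campaign the checklist asks for.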

Message Content & Common Sense:

  • Are your subject lines honest and true to what's inside the email? 

  • Are you avoiding any false or misleading claims in your CEMs? 

  • If you're using an outside service to send your CEMs, are you confident they are also following CASL's rules? 

 

GDPR (General Data Protection Regulation)

If you're dealing with personal data of anyone in the European Economic Area (EEA), regardless of where your association is located, GDPR applies. 

 

Your GDPR Checklist:

Data Inventory & Mapping: 

  • Do you have a clear picture of all the personal data you collect from individuals in the EEA?

  • Do you know exactly where this data comes from, where it lives (stored), and who can access it?

  • Can you articulate why you collect and process each piece of personal data? 

Lawful Basis for Processing: 

  • For every time you process personal data from EEA individuals, do you have a solid, defined legal reason (like consent, legitimate interest, or contractual necessity)?

If you're relying on consent for marketing, is it:

  • Freely given: No pressure, no hidden conditions.

  • Specific: They know exactly what they're agreeing to.

  • Informed: You've been upfront about what you're doing with their data.

  • Unambiguous: A clear, affirmative action – no room for doubt.

  • Easily withdrawn: Can they pull their consent just as easily as they gave it?

  • Are you documenting and storing evidence of this consent for every person?

Transparency & Privacy Policy: 

  • Is your privacy policy easy to find and understand? 

  • Does your privacy policy clearly spell out individuals' GDPR rights?

  • Are you telling users about your cookie usage on your website and giving them clear options for consent?

Data Subject Rights: 

  • Do you have a smooth process in place to handle requests from individuals who want to exercise their GDPR rights (e.g., "Show me my data," "Please delete my data")?

  • Can you actually fulfill "right to be forgotten" requests by deleting an individual's personal data when they ask and when the law requires?

Data Security & Breaches: 

  • Are you taking appropriate technical and organizational steps to protect personal data from prying eyes, loss, or destruction?

  • Do you have a plan for spotting and investigating personal data breaches, and for reporting them to the relevant authority within the tight 72-hour window?

Third-Party Processors: 

  • If you're working with outside services (like email marketing platforms, CRMs) that handle EEA personal data, are their contracts GDPR compliant?

  • Have you checked to ensure these third-party processors also meet GDPR's tough security and data protection standards?

What's Next for Your Association's Marketing Compliance?

  1. Review & Document: Go through this checklist. Write down your current practices and any gaps you find.

  2. Update & Refine: Based on your findings, update your privacy policy, your internal data handling procedures, and how you get consent.

  3. Train Your Team: Make sure everyone on your team involved in communications and data handling knows CASL and GDPR. 

  4. When in Doubt: Bring in legal counsel who specializes in privacy laws.