Form Visibility Rules

Thanks for that clarification Dan Stevens​! The definition of a transactional message is really helpful and I think I have a better idea of how I need to set my forms/emails up now. I really appreciate it!

I think what's still unclear, Sandy, is that for a user to proceed in submitting the form - and making the field required, aka "checked"

You can't prevent someone from submitting a form? You must let them submit it, even if they don't agree to the terms? If their desired data privacy terms are stricter than GDPR, are you then obliged to comply with their terms because you aren't allowed to stop their data from entering your system?

Compelling private companies to allow user data into their systems, even when the user specifically refuses to agree to public and private restrictions, sounds really implausible. (Government sites may be another issue.)  CASL doesn't have anything to say about this, that's clear.

Requiring someone to check a box to prove that the user agrees to the terms presented to them is one thing (and we do this all the time as part of our "Gifts & Entertainment" policy when user register for events that exceed a certain value (e.g., when we're paying for their hotel room)).  That's different than an opt-in checkbox to provide explicit consent to send marketing emails in the future.

And the unchecked opt-in checkbox to provide express consent (on the front end at least, pending round-trip confirmation) is what you're saying is not allowed? There would then be no way for the person to provide express consent. Meaning you legally can't contact them again, even though a statute exists that allowed you to gather express consent and proceed. Strange, dude!

No, what I'm saying is that requiring a user to CHECK that checkbox before they can submit the form is where the issue lies.  A user should have the right to leave the checkbox unchecked without having to subscribe to future marketing emails.

BTW, I'm learning more each day with regards to GDPR - and it's causing me heartburn.  While not explicitly required, using a double-opt-in approach is highly recommended.  Primarily so that someone can't opt-in on behalf of someone else.  Having that feedback/consent loop will be necessary should someone ask why they're receiving unsolicited marketing emails.

A user should have the right to leave the checkbox unchecked without having to subscribe to future marketing emails.

Ergo, a company is compelled to accept personal data into their systems via web forms from people who expressly refuse further contact.

But CASL doesn't say anything about that -- it doesn't require companies to do business with people who are not marketable.

I'm looping Grégoire Michelinto this thread.  Greg has some good perspectives on this - especially where spam/consent laws are strict (and will be even stricter, come next May with the EU GDPR).

Thanks Dan Stevens​! I appreciate it!

and check with your legal counsel.

"Canadian IP address" is not the same as "protected under CASL." It's not a valid way to comply with the statute.

ETA: In case this wasn't clear, a Canadian citizen who fills out a form on vacation in Rio is still protected by CASL.  Like Josh said, check with your counsel directly, but there's no exemption in the law for failing to ask the right questions.  False positives from non-CASL subjects who happen to fill out a form in Canada and need to opt-in are harmless, of course. False negatives from not making a reasonable effort to gather the lead's legal status, on the other hand, are harmful.

Great to hear there is another workaround Sanford. I was always curious why you couldn't use visibility rules dependent on a field not added on the form. So I would always just use my workaround I mentioned above and simply add the field to the form.