Safe Harbor Compliance and Canadian Anti-Spam Law

Church Community Builder recently became more aware of information privacy laws in the United Kingdom and communication laws in Canada. We’d like to take a moment to update you on what we have found and steps we have taken to better serve you.

Safe Harbor Compliance

We are happy to announce that as of August 8, 2014, Church Community Builder is fully compliant with the Safe Harbor framework, allowing all churches within the European Economic Area (EEA) the opportunity for full compliance while using the Church Community Builder software!

What is Safe Harbor? Safe Harbor is a streamlined process for U.S. companies to comply with European Union (EU) directives on the protection of personal data. The Safe Harbor framework was developed by the U.S. Department of Commerce in consultation with the EU and is designed to prevent accidental information disclosure or loss by adherence of Safe Harbor Principles. To this end, Church Community Builder has certified it complies with the seven Safe Harbor Privacy Principles of Notice; Choice; Onward Transfer (Transfers to Third Parties); Access; Security; Data Integrity; and Enforcement. For more information about the Safe Harbor program, please visit the U.S. Department of Commerce Safe Harbor site at

Want deeper background? There are a number of information privacy laws in the United Kingdom and European Economic Area (EEA) and the Information Commissioner’s Office (ICO) is the enforcing entity for all things information privacy in the United Kingdom. They obtain their authority from the Ministry of Justice. While the ICO doesn’t legislate, they enforce five legislations. The ICO’s reach extends to all organizations within the United Kingdom. Additionally, much of this legislation is extended to all countries in the European Economic Area (EEA). So, if you are a church located in the United Kingdom or in the EEA, see the table below for how the ICO’s authority may apply to you, especially as it relates to the use of your Church Community Builder site.

  Does Church Community Builder offer full compliance for European churches? Applies to:
INSPIRE Regulations Yes Public Authorities
Environmental Information Regulations (EIR) Yes Public Authorities
The Freedom of Information Act (FIA) Yes Public Authorities
The Data Protection Act (DPA) Yes All Organizations
The Privacy and Electronic Communications Regulations (PECA) Yes All Organizations

How do these laws affect our church?

INSPIRE, EIR and FIA apply to public authorities, or to organizations storing information on behalf of public authorities. In most cases, these laws shouldn’t apply to you as a church.

DPA is the most critical legislation because it applies to all organizations within the United Kingdom that store information. Principle 8 in DPA substantiates that to transfer data lawfully out of country, the out-of-country organization must either be a participant of the EEA, or must meet the guidelines as defined by the ICO. Specifically, in order for United States–based organizations to meet ICO guidelines, which in turn allows United Kingdom organizations to lawfully transfer data to U.S.-based organizations, those U.S. organizations must achieve compliance through the Safe Harbor framework. The Safe Harbor framework is specifically designed for U.S. organizations to demonstrate compliance with ICO. Upon this realization, Church Community Builder made the decision to become Safe Harbor compliant.

PECA, under the spirit of the law, seems not to be targeted at churches. However, the letter of the law may still apply to churches. The one principle that stands out in PECA is one of cookies notifications. This has been a topic of great discussion. We have taken additional steps to provide even greater notice about the storing of cookies, which provides opportunity for full compliance with the law.

Does our church need to do anything to make sure we are compliant?

When it comes to your use of the Church Community Builder software, you don’t need to do anything to demonstrate compliance to your local enforcing agencies. However, all these laws have great implications for privacy practices of all EEA-based organizations. there are many facets of information privacy beyond the scope of your Church Community Builder site which affect your church’s compliance with local and state law. We recommend you review ICO guidelines to determine if your organization is compliant with laws.

Canadian Anti-Spam Legislation (CASL)

What is CASL?

The Canadian Anti-Spam Law (CASL) went into effect July 1, 2014. CASL governs the sending of commercial electronic messages (CEMs) to residents of Canada. It aims to protect Canadian residents from spamming, hacking, malware, spyware, fraud, and other forms of privacy invasions.

CASL applies to residents of Canada but is not limited to just Canadians. Any time a device is used to access an electronic message in Canada, it is subject to the law. Essentially, American business entities and professional organizations must abide by CASL on any correspondence with Canadians.

The vast majority of emails churches send — by nature of their content — are exempt from the Act. For those that are not exempt, there are provisions that allow you to freely email active and recent members of your church.

What is a Commercial Electronic Message (CEM)?

A Commercial Electronic Message (CEM) is defined by CASL as:

“An electronic message that, having regard to its content, or its links, or the contact information provided, would reasonably be determined to have as a purpose encouraging participation in a commercial activity.”

Under CASL, commercial activity may be both for profit and non-profit. In the case of churches, sales of concert tickets, fundraising sales, and similar activities would be considered commercial activity.

In order to be deemed a CEM, the message only needs to contact one item which is intended for commercial activity. For example, if your weekly newsletter advertises many noncommercial activities, but has one small link for the sale of tickets, the entire message is considered CEM.

However, CASL does provide one exemption for CEMs: emails which are primarily intended for fundraising or obtaining donations are exempt. Note the word primarily. If an email is mostly about other matters but includes some fundraising content, it is not exempt and can still be considered a CEM.

How do churches ensure CEMs are compliant?

A CEM is compliant with CASL if it meets three requirements:

  • Consent
  • Identification Information
  • An Unsubscribe Mechanism

The Church Community Builder software provides both identification information and an unsubscribe mechanism for all emails. Consent is the responsibility of the church/organization.

How do churches ensure CEMs have consent?

CASL defines consent as either implied or express (see definitions below). CASL has provided a three-year window in which implied consent is satisfactory to meet the requirement of the law (beginning July 1, 2014). At the conclusion of this window, express consent is required.

  • Implied consent is based on the nature of the relationship between the sender and recipient. Specifically, implied consent requires a personal relationship, meaning contact is held with the recipient beyond the virtual world and within an existing non-business relationship. Within the church, an example of personal relationship might be a member or a volunteer (for up to two years after the recipient has stopped being a member or volunteer).
  • Expressed consent is based on whether the recipient has positively indicated they wish to receive information from you and lasts indefinitely until consent is withdrawn.

How do churches obtain express consent?

The following information must be included with the request for consent:

  • A clear and concise description of your purpose in obtaining consent
  • A description of messages you'll be sending
  • Requestor's name and contact information (physical mailing address and telephone number, email address, or website URL)
  • A statement that the recipient may unsubscribe at any time

While Church Community Builder provides the opportunity for compliance with the requirements of CASL, it is ultimately the responsibility of the church/organization to read, interpret and understand the implications of the law and make decisions on how you wish to comply.

Note: This text is provided with the understanding that Church Community Builder is not rendering legal or other professional advice or service. Professional advice on specific issues should be sought from a lawyer or other professional. For more information specifically about any of the laws discussed in this post, please refer to appropriate governing authorities (ICO and CASL).

Topics: This entry was posted in Software News, This entry was posted in Communications, This entry was posted in Blog

Posted by Church Community Builder Marketing Team on Aug 12, 2014 7:00:17 AM