Canada’s Anti-Spam Legislation

Overview and status (last updated: November, 2014)

Canada’s Anti-Spam Legislation (CASL), which was passed in 2010, establishes rules for sending commercial electronic messages (CEMs) as well as the installation of computer programs, and prohibits the unauthorized alteration of transmission data. There are three stages of implementation: most of CASL came into force on July 1, 2014, the rules that apply to computer programs will come into force January 15, 2015, followed by the private right of action on July 1, 2017.

Both the Canadian Radio-television and Telecommunications Commission (CRTC), which is the enforcement agency under CASL, and Industry Canada, have passed implementing regulations. The CRTC regulations were finalized in March 2012, while the Industry Canada regulations were finalized as of December 4, 2013.

The Competition Act has been amended to prohibit false or misleading representations in the sending of a CEM, whether in the content, subject line, or sender information of a message.

Related amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) address the use of address harvesting and dictionary attacks, as well as the use of computer programs to surreptitiously collect personal information from a computer system.

CASL establishes new enforcement powers, enabling the CRTC to impose administrative monetary penalties,  in addition to a private right of action.

Sending Commercial Electronic Messages

CASL applies to most forms of electronic messaging, including email, SMS text messages, and certain forms of messages sent via social networking. Voice and fax messages are excluded, as they are covered by the Unsolicited Telecommunications Rules. The law applies broadly to any CEM that is sent from or accessed by a computer system located in Canada.

A CEM is defined broadly to include any message that has as one of its purposes to encourage participation in a commercial activity. This includes advertisements and information about promotions, offers, business opportunities, etc.

CASL creates a permission-based regime, meaning that, subject to specific exclusions, consent is required before sending a CEM. Consent can either be express or implied.

In order to obtain express consent the sender must:

  • clearly describe the purpose(s) for requesting consent;
  • provide the name of the person seeking consent, and identify on whose behalf consent is sought, if different;
  • provide contact information for either of those persons (mailing address and either a telephone number, email address of web address); and,
  • indicate that the recipient can unsubscribe.

The CRTC has stated that, in its opinion, a pre-checked box cannot be used to obtain express consent.

CASL provides that consent may be implied in any of the following four circumstances:

  • the sender and recipient have an existing business relationship (e.g., the recipient has made a purchase within the past two years, or an inquiry within the past two months);
  • the sender and recipient have an existing non-business relationship;
  • the recipient has conspicuously published their electronic address (e.g., on a website), has not expressly stated that they do not wish to receive unsolicited messages, and the message is related to the recipient’s professional capacity; or,
  • the recipient has disclosed their electronic address directly to the sender, has not expressly stated that they do not wish to receive unsolicited messages, and the message is related to the recipient’s business or official capacity.

Senders must include the following in every CEM:

  • the name of the person sending the message, and identify on whose behalf the message is sent, if different;
  • contact information for either of those persons (mailing address and either a telephone number, email address or web address); and,
  • a mechanism that allows the recipient to easily unsubscribe at no cost, which could, for example, consist of a reply to an email address or a web-based unsubscribe page.

There are a number of categories of excluded messages. CASL does not apply to a CEM that is sent

  • to someone with whom the sender has a family or personal relationship
  • to someone engaged in commercial activity consisting of an inquiry or application related to that activity
  • to another employee, representative, consultant or franchisee of an organization and the message concerns the activities of the organization
  • to an employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the recipient organization
  • in response to a request, inquiry or complaint or is otherwise solicited by the recipient
  • to satisfy a legal or juridical obligation
  • to provide notice of an existing or pending right, legal or juridical obligation, court order, judgment or tariff
  • to enforce a right, legal or juridical obligation, court order, judgment or tariff
  • and received on an electronic messaging service if prescribed identifying information and unsubscribe mechanism are conspicuously published and readily available on the user interface through which the message is accessed, and the recipient consents expressly or by implication
  • to a limited-access secure and confidential account to which messages can only be sent by the person who provides the account to the recipient
  • with the reasonable belief that the message will be accessed in a foreign state that is listed in regulations  and the message conforms to the anti-spam law of that state
  • by or on behalf of a registered charity  for the primary purpose raising funds for the charity
  • by or on behalf of a political party or organization, or a political candidate for publicly elected office, for the primary purpose soliciting a donation or contribution

Transitioning existing databases

Even though CASL establishes new consent requirements for sending CEMs, this does not necessarily mean that existing subscribers must be “reconfirmed” under CASL.  CASL includes a transitional provision that effectively extends the existing business and non-business relationships. For example, according to this provision, where a business has had an existing business relationship with a customer, and has been sending CEMs to that customer, consent can continue to be implied until July 1, 2017 (or until the customer unsubscribes).

In addition, both Industry Canada and the CRTC have stated that existing express consent obtained in compliance with PIPEDA will be considered compliant with CASL going forward (commonly referred to as “grandfathering”). Please refer here for more information about what grandfathering means.

Installation of computer programs

CASL also establishes rules for the installation of computer programs onto a computer system. These rules apply to all forms of computer programs, potentially including mobile apps. Most importantly, CASL requires any person installing a computer program onto another person’s computer system to obtain express consent from the owner or authorized user of the computer system.

CASL deems consent to have been given if the program is

  • a cookie;
  • HTML code;
  • Java Scripts;
  • an operating system;
  • installed by or on behalf of a telecommunications service provider (TSP) solely to protect the security of all or part of its network from a current and identifiable threat to the availability, reliability, efficiency or optimal use of its network;
  • installed, for the purpose of updating or upgrading the network, by or on behalf of the TSP who owns or operates the network on the computer systems that constitute all or part of the network;
  • necessary to correct a failure in the operation of the computer system or a program installed on it and
  • is installed solely for that purpose;
  • any other program that functions only with the use of another computer program that was previously installed with express consent; and,

it is reasonable to believe that the person has consented to the installation based on their conduct.

Consent is not required for updates or upgrades where:

  • the original program was installed with express consent;
  • the terms agreed to when the user originally provided express consent notified the individual that they would be entitled to receive an update or upgrade in the future; and,
  • the upgrade is installed in accordance with those terms.

Additional requirements apply when installing a computer program that performs any of the following functions:

  • collecting personal information stored on the computer system;
  • interfering with the user’s control of the computer system;
  • changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the user;
  • changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the user;
  • causing the computer system to communicate with another computer system, or other device, without the authorization of the user; or,
  • installing a computer program that may be activated by a third party without the knowledge of the user.

If the program performs any of these functions, the function(s) must be brought to the explicit attention of the computer user, and the user must be provided with assistance in removing the program if the user believes that the program was inaccurately described.

There remains some uncertainty with respect to exactly how these rules will apply. This will depend largely on what it means to install a computer program onto another person’s computer system. It would seem that, in many cases, where a user chooses to download and install a program (such as an app) they are actually installing onto their own device, and, according to such an interpretation, CASL would not apply. However, it is expected that further guidance on this issue will be provided before these rules come into force on January 15, 2015.

While CASL has created significant confusion with respect to its application to cookies, this issue appears to have been resolved.

Unauthorized alteration of transmission data

CASL prohibits the unauthorized alteration of transmission data. This is intended to address issues such as ‘pharming’, which involves the use of technical measures to redirect a person to a fraudulent website.

Penalties and enforcement

CASL is enforced by the CRTC. Related amendments to the Competition Act and PIPEDA are enforced by the Competition Bureau and the Office of the Privacy Commissioner of Canada (OPC) respectively.

The CRTC has the ability to impose administrative monetary penalties for violations of CASL of up to $10 million per violation.

CASL also includes a private right of action, which allows any person affected by a violation of CASL and related amendments to PIPEDA and the Competition Act to sue for actual and/or statutory damages. The private right of action comes into force on July 1, 2017.

Further information: Checklists

For a detailed overview of the various requirements and exclusions that apply to sending CEMs, refer to our Campaign Checklist. Refer to our Database Checklist for assistance in understanding the timelines that apply in determining if and when certain subscribers may require reconfirmation (i.e., requesting express consent from existing subscribers). Finally, our Computer Program Checklist provides a guide to the rules that apply to the installation of computer programs.

How we can help

With extensive experience in anti-spam, privacy, electronic commerce, competition and advertising law as well as a deep understanding of the online and digital marketing industry, we are able to provide practical advice in navigating the various requirements of CASL and related legislation. We offer a range of services, including:

  • a comprehensive approach to compliance that addresses all process-related aspects of e-marketing campaigns, from list-building to deployment;
  • tailored training seminars that explain CASL and how it applies to your organization in an easy-to-understand (non-legal) manner;
  • ensuring that message content is neither false nor misleading according to Canadian legal standards; and
  • limiting the risk of liability for service providers, including marketing agencies and email service providers.

While the penalties under CASL are potentially significant, there is no need to panic, and organizations should not be afraid to continue to engage consumers through electronic marketing campaigns. In many cases, only minor changes to existing practices may be necessary. Let us assist you in developing marketing campaigns that are CASL-compliant.

Please contact us if you have any questions.

Resources

The Canadian e-Marketing Blog (for regular updates on CASL and other laws related to online marketing in Canada)
nNovation LLP: Industry Canada finalizes regulations (December 4, 2013)
Canada’s Anti-Spam Legislation
CRTC CASL FAQ
Electronic Commerce Protection Regulations (Industry Canada) (Final)
Electronic Commerce Protection Regulations (CRTC) (Final)
Electronic Commerce Protection Regulations (Industry Canada) (Draft)
CRTC Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC) (CRTC 2012-548)
CRTC Guidelines on the use of toggling as a means of obtain express consent under Canada’s anti-spam legislation (CRTC 2012-549)
Fightspam.gc.ca (Government of Canada resource page)
nNovation LLP: Industry Canada publishes draft regulations (January 7, 2013)
nNovation LLP: CRTC issues Guidelines under Canada’s Anti-Spam Legislation (October 11, 2012)