The Canadian Anti-Spam Law (CASL) went into effect July 1, 2014. If you’re in Canada or send a Commercial Electronic Message (CEM) to Canadian residents, you need to comply with CASL.

This article is provided as a resource and does not constitute legal advice. If you have more questions about CASL, we encourage you to contact a lawyer in your area who is familiar with this issue.

Liability

Under CASL, the consequences for spammers include fines of up to $1M per violation for individuals and $10M per violation for companies. It’s important to note that individuals and companies, including directors, officers and other agents, are responsible and liable for the messages they send. Directors and officers have also been found personally liable for CASL violations. The private right of action, originally scheduled to come into force July 1, 2017, has been indefinitely suspended.

What’s covered under CASL

CASL regulations apply to any “Commercial Electronic Message” (CEM) sent from or to Canadian computers or devices in Canada. Messages routed through Canadian computer systems are not subject to this law.

A CEM is any message that:

• is in an electronic format, including emails, instant messages, SMS text messages, and some social media communications;
• is sent to an electronic address, including email addresses, instant message accounts, phone accounts, and social media accounts; and
• contains a message encouraging recipients to take part in some type of commercial activity, including offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land or offers to provide a business, investment or gaming opportunity, the promotion of products, services, people/personas, companies, or organizations.

Fax messages and fax numbers aren’t considered electronic formats or addresses under CASL.

Exempt messages

The following types of CEMs are exempt from CASL for various reasons. 

• Messages sent by or on behalf of an individual to another individual whom they have a family or personal relationship.
• Messages sent to an employee or consultant of your business or another organization with whom your organization has a relationship.
• Messages sent in response to a request, inquiry, or complaint or that is otherwise solicited by the recipient.
• Messages that will be accessed in a foreign country, including the U.S., China, and most of Europe, as long as the message complies with the anti-spam laws of that foreign country.
• Messages sent by or on behalf of a registered charity or a political party or organization for the purposes of raising funds or soliciting contributions.
• Messages sent to a person to satisfy a legal obligation, provide notice of an existing or pending right, legal, or juridical obligation, court order, or to enforce a legal right, juridical order, or court order.
• Messages sent and received on an electronic messaging service if the information and unsubscribe mechanism that are required under CASL are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it either expressly or by implication.
• Messages sent to a limited-access secure and confidential account to which messages can only be sent by the person who provides the account to the person who receives the message.

CASL also contains an exception to the consent requirement for certain types of transactional messages. These messages still require that the sender comply with CASL’s identification and unsubscribe requirements. For example, the options to unsubscribe must be simple and easy to use and must be accessible for 60 days following receipt of the message.

Transactional messages include CEMs that solely:

• Provide warranty, recall, safety, or security information about a product or service purchased by the recipient.
• Provide notification or factual information about a purchase, subscription, membership, account, loan, or other ongoing relationship, including delivery of product updates or upgrades.
• Facilitate, complete, or confirm a commercial transaction that the recipient previously agreed to enter.
• Provide a quote or estimate for the supply of a product, good, or service.

If your message does not fall within one of the exemptions or exceptions to the consent requirement listed above, then consent is required under CASL.

Implied vs. express consent

Under CASL, consent is required to send a CEM unless an exception to the consent requirement applies or the message is exempt from CASL altogether. There are two types of consent: implied consent and express consent. Implied consent is only recognized in certain circumstances (as set out below) and express consent means someone has taken/ a positive step to agree (verbally or in writing) to receive a CEM.

CASL provides that consent to send a CEM may be implied only if:

• The sender has an “existing business relationship” or an “existing non-business relationship” with the recipient; or

  • “Existing business relationship” is a business relationship between the individual who sends the message and the recipient arising from: (i) the purchase of a product, good, or service within the last 24 months; (ii) the recipient accepting a business deal or investment within the last 24 months; (iii) a written contract entered between the recipient and sender within the last 24 months; or (iv) an inquiry or application made within the last 6 months.
  • “Existing non-business relationship” means a non-business relationship between you and the recipient arising if you are a registered charity or political organization, and the recipient has made a donation or gift, has volunteered, or attended a meeting organized by you within a two-year period.

• A professional message is sent to someone whose email address was given to you, or is conspicuously published, and who hasn’t published or told you that they don’t want unsolicited messages. The messages sent must be relevant to the recipient’s business, role, function, or duties in a business or official capacity.

• A single message sent following a referral. The referral must be made by an individual who has an existing business relationship, non-business or personal relationship with both the sender and recipient of the message. The message must: (i) disclose the full name of the individual or individuals who made the referral; (ii) state that the message is sent as a result of the referral; and (iii) comply with the prescribed content and unsubscribe requirements under CASL.

If your recipients don’t meet any of the above criteria, then express consent is required before you can send campaigns to them.

An example of express consent is “Yes, I want to receive commercial electronic messages, including monthly newsletters and weekly discount notifications about products and services from Company B. I can unsubscribe at any time. (Insert Company B’s mailing address and one of either a telephone number, email address, or website URL)”

Express consent is only valid if the following information is included with your request for consent:

• A clear and concise description of your purpose in obtaining consent
• A description of messages you’ll be sending
• Requestor’s name and contact information (physical mailing address and one of either a telephone number, email address, or website URL)
• A statement that the recipient may unsubscribe at any time.

The requestor can be you or someone for whom you’re asking. If you’re requesting consent on behalf of a client, the client’s name and contact information must be included with the consent request and other requirements must also be met.

It is always the sender’s responsibility to prove that they obtained consent to send the message. Express consent does not expire, but the recipient has the right to withdraw their consent at any time.

Additional requirements

In addition to understanding what qualifies as a CASL-regulated message, and what type of consent is needed, there are a few other details to keep in mind.

• You must retain a record of all consents (i.e. date, time, source, manner of consent).
• Express consent must always be proactive. When requesting written consent, checkboxes cannot be pre-filled to suggest consent. Each subscriber must opt-in and check the box themselves for consent to be valid.
• Remember that an electronic message that contains a request for express consent is also considered to be a CEM under CASL and therefore you cannot use this method to obtain express consent unless you already have the right to send the CEM.
• All messages sent must include your name, the person on whose behalf you are sending (if any), your physical mailing address and one of either your telephone number, email address, or website URL.
• All messages sent after obtaining consent must also include an unsubscribe mechanism, and unsubscribes must be processed without delay and in any event within 10 business days after the unsubscribe request was made.
• Regardless of the type of consent you have, if a recipient asks to stop receiving CEMs via your unsubscribe mechanism or through another form of communication, you must give effect to their request and stop sending them CEMs within 10 business days.

Here’s the full text of the law. The Canadian Radio-Television and Telecommunications Commission’s also set up an FAQ page and some guidelines for obtaining consent and guidance on CASL corporate compliance programs. If you have additional questions, we encourage you to contact a lawyer in your area who is familiar with the law.