If you send electronic messages or marketing emails to Canadian citizens, then you must comply with Canada's Anti-Spam Legislation (CASL).

Below, we outline what CASL requires, who must comply with the law, and what steps you can take to ensure you are CASL-compliant.


What is Canada's Anti-Spam Legislation (CASL)?

Canada's Anti-Spam Legislation, shortened to CASL, came into force in July 2014. It exists to control when businesses can send marketing or commercial messages to Canadian citizens. It helps to reduce "spam" and other unwanted communications, and it protects citizens from having computer programs installed on their devices without consent.

Before we go further, let's briefly define "spam" for clarity.

Definition of "Spam"

Spam is, essentially, any unsolicited message, sent in bulk, to unsuspecting recipients. It could be selling a product or service, but the message can contain any content, including deceptive content, or even dangerous spyware or malware.

Although spam can be any type of electronic message, Canada's Anti-Spam Legislation (CASL) only applies to commercial electronic messages (CEMs), so let's consider what these are.

Definition of "Commercial Electronic Messages"

A commercial electronic message, or CEM, is defined as a message which is directly or indirectly encouraging someone to participate in a commercial activity.

Even if the encouragement is not explicit, if it's reasonable to assume, from the contents as a whole, that the objective is to have someone engage in commercial activity, then it's a CEM:

CASL Definition of commercial electronic message

For example, even if the message does not explicitly promote goods or services, if the hyperlinks are promotional, then the message is a CEM.

Since CASL only covers commercial messages, it does not cover messages between friends and family, political messages, or messages from local, state, or federal government.

What are Computer Programs?

As noted, Canada's Anti-Spam Legislation (CASL) also covers "computer programs." In this context, computer programs are any type of code or software installed on a user's device without their consent. This means it does not cover programs which a user voluntarily installs or accepts.

As an example, if a Canadian citizen downloads an app from an app store, CASL does not apply. But it does apply if the app contains a concealed program which the user did not expect to be installed.

Cookies may technically be considered computer programs, so they can fall under CASL's jurisdiction.

What is the Purpose of Canada's Anti-Spam Legislation (CASL)?

Helpfully, we can find the reasons behind Canada's Anti-Spam Legislation (CASL) within the law itself. The relevant section is Section 3, "Purpose." In short, CASL exists to:

  • Protect consumer privacy
  • Encourage Canadians to use electronic communications with confidence
  • Prevent commercial conduct which unnecessarily costs businesses and consumers money

Here is the section in full:

CASL Purpose section

Put simply, there are various benefits to CASL:

  • The law helps to prevent spam and other harmful communications
  • Canadian citizens may be more likely to share their data if they have confidence that it will be used responsibly
  • CASL gives Canadian citizens more control over their personal information and how it is used
  • The law promotes transparency, which may give Canadian citizens more confidence when doing business with companies around the globe

Who Must Comply with Canada's Anti-Spam Legislation (CASL)?

You must comply with Canada's Anti-Spam Legislation (CASL) if you send any electronic messages to Canadian citizens for commercial reasons, even if you are not based in Canada.

So, for example, even if your message will only reach one or a few Canadian citizens, it doesn't matter. You must still comply with CASL, because it protects every Canadian citizen.

The reality, then, is that every business should understand how CASL impacts their operations because there's a very good chance they must comply with its provisions.

What are the Exemptions to Canada's Anti-Spam Legislation (CASL) Compliance?

There are numerous exemptions to CASL compliance. We can find these exemptions in Sections 5 and 6 of "Requirements and Provisions." In short, a business does not need to comply with CASL if:

  • The sender and recipient have a pre-existing family or personal relationship
  • The business is responding to a simple enquiry, in which case the sender has disclosed their email address and opened the lines of communication
  • The message is responding to a request for a quote, or estimate, made by a prospective customer
  • The sender is notifying the recipient of a product recall, or they are providing other crucial safety information

If you're in any doubt as to whether you must comply with CASL, seek legal advice before sending any marketing messages or commercial electronic communications.

What Does Canada's Anti-Spam Legislation (CASL) Require?

Should you be required to comply with Canada's Anti-Spam Legislation (CASL), there are three main obligations placed upon you. You must:

  • Clearly identify your company name and contact information
  • Obtain the relevant type of consent for sending CEMs
  • Provide a clear and conspicuous "unsubscribe" mechanism so that recipients can easily amend their consent settings

Let's consider these three obligations in more detail.

How Do You Comply with Canada's Anti-Spam Legislation (CASL)?

Canada's Anti-Spam Legislation (CASL) compliance is relatively simple, especially if you are already complying with other comprehensive global privacy laws such as the GDPR. However, to help ensure you are fully compliant, let's summarize the steps you should take to be CASL-ready.

Identify Yourself as the Sender

Recipients have the right to know who is sending them any communication. Your CEMs should include your contact information and details about your business.

Here's an example from MOFO Body Mechanic where the business details are obvious and succinctly set out at the bottom of a commercially sent email:

MOFO Body Mechanic email footer with business information

For another example, here's what the Rogue Fitness website footer looks like. This would be an acceptable way to format a CEM from any company, since the company is clearly identified and there is prominent contact information:

Rogue Fitness website footer with business information highlighted

Determine which type of consent you may require and how to obtain it. You should also keep records of obtained consent, since you may be obligated to show governing bodies that you legitimately obtained consent and complied with Canada's Anti-Spam Legislation (CASL).

You don't always need express consent to send CEMs. According to Section 9 of CASL, you don't need express consent if:

  • You have a pre-existing and ongoing business relationship with a recipient,
  • The individual made their email address public and does not indicate that you can't send them CEMs, or
  • A person voluntarily discloses their email address to you, such as when they make an inquiry, and they have not expressly opted out of receiving CEMs

In such cases, implied consent may be enough. Otherwise, you need express consent, meaning:

  • Individuals must know what they are signing up for, and consent to, and
  • They must take an active step to opt into CEMs

Here's an example from Vendula London. It's obvious that by entering an email address into the form, a person is signing up to receive CEMs. The person must also take the active step of agreeing to the company's T&Cs, which is an advisable approach because you can infer that the person has read and agreed to your company policies before entering their email address:

Vendula London email newsletter sign-up form

Note that the above example also states that the user can unsubscribe at any time.

Include a Clear Unsubscribe Option

Every CEM should have a clear and clickable "unsubscribe" button or option. This ensures that recipients can easily opt out or change their marketing preferences. Informing individuals of the right to change their preferences is a great way to improve Canada's Anti-Spam Legislation (CASL) compliance.

Here's a good example from HIGH5. There's not only an unsubscribe option, but an explanation of the recipient's rights to unsubscribe. The recipient knows that, by clicking the "unsubscribe" option, they will no longer receive such marketing emails:

HIGH5 email footer

Here's another example from Zwift:

Zwift email footer with unsubscribe link highlighted

And here's an excellent example from HIGH5 that lets users know about their right to withdraw consent at the time of sign up and information on how to do so:

HIGH5 email newsletter sign-up form

In this example, not only must the intended recipient expressly opt in by entering their email address, but they do so in full awareness of how to withdraw consent, and what they are signing up for.

Train Your Staff on CASL Compliance

If your staff send electronic communications, then they must understand Canada's Anti-Spam Legislation (CASL) and how to comply with its provisions.

Use regular training, handbooks, and in-house guidelines to support your staff and help them understand the law. And encourage them to raise any questions they have before sending correspondence via electronic means.

Penalties for CASL Non-Compliance

Should you allegedly fail to comply with Canada's Anti-Spam Legislation (CASL), you may receive a "Notice of Violation" which sets out the details of the alleged incident(s). You may be required to show proof that you received the appropriate consent, and that you followed CASL's provisions.

Alternatively, you may receive a citation, which is less formal than a Notice of Violation, but which you must still respond to in writing.

The Canadian Radio-television and Telecommunications Commission (CRTC) has the authority to impose penalties if you do not respond to an allegation, or if your defense is unsuccessful. Penalties include:

  • A formal undertaking that you will take certain steps to remedy the alleged non-compliance incident
  • A financial settlement, whereby you pay an administrative fine
  • A settlement where you admit to wrongdoing (and, in some cases, pay a reduced penalty fine)

If you are unsure how to respond to the CRTC, always get legal advice before moving forward. Failing to respond appropriately could cause reputation damage for your business or lead to significant financial penalties.

CASL and the Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's other major privacy law. PIPEDA prevents businesses from indiscriminately sending marketing emails to addresses obtained through email "harvesting." It also compels businesses to obtain consent to marketing messages sent via email in certain circumstances.

If you are subject to CASL, you should also comply with PIPEDA. You should read CASL alongside PIPEDA, as they work together to regulate how businesses communicate with their customers, and prospective customers, through electronic means.

Summary

Canada's Anti-Spam Legislation (CASL) prevents businesses from sending spam, or unsolicited marketing messages, to Canadian citizens.

The law governs "commercial electronic messages" (CEMs) so it does not apply to government or political messages. It also protects Canadian citizens from having unwanted computer programs installed on their device, including unwanted cookies or other tracking technologies.

CASL applies even if your messages may only reach one Canadian citizen. It does not, however, apply if you have a pre-existing business relationship with whoever you are sending CEMs to. It also does not apply if you're responding to a customer inquiry.

To comply with CASL, you must do the following:

  • Obtain express consent to CEMs. Typically, you need express consent unless there is a pre-existing business relationship or an individual has publicized their email address and not declared that CEMs are unwelcome. If in doubt, obtain express consent.
  • Include your business name, details, and contact information in CEMs, particularly if you require express consent. Sender identification is crucial to CASL compliance.
  • Ensure that all CEMs have a clear "unsubscribe" option so that recipients can change their mind at any time.

CASL non-compliance can result in steep financial penalties and reputation damage. Always seek legal advice if you are unsure how to comply with your obligations, or how the law applies to you.
