Law booksUnderstanding the New 2014 CASL Canada Anti-Spam Law and How it Affects Your Business

Canada is last of the G20 countries to legislate Anti-Spam, but the name in itself can be a bit confusing because it covers an unsolicited  commercial electronic message (CEM) not just unwanted spam from malware or spyware.   The new 2014 Canada Anti-Spam Law has taken the longest to develop, but is the most far reaching, with fines for breaches up to $1-million for individuals and up to $10-million for business violations.  If you would like to read the legal details, here is a link to the main Government website

We are not legal experts, therefore this is only a guide as to what your Company needs to address to be CASL compliant.   It is important not to panic but to be prepared. If you are using a third party service for your email blasts, make sure they are CASL compliant.  Oh and by the way, it doesn’t just apply to Canadian companies. It applies to any company, worldwide, that sends an unsolicited commercial message to a Canadian recipient.

If you are unsure where you stand, we suggest that you seek a legal opinion to ensure you are within the law.

Three Stages of Legislation and Effective Dates

  • CASL Takes Effect – July 1, 2014 and covers a Commercial Electronic Message (CEM)
  • CASL Computer Program Provisions Take Effect – Jan. 15, 2015
  • CASL Private Right of Action Takes Effect – July 1, 2017

Getting Ready for the CASL Anti-Spam Law July 1, 2014 Deadline

  1. Understanding that the legislation affects unsolicited commercial messages sent out from your website, email and text messaging. It also applies to messages sent through social media sites such as, but not limited to, LinkedIn, Facebook, Twitter etc.
  2. If you are a large company, with many people in different departments sending out commercial messages, you may need to put a task force together to ensure your Company is CASL compliant by July 1, 2014.  Everyone in your Company needs to be on the same page.
  3. Put best practices in place for after July 1, 2014 to ensure you track on a database both your express and implied consents for CEMs.

What Should your Business do before the CASL July 1 2014 Implementation?

The following isn’t mandatory, but it gives you suggestions for avoiding any future non-compliance and will give you peace of mind that your list is clean and compliant with the new law.

Re-qualify your Mailing List for any Commercial Electronic Message

You can do this by simply sending out a specific email to your current list to confirm via ‘a click to confirm’ they want to remain on your mailing list for xxxxx. Be sure to include an unsubscribe button for those who want to unsubscribe. Your subscribers will thank you for asking and you will be CASL compliant.

We say this specifically as the best practice,  as it removes all questions as to whether your current mailing list is comprised of people who have given either express or implied consent.

There are specific rules for express consent and implied consent.  It is important to understand these two methods of consent for the future.

What is Express Consent?

This is where the recipient has expressly signed up to receive information from your Company via email.  There are still some requirements to ensure that express consent is valid including:

  • Clearly describe the purposes for requesting consent, ie to receive your monthly newsletter, or your monthly specials.
  • Provide the name of the organization/person seeking consent, and identify on whose behalf consent is sought, if different.
  • Provide contact information such as a mailing address (PO boxes are valid), telephone number, email address or website address
  • Indicate that the recipient can unsubscribe or withdraw consent at any time.

The three most common ways that express consent is acquired are:

  1. A mailing list sign up form on your website.
  2. A confirmation link in an email.
  3. Sign up in person at the POP (cash register) of a retail establishment.

Whenever you obtain express consent, it is important that you capture the consent in your data base. As the sender it is your responsibility to prove that you received proper express consent. This means tracking items such as the date of sign up, time, IP address, form used, link clicked in email, etc. An excel spreadsheet would work for capturing this information.

What is Implied Consent

Implied consent is a trickier part of the Anti-Spam legislation and is therefore subject to interpretation.   So to be on the safe side we still recommend getting express consent, because there is no doubt, then, that a person really wants to receive your commercial  messages.

Implied consent basically says you can email someone because you have an existing relationship with them, even though they never specifically requested that you email them for commercial purposes.

According to CASL, consent will be implied in the following scenarios:

  • The recipient and sender have an “existing business relationship”.   This means the person receiving the message has done business with you in the last two years by purchasing a product or service. Note the two year window from time of purchase.  A second purchase at a later date means the clock can be reset to a new 2 year window.   This means you would need a mechanism to record dates of purchase.
  • If a prospective customer has made an inquiry to you in the previous 6 months about a product or service, this also qualifies as an “existing business relationship”.  However, it is best to re-qualify this relationship by obtaining express consent to avoid non-compliance after the 6 month period if this inquiry does not become a purchaser of your product or service.
  • If the recipient has “conspicuously published” their email address, and the publication is not accompanied by a statement that the recipient does not wish to receive unsolicited messages, and the message is relevant to the person’s business, role, functions or duties.   For example if the recipient is a chef and you are a producer of children’s toys, your product is not relevant to that person’s profession and probably would not qualify under this rule.
  • If the recipient has given their email address to the sender without indicating that they do not want to receive unsolicited messages and the message is relevant to the person’s business, role, functions or duties. This is often referred to as the “business card” consent.    This can happen at a networking event where you have met the person and exchanged business cards.

There is a special CASL transitional period so that the two year and six month windows discussed above are extended to 36 months from the date CASL takes effect, provided that you have emailed the contact previously.

For non-profits, implied consent is much more complicated and somewhat ambiguous therefore we suggest that you re-qualify your email list for express consent so that you are not violating the new CASL legislation, or seek legal advice.

Validate your Website Sign Up Form

Ensure that your signup on your website is opt-in, not opt-out.  An example of opt-out is where the sign up box is pre-filled in and the subscriber has to ‘click’ to turn off the option.  This method is no longer allowed.    A subscriber must be able to fill in the check boxes themselves.  Also capture the information from your recipient such as name, email address, physical address and telephone number.

lardy and manWhat do the CASL Computer Program Provisions that Take Effect – Jan. 15, 2015 Cover?

Installation of Computer Programs

The Act introduces requirements when installing software on another person’s computer system, but only in the course of commercial activity, a defined term that excludes public safety and other purposes. Specifically, the Act requires the express consent of the owner or authorized user of a computer system before a computer program is installed, and specifies the form consent must take in different circumstances.

The Act further provides that a person is considered to consent to the installation of certain listed types of programs. The Regulations add to this list of programs, creating a limited exclusion from the requirement to seek express consent. This form of deemed consent applies as long as a person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.

The Regulations provide deemed consent for any companies or individuals who together or independently provide a telecommunications service, defined in the Act as a Telecommunications Service Provider (TSP), to install a computer program for the limited purposes of protecting the security of all or part of its network from a current and identifiable threat to its availability, reliability, efficiency, or optimal use.

The Regulations also provide deemed consent for TSPs to install software on devices across all or part of a network for update and upgrade purposes.

As noted above, CASL defines TSPs to be any person who together or independently provide telecommunications services. These services include features of services delivered by means of telecommunications facilities including network routers and servers, regardless whether the provider owns, leases or has any interest in or right to the equipment and software used to provide the telecommunications service.

The Regulations also provide deemed consent for any company or person to install programs that are necessary to correct a failure in the operation of a computer system or a computer program that is already installed. This will allow software providers to take positive steps to ensure the safe and proper functioning of their computer programs and the systems they operate on, consistent with consumer expectations..

CASL Private Right of Action Takes Effect – July 1, 2017.  What does this Mean?

Until this date, private citizens will not be able to take civil action against violators of the CASL   After this date anyone who has been affected can take legal action.

The Government has promised that after July 1, 2014 they will make a concerted effort to go after the serious offenders, the “spammers” we all detest.   The Government will enforce the legislation through the following agencies.

Which Government Agencies will Enforce the CASL Anti-Spam Law?

This is divided into three Government agencies, each having specific responsibilities to enforce the Act.

The CRTC is Canada’s broadcasting and telecommunications regulator. The CRTC has the primary enforcement responsibility under the new anti-spam law and will be able to investigate, take action against, and set administrative monetary penalties for:

  • sending non-compliant commercial electronic messages. An example of a non-compliant message is a message sent without prior consent.
  • altering transmission data without express consent. For example, this prohibits conduct by which Internet users are directed to websites they did not intend to visit and includes other illegal activities that target Internet users.
  • the installation of a computer program on a computer system or network without the express consent. This includes malware, spyware and viruses installed with computer programs, hidden in spam messages or downloaded through links to infected websites.

Competition Bureau

The Competition Bureau, as an independent law enforcement agency, ensures that Canadian businesses and consumers prosper in a competitive and innovative marketplace. The legislation enables the Bureau to more effectively address false and misleading representations and deceptive marketing practices in the electronic marketplace, including false or misleading sender or subject matter information, electronic messages, and locator information such as URLs and metadata.

Office of the Privacy Commissioner of Canada

The Office of the Privacy Commissioner of Canada protects the personal information of Canadians. The new law allows the Commissioner to enforce the legislation with respect to two types of conduct:

  • the collection of personal information through access to computer systems contrary to an act of parliament;
  • electronic address harvesting where bulk email lists are compiled through mechanisms; including the use of computer programs that automatically mine the Internet for addresses.

We hope this information helps you in becoming CASL compliant.  Marketing Company, Elite Email has put together a free comprehensive guide to CASL Survival.   If you are looking for specific legal advice some of the large law firms have specialists in this field.   Here are links to two,  Miller Thomson and Osler.

XL Consulting Group partners with small businesses for strategy, business coaching and all things ‘marketing’, including websites and social media.   Click here for a list of our services or contact us via email with your questions or call us at 905.639.3555.