In December 2013, the Canadian federal government announced[1] firm dates for Canada’s anti-spam legislation (commonly referred to as CASL) to come into force, some three years after Bill C-28 (the operative bill) received Royal Assent in December 2010.[2]

Implementation Dates

To assist individuals and organizations, the Canadian government has decided to implement CASL in the following stages: 

  1. CASL’s anti-spam provisions will come into force on July 1, 2014;
  2. CASL’s provisions pertaining to the installation of computer programs will come into force on January 15, 2015; and
  3. CASL’s provisions pertaining to the private right of action will come into force on July 1, 2017.[3]

Activities captured under CASL

CASL regulates a broad range of activities, including:

  1. the sending of commercial electronic messages;
  2. the altering of transmission data in an electronic message;
  3. unsolicited installation of computer programs;
  4. engaging in fraudulent or misleading practices through electronic messages or websites;
  5. the use of spyware, malware, botnets, and phishing;
  6. automated collection of electronic addresses (email harvesting); and
  7. unlawful use of computers to collect personal information

How does CASL apply to non-residents?

The sending of commercial electronic messages

CASL’s provisions applicable to the sending of commercial electronic messages apply where a computer system located in Canada is used to send or access such messages.  Therefore, if a non-resident located outside of Canada sends a message to an individual or organization located in Canada, CASL will apply to the non-resident.  If the non-resident is located in Canada, CASL will also apply.

The altering of transmission data in an electronic message

CASL’s provisions applicable to the altering of transmission data in an electronic message apply where a computer system located in Canada is used to send, route or access the electronic message.  Therefore, like the example above, if a Canadian accesses a message that was altered by a non-resident located outside of Canada, CASL will apply to the non-resident.  If the non-resident is located in Canada, CASL will also apply.

The unsolicited installation of computer programs

Certain CASL provisions apply where an unsolicited computer program is installed on a computer system located in Canada at the relevant time or if the person who installed the computer program is either in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they gave the directions.

In addition, CASL prohibits individuals and organizations from aiding, inducing, procuring or causing to be procured the doing of any of the CASL restrictions pertaining to sending of commercial electronic messages, the altering of transmission data in an electronic message, and the unsolicited installation of computer programs.

How is the Canadian government able to enforce CASL against non-residents?

CASL permits the Government of Canada, the Canadian Radio-television and Telecommunications Commission (CRTC), the Canadian Commissioner of Competition or the Canadian Privacy Commissioner to enter into a written agreement or arrangement with the government of a foreign state, an international organization of states or an international organization established by the governments of states, or any institution of any such government or organization.

The purpose of the agreement or arrangement would be to share information between signatories that pertains to:

  1. information that a foreign state, organization or institution has that may be relevant to one or more of the prohibitions in CASL; or
  2. information that Canada has that may be relevant to an investigation or proceeding in respect of a contravention of the laws of a foreign state that addresses conduct that is substantially similar to conduct that is prohibited under CASL.

CASL only permits an agreement or arrangement to be entered into if the sharing of information will be done on a reciprocal basis.

The prohibitions in CASL are types of activities that governments around the world are trying to crack down on.  As a result, there is an increased desire by foreign states to co-operate with each other and to help each other root out individuals and organizations who may be located in one jurisdiction but who are unlawfully targeting, intentionally or unintentionally, individuals and organizations located in another jurisdiction.

Other CASL Details

The CRTC and Industry Canada both have regulatory making authority under CASL, and the CRTC, the Canadian Commissioner of Competition and the Canadian Privacy Commissioner all have CASL enforcement powers.

Should CASL really be a concern for non-residents who carry on business in Canada?

While a non-resident may not alter transmission data in an electronic message or install unsolicited computer programs onto a computer system, and thus not run the risk of being off-side with those prohibitions in CASL,a non-resident who carries on business in Canada will most certainly need to be concerned about CASL’s prohibitions regarding the sending of commercial electronic messages.

CASL’s Commercial Electronic Messages (CEMs)

The anti-spam provisions of CASL, as they are commonly referred to as, prohibit a sender from transmitting a commercial electronic message (“CEM”) to an electronic address, unless: (i) the intended recipient has consented; and (ii) the message includes certain prescribed information.

Under CASL, “Electronic messages” mean a message sent by any means of telecommunication, and includes text, sound, voice, and image messages.  “Electronic address” means an address used in connection with the transmission of an electronic message, and includes email, text messaging/SMS, instant messaging, social networks (Facebook®, LinkedIn®, etc.), other online services (e.g., web forums, portals), telephone accounts, and “any similar account”.

“Commercial” refers to anything that “encourages participation in commercial activity”, including: (i) an offer to purchase, sell or lease products, goods or service; (ii) an offer to provide a business, sell or lease investment or gaming opportunity; or (iii) advertising or promotion of these and other activities or of a person carrying out or intending to carry out these and other activities.

Factors that would affect the determination of whether a message encourages participation in commercial activity include: (i) content of the message; (ii) hyperlinks in the message to content on a website or other database; and (iii) contact information contained in the message.  For these purposes, a “commercial activity” is “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit…” [Emphasis Added]

CEMs may be sent only with a recipient’s express or implied consent.  Under CASL, the onus of proving sufficient consent rests with the sender of a CEM, and the recipient of a CEM does not have to prove that he or she did not provide consent.  Also, an electronic message that requests consent to send a CEM is, under CASL, deemed to be a CEM. 

CASL contains a number of requirements around how consents may be obtained, and what information must be included in commercial electronic message.  In additional, CASL prescribes that a certain type of unsubscribe mechanism must be made available to message recipients.

CASL also contains a number of available exemptions from its anti-spam provisions as well as a number of exemptions from its consent requirements but not its information and unsubscribe mechanism requirements.

There are a number of things that non-residents can do to prepare for CASL.  These include:

  1. conducting an audit/gap analysis of their current electronic communication practices;
  2. reviewing and updating their privacy policies, including website privacy policy (where applicable), and the terms of use/terms of service for their website(s) (where applicable); and
  3. following completion of an audit/gap analysis, considering CASL’s requirements and assessing what changes might be required to their current policies, procedures, processes, practices, and/or computer systems and networks in order to ensure CASL compliance.