Canada’s Anti-Spam Legislation (CASL)
CASL is a new federal law aimed at eliminating unsolicited and malicious electronic communications.
Originally introduced in December 2010, the majority of CASL’s provisions will come into force on July 1,
2014. Once in effect, organizations will have to comply with specific consent, disclosure and unsubscribe
requirements when sending out electronic communications.
CASL is accompanied by two sets of regulations from the Canadian Radio-television and
Telecommunications Commission (CRTC Regs) and from Industry Canada (IC Regs). The CRTC has also
issued two interpretative guidelines (referred to as Compliance and Enforcement Information Bulletins CRTC
2012-548 and 2012-549), but these guidelines do not have the force of law.
This guide provides basic information on CASL to help understand how it will impact electronic
communication practices and will focus on CASL’s prohibition on “spam”. We also include a brief summary in
section VIII below on CASL’s provisions in respect of installation of computer programs. In many cases where
a section applies to your organization, we recommend you look closely as the specific wording of CASL as
the notes below are paraphrased. Section references to CASL and the applicable regulations have been
added for ease of reference.
What does CASL prohibit?
CASL targets three activities:
Spam Prohibition on sending, causing or permitting to be sent commercial electronic
messages (CEMs) without the express or implied consent of the recipient, and in
compliance with prescribed form and content requirements (section 6).
Phishing Prohibition on altering transmission data in an electronic message so that it is
delivered to an alternative address without express consent (section 7).
Spyware/malware Prohibition on installing a computer program on another’s computer or causing
electronic messages to be sent from such a computer without express consent
CASL and its regulations will trump any conflicting provision of the Personal Information Protection and
Electronic Documents Act (PIPEDA) (section 2).
CASL distinguishes in some sections between individuals and “persons”, which are defined to include an
individual, partnership, corporation, organization, association, trustee, administrator, executor, liquidator of
a succession, receiver or legal representative (section 1(1)).
I. Spam - Commercial Electronic Messages
As we prepare to address the obligations of CASL, it is important to understand the overall concept. Firstly,
section 6 includes a broad prohibition against sending, causing or permitting to be sent CEMs without (i)
consent, and (ii) compliance with certain form and content requirements. This prohibition catches many
messages, so after reviewing the basic definition of CEMs, the next step is to look at the exceptions where
neither the consent nor form requirements are necessary, or, where express and/or implied consent may not
be required. It is only by understanding the various exceptions that we can assess the overall impact on a
business. The first step is to assess the scope of the definition of “commercial electronic message”.
“Commercial Electronic Message” or “CEM” – defined broadly to capture electronic messages that have
as one of their purposes “encouraging participation in a commercial activity” sent from email accounts,
text messaging accounts and any other similar account types (section 1(2)). Does not include voicemail or
fax messages (section 6(8)), or messages for law enforcement or public safety (section 1(4)).
“Commercial Activity” – includes any particular transaction, act, or conduct that is of a commercial
nature, whether or not carried out for profit (section 1(1)).
II. Exceptions where CASL does not apply to CEMs
CASL does not apply to certain types of messages, meaning there are no consent or form requirements for:
“Family or Personal Communications”: CEMs sent to family members or those who have
a personal relationship with the sender (section 6(5)(a) & IC Regs). “Personal Relationship” is
defined to include (for individuals only) a history of two way communications, and considers factors
such as sharing of interests, frequency of communications and whether the parties have met in
person (section 2, IC Regs).
“Commercial Inquiry Communications”: CEMs consisting solely of an inquiry or application
related to the commercial activity of the recipient person (section 6(5)(b)).
“Internal Business Communications”: CEMs sent within the same organization (among
employees, representatives, consultants or franchisees) provided the CEM concerns the activities
of the organization (section 3(a)(i), IC Regs).
“Business to Business Communications”: CEMs sent between different organizations (among
employees, representatives, consultants or franchisees), provided (a) organizations have a
relationship and (b) the CEM concerns the activities of the organization to which the message is
sent (section 3(a)(ii), IC Regs).
“Prompted Communications”: CEMs which are responses to inquiries, requests or complaints of
a person, or that are otherwise solicited by the recipient (section 3(b), IC Regs).
“Legal Communications”: CEMs sent to satisfy a legal obligation, or to enforce a legal right
(section 3(c), IC Regs).
“Social Network Communications”: CEMs sent and received on “electronic messaging services”
provided the required information and unsubscribe mechanism are conspicuously published on the
user interface, and recipient has provided implied or express consent (section 3(d), IC Regs). This
is anticipated to apply to social networking services or instant messaging services.
“Secure Account Communications”: CEMs sent to a limited-access secure and confidential
account where only the account provider is able to send messages to the account (section 3(e), IC
“Foreign Destination Communications”: a CEM sent with the reasonable expectation that the
CEM will be accessed in a foreign state having similar anti-spam laws and the message conforms
with those foreign laws (section 3(f), IC Regs). A list of recognized countries is scheduled to the
“Charity Fundraising Communications”: a CEM sent by or on behalf of a registered charity and
the message has the primary purpose of raising funds for the charity (section 3(g), IC Regs).
“Political Solicitation Communications”: a CEM sent by or on behalf of a political party /
organization, with the primary purpose of soliciting contributions (section 3(h), IC Regs).
III. Form requirements for CEMs
Under CASL, all CEMs, unless subject to an exception as noted above in part II, will need to include the
following information “clearly and prominently” (section 6(2) and (3), 11(1) – (3) &, CRTC Regs):
• Identity/business name of person sending and on whose behalf the CEM is sent (section 6(2)).
• If the CEM is sent on behalf of another person, a statement must be included indicating which person
is sending and which person on whose behalf it is sent.
• Contact information including mailing address and either phone number or email/web address of
person sending, or if different, the person on whose behalf CEM sent. The information must enable
recipient to readily contact one of such persons (section 6(2)). Contact information must be valid for
60 days after message sent (section 6(3)).
• Unsubscribe mechanism must be included with an electronic address or web link and must be able to
be “readily performed”. Must be valid for 60 days after message sent. Unsubscribe must be effected
within 10 business days after unsubscribe request (sections 11(1) – (3)).
Consent is addressed in one of three ways:
• Express consent from the recipient (section 10(1)).
• Implied consent to send the CEM (section 10(9)).
• An exception applies (section 6(6)).
The onus to prove consent rests with the sender of the CEM (section 13).
To obtain valid express consent (section 10(1) & CRTC Regs), the request for consent must:
• Set out “clearly and simply” the required information.
• State the purpose(s) for which consent is being sought.
• Include the business name of the person seeking consent, and the business name of any person
on whose behalf consent is sought; and specifying which person is seeking consent and which on
whose behalf consent is sought.
• Include contact information consisting of mailing address and either phone number or email/web
address of person sending or if different the person on whose behalf CEM sent.
• Be Opt-in (i.e. click a box, or enter email address) and not Opt-out (CRTC’s view).
• State that consent can be withdrawn.
• Be separate for each act of sending a CEM, installing a computer program and altering transmission
data (CRTC Regs).
Note: Consent may be obtained orally, in paper form or electronically. However, a request for consent
sent by an electronic message is a CEM, and so must comply with the form and consent provisions in
order to be sent (section 1(3)).
Consent may be obtained on behalf of an unknown person (who will rely on the consent), provided that
certain conditions in the IC regulations are met regarding ongoing use of and withdrawal of such consent.
Implied consent exists where:
• Sender and recipient have an “existing business relationship” (sections 10(9) and detailed
definition in 10(10)):
• Within the last two years: any purchase or lease of products or services, acceptance of
business or investment, bartering; or contract for such things in force or expired within last two
• Within the last six months: an inquiry or application from the CEM recipient to sender, in
respect of any such business transactions.
• Sender and recipient have an “existing NON-business relationship” (sections 10(9) and detailed
definition in 10(13) & IC Regs), i.e. within the last two years a donation of time or money to a
registered charity, political party, organization or candidate, or, membership in a club, association or
• Recipient “conspicuously” published their email address, or has disclosed their address to the sender,
without indicating that they do not wish to receive unsolicited CEMs, and the CEM being sent is
relevant to the recipient’s business, role, function or duties in a business or official capacity (section
Exceptions for Consent
A CEM may be sent without express or implied consent to:
• Provide a quote or estimate requested by the recipient (section 6(6)(a)).
• Facilitate, complete, or confirm a commercial transaction between the sender and recipient that the
recipient previously agreed to enter into with sender (section 6(6)(b)).
• Provide warranty/safety/recall/security information about a product or services used or purchased by
recipient (section 6(6)(c)).
• Provide notification of factual information about an ongoing subscription, membership, account, loan
or similar relationship or goods or services offered thereunder (section 6(6)(d)).
• Provide information directly related to a current employment relationship or benefit plan (section 6(6)
• Deliver a product, good or service, including updates and upgrades further to an existing relationship
• “Third Party Referrals”: a single CEM may be sent to a recipient without consent based on the
referral to the sender by a third party who has a relationship (business, family, personal or nonbusiness)
with the sender and the recipient. The CEM must disclose the full name of the referring
person and that the message was sent as a result of the referral (section 4, IC Regs).
Always remember that even where consent is addressed by implied consent or an exception, the form
requirements of the CEM (contacts, unsubscribe etc.) still apply.
V. Grace period
For the first three years under the law, there will be implied consent for sending CEMs to recipients where,
as of July 1, 2014, there was an existing business relationship or non-business relationship, regardless of
when that relationship may have last been active (i.e. without reference to the two year or six month time
periods); provided that the recipient does not withdraw consent, and the relationship included the exchange
of commercial electronic messages (section 66).
Enforcement may occur by administrative penalty or private claims (no private claims for the first three years
CASL is in force).
Maximum penalties may be $1 million for individuals and $10 million for corporations and other organizations
Directors and officers may be liable (section 31) and employers may be liable for acts of their employees
A due diligence defence may be available if the sender can show established policies and practices for
compliance (section 33).
A three year limitation period for private claims applies (section 47(2)).
VII. What can you do to prepare?
• create implementation team
• audit and assess current CEM practices
• review and update CEM templates
• establish new tracking systems (IT)
• set timeline and priorities for Express Consent
• develop policies and guidelines for staff training
• consider merits of seeking consent in advance of CASL coming into force
VIII. Installation of computer programs
The coming into force of the provisions dealing with the unsolicited installation of computer programs is
delayed until January 15, 2015. Section 8 of CASL is intended to prohibit spyware/malware but will capture
any circumstance involving:
• the installation of a computer program
• on any other person’s computer system
• located in Canada
• during the course of a commercial activity
• unless that person’s express consent is obtained
• the installation is in accordance with a court order
The standard for express consent that is required for the installation of computer programs overlaps with
what is necessary for sending CEMs. In this respect, the general principles for obtaining express consent
outlined for CEMs in this guide apply.
Updates or upgrades will not require additional consent where valid express consent has initially been
obtained. Also, certain programs necessary for the proper function of Internet browsers are exempted, such
as HTML code and java scripts.
Obligation to Describe Program Function and Purpose
As per subsections 10(3) through 10(5) of CASL, when seeking express consent it is required that a party
clearly and simply describe the function and purpose of the computer program that is intended to be installed.
This includes ensuring that the person giving consent has reasonable expectations about the program,
including its functions for:
• Collecting personal information stored on the computer system.
• Interfering with the owner’s or an authorized user’s control of the computer system.
• Changing or interfering with settings, preferences or commands already installed or stored on the
computer system without the knowledge of the owner or an authorized user of the computer system.
• Changing or interfering with data that is stored on the computer system in a manner that obstructs,
interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of
the computer system.
• Causing the computer system to communicate with another computer system, or other device,
without the authorization of the owner or an authorized user of the computer system.
• Installing a computer program that may be activated by a third party without the knowledge of the
owner or an authorized user of the computer system.
Request for Program Removal
For a period of one year after consent for installation is given, the person who gave consent must be provided
with an email address where they can send a request to remove or disable the program which performs one
of the functions listed above. The request can be made where the person who gave their consent believes
that the function, purpose or impact of the program was not accurately described when their consent was
obtained. The removal or disabling of the program must be achieved without cost to the party making the
request (section 11(5)).
Exemptions for Telecommunication Service Providers (TSPs)
Two exemptions are provided for TSPs in regards to the installation of computer programs. First, TSPs will
not be required to obtain prior consent to install a computer program for the limited purposes of preventing
activities which pose an imminent security risk. Second, TSPs will not be required to obtain prior consent to
install network wide software or system upgrades (section 4, IC Regs).
This guide is offered for general information purposes and is not intended to provide legal advice.
Last revised March 2014
For questions please contact the following lawyers in Stewart McKelvey’s Halifax office:
Rob Aske - Practice group leader, IP/IT/Entertainment
9 CHARLOTTETOWN FREDERICTON HALIFAX MONCTON SAINT JOHN ST. JOHN’S STEWARTMCKELVEY.COM
Suite 601, Blue Cross Centre
644 Main Street
Moncton, NB E1C 1E2
Suite 900, Purdy’s Wharf Tower 1
1959 Upper Water Street
Halifax, NS B3J 3N2
Suite 600, Frederick Square
77 Westmorland Street
Fredericton, NB E3B 6Z3
65 Grafton Street
Charlottetown, PE C1A 1K8
Saint John, NB
Suite 1000, Brunswick House
44 Chipman Hill
Saint John, NB E2L 2A9
St. John’s, NL
Suite 1100, Cabot Place
100 New Gower Street
St. John’s, NL A1C 6K3