The CASL regime is aimed at unsolicited commercial electronic messages (CEMs). It also includes provisions addressing the installation of computer programs, and unfair or deceptive online practices. As it is based on opt-in consent to send CEMs, CASL effectively raises the bar for organizations that have long communicated with customers and other organizations on an opt-out basis. Since CASL is a new regime, contains a private right of action and significant administrative monetary penalties (maximum $10 million), and is broader in scope than the anti-spam laws of the US and other countries, many organizations within and outside Canada have been monitoring its status closely. Some have already begun to take steps and adopt practices intended to allow them to comply with the Act.

The CASL regime consists of the Act itself and three sets of regulations. These include the much-anticipated Industry Canada Regulations which were published today, December 4. The Act was passed in 2010, and contains certain limited exceptions to allow organizations to send “commercial electronic messages” without meeting all of the CASL’s many requirements. It was widely understood by interested stakeholders that the Industry Canada Regulations would represent the best opportunity to obtain a phased-in implementation, additional exceptions, and important clarifications.

Also Applies to Non-Canadian Organizations

Importantly, CASL has extraterritorial implications. For example, the CASL regime applies to CEMs originating in or being sent to Canada, with some minimal exceptions. Although many Canadian organizations have already begun preparations, organizations based outside of Canada should consider what measures they should begin to implement in order to comply.


As noted above, most of CASL’s provisions will enter into force on July 1, 2014. The private right of action will not enter into force until July 1, 2017, giving stakeholders three years to get a better sense of the complexity and interpretation of CASL’s requirements.


CASL and the Industry Canada Regulations provide limited exceptions for certain types of CEMs, including:

  • messages between individuals with personal or family relationship;
  • inquiries or applications to a person engaged in a commercial activity;
  • quotes or estimates requested by the recipient;
  • facilitating, completing or confirming a pre-existing transaction;
  • warranty, product recall or safety/security information;
  • factual information regarding subscriptions, memberships, accounts, loans;
  • messages within organizations, or between organizations in a relationship
  • legal notices;
  • one-time third-party referrals;
  • limited-access, two-way accounts (e.g. banking sites); and
  • charities and political parties soliciting funds.

Installation of Computer Programs 

As noted, CASL also applies to the installation of “computer programs” as well as to certain deceptive practices regarding the transmission of messages. The definition of a “computer program” is broad. One aspect of the regulation of the installation of computer programs that may have broad application to organizations that operate websites and electronic marketing relates to the use of cookies and other similar technologies. Although consent is “deemed” for some of these technologies, an organization may only rely on deemed consent where the “person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.” Organizations may wish to consider whether their disclosure and opt-out regarding cookies and other similar technologies is sufficient to rely on this deemed consent.

Clarification and Interpretation

The Industry Canada Regulations’ Regulatory Impact Analysis Statement (RIAS) states that two Interpretation Bulletins published a year ago by the Canadian Radio-television and Telecommunications Commission (CRTC) are not legally binding, and that Information Bulletins are not meant to be exhaustive. While the RIAS does attempt to clarify certain questions raised by stakeholders during regulatory consultations – including what constitutes a “CEM”, whether consents that were valid under pre-existing privacy law are valid for CASL purposes, and whether CASL applies to communications on social media – stakeholders should take note that the interpretation and application of CASL will be an ongoing process.