Canada's Anti-Spam Legislation - CASL

Canada has strict rules on unsolicited messages and these rules can apply to businesses outside the country. Canada's Anti-Spam Legislation (CASL) broadly requires businesses to get permission before sending emails and text messages, identify themselves when sending messages, and make it easy to unsubscribe.

The law is strongly enforced and some businesses have received significant fines.

This article will get deeper into this law, what it requires, and will offer practical steps and guidance for how you can comply with it.

CASL's Background

Canada's Anti-Spam Legislation (CASL) is the commonly used name for a law passed in 2010. It's enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada.

The law took effect in stages between 2014 and 2017. It then evolved through interpretations and guidance from the CRTC and Industry Canada (now Innovation, Science and Economic Development Canada).

CASL's Scope

Unlike other Canadian privacy and data laws such as PIPEDA, CASL does not only apply to businesses physically located in Canada. Instead it's the recipient of the personal data's location that matters.

Messages

The law applies to commercial electronic messages (CEM). This is a message that it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity.

Exemptions from the definition of CEM include charities sending fundraising messages and political parties trying to get contributions.

Perhaps counterintuitively, an unsolicited message asking for consent to send CEMs counts as a CEM itself. A message confirming somebody has unsubscribed does not count as a CEM.

The rules refer to the message going to an "electronic address." This definition has evolved as new technologies emerge.

As a general principle, CASL does cover:

• Emails
• SMS text messages
• A direct contact such as an instant or direct messaging feature

It does not cover:

• Faxes
• Voice calls
• A post on a Facebook page
• A public tweet

Location

CASL applies if:

• The intended recipient is in Canada,
• The message is physically sent from Canada, or
• The message is accessed on a device in Canada.

CASL doesn't apply if the message is simply routed through Canada, for example through a server or data center.

What are CASL's Requirements?

When CASL applies, message senders must follow three main requirements:

• Get consent before sending messages
• Identify the sender in the message, and
• Give a clear and straightforward way to unsubscribe

CASL also says messages must be true and not misleading. If you send a false or misleading CEM, it breaches CASL even if you meet all the other requirements.

CASL-Compliant Consent

Businesses must get consent before sending CEMs. In most cases this must be express consent, though implied consent is allowed in some cases.

Whether express or implied, consent only covers an individual recipient, not an organization. Normally consent only covers CEMs from the sender in their business capacity. For example, if you worked for a business, you could not rely on consent to send messages to customers offering to sell something personally.

The onus is on you to prove you have consent. This usually means you'll need to maintain records of recipients who have given consent (and have not withdrawn it). Remember that these records can count as personal data so you will need to make sure you comply with other data laws such as PIPEDA if they apply to you.

Express Consent

Express consent can be oral or written (including electronically.) It must be informed consent that follows a specific request that includes the following:

• Your business's identity and contact information.
• The reason for requesting consent. This should give a clear indication of what type of CEMs you intend to send.
• A reminder that the recipient has the right to withdraw consent later on, including clear details of how to do so.

The Financial Post's newsletter sign-up contains all three points though the use of small text and poor contrast is very unhelpful:

Remember that sending an unsolicited message asking for consent to CEMs will usually count as a CEM itself. By definition, such a message would breach CASL. This means you'll normally need to ask for consent in another way, for example on a sign-up form on your website.

Under CASL, express consent must be active. This means the recipient must take an affirmative step such as clicking a button. You cannot use passive methods such as:

• Using a pre-ticked box or a toggle set to "consent" by default
• Using an opt-out system where you assume consent unless the individual states otherwise

Visit Virginia Beach requires recipients to tick a clearly labelled box to show consent:

Express consent has no time limit. It remains valid until the recipient withdraws the consent. This is one of the reasons why the rules use the term "unsubscribe" to refer to withdrawing consent.

By default, express consent covers all CEM. The exception is if the recipient specifies that the consent is only for specific types of CEM. For example, they might say they only want to receive messages about a specific product or service, or only receive newsletters and not one-off promotional messages.

Implied Consent

Senders can use implied consent in specific and limited circumstances:

• The sender and recipient have an active business relationship
• The sender and recipient have a membership relationship, for example somebody being part of a club or association (This doesn't cover for-profit organizations)
• The recipient has published their email address online without a disclaimer that they don't want to get CEMs at this address. However, this only applies to CEMs sent to a recipient in a work capacity, not as a consumer. The CEM must be relevant to the person's role in their business.
• The recipient has provided an email address on a business card without a disclaimer that they don't want to get CEMs at this address. Again, this only applies to CEMs sent to a recipient in a work capacity, not as a consumer.

Because it is listed without a disclaimer, it would be acceptable to use the email address in this example to send promotional messages to Dwight Schrute of Dunder Mifflin (if he existed). However, the messages could only relate to his role in the paper business. You could not use implied consent to send him unsolicited messages about his beet farm or other interests:

Implied consent can also apply to former customers. However, since 2017 this has been time-limited so that you can only use implied consent if you've had an active business relationship at some point in the previous two years.

Exemption for Referrals

The rules include a special exemption for referrals. This is where you receive contact details from an individual who has an existing relationship with the recipient.

In such cases, you are allowed to send one CEM without consent. This CEM must include:

• The full name of the individual who made the referral
• A clear statement that you are sending the CEM as a result of the referral

After this initial CEM you must have consent to send any further CEMs to the same person.

Buying a Business or Mailing List

As a general principle, if you buy a business outright, any existing express consent from customers remains valid under your ownership.

If you simply buy a mailing list, you will need fresh consent from recipients before sending them CEMS.

Your Identification Information

Any CEM you send must clearly identify you as the sender. You must also include as much contact information as possible. You must include a postal address where you can be contacted.

This email is clearly identified as coming from The Globe and Mail. Although it is primarily an editorial newsletter, it would fall under CASL's scope as it includes a promotional message for a wine tour:

If you send a message on behalf of somebody else, you must detail everyone involved in controlling what the message says and who it goes to, including through affiliate programs. If this would take too much space, you can include a link to a webpage with the information.

The identification rule applies regardless of the type of consent you have.

An Easy Unsubscribe Mechanism

Any CEM you send must not only remind recipients they can withdraw consent, but allow them to do so. With an email, the easiest way is with an "unsubscribe" link. With a text message you can ask recipients to reply with a message such as "STOP."

Gap Canada gives a clear explanation of how to unsubscribe and what effect this has:

The rules say the unsubscription must be "readily performed." This means you make it as simple and straightforward as possible for the recipient to unsubscribe, for example by minimizing the number of clicks. Do not make the process unnecessarily complicated, for example, to try to deter unsubscriptions.

You cannot impose a charge for unsubscribing a recipient.

Once somebody asks you to stop sending CEMs, you must do so within 10 days.

The unsubscribing rule applies regardless of the type of consent you have.

Full Exemptions to CASL

In a limited range of circumstances, you can send CEMs without having to meet any of the three requirements (consent, identification, unsubscribe mechanism). These include:

• Messages sent between friends or family
• Messages sent between two businesses with an existing business-to-business relationship
• Messages you are legally required to send
• Messages sent in response to a request from the recipient (though this message must be sent within six months of the request)
• Messages sent through a secure account with only one authorized sender such as an online banking tool

Penalties and Enforcement

Breaching the CASL carries a maximum financial penalty per violation of $1 million for an individual and $10 million for a business.

If you use third parties such as affiliate networks to send CEMs on your behalf, you may be held legally liable for them breaching the CASL. In such cases, the size of a penalty may take into account the level of control somebody had (or should have had) over the sending of the message and its content.

The Canadian Radio-television and Telecommunications Commission (CRTC) is the main body that enforces CASL. It has powers to investigate alleged breaches, including to:

• Order somebody to hand over documents or data
• Order a telecommunications provider to preserve transmission data
• Get a search warrant

If it determines a breach has happened, the CRTC can:

• Send a warning letter
• Reach an agreement with the violator to take a particular action and/or make a financial settlement
• Serve a notice of violation
• Impose a financial penalty

The CRTC recommends that businesses set up a corporate compliance program to make sure staff understand and follow the CASL rules. Having such a program may reduce the financial penalty the CRTC imposes after a breach.

The Office of the Privacy Commissioner enforces the CASL's rules against automatic collection ("harvesting") of email addresses. The Competition Bureau enforces the rules against misleading promotional emails.

Summary

Let's recap what you need to know about Canada's Anti-Spam Laws.

• CASL applies if an unsolicited message meets three requirements covering location, technology and content.
• The location requirement is that the recipient is in Canada, the message is sent from Canada, or the message is accessed in Canada.
• The technology requirement is that the message is sent to an electronic address. This includes email, SMS text messages and direct messaging.
• The content requirement is that it is a commercial electronic message (CEM). This means a business is encouraging the recipient to engage in commercial activity, for example through a promotional email.
• When CASL applies, you must get consent, identify yourself in the message, and give a clear way to unsubscribe. You must also make sure the message is true and not misleading.
• Consent covers an individual and can be express or implied.
• To get express consent, you must request it and provide your identity, why you want the consent, and how to withdraw it.
• Express consent must be active and affirmative. You can't use an opt-out system.

• Implied consent is only allowed in limited circumstances such as:

  • You have an active business relationship with the recipient or had one in the past two years.
  • The recipient put their email address online or on a business card and didn't say they don't want CEMs. (This only covers addresses used for business.)
  • You can send a single CEM from a business referral. You'll need consent to follow it up.
• You must always identify yourself in a CEM, regardless of the consent type. You must detail anyone else involved, for example through affiliate marketing.
• You must always include an unsubscribe option, regardless of the consent type. This must be as easy as possible, preferably a one-click link or a one-word SMS reply. You must act on an unsubscribe request within 10 days.
• In specific circumstances, a CEM is exempt from all three requirements. This includes business-to-business messages where you have an ongoing relationship. It also includes replies to a request.
• The maximum penalty for breaching CASL is $1 million per violation for individuals and $10 million per violation for businesses.