Three Ways Canada’s New Anti-spam Law Could Affect Your Business


Canada’s anti-spam law (CASL) comes into effect on July 1, 2014 and its impact is far-reaching. Despite what its name suggests, the legislation is not only targeted at spammers or even those located in Canada. It’s a comprehensive framework that affects many everyday business activities on the Internet such as;

  • Sending an email to a customer (email marketing)
  • Managing and manipulating customer data
  • Operating a company website
  • Offering mobile applications for download

Enforcement will largely come under the scope of the Canadian Radio-television and Telecommunications Commission (CRTC) and fines can total as much as $1 million per violation for an individual and up to $10 million per violation for anyone else. Any “affected” person can seek compensation for damages or loss as well as for statutory damages. For commercial electronic messages, the maximum is $200 per violation, up to $1 million per day, which could attract the attention of pesky class-action plaintiff lawyers.
My point is that the implications of CASL to business are real and should be taken seriously! Let’s look at the three primary types of activities that we need to watch, followed by steps we can take to protect ourselves.

1. Commercial Email

Here is where I believe most businesses are most susceptible. CASL prohibits sending commercial email unless the recipient has provided express or implied consent to receiving the email and the message satisfies specified content requirements. Express consent means the recipient has voluntarily opted in and this consent is documented. To be valid, the request for consent must

(i) set out the purposes for which the consent is being sought and
(ii) identify the person who is seeking the consent.

If you have an “existing business relationship” between the sender and the recipient and also if there is an “existing non-business relationship” between the sender and the recipient, consent can be implied. CASL provides definitions for these terms and outlines the time-limited parameters. Consent can also be implied if the recipient has, through “conspicuous disclosure or publication,” provided his or her email address without indicating that he or she does not wish to receive a commercial email. For example, featuring an email address on your corporate website or handing out business cards with your email address may be considered forms of implied consent.
As for the content requirements, these include name and contact information for the sender as well as any other person on whose behalf the message is sent, and an unsubscribe mechanism.

2. Transmission Data

CASL does not permit transmission data to be altered. For example, a user clicks on a link in an email believing it will take them to a certain website, but the link re-directs them to another.

3. Installing Computer Programs

CASL requires express consent of the owner of a computer system or an authorized user for the installation of computer programs such as mobile applications.
As was previously the case with PIPEDA, CASL enforces zero tolerance for false and misleading electronic representations (including websites), the unauthorized collection of electronic addresses and the collection of personal information by accessing a computer system.

How does a business protect itself from inadvertently exposing itself to the wrath of CASL? It all comes down to consent. For commercial email, you need to request explicit permission from those with whom a relationship already exists (i.e. implied consent exists). I suggest that rather than worry about the nuance of implied consent, there is an expected grace period in the early days of CASL, so it’s best to start the process of obtaining express consent from your contacts now.

Since the onus is on the business to prove it has consent of its recipients, an email campaign is most effective to digitally capture approval and register the recipient’s email address.
Contact Us for Assistance
Setting Up Your Campaign
The same principle applies for transmitting data and installing programs. It is imperative the individual is aware of exactly what’s happening and has the opportunity to consent. Where more than one person manages these areas within your organization, ensure a policy exists for employees to follow and avoid inadvertently exposing your business to violations.
The time to prepare for the new rules is now. For more information, check out