Don't be fooled by its name. You don't need to be a spammer, or even be located in Canada, for legislation known as "Canada’s anti-spam law" or "CASL" to regulate important elements of your business.
Many everyday activities – such as sending an email message to a customer, operating a company website and making a mobile application available for download – are subject to detailed rules that will likely require you to make significant changes to your operational practices or face significant fines.
What does CASL mean for business?
CASL is perhaps the most onerous legislation in the world to regulate the use of commercial electronic messaging. It goes much further than regulating the bulk, unsolicited email communications often referred to as “spam”. Rather, it creates an express consent-based regime that applies to almost all electronic messages sent for a commercial purpose. Whereas the U.S. CAN-SPAM Act relies on opt-out consent (i.e., a functioning unsubscribe mechanism), CASL requires express “opt-in” consent. Additionally, all requests for consent and almost all commercial electronic messages must meet prescriptive sender and contact person identity and withdrawal of consent requirements. The same opt-in consent standard also applies to the installation of a computer program on a computer, smart phone or other computing device. Almost all computer programs are covered, regardless of whether or not the program is installed for a malicious purpose. And there are prescriptive requirements for the form and content of certain user notices and acknowledgments.
Additional activities regulated by CASL include the use of address harvesting tools, the inclusion of misleading sender and subject matter information in an electronic message, and the alteration of transmission data in an electronic message. The scope of CASL is not limited to activities in Canada. CASL applies to electronic messages where the computer system used to send or access the message is located in Canada. In the case of computer programs, CASL applies if the computer program is installed on a computing device in Canada or if the person who installs or causes the installation of the program is in Canada. This means that organizations located outside of Canada that send messages to computers located in Canada or install computer programs on devices in Canada also face CASL requirements.
For more detailed information on CASL’s impact and requirements please see our articles:
What do I need to do?
CASL has created significant compliance challenges for all businesses, whether large, medium or small. The requirements for sending electronic messages and installing computer programs have the potential to impact operations across all businesses. In addition, the prescriptive nature of the rules in CASL regarding requests for consent, withdrawals of consent and the content of messages requires an organization to review, and if necessary, update policies and day-to-day practices regarding electronic marketing, customer communications and software and network management practices. To address these challenges, it is critical to develop a comprehensive compliance plan.
For most organizations, this will require that you work through the seven steps set out below:
- Identify a compliance team
- Identify the CASL requirements that apply to the organization
- Audit and document current practices
- Resolve preliminary “interpretation” issues
- Develop and document a CASL compliance plan
- Implement the CASL compliance plan
- Monitor, track and update the CASL compliance plan
In addition, a number of specific compliance activities will need to be undertaken. Please see our Top 10 List to help guide you:
Useful links
Resources
Data protection in Canada: The International Comparative Legal Guide 2018
Osler, Hoskin & Harcourt LLP – June 21, 2018
In the 2018 edition of the International Comparative Legal Guide to Data Protection, Osler’s Adam Kardash and Patricia Kosseim provide a comparative overview of the four principal private sector privacy statutes that govern the data protection regime in Canada, as well as guidance for maintaining legislative compliance. Read more
CASL’s computer program rules cover much more than spyware
Osler, Hoskin & Harcourt LLP – April 2018
The computer program provisions in Canada’s Anti-Spam Law (known as CASL) came into force on January 15, 2015. Significantly, these rules go further in regulating the installation of computer programs than laws in other jurisdictions. Read more
Canada’s Anti-Spam Law casts a wide net – requires all organizations to take action
Osler, Hoskin & Harcourt LLP – April 2018
Canada’s Anti-Spam Law (known as CASL) came into force on July 1, 2014. Organizations need to ensure that their practices for sending commercial electronic messages comply with CASL’s requirements or face significant penalties. Read more
Top 10 CASL compliance planning activities
Osler, Hoskin & Harcourt LLP – April 2018
Our experience working through compliance planning initiatives with many clients has given us valuable insights into what compliance planning means in practice. Learn about the 10 most critical (and challenging) compliance planning activities. Read more
Fate of controversial CASL section unknown
Law Times – March 19, 2018
Osler partner Michael Fekete tells Law Times that the private right of action (suspended last June) in Canada’s Anti-Spam Legislation “created a perfect storm for class actions.” Read more
Privacy a primary concern in 2017
Osler, Hoskin & Harcourt LLP – December 13, 2017
Sophisticated cybersecurity threats, high-profile data incidents, and an explosion in the volume of data analytics initiatives have resulted in privacy issues being top of mind for organizations across all sectors. In 2017, there were several key legal and regulatory developments in the Canadian privacy and data arena, most notably relating to statutory security breach notification regimes, Canada’s Anti-Spam Legislation (CASL) and data governance. Read more
Controversial provision suspended, but CMOs should still comply with CASL
ITBusiness.ca – June 30, 2017
Osler’s Adam Kardash discusses the suspension of the private right of action under Canada’s Anti-Spam Law (CASL) and CASL as it stands now. Read more
Canadian government suspends CASL private right of action
Osler, Hoskin & Harcourt LLP – June 7, 2017
The Canadian federal government has announced that it has suspended the coming into force of the private right of action under Canada’s anti-spam legislation (CASL), originally scheduled to come into force on July 1, 2017. Read more
CASL’s soon-to-be-enacted private right of action brings risk of class proceedings
Osler, Hoskin & Harcourt LLP – April 13, 2017
On July 1, 2017, the private right of action under Canada’s Anti-Spam Legislation (CASL) will come into force. Largely enacted in January 2014, CASL regulates: (i) the transmission of commercial electronic messages without the consent of the recipient, (ii) installation of computer programs (e.g., malware) on a device without consent and (iii) sending false or misleading electronic messages. To this point, enforcement for violations of CASL has been left to the CRTC. However, with the advent of the private right of action, individuals and organizations will now have a direct right of action against organizations alleged to have breached CASL’s provisions. This is expected to give rise to a number of class actions, many of which will likely be commenced very shortly after the right of action takes effect. Read more
Preparing for CASL’s private right of action
Osler, Hoskin & Harcourt LLP – April 6, 2017
CASL’s private right of action is coming into force on July 1, 2017. In this article, Adam Kardash, Head of Osler’s National Privacy and Data Management Practice, interviews Christopher Naudie, Osler litigation partner and Co-Chair of the firm’s National Class Action Specialty Group, about the implications of the provision and how businesses can prepare. Read more
Private right of action under CASL is coming into force
Osler, Hoskin & Harcourt LLP – March 30, 2017
On July 1, 2017, subject to any legislated postponement, the private right of action provisions (PRA) under Canada’s Anti-Spam Legislation (CASL) will come into force. This will expose organizations, including franchisors, to certain risks – chief among them is the risk of PRA-based class actions. Read more
Privacy and anti-spam 101: Addressing risks and maintaining compliance
Osler, Hoskin & Harcourt LLP – March 21, 2017
This webinar discusses key issues surrounding privacy and anti-spam that emerging companies face. Read more
Recent decision increases class action risk for companies that utilize pre-installed software and adware
Osler, Hoskin & Harcourt LLP – March 2, 2017
In modern commerce, it is quite common for manufacturers and service providers to pre-install software on a consumer’s computer and mobile devices, all with a view to tailoring the efficient delivery of services to the consumer. Given the expanding use of embedded software in Internet-connected consumer products – the so-called Internet of Things (IoT) – manufacturers are now installing software on a broader range of household devices, extending from televisions to refrigerators to automobiles. Since January 15, 2015, Canada’s anti-spam law (CASL) has prohibited the installation of a computer program on another person's computing device, in the absence of express consent from the owner of the device. Read more
CASL’s first compliance and enforcement decision: lessons learned
Osler, Hoskin & Harcourt LLP – November 2, 2016
Find out what your business can learn from the CRTC’s first CASL enforcement decision. Read more
First CASL compliance and enforcement decision released
Osler, Hoskin & Harcourt LLP – October 27, 2016
The first Compliance and Enforcement Decision under Canada's anti-spam legislation was released October 27, 2016, by the Canadian Radio-television and Telecommunications Commission. Read more
Québec company hit with $1.1-million penalty under CASL
Canadian Lawyer – March 6, 2015
Michael Fekete talks to Canadian Lawyer about the first fine and notice of violation issued by the CRTC under Canada’s anti-spam rules. Read more
CRTC issues $1.1-million penalty under Canada’s Anti-Spam Law
Osler, Hoskin & Harcourt LLP – March 5, 2015
The Canadian Radio-television and Telecommunications Commission issued its first penalty under CASL's commercial electronic messaging (CEM) rules on March 5, 2015. In its News Release, the CRTC states that a Notice of Violation, including a penalty of $1.1 million, was issued against Compu-Finder for sending CEMs without the recipient's consent and without a properly functioning unsubscribe mechanism. Read more
Anti-spam law targets software starting January
The Canadian Press – October 22, 2014
Michael Fekete comments on CASL’s provision relating to computer programs, which came into force on January 15, 2015. Read more
Overview of Canada’s anti-spam/anti-spyware legislation and how it impacts franchisors
Osler, Hoskin & Harcourt LLP – May 2014
CASL was enacted by the 3rd session of the 40th Parliament in 2010, receiving royal assent on December 15, 2010. The commercial electronic message provisions under CASL came into force on July 1, 2014. The provisions related to the installation of computer programs came into force on January 15, 2014, and the private right of action will follow on July 1, 2017. Read more
Canada’s Anti-Spam Law — The countdown begins [PDF]
Osler, Hoskin & Harcourt LLP – January 27, 2014
Osler privacy experts discuss Canada’s Anti-Spam Law (CASL) and the 10 most critical (and challenging) compliance planning activities. Read more
Impact of new misleading advertising rules on electronic messages [PDF]
Osler, Hoskin & Harcourt LLP – January 2014
Osler privacy experts discuss some of the subtle but meaningful provisions in CASL dealing with misleading advertising that could have a real impact on how businesses engage in email marketing. Read more
Canada’s Anti-Spam Law: Final regulations mark countdown to coming into force
Osler, Hoskin & Harcourt LLP –December 4, 2013
Three years after it was enacted, Canada’s Anti-Spam Law (CASL) will come into force in stages over the next four years, beginning on July 1, 2014. Read more
Canada’s Anti-Spam Law: Practical tips for requesting consent (seminar presentation) [PDF]
Osler, Hoskin & Harcourt LLP – May 1, 2013
This presentation discusses critical consent requirements and practical tips for requesting consent. Read more
CASL enforcement bulletins released by CRTC: Increased compliance burden on business
Osler, Hoskin & Harcourt LLP – October 16, 2012
The Canadian Radio-television and Telecommunications Commission (CRTC) dashed hopes that it will be sensitive to the needs of businesses when enforcing Canada’s anti-spam legislation (CASL). On October 10, 2012, it published two bulletins that provide guidance on how it will enforce key elements of CASL, including the rules governing consent. Read more