UPDATE: Canada’s anti-spam law is now in force.
Don't be fooled by its name. You don't need to be a spammer, or even be located in Canada, for legislation known as "Canada’s anti-spam law" or "CASL" to regulate important elements of your business.
Many everyday activities – such as sending an email message to a customer, operating a company website and making a mobile application available for download – are now subject to detailed rules that will likely require you to make significant changes to your operational practices or face significant fines.
Michael Fekete discusses anti-spam legislation coming into effect and provides advice for mitigating risks.
What does CASL Mean for Business?
CASL is perhaps the most onerous legislation in the world to regulate the use of commercial electronic messaging. It goes much further than regulating the bulk, unsolicited email communications often referred to as “spam”.
Rather, it creates an express consent-based regime that will apply to almost all electronic messages sent for a commercial purpose. Whereas the US CAN-SPAM Act relies on opt-out consent (i.e., a functioning unsubscribe
mechanism), CASL requires express “opt-in” consent. Additionally, all requests for consent and almost all commercial electronic messages must meet prescriptive sender and contact person identity and withdrawal of consent requirements. The same opt-in consent standard also applies to the installation of a computer program on a computer, smart phone or other computing device. Almost all computer programs are covered, regardless of whether or not the program is installed for a malicious purpose. And there are prescriptive requirements for the form and content of certain user notices and acknowledgments.
Additional activities regulated by CASL include the use of address harvesting tools, the inclusion of misleading sender and subject matter information in an electronic message, and the alteration of transmission data in an electronic message. The scope of CASL is not limited to activities in Canada. CASL applies to electronic
messages where the computer system used to send or access the message is located in Canada. In the case of computer programs, CASL applies if the computer program is installed on a computing device in Canada or if the person who installs or causes the installation of the program is in Canada. This means that organizations located outside of Canada that send messages to computers located in Canada or install computer programs on devices in Canada will also face CASL requirements.
For more detailed information on CASL’s impact and requirements please see our articles:
Anti-Spam Legislation Casts a Wide Net – Requires all Organizations to Take Action
CASL’s Computer Program Rules Cover Much More than Spyware
What Do I Need to Do?
CASL will likely create significant compliance challenges for all businesses, whether large, medium or small. The requirements for sending electronic messages and installing computer programs have the potential to impact
operations across all businesses. In addition, the prescriptive nature of the rules in CASL regarding requests for consent, withdrawals of consent and the content of messages will require an organization to revisit its “pre-CASL”
policies and day-to-day practices regarding electronic marketing, customer communications and software and network management practices. To address these challenges, it is critical to develop a comprehensive compliance plan.
For most organizations, this will require that you work through the seven steps set out below:
- Identify a compliance team
- Identify the CASL requirements that apply to the organization
- Audit and document current practices
- Resolve preliminary “interpretation” issues
- Develop and document a CASL compliance plan
- Implement the CASL compliance plan
- Monitor, track and update the CASL compliance plan
In addition, a number of specific compliance activities will need to be undertaken. Please see our Top 10 List to help guide you:
Top Ten CASL Compliance Planning Activities
Canadian government suspends CASL private right of action
Osler, Hoskin & Harcourt LLP – June 7, 2017
The Canadian federal government has announced that it has suspended the coming into force of the private right of action under Canada’s anti-spam legislation (CASL), originally scheduled to come into force on July 1, 2017. Read more.
CASL’s soon-to-be-enacted private right of action brings risk of class proceedings
Osler, Hoskin & Harcourt LLP – April 13, 2017
On July 1, 2017, the private right of action under Canada’s Anti-Spam Legislation (CASL) will come into force. Largely enacted in January 2014, CASL regulates: (i) the transmission of commercial electronic messages without the consent of the recipient, (ii) installation of computer programs (e.g., malware) on a device without consent and (iii) sending false or misleading electronic messages. To this point, enforcement for violations of CASL has been left to the CRTC. However, with the advent of the private right of action, individuals and organizations will now have a direct right of action against organizations alleged to have breached CASL’s provisions. This is expected to give rise to a number of class actions, many of which will likely be commenced very shortly after the right of action takes effect. Read more.
Preparing for CASL’s private right of action
Osler, Hoskin & Harcourt LLP – April 6, 2017
CASL’s private right of action is coming into force on July 1, 2017. In this article, Adam Kardash, Head of Osler’s National Privacy and Data Management Practice, interviews Christopher Naudie, Osler litigation partner and Co-Chair of the firm’s National Class Action Specialty Group, about the implications of the provision and how businesses can prepare. Read more.
Private right of action under CASL is coming into force
Osler, Hoskin & Harcourt LLP – March 30, 2017
On July 1, 2017, subject to any legislated postponement, the private right of action provisions (PRA) under Canada’s Anti-Spam Legislation (CASL) will come into force. This will expose organizations, including franchisors, to certain risks – chief among them is the risk of PRA-based class actions. Read more.
Recent decision increases class action risk for companies that utilize pre-installed software and adware
Osler, Hoskin & Harcourt LLP – March 2, 2017
In modern commerce, it is quite common for manufacturers and service providers to pre-install software on a consumer’s computer and mobile devices, all with a view to tailoring the efficient delivery of services to the consumer. Given the expanding use of embedded software in Internet-connected consumer products – the so-called Internet of Things (IoT) – manufacturers are now installing software on a broader range of household devices, extending from televisions to refrigerators to automobiles. Since January 15, 2015, Canada’s anti-spam law (CASL) has prohibited the installation of a computer program on another person's computing device, in the absence of express consent from the owner of the device. Read more.
First CASL compliance and enforcement decision released
Osler, Hoskin & Harcourt LLP – October 27, 2016
The first Compliance and Enforcement Decision under Canada's anti-spam legislation was released October 27, 2016, by the Canadian Radio-television and Telecommunications Commission. Read more.
Overview of Canada’s anti-spam/anti-spyware legislation and how It impacts franchisors
Osler, Hoskin & Harcourt LLP – May 2014
CASL was enacted by the 3rd session of the 40th Parliament in 2010, receiving royal assent on December 15, 2010. The commercial electronic message provisions under CASL came into force on July 1, 2014. The provisions related to the installation of computer programs came into force on January 15, 2014, and the private right of action will follow on July 1, 2017. Read more.