CASL compliance: More than spam. Understanding Canada’s anti-spam law

Don't be fooled by its name. You don't need to be a spammer, or even be located in Canada, for legislation known as "Canada’s anti-spam law" or "CASL" to regulate important elements of your business.

Many everyday activities – such as sending an email message to a customer, operating a company website and making a mobile application available for download – are subject to detailed rules that will likely require you to make significant changes to your operational practices or face significant fines.


What does CASL mean for business?

CASL is perhaps the most onerous legislation in the world to regulate the use of commercial electronic messaging. It goes much further than regulating the bulk, unsolicited email communications often referred to as “spam”. Rather, it creates an express consent-based regime that applies to almost all electronic messages sent for a commercial purpose. Whereas the U.S. CAN-SPAM Act relies on opt-out consent (i.e., a functioning unsubscribe mechanism), CASL requires express “opt-in” consent. Additionally, all requests for consent and almost all commercial electronic messages must meet prescriptive sender and contact person identity and withdrawal of consent requirements. The same opt-in consent standard also applies to the installation of a computer program on a computer, smart phone or other computing device. Almost all computer programs are covered, regardless of whether or not the program is installed for a malicious purpose. And there are prescriptive requirements for the form and content of certain user notices and acknowledgments.

Additional activities regulated by CASL include the use of address harvesting tools, the inclusion of misleading sender and subject matter information in an electronic message, and the alteration of transmission data in an electronic message. The scope of CASL is not limited to activities in Canada. CASL applies to electronic messages where the computer system used to send or access the message is located in Canada. In the case of computer programs, CASL applies if the computer program is installed on a computing device in Canada or if the person who installs or causes the installation of the program is in Canada. This means that organizations located outside of Canada that send messages to computers located in Canada or install computer programs on devices in Canada also face CASL requirements.

For more detailed information on CASL’s impact and requirements please see our articles:

What do I need to do?

CASL has created significant compliance challenges for all businesses, whether large, medium or small. The requirements for sending electronic messages and installing computer programs have the potential to impact operations across all businesses. In addition, the prescriptive nature of the rules in CASL regarding requests for consent, withdrawals of consent and the content of messages requires an organization to review, and if necessary, update policies and day-to-day practices regarding electronic marketing, customer communications and software and network management practices. To address these challenges, it is critical to develop a comprehensive compliance plan.

For most organizations, this will require that you work through the seven steps set out below:

  1. Identify a compliance team
  2. Identify the CASL requirements that apply to the organization
  3. Audit and document current practices
  4. Resolve preliminary “interpretation” issues
  5. Develop and document a CASL compliance plan
  6. Implement the CASL compliance plan
  7. Monitor, track and update the CASL compliance plan

In addition, a number of specific compliance activities will need to be undertaken. Please see our Top 10 List to help guide you:

Useful links

Resources

Data protection in Canada: The International Comparative Legal Guide 2018

Osler, Hoskin & Harcourt LLP – June 21, 2018

In the 2018 edition of the International Comparative Legal Guide to Data Protection, Osler’s Adam Kardash and Patricia Kosseim provide a comparative overview of the four principal private sector privacy statutes that govern the data protection regime in Canada, as well as guidance for maintaining legislative compliance. Read more

 

CASL’s computer program rules cover much more than spyware

Osler, Hoskin & Harcourt LLP – April 2018

The computer program provisions in Canada’s Anti-Spam Law (known as CASL) came into force on January 15, 2015. Significantly, these rules go further in regulating the installation of computer programs than laws in other jurisdictions. Read more


Canada’s Anti-Spam Law casts a wide net – requires all organizations to take action

Osler, Hoskin & Harcourt LLP – April 2018

Canada’s Anti-Spam Law (known as CASL) came into force on July 1, 2014. Organizations need to ensure that their practices for sending commercial electronic messages comply with CASL’s requirements or face significant penalties. Read more


Top 10 CASL compliance planning activities

Osler, Hoskin & Harcourt LLP – April 2018

Our experience working through compliance planning initiatives with many clients has given us valuable insights into what compliance planning means in practice. Learn about the 10 most critical (and challenging) compliance planning activities. Read more


Fate of controversial CASL section unknown

Law Times – March 19, 2018

Osler partner Michael Fekete tells Law Times that the private right of action (suspended last June) in Canada’s Anti-Spam Legislation “created a perfect storm for class actions.” Read more


Privacy a primary concern in 2017

Osler, Hoskin & Harcourt LLP – December 13, 2017

Sophisticated cybersecurity threats, high-profile data incidents, and an explosion in the volume of data analytics initiatives have resulted in privacy issues being top of mind for organizations across all sectors. In 2017, there were several key legal and regulatory developments in the Canadian privacy and data arena, most notably relating to statutory security breach notification regimes, Canada’s Anti-Spam Legislation (CASL) and data governance. Read more


Controversial provision suspended, but CMOs should still comply with CASL

ITBusiness.ca – June 30, 2017

Osler’s Adam Kardash discusses the suspension of the private right of action under Canada’s Anti-Spam Law (CASL) and CASL as it stands now. Read more


Canadian government suspends CASL private right of action

Osler, Hoskin & Harcourt LLP – June 7, 2017

The Canadian federal government has announced that it has suspended the coming into force of the private right of action under Canada’s anti-spam legislation (CASL), originally scheduled to come into force on July 1, 2017. Read more


CASL’s soon-to-be-enacted private right of action brings risk of class proceedings

Osler, Hoskin & Harcourt LLP – April 13, 2017

On July 1, 2017, the private right of action under Canada’s Anti-Spam Legislation (CASL) will come into force. Largely enacted in January 2014, CASL regulates: (i) the transmission of commercial electronic messages without the consent of the recipient, (ii) installation of computer programs (e.g., malware) on a device without consent and (iii) sending false or misleading electronic messages. To this point, enforcement for violations of CASL has been left to the CRTC. However, with the advent of the private right of action, individuals and organizations will now have a direct right of action against organizations alleged to have breached CASL’s provisions. This is expected to give rise to a number of class actions, many of which will likely be commenced very shortly after the right of action takes effect. Read more


Preparing for CASL’s private right of action

Osler, Hoskin & Harcourt LLP – April 6, 2017

CASL’s private right of action is coming into force on July 1, 2017. In this article, Adam Kardash, Head of Osler’s National Privacy and Data Management Practice, interviews Christopher Naudie, Osler litigation partner and Co-Chair of the firm’s National Class Action Specialty Group, about the implications of the provision and how businesses can prepare. Read more


Private right of action under CASL is coming into force

Osler, Hoskin & Harcourt LLP – March 30, 2017

On July 1, 2017, subject to any legislated postponement, the private right of action provisions (PRA) under Canada’s Anti-Spam Legislation (CASL) will come into force. This will expose organizations, including franchisors, to certain risks – chief among them is the risk of PRA-based class actions. Read more


Privacy and anti-spam 101: Addressing risks and maintaining compliance

Osler, Hoskin & Harcourt LLP – March 21, 2017

This webinar discusses key issues surrounding privacy and anti-spam that emerging companies face. Read more


Recent decision increases class action risk for companies that utilize pre-installed software and adware

Osler, Hoskin & Harcourt LLP – March 2, 2017

In modern commerce, it is quite common for manufacturers and service providers to pre-install software on a consumer’s computer and mobile devices, all with a view to tailoring the efficient delivery of services to the consumer. Given the expanding use of embedded software in Internet-connected consumer products – the so-called Internet of Things (IoT) – manufacturers are now installing software on a broader range of household devices, extending from televisions to refrigerators to automobiles. Since January 15, 2015, Canada’s anti-spam law (CASL) has prohibited the installation of a computer program on another person's computing device, in the absence of express consent from the owner of the device. Read more


CASL’s first compliance and enforcement decision: lessons learned

Osler, Hoskin & Harcourt LLP – November 2, 2016

Find out what your business can learn from the CRTC’s first CASL enforcement decision. Read more


First CASL compliance and enforcement decision released

Osler, Hoskin & Harcourt LLP – October 27, 2016

The first Compliance and Enforcement Decision under Canada's anti-spam legislation was released October 27, 2016, by the Canadian Radio-television and Telecommunications Commission. Read more


Québec company hit with $1.1-million penalty under CASL

Canadian Lawyer – March 6, 2015

Michael Fekete talks to Canadian Lawyer about the first fine and notice of violation issued by the CRTC under Canada’s anti-spam rules. Read more


CRTC issues $1.1-million penalty under Canada’s Anti-Spam Law

Osler, Hoskin & Harcourt LLP – March 5, 2015

The Canadian Radio-television and Telecommunications Commission issued its first penalty under CASL's commercial electronic messaging (CEM) rules on March 5, 2015. In its News Release, the CRTC states that a Notice of Violation, including a penalty of $1.1 million, was issued against Compu-Finder for sending CEMs without the recipient's consent and without a properly functioning unsubscribe mechanism. Read more


Anti-spam law targets software starting January

The Canadian Press – October 22, 2014

Michael Fekete comments on CASL’s provision relating to computer programs, which came into force on January 15, 2015.  Read more


Overview of Canada’s anti-spam/anti-spyware legislation and how it impacts franchisors

Osler, Hoskin & Harcourt LLP – May 2014

CASL was enacted by the 3rd session of the 40th Parliament in 2010, receiving royal assent on December 15, 2010. The commercial electronic message provisions under CASL came into force on July 1, 2014. The provisions related to the installation of computer programs came into force on January 15, 2014, and the private right of action will follow on July 1, 2017. Read more


Canada’s Anti-Spam Law — The countdown begins [PDF]

Osler, Hoskin & Harcourt LLP – January 27, 2014

Osler privacy experts discuss Canada’s Anti-Spam Law (CASL) and the 10 most critical (and challenging) compliance planning activities. Read more


Impact of new misleading advertising rules on electronic messages [PDF]

Osler, Hoskin & Harcourt LLP – January 2014

Osler privacy experts discuss some of the subtle but meaningful provisions in CASL dealing with misleading advertising that could have a real impact on how businesses engage in email marketing. Read more


Canada’s Anti-Spam Law: Final regulations mark countdown to coming into force

Osler, Hoskin & Harcourt LLP –December 4, 2013

Three years after it was enacted, Canada’s Anti-Spam Law (CASL) will come into force in stages over the next four years, beginning on July 1, 2014. Read more


Canada’s Anti-Spam Law: Practical tips for requesting consent (seminar presentation) [PDF]

Osler, Hoskin & Harcourt LLP – May 1, 2013

This presentation discusses critical consent requirements and practical tips for requesting consent. Read more


CASL enforcement bulletins released by CRTC: Increased compliance burden on business

Osler, Hoskin & Harcourt LLP – October 16, 2012

The Canadian Radio-television and Telecommunications Commission (CRTC) dashed hopes that it will be sensitive to the needs of businesses when enforcing Canada’s anti-spam legislation (CASL). On October 10, 2012, it published two bulletins that provide guidance on how it will enforce key elements of CASL, including the rules governing consent. Read more


Key Contacts

Our Privacy and Data Management Group comprises acknowledged leaders in the privacy arena and advises on a broad range of privacy and data-related legal matters.

Meet our team

AccessPrivacy Solutions

• Integrated Consulting Services
• CPO Forum and Events
• Information Services and Resources

View more information

Join our Monthly Privacy Call
Keep up to date on the latest privacy-related matters with our complimentary monthly call.

Learn more