CASL compliance: More than spam. Understanding Canada’s anti-spam law

Don't be fooled by its name. You don't need to be a spammer, or even be located in Canada, for legislation known as "Canada’s anti-spam law" or "CASL" to regulate important elements of your business.

Many everyday activities – such as sending an email message to a customer, operating a company website and making a mobile application available for download – are subject to detailed rules that will likely require you to make significant changes to your operational practices or face significant fines.

What does CASL mean for business?

CASL is perhaps the most onerous legislation in the world to regulate the use of commercial electronic messaging. It goes much further than regulating the bulk, unsolicited email communications often referred to as “spam”. Rather, it creates an express consent-based regime that applies to almost all electronic messages sent for a commercial purpose. Whereas the U.S. CAN-SPAM Act relies on opt-out consent (i.e., a functioning unsubscribe mechanism), CASL requires express “opt-in” consent. Additionally, all requests for consent and almost all commercial electronic messages must meet prescriptive sender and contact person identity and withdrawal of consent requirements. The same opt-in consent standard also applies to the installation of a computer program on a computer, smart phone or other computing device. Almost all computer programs are covered, regardless of whether or not the program is installed for a malicious purpose. And there are prescriptive requirements for the form and content of certain user notices and acknowledgments.

Additional activities regulated by CASL include the use of address harvesting tools, the inclusion of misleading sender and subject matter information in an electronic message, and the alteration of transmission data in an electronic message. The scope of CASL is not limited to activities in Canada. CASL applies to electronic messages where the computer system used to send or access the message is located in Canada. In the case of computer programs, CASL applies if the computer program is installed on a computing device in Canada or if the person who installs or causes the installation of the program is in Canada. This means that organizations located outside of Canada that send messages to computers located in Canada or install computer programs on devices in Canada also face CASL requirements.

For more detailed information on CASL’s impact and requirements please see our articles:

What do I need to do?

CASL has created significant compliance challenges for all businesses, whether large, medium or small. The requirements for sending electronic messages and installing computer programs have the potential to impact operations across all businesses. In addition, the prescriptive nature of the rules in CASL regarding requests for consent, withdrawals of consent and the content of messages requires an organization to review, and if necessary, update policies and day-to-day practices regarding electronic marketing, customer communications and software and network management practices. To address these challenges, it is critical to develop a comprehensive compliance plan.

For most organizations, this will require that you work through the seven steps set out below:

  1. Identify a compliance team
  2. Identify the CASL requirements that apply to the organization
  3. Audit and document current practices
  4. Resolve preliminary “interpretation” issues
  5. Develop and document a CASL compliance plan
  6. Implement the CASL compliance plan
  7. Monitor, track and update the CASL compliance plan

In addition, a number of specific compliance activities will need to be undertaken. Please see our Top 10 List to help guide you:

Additional information

Useful links


Canadian government suspends CASL private right of action

Osler, Hoskin & Harcourt LLP – June 7, 2017

The Canadian federal government has announced that it has suspended the coming into force of the private right of action under Canada’s anti-spam legislation (CASL), originally scheduled to come into force on July 1, 2017. Read more.

CASL’s soon-to-be-enacted private right of action brings risk of class proceedings

Osler, Hoskin & Harcourt LLP – April 13, 2017

On July 1, 2017, the private right of action under Canada’s Anti-Spam Legislation (CASL) will come into force. Largely enacted in January 2014, CASL regulates: (i) the transmission of commercial electronic messages without the consent of the recipient, (ii) installation of computer programs (e.g., malware) on a device without consent and (iii) sending false or misleading electronic messages. To this point, enforcement for violations of CASL has been left to the CRTC. However, with the advent of the private right of action, individuals and organizations will now have a direct right of action against organizations alleged to have breached CASL’s provisions. This is expected to give rise to a number of class actions, many of which will likely be commenced very shortly after the right of action takes effect. Read more.

Preparing for CASL’s private right of action

Osler, Hoskin & Harcourt LLP – April 6, 2017

CASL’s private right of action is coming into force on July 1, 2017. In this article, Adam Kardash, Head of Osler’s National Privacy and Data Management Practice, interviews Christopher Naudie, Osler litigation partner and Co-Chair of the firm’s National Class Action Specialty Group, about the implications of the provision and how businesses can prepare. Read more.

Private right of action under CASL is coming into force

Osler, Hoskin & Harcourt LLP – March 30, 2017

On July 1, 2017, subject to any legislated postponement, the private right of action provisions (PRA) under Canada’s Anti-Spam Legislation (CASL) will come into force. This will expose organizations, including franchisors, to certain risks – chief among them is the risk of PRA-based class actions. Read more.

Recent decision increases class action risk for companies that utilize pre-installed software and adware

Osler, Hoskin & Harcourt LLP – March 2, 2017

In modern commerce, it is quite common for manufacturers and service providers to pre-install software on a consumer’s computer and mobile devices, all with a view to tailoring the efficient delivery of services to the consumer. Given the expanding use of embedded software in Internet-connected consumer products – the so-called Internet of Things (IoT) – manufacturers are now installing software on a broader range of household devices, extending from televisions to refrigerators to automobiles. Since January 15, 2015, Canada’s anti-spam law (CASL) has prohibited the installation of a computer program on another person's computing device, in the absence of express consent from the owner of the device. Read more.

First CASL compliance and enforcement decision released

Osler, Hoskin & Harcourt LLP – October 27, 2016

The first Compliance and Enforcement Decision under Canada's anti-spam legislation was released October 27, 2016, by the Canadian Radio-television and Telecommunications Commission. Read more.

Overview of Canada’s anti-spam/anti-spyware legislation and how it impacts franchisors

Osler, Hoskin & Harcourt LLP – May 2014

CASL was enacted by the 3rd session of the 40th Parliament in 2010, receiving royal assent on December 15, 2010. The commercial electronic message provisions under CASL came into force on July 1, 2014. The provisions related to the installation of computer programs came into force on January 15, 2014, and the private right of action will follow on July 1, 2017. Read more.


For help with your CASL Compliance, please contact:


Michael Fekete

Michael Fekete