Skip to main content

Canada's Anti-Spam Law Means New Set of Rules for Businesses

December 11, 2013

After much anticipation and speculation that it may not even happen, Canada's anti-spam law ("CASL") will come into force on July 1, 2014. "Spam" is a misnomer, since the law goes beyond unsolicited email or "spam" by extending to all commercial electronic messages as well as other practices, like requiring businesses to make certain disclosures upon the unsolicited installation of computer software. 

The law casts a wide net by impacting most businesses that send electronic communications, such as emails. The law is not limited to Canadian businesses either, and for example, applies to emails, and other communications, sent from foreign businesses to Canadians. 

CASL was passed in 2010, and after 3 years of consultation, the final set of regulations was introduced on December 4, 2013. Most of the anti-spam provisions will be in force as of July 1, 2014, including consent and disclosure requirements to send commercial electronic messages. The provisions related to installing computer programs/software will come into force January 15, 2015 (s.8). In addition, certain other provisions, including a private right of action, will come into force July 1, 2017.

Businesses have just over 6 months until July 1, 2014, before they are restricted in how they can obtain consent to send commercial emails and other electronic communications. Today, under privacy laws, consent can be implied or expressed, and there are no prescribed disclosure requirements to obtain consent. Generally speaking the new law requires an express opt-in by recipients of emails, which is a much higher threshold than other countries. Notably, consumers must do something active to consent, such as checking a box or entering their email address. A pre-checked box, something that had become fairly ubiquitous, will no longer be considered adequate. There will also be specific information that must be disclosed at the time consent is obtained, such as the identity of the person seeking consent together with complete contact information, and a statement that once consent is given it can be withdrawn at any time. Businesses have the burden of proving they have obtained consent under CASL. Thus, a record of consents received should be kept, including the date, time, purpose, and manner of that consent.  

There are exceptions to the law, including exceptions for emails between family members and between businesses, from registered charities where they are sent for fundraising purposes, and political parties where the primary purpose is soliciting a contribution.  

CASL recognizes implied consent but only in those limited circumstances set out in law. For example, consent will be implied if there is an "existing business relationship" or "existing non-business relationship" between sender and recipient, both of which are specifically defined under CASL.

There are three federal agencies responsible for enforcement of the law: the CRTC, the Competition Bureau (CB), and the Office of the Privacy Commissioner of Canada (OPC). The CRTC will have a primary enforcement responsibility and will be able to investigate, take action against, and set administrative monetary penalties ("AMPs") for: (a) sending non-compliant commercial electronic messages; (b) altering transmission data without express consent; and (c) the installation of a computer program on a computer system or network without express consent. AMPs are steep at up to $1 million for individuals and $10 million for corporations. 

The CB will address false and misleading representations and deceptive marketing practices in the electronic marketplace (e.g. false and misleading message headers). The OPC will enforce regarding conduct that collects personal information through access to computer systems and electronic address harvesting for bulk email lists compiled through mechanisms (e.g. computer programs that crawl the Internet for addresses).

The CRTC has indicated that it will go after the most egregious players first, leaving legitimate businesses time to comply without facing large fines. Nevertheless, the time to get consent is now, and to make any other necessary changes to your databases before July 1, 2014.    


Jennifer McKenzie Jennifer McKenzie
B.A. (Hons.), LL.B.
416.957.1628  email Jennifer McKenzie