Skip to main content

Canada's Anti-Spam Law is a Step Closer

US marketers who have been paying attention to anti-spam developments north of the border are concerned about proposed new Canadian regulations.   If you have not been paying attention, it's probably time that you did.   We have a guest post today discussing the progress of those regulations.



The implementation of anti-spam legislation in Canada got a step closer when, on January 5, Industry Canada released its newest version of proposed regulations under the legislation (“IC regulations”).  Industry Canada is accepting comments until February 4.  The draft IC regulations can be viewed here:  Canada Gazette site.

Although Canada has been seen as a leader in the legislative protection of personal information through the introduction of privacy legislation in 2001, Canada is the last of the G8 countries to adopt anti-spam legislation.  Legislation was enacted on December 15, 2010 to fill that gap. Canada’s new anti-spam legislation, unofficially known as “CASL”, amends existing legislation and establishes a regulatory framework to prohibit the sending of spam.  The introduction of CASL will require organizations doing business in Canada to evaluate and update their practices regarding electronic communications.  Organizations should pay careful attention to the express consent requirements.

CASL prohibits the sending of unsolicited commercial electronic messages (“CEMs”) without prior consent of the recipient and provides rules regarding the manner in which such messages may be sent.  The legislation is expected to come into force in late 2013. The legislation will involve interplay by 3 regulatory bodies—the Competition Bureau, the CRTC (Canada’s telecommunications regulatory agency) and the Office of the Privacy Commissioner of Canada.  While CASL has received Royal Assent, consumers and businesses alike are currently awaiting finalization of the regulations (Industry Canada and CRTC) which will provide important details regarding its practical application.  The CRTC has previously published its final regulations.

What does CASL require?

CASL prohibits the sending of CEMs to an electronic address unless (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and (b) the message complies with content and other requirements set out in the legislation. This includes prescribed content such as identification of and contact information for the person who sent the message as well as an unsubscribe mechanism.

Are any CEMs excluded?

The requirements in CASL not apply to CEMs sent by or on behalf of an individual to another individual with whom they have a personal or family relationship as defined in the IC regulations. The requirements also do not apply to a CEM that is sent to a person who is engaged in a commercial activity and consists solely of an inquiry or application related to that activity.

The proposed regulations also provide for a number of other exemptions for commercial electronic messages, including those that are sent within a business; or sent between businesses that are already in a business relationship.

Exemptions are also proposed for messages that are solicited or sent in response to complaints and requests. Additional exemptions are proposed for messages sent due to a legal obligation or to enforce a legal right.

What is an electronic address?

CASL creates a new, detailed definition of “electronic address”, which refers to addresses used in connection with the transmission of an electronic message to an e-mail account, an instant messaging account, a telephone account, or any similar account.

What is valid consent and will opt-out consent do?

CASL requires express or implied consent by the recipient of a commercial electronic message.  It is the relatively strict requirements for express consent that are a distinguishing feature of the new legislation.

The CRTC has recently indicated its view that opt-out consent or pre-checked boxes do not satisfy the express consent requirement.  Where express consent is required, a person must set out clearly the following information:

(a)  the purpose or purposes for which the consent is being sought;

(b) prescribed information that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, prescribed information that identifies that other person; and

(c)  any other prescribed information.

Implied consent is permitted in some circumstances, including where there is an existing business relationship or an existing non-business relationship between the parties.

What are some exceptions to the consent requirement?

There are some exceptions to the requirement to obtain consent.  These include, where the CEM provides a quote or estimate if the quote or estimate was requested by the person to whom the message is sent.  A CEM that facilitates, completes or confirms a commercial transaction that the person to whom the message is sent previously agreed to.  The proposed regulations also provide a consent exception for third party referrals.

What are the penalties?

CASL imposes significant monetary penalties for violations pertaining to the sending of unsolicited electronic messages, the alteration of transmission data, and the unauthorized installation of a computer program.  CASL also sets out a list of factors to be considered in determining the amount levied, including the nature and scope of the violation. Financial penalties range up to $1 million for an individual and up to $10 million for a business per violation

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.