Canada’s Anti-Spam Legislation (CASL)
Canada’s Anti-Spam Legislation (CASL) was enacted to help Canadians avoid spam and other electronic threats, and is in effect as of July 1, 2014. In general terms, CASL prohibits sending commercial electronic messages without the consent of the recipient. It also requires that all commercial electronic messages include information about the sender and an ‘unsubscribe’ mechanism.
Non-compliance with the legislation can have serious consequences, including significant monetary penalties. As a result, it is important to understand the basic requirements under CASL and ensure that your electronic communications practices comply with its expectations and standards.
Policies and procedures to provide clear guidance for Conestoga employees related to compliance with CASL are currently in development.
The information provided here has been adapted from numerous sources to provide you with some basic guidance for working within CASL requirements. It is not intended to provide a substitute for legal advice.
If you have any doubt about a message you are planning to send, please contact firstname.lastname@example.org for advice.
Commercial Electronic Messages (CEMs) - Definition
A commercial electronic message (CEM) is any message that is sent electronically and that encourages participation in a commercial activity. Emails, electronic newsletters, texts, SMS, electronic alerts and instant messages all fall within the definition of electronic messages. The legislation does not apply to direct telephone conversations, faxes or voicemails sent to a machine or hardcopy materials sent using traditional delivery methods.
If an electronic message – or any part of it – includes a request, promotion or inducement for commercial activity, it may be considered a CEM. “Commercial” is defined very broadly and includes any activity with a commercial character, whether or not there is an expectation of profit.
Any message that promotes a product or service and thus encourages the recipient to purchase that product or service may be considered CEM.
The CEM rules apply to messages sent by any employee or representative of an organization. If your email signature includes a logo, hyperlink or tagline that promotes a commercial activity, every email you send may be considered a CEM.
Requirements for sending CEMs
There are three general requirements for sending any CEM to an electronic address:
- You must have the consent of the recipient
- The message must include specific identification information
- The message must include an unsubscribe mechanism.
After July 1, 2014, you must have the consent—either express or implied—of the recipient before you send commercial electronic message.
Keep records of how you obtained implied or express consent. The onus is on the sender to prove consent in all cases.
Implied consent exists when there has been no indication from the recipient that commercial electronic messages are unwelcome, and one of the following conditions is met:
- the sender and the recipient have an existing business relationship
- the sender and the recipient have an existing non-business relationship
- the recipient has conspicuously published the electronic address to which the CEM is sent (e.g., on a public website), and the CEM is related to the recipient’s business or official capacity
- the recipient has provided to the sender the electronic address to which the message is sent (e.g., through the exchange of business cards), and the CEM is related to the recipient’s business or official capacity.
Implied consent is time-limited. It is typically a period of 2 years after the event that starts the relationship (e.g., purchase of a good or service). For subscriptions or memberships, the period starts on the day the relationship ends.
Where there is an existing business or non-business relationship that includes the communication of CEMs, consent to send commercial electronic messages (CEMs) is implied for a period of 36 months beginning July 1, 2014.
This means that an organization can continue sending CEMs to current and past customers, donors or members during the transition period. Content requirements must still be met, and if recipients choose to unsubscribe during that period, the organization can no longer send them CEMs.
To rely on this transition period, you must already be engaged in a relationship that includes the sending of CEMs between the sender and recipient as of July 1, 2014.
Express consent can be obtained either in writing or verbally. In either case, the person who is sending the message must be able to demonstrate that consent to send the message has been obtained.
Requests for consent must be clear, and not contained within general terms and conditions.
Requests must include:
- the purpose for requesting the consent (e.g., to send newsletters, updates, promotions, special offers)
- the name, business name and full contact information of the person seeking consent
- the person or business on whose behalf consent is sought
- a statement that the recipient may withdraw consent.
Consent must be obtained through an opt-in mechanism: an individual must take a positive action (e.g., checking off a box or typing in an email address) to indicate consent. Pre-checked boxes are not permitted under the legislation.
Email requests for consent to receive CEMs are themselves CEMs, so are not permitted under the legislation after July 1, 2014.
Exceptions to consent requirement:
The following types of messages are exceptions to the consent requirement. They are still subject to the identification and unsubscribe requirements described below:
- Pending transaction: Messages that solely facilitate, complete or confirm a commercial transaction previously agreed to by the recipient
- Previous transaction: Messages that solely provide warranty, recall, safety or security information for a product or service used or purchased by the recipient
- Factual notice: Messages that solely provide factual information about ongoing use of a product or service under a subscription, membership or account purchased by the recipient (e.g., emails confirming course enrolment, class cancellations).
All CEMs must contain identification information about the sender and about any other persons on whose behalf the message is sent.
Such information must include a valid mailing address at which you can be contacted as well as one of the following:
- a phone number to access an agent or a voice-messaging system
- an email address
- a web address for you or the person on whose behalf you are sending the message.
Where it is not practical to include this information in the body of a CEM, a hyperlink to a webpage containing the information is an acceptable practice as long as the webpage is readily accessible at no cost to the recipient of the CEM. The link must be clearly and prominently displayed in the message.
Ensure the contact information provided in the CEM is accurate and valid for a minimum of 60 days after sending the message.
All CEMs must provide a clear and prominent mechanism for recipients to unsubscribe.
The unsubscribe mechanism must be simple, quick and easy to use, able to be accessed without difficulty or delay, and free for users.
- a link in an email that takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender
- for SMS, the choice between replying to the SMS message with the word “STOP” or “Unsubscribe” and clicking on a link that will take the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.
Under the legislation, all unsubscribe requests must be implemented within 10 business days.
Exemptions to CASL
The following types of messages are not subject to CASL:
- messages between family members
- messages between persons with a personal relationship
- messages sent in response to a request or otherwise solicited by the recipient
- intra-organization messages and messages between organizations, if they have an existing relationship and message is related to the organization’s activities
- messages sent under a legal right or obligation
- messages sent to a recipient in a foreign country, where the message complies with the anti-spam laws of that country
- messages by or on behalf of a registered charity (as defined in the Income Tax Act) for the primary purpose of raising funds for the charity
- messages sent by or on behalf of a political party or organization, or a political candidate for publicly elected office, for the primary purpose of soliciting a donation or contribution.
Consequences of non-compliance
Penalties for violations under CASL can be as high as $1 million per violation for individuals and up to $10 million per violation for organizations. Officers of an organization can be held accountable for the CEMs sent out by their organization.
As of July 1, 2017, individuals will also have the right under the legislation to take action in cases where electronic messages have been sent without consent. This means that a recipient would be entitled to sue the college privately, and it raises the prospect of a class action if a large number of people have received the same message. Damage awards in these situations could amount to millions of dollars.
The CRTC will be the primary enforcement agency. However, depending on the prohibition being violated, the Competition Bureau and/or the Office of the Privacy Commissioner of Canada may also enforce CASL.