CASL: Canada’s Anti-Spam Legislation

Canada’s Anti-Spam Legislation (CASL) is intended to protect Canadians from spam, malware, phishing, spyware and other electronic threats. This legislation came into force on July 1, 2014.

CASL applies to the following types of actions:

  • The sending of commercial electronic messages,
  • The creation and use of lists of electronic addresses,
  • Installation of computer programs or software, and
  • Alteration of transmission data (e.g. a link in an email which appears to send you to one website but which actually redirects you to another website).

This introductory guide for OCA members will focus on commercial electronic messages.  It is important to recognize that CASL is substantial new legislation. Its provisions have not been tested in the court system and it covers a wide range of activities. The OCA will update this resource as new information becomes available. This guide is not meant as a substitute for professional advice, and is not to be considered legal advice relating to specific facts or situations. It is intended to provide an introductory resource regarding this new legislation.

Section 6 of CASL prohibits the sending of Commercial Electronic Messages (CEMs) without the recipient’s consent, including messages to email addresses and social networking accounts, and text messages sent to a cell phone.  Section 6 also sets out information that must be included when sending Commercial Electronic Messages. This part of CASL is enforceable as of July 1, 2014.

The OCA would like to thank David Mills of Mills and Mills LLP for assistance in the preparation of this document. Mills and Mills is a Toronto law firm and an OCA Advantages Partner.

Table of Contents

What is a Commercial Electronic Message (CEM)?

The CASL Glossary defines a CEM, in part, as “any electronic message that encourages participation in a commercial activity, regardless of whether there is an expectation of profit”.

CASL defines Commercial Activity as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada.”

If any part of a message is intended to encourage the recipient to participate in a Commercial Activity, the message is a CEM. For example, if any part of a message is intended to encourage the recipient to purchase products or services, the message is a CEM. Whether or not the sender is the person offering the product or service for sale is not relevant. For example, if you send a message to your patients encouraging them to join a local gym with which you have no business relationship, the message may still count as a CEM.

This legislation is not intended to prevent businesses from sending marketing messages. Rather, it sets out requirements to comply with when sending marketing messages. Specifically: identify yourself, provide the recipient with sufficient information so that they may readily contact you, ensure that you have consent from the recipient, and offer the recipient a way to unsubscribe from future CEMs. If you are sending a CEM on behalf of another person or party, their identity and contact information must be readily available.

Exemptions

A CEM may be exempt from section 6 of CASL in certain circumstances. These include, without limitation, when a CEM or CEMs is/are sent to:

  • Persons with whom you have a personal relationship or family relationship as defined in the CASL Regulations:
    • The Regulations define “family relationship” as “the relationship between an individual who sends a message and the individual to whom the message is sent if those individuals are related to one another through a marriage, common-law partnership or any legal parent-child relationship and those individuals have had direct, voluntary, two-way communication”.
    • A “personal relationship” is defined as “the relationship between an individual who sends a message and the individual to whom the message is sent, if those individuals have had direct, voluntary, two-way communications and it would be reasonable to conclude that they have a personal relationship, taking into consideration any relevant factors such as the sharing of interests, experiences, opinions and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated or whether the parties have met in person.”
    • A recipient who is engaged in a commercial activity and the CEM consists solely of an inquiry or application related to these commercial activities.
    • A recipient in response to a request, inquiry or complaint from the recipient, or which is otherwise solicited by the recipient.
    • A limited-access secure and confidential account to which messages can only be sent by the person who provides the account to the person who receives the message (e.g. if a patient logs into a password-protected section of your website and receives a private message there about supplements).

Both CASL and the Regulations to CASL set out a number of circumstances when section 6 of CASL does not apply to CEMs by virtue of the fact that they fall into a certain class of messages or are sent in certain circumstances. Further, CASL and its Regulations set out certain circumstances when the consent requirement outlined in paragraph 6(1)(a) of CASL does not apply.  Some such circumstances include, but are not limited to:

  • A single CEM sent to someone who has been referred to you. See What About Referrals? for more details regarding the application of this exemption.
  • A CEM which provides a quote or estimate for the supply of products, goods, a service, land or an interest or right in land, if the quote or estimate was requested by the person to whom the message is sent.
  • A CEM that facilitates, completes or confirms a commercial transaction that the person to whom the message is sent previously agreed to enter into with the person who sent the message or, if different, the person on whose behalf the message is sent.
  • A CEM which provides warranty information, product recall information or safety or security information about a product, goods or a service that the recipient uses, has used or has purchased.
  • A CEM which provides notification of factual information about the ongoing use or ongoing purchase by the recipient of a product, goods or a service offered under a subscription, membership, account, loan or similar relationship by the person who sent the message or on whose behalf it is sent; or, the ongoing subscription, membership, account, loan or similar relationship of the person to whom the message is sent.
  • A CEM which provides information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, is currently participating or is currently enrolled.
  • A CEM which delivers a product, goods or a service, that the recipient is entitled to receive under the terms of a transaction that they have previously entered into with the person who sent the message or the person on whose behalf the message is sent.

CASL and Voice/Fax Messages

Section 6 of CASL does not apply to a commercial electronic message that is a two-way voice communication between individuals that is sent to facsimile or telephone accounts, or voicemails. These communications are covered by other legislation and tools including the Do Not Call Registry.

CASL and Social Media

Below is a quote from the CASL FAQ:

An electronic address is defined in CASL as being: an email account, a telephone account, an instant messaging account, and any other similar account.

Some social media accounts may constitute a ‘similar account’. Whether a “similar account” is an electronic address depends on the specific circumstances of the account in question. For example, a typical advertisement placed on a website or blog post would not be captured. In addition, whether communication using social media fits the definition of “electronic address,” must be determined on a case-by-case basis, depending upon, for example, how the specific social media platform in question functions and is used. For example, a Facebook wall post would not be captured. However, messages sent to other users using a social media messaging system (e.g., Facebook messaging and LinkedIn messaging), would qualify as sending messages to “electronic addresses.”

Websites, blogs and micro-blogging would typically not be considered to be electronic addresses.

Therefore, the following activities appear to be exempt from CASL requirements: public posts and comments on Facebook, public tweets on Twitter, public posts on LinkedIn.

In contrast, private messages sent to specific individuals on any of these sites are covered under CASL and, as a result, you must conduct the same analysis regarding whether the message qualifies as a CEM as you would with other forms of electronic messages (such as emails).

As mentioned earlier, an exemption exists with respect to CEMs sent to individuals with whom you have personal relationships.  It is important to recognize that a personal relationship does not automatically exist as a result of being connected to someone through a social media account.  It is important to consult the definition of “personal relationship” (as discussed above) when determining if a personal relationship exists.

Complying with CASL

Requirement 1: Get Consent

CASL recognizes two kinds of consent: implied consent and express consent. Unless provided otherwise within CASL, you must have consent before sending a CEM.

Implied Consent

Implied consent may arise out of an existing business relationship (which is defined within the legislation).  You may have an existing business relationship with:

  • Individuals who buy products or services from your business,
  • Suppliers of goods and services to your business,
  • Practitioners who lease space in your facility, or
  • Individuals who have inquired about entering a business relationship.

Implied consent may also arise out of an existing non-business relationship (which is also defined in CASL), including those with associations like the OCA.  An existing non-business relationship may arise as a result of the recipient’s activities as a donor or volunteer for a registered charity, political party or political candidate, or as a member of a club, association or voluntary organization.

Implied consent does expire.  It is generally valid for two years as long as it is not withdrawn before the expiration of the two-year period (i.e. as long as the person to whom the message is sent does not notify the sender that they do not consent to receiving such messages).

The start date of the two-year period depends on the surrounding circumstances.  For example, in relation to a purchase, lease, donation or gift, which involves an ongoing use, or ongoing purchase under a subscription, account, loan or similar relationship, the period is considered to begin on the day that the subscription, account, loan or other relationship terminates.  In the case of a membership, CASL explains that the period is considered to begin on the day the membership terminates.

It should be noted that an existing business relationship and, therefore, implied consent only exists with respect to an inquiry or application made with respect to (a) the purchase or lease of a product, goods, a service, land or an interest or right in land, (b) the acceptance of a business, investment or gaming opportunity, or (c) the bartering of anything mentioned in (a), by the person to whom a message is sent within the six-month period (not two-year period) immediately before the day on which the message was sent.

A request for express consent is considered to be a CEM and therefore must comply with the requirements set out in CASL.

Express Consent

You have express consent if a recipient has actively and specifically given you consent to send CEMs to a specific electronic address. Unlike implied consent, express consent does not expire. It is only withdrawn if the recipient unsubscribes/notifies you that the consent is withdrawn.  Please refer to the next section on requesting express consent for information on what is required for express consent to be valid.

Requesting Express Consent

Unlike PIPEDA, CASL does not recognize opt-out consent. The recipient must take a positive action to indicate their consent. For example, a pre-checked box cannot be used, as it assumes consent. A blank box which a user can check off to indicate consent, on the other hand, satisfies the requirement for opt-in consent.

Express consent must be separately sought. This means that it cannot be bundled together with other terms and conditions; it must be asked for separately. A business cannot require its clients to subscribe to CEMs in order to purchase goods or services.

When seeking express consent, you must clearly and simply identify:

  • The specific purpose(s) for which the consent is being sought,
  • A statement that the person whose consent is being sought can withdraw their consent at any time
  • The name of the person(s) or organization(s) seeking consent,
  • If the person or organization seeking consent carries on business under a different name, the name by which the person seeking consent carries on business,
  • If the consent is being sought on behalf of another person, the name of the person on whose behalf the consent is being sought, and (where applicable) the name by which such person carries on business,
  • If the consent is being sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is sought, and
  • Contact information (or a link to a website containing this information) of the person seeking consent (or, if different, the person on whose behalf consent is sought) which includes:
    • A valid mailing address where you can be contacted, and
    • A telephone number (providing access to an agent or a voice messaging system) and/or email address and/or web address of the person seeking consent.

Keeping Records of Express Consent

If you send a CEM, you must be able to prove that you have consent to do so. Express consent can be obtained orally or in writing.

On October 10, 2012, the Canadian Radio-television and Telecommunications Commission (CRTC) released an information bulletin which indicates that oral consent must either be verified by an independent third party or you must retain a complete and unedited audio recording of the consent being given.

The CRTC also indicated that written consent includes paper and electronic forms of writing. For example, checking a box on a web page or filling in a paper form will satisfy this requirement so long as the following information is recorded: date, time, purpose, and manner of consent.

The above information and examples provided by the CRTC have yet to be tested in the courts.

What About Referrals?

There is an exception to the consent requirement for the first commercial electronic message (CEM) sent following a referral, if certain conditions are met. The referral must be made by an individual who has an existing business relationship, an existing non-business relationship, a family relationship or a personal relationship with both the sender and the recipient of the CEM. Also, the full name of the individual who made the referral and a statement that the CEM is sent as a result of a referral must be included in the CEM. Finally, the CEM must comply with the other requirements set out in CASL with respect to identification and unsubscribe mechanisms.

Requirement 2: Identify Yourself

All CEMs must clearly and prominently set out the following identification information:

  • The name of the person(s) or organization(s) responsible for the content in the message
    • If the person or organization sending the CEM carries on business under a different name, the name by which the person sending the CEM carries on business,
    • If the CEM is sent on behalf of another person, the name of the person on whose behalf the CEM is being sent, and (where applicable) the name by which such person carries on business,
    • If the CEM is sent on behalf of another person, a statement indicating which person is sending the CEM and which person on whose behalf the CEM is sent,
    • Contact information (or, where it is not practical to include the information in the message itself, a link to a website containing this information) of the person sending the CEM (or, if different, the person on whose behalf the CEM is sent) which includes:
      • a valid mailing address where you can be contacted, and
      • a telephone number (providing access to an agent or a voice messaging system) and/or email address and/or web address.

The contact information provided must be valid for a minimum of 60 days after the message has been sent.  In addition, if, instead of including the contact information in the message, a website leading to the information is included, the website must be readily accessible by the recipient of the message at no cost to them, and the link must be clearly and prominently set out in the message.

The CRTC has indicated that third parties who have no role in the content of the CEM do not need to be identified. For example, you do not need to identify an email service providers like MailChimp or Constant Contact when using their services to send CEMs to a mailing list because they are not involved in content creation or approval.

Requirement 3: Offer an Unsubscribe Mechanism

All CEMs which are not exempt from the requirements of section 6 of CASL must include an unsubscribe mechanism allowing the recipient to provide notice that they no longer wish to receive CEMs or a specific type of CEM from the sender (or the person on whose behalf the message was sent).  The unsubscribe mechanism must specify an electronic address or a link to a page on the internet that can be accessed through a web browser, to which such notice can be sent.  Some options include:

  • A text message CEM which indicates that recipients may unsubscribe by texting the word “STOP.”
  • An email CEM with a hyperlink that is included clearly and prominently in an email that allows the end-user to unsubscribe by simply clicking it.
  • An email CEM with a hyperlink to a webpage with an unsubscribe form that is readily accessible without delay and is at no cost to the recipient.

Your unsubscribe mechanism can allow recipients to unsubscribe from all or just some types of CEMs you or your organization sends.

Unsubscribe mechanisms must be “readily performed.” It should be simple, quick, free and easy for the recipient to unsubscribe.  The electronic address or web page included in the CEM must be valid for a minimum of 60 days after the CEM has been sent.  Once a recipient has exercised their right to unsubscribe, you must ensure that effect has been given to the recipient’s indication that they no longer wises to receive CEMs or a certain type of CEM no later than 10 business days after such action.

Sample Text for Requests for Consent and Unsubscribe Mechanisms

The CRTC has provided the following two information bulletins on how to ask for consent. These bulletins include examples of compliant consent forms and unsubscribe mechanisms:

There is no standard consent form for CASL because each business has a different reason for asking for consent and may choose a different approach. For example, some businesses may ask for consent for each type of communications separately, while others may ask for a general consent which covers all communications.

Other Legislation

As a reminder, there are other pieces of legislation which apply to the collection, use and disclosure of information.  When sending CEMs, you must take steps to ensure you are complying with such other privacy legislation. For example, you must ensure that your CEMs comply with the requirements set out by the Personal Health Information Protection Act, 2004 (Ontario) (“PHIPA”) with respect to the collection, use, and disclosure of patient’s personal health information.

Learn more