Canada's Anti-Spam Legislation (CASL)
If your business sends marketing emails to Canadians, then you must understand how Canada's Anti-Spam Legislation (CASL) affects your marketing campaigns.
Under CASL provisions, businesses can only send marketing emails in specific circumstances, and they must take steps to ensure individuals are happy to receive marketing communications.
Below, we consider how CASL works, how to comply with CASL provisions, and what penalties may apply if you fail to comply with Canada's Anti-Spam Legislation.
CASL is a Canadian-based privacy law designed to combat spam. "Spam" is essentially any type of unsolicited email or text message.
For example, if you receive an email from a business trying to sell you a product or service, and you didn't give that company permission to message you, then it could count as spam.
A failure to comply with CASL can lead to severe financial consequences, but we'll show you how to ensure compliance below.
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
-
Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
- 1. Goals of Canada's Anti-Spam Legislation (CASL)
- 2. Commercial Electronic Message (CEM)
- 3. Communications Exempt from Canada's Anti-Spam Legislation (CASL)
- 4. Who Must Comply With Canada's Anti-Spam Legislation (CASL)?
- 5. How Does Canada's Anti-Spam Legislation (CASL) Affect PIPEDA?
- 6. Requirements of Canada's Anti-Spam Legislation (CASL)
- 7. How to Comply With Canada's Anti-Spam Legislation (CASL)
- 7.1. Does Implied Consent Work?
- 7.2. How to Get Express Consent Consent
- 7.2.1. Your Business Details
- 7.2.2. Your Purpose for Requesting Consent
- 7.2.3. How to Revoke Consent
- 7.2.4. Make Users Take an Active Step to Subscribe
- 7.3. What to Include in Your CEM
- 7.4. Keep Records of Consent
- 7.5. Monitor for Expired Consent
- 7.6. Appoint a CASL Officer
- 7.7. Provide Staff Training
- 8. Penalties for Failing to Comply With Canada's Anti-Spam Legislation (CASL)
- 9. Summary
Goals of Canada's Anti-Spam Legislation (CASL)
The legislation aims to discourage spam communications because these messages:
- Undermine consumer confidence
- Cost businesses and consumers money
- Leave personal data vulnerable to compromise
CASL protects consumers and businesses alike.
Commercial Electronic Message (CEM)
CASL applies to "commercial electronic messages," or CEMs. A CEM is any electronic message designed to encourage someone to participate in a commercial activity, such as buying something.
Examples of CEMs include emails or electronic messages which:
- Contain a promotional or discount voucher
- Advertise goods or services
- Promote a business opportunity
- Advertise a person as someone who sells goods or services
For example, if this advertisement from Illamasqua was sent as an email, it would be a CEM:
A message is not a CEM just because it includes business details e.g. a logo or contact information. The intent behind the message must be to encourage the recipient to partake in a commercial activity; otherwise, it's not a CEM.
CEMs aren't just emails. They can also be text messages or messages to social media accounts, for example if a business sends a promotional message on Facebook Messenger.
Communications Exempt from Canada's Anti-Spam Legislation (CASL)
CASL doesn't apply to every CEM. For example, it doesn't cover:
- Messages between friends and family
- Communications between businesses with existing relationships (B2B communications)
- Messages sent in response to a customer's inquiry
- Telecommunications (unsolicited marketing calls or emails)
Other rules may apply to telecommunications, so always check the applicable laws before sending telemarketing messages.
Who Must Comply With Canada's Anti-Spam Legislation (CASL)?
CASL protects Canadian citizens. However, that doesn't mean it only affects Canadian businesses.
CASL applies if at least one of the following is happening:
- A Canada-based computer system is used to send or access the message
- A program is installed on a Canada-based computer, or,
- The individual responsible for installing software is based in Canada
It doesn't matter if your business is physically located in Canada. If you're sending communications to a Canadian, or a Canadian installs your software, CASL applies to you.
CASL does not, apply if at least one of the following is happening:
- It's a federal, territorial, or provincial government message
- You're sending a message to a recipient in another country or
- The CEM is political in nature, as CASL only covers commercial messaging
If you're in Canada and you send a message to someone in another country, although CASL doesn't apply, other anti-spam laws may be relevant. Always check which laws apply before sending any commercial messages.
There are some other limited circumstances when CASL may not apply. However, if you're unsure about whether CASL applies, it's often safer to assume that it does.
How Does Canada's Anti-Spam Legislation (CASL) Affect PIPEDA?
CASL should be read alongside Canada's other major privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Briefly, here's how CASL and PIPEDA work together to regulate how businesses communicate with customers:
- PIPEDA prohibits what's known as electronic address harvesting. Electronic address harvesting means collecting e.g. email addresses to indiscriminately send out marketing messages. You could breach PIPEDA if you use an email list which you suspect has been harvested.
- All businesses subject to PIPEDA must be transparent about how they collect, use, and share personal information such as email addresses. You should obtain meaningful consent before using someone's email address for marketing messages unless a very limited exception applies.
For our purposes, just be aware that CASL and PIPEDA both deal with commercial activities and electronic communications, and so they should be read together to ensure full privacy law compliance.
Requirements of Canada's Anti-Spam Legislation (CASL)
CASL imposes some very specific requirements on businesses subject to its provisions. We will explore how to comply with CASL shortly, but let's first summarize the main CASL compliance requirements:
- Ensure you obtain consent before sending marketing or commercial emails
- Keep a record of the consent you obtain and audit your email list regularly
- Include an unsubscribe option with every email
- Monitor for expired consent statuses
- Appoint a member of staff to be in charge of CASL compliance
- Ensure your staff understand CASL compliance and provide appropriate training
Now that we've touched on the major CASL compliance requirements, let's break down how your business may comply with CASL.
How to Comply With Canada's Anti-Spam Legislation (CASL)
To comply with CASL, businesses must get consent from customers before sending any marketing communications. Under Section 6, consent can be express or implied, so long as certain conditions are met.
Let's consider how to get both types of consent, and when implied consent will suffice.
Does Implied Consent Work?
You won't need express consent if one of the following applies:
- There's a pre-existing business relationship between the recipient and the sender
- The person has voluntarily disclosed their electronic address to you without opting out of marketing messages, or
- Someone makes their electronic address public, such as on a blog and doesn't say you can't send unsolicited marketing emails to this address
We can find these exceptions set out in Section 9.
Here are some examples of when consent may be implied:
- A customer buys something from you
- Someone posts their email address on their blog and they don't include a phrase like "no unsolicited messages"
- A prospective customer emails you about a service you offer. They don't agree to purchase the service, but they don't say you can't send them marketing emails.
Even if you have implied consent, it doesn't last forever. According to CASL Section 10, implied consent expires:
- 6 months from the date someone inquires about your goods or services, or
- 24 months from the date a customer buys something from you
So, for example, if someone emails you asking if you can perform a service for them, there's an implication you can send them marketing emails for 6 months unless they specifically tell you not to. You must also remember to include an unsubscribe option in any CEM you send.
How to Get Express Consent Consent
Typically, under CASL, you'll need someone's express consent before sending them CEMs. To get express consent, your consent request must include the following:
- Your business details
- Why you need consent
- Notice that someone can revoke consent or unsubscribe, and
- A manual means for someone to give consent
Your Business Details
Include your business information e.g. your business name and contact details in any request you send for consent. This ensures that people know who they're communicating with and who is asking for consent to send CEMs.
Here's an example from the bottom of the Baker's Journal subscription page:
Your Purpose for Requesting Consent
Highlight why you're asking for consent. Inform people about what they can expect from you if they opt in to receive CEMs. For example, subscribers to the Baker's Journal know they're signing up for a free weekly newsletter:
You might also link to your Privacy Policy and other important legal policies, like We Are Knitters does here:
How to Revoke Consent
Make it clear that someone can revoke consent or unsubscribe at any time.
This could just be a sentence like, "You're free to unsubscribe at any time" or some variation of this phrase. Just make it clear that revoking consent is an option.
Here's how Hermes does this with a statement in the footer of emails it sends out:
Make Users Take an Active Step to Subscribe
Someone must take an active step to subscribe to your marketing emails. This could be, for example, clicking a "subscribe" button after physically entering their email address.
Here's an example from Strong Strong Friends. People must manually enter an email address and click the "Train With Us" button to subscribe to marketing content:
Here's a similar example from Katie Crewe Fitness:
If you decide to use checkboxes or sliders to request consent for marketing emails, you can't use pre-checked boxes. The person must take a clear, affirmative step to give consent i.e. by clicking the box.
What to Include in Your CEM
Once you've obtained express consent, make sure your CEM includes:
- Your business name
- An option to unsubscribe, and
- Details for how to contact you
For example, you might include your business name and contact details in the email footer.
You should also include a clear "unsubscribe" link, either in the footer or somewhere obvious in the email body. The link must work, meaning it takes customers to an "unsubscribe" page.
Some companies also make it possible for customers to access their "unsubscribe" page from their main website.
Here's an example from Bed Bath & Beyond. Underneath its email subscription bar, you'll see the "Update Your Email Preference" page linked:
While this isn't necessary for CASL compliance, it's a great step to take to make it easy for people to update their email settings.
There are a few other steps you should take to ensure full CASL compliance, so let's break them down.
Keep Records of Consent
Keep a written record of consent from email recipients. For each recipient, include the date they gave implied or express consent and keep a record of emails sent to them.
Monitor for Expired Consent
Remember, under Section 10(10) of CASL, implied consent doesn't last forever.
Monitor for expired consent at least every six months.
Appoint a CASL Officer
Appoint a member of staff who's responsible for overseeing CASL compliance within your business. This person should be responsible for e.g. setting guidelines, arranging training, and reviewing communications.
If you're unsure who to appoint as a CASL compliance officer, you can seek outside help.
Provide Staff Training
It's vital that your staff knows what a CEM is and how to get appropriate consent. So, offer staff training to ensure your team understands CASL and how it affects your business.
Consider creating a handbook or guidelines for your team and ensure they know who the CASL officer is.
Penalties for Failing to Comply With Canada's Anti-Spam Legislation (CASL)
The Canadian Radio-television and Telecommunications Commission (CRTC) is responsible for issuing penalties under CASL. If a business breaches CASL, the following penalties may apply:
- Administrative financial penalties: Individuals can be fined up to $1 million, while corporations may be fined up to $10 million
- Private right of action: If someone can prove they've suffered harm or loss as a result of receiving an unsolicited CEM, they can bring a private action against the business
- Reputation damage: If a business develops a reputation for flouting Canada's Anti-Spam Legislation, it could cause irreparable damage to the company's reputation
These penalties are outlined in Section 20 of CASL.
Summary
Canada's Anti-Spam Legislation (CASL) establishes rules for when businesses can send emails to their customers. The idea is to prevent businesses from sending emails without permission and to combat spam.
To comply with CASL, one of the most important things you must do is get implied or express consent to send CEMs.
If you need explicit consent, your consent request and CEM should include:
- Your business name and contact details
- Why you are requesting consent
- Information on how people can revoke consent, and
- A clickable "unsubscribe" button or link so people can opt out of CEMs.
It's also helpful to link to your Privacy Policy within the correspondence or at least close by.
Implied consent may be sufficient if:
- There's a clear, ongoing business relationship
- The individual put their email address somewhere public e.g. a blog and they do not explicitly state you shouldn't send marketing emails here
- Someone has provided you with their email address for business activities in the past, and they haven't indicated any refusal to accept marketing emails
If there's any doubt, always get express consent.