Why Canada’s Anti-Spam Legislation (CASL) Matters to Businesses in the U.S.

Benjamin Franklin lived long before electronic messaging, but his advice about preventions and cures now rings especially true for U.S. businesses marketing in Canada. Canada’s new anti-spam legislation regulates businesses sending “commercial electronic messages” (CEMs) received in Canada and those installing programs on “computer systems” in Canada, regardless of where the communication is initiated. Because noncompliance can have serious repercussions, U.S. businesses must understand the new law and review their marketing practices to ensure they conform. After all, both best practice and financial security call for prevention over a very weighty cure.

CASL overview

Canada’s new Anti-Spam Legislation (the “CASL”) has two main parts. The first regulates CEMs.[1] The second focuses on programs installed on computer systems,[2] including personal computers as well as mobile devices. The law applies to activities completed within Canada, regardless of where originated.

The Canadian Radio-Television and Telecommunications Commission is responsible for the CASL’s enforcement, but  the CASL also authorizes private causes of action with damages of up to $10 million dollars Canadian. A three-year statute of limitations applies to both administrative and private actions. Provisions of the law become effective on different dates:

  • July 1, 2014—CEM rules effective
  • January 1, 2015—Computer program rules effective
  • July 1, 2017—Provision authorizing private right of action effective

The time for prevention is now.

CEM rules

The new law prohibits sending CEMs unless the sender has obtained the recipient’s express or implied consent. Section 6 of the CASL broadly defines CEMs and identifies the attributes of the required consent.

CEMs include text, sound, voice, or image messages, sent electronically by e-mail, instant message, or phone if the message purpose is to encourage participation in a commercial activity. Message content, hyperlinks, and contact information are all indicative of purpose. Most business marketing e-mail and social media messages fall within this definition. Arguably, the law also extends to “push” messages sent within a business or commercial app.

The CASL allows a message recipient’s consent to be express or implied. Express consent may be written or oral, but a sender should strive for written consent because the sender bears a difficult burden of proving consent. The recipient must “opt-in,” meaning that the sender cannot use pre-checked boxes to gain consent. Further, the sender must provide the recipient its name and contact information (mailing address and phone number, e-mail, or web address), explain the purpose for the consent, and give information on withdrawing consent.

A recipient’s consent may be implied if the sender and recipient have an “existing business relationship.” Under the law, an existing business relationship may arise in three situations:

  • The recipient purchased goods or services from the sender within the two-year period immediately preceding the day on which the CEM was sent;
  • The recipient accepted a business or gaming opportunity offered by the sender within the two-year period immediately preceding the day on which the CEM was sent; or
  • The recipient and sender are parties to a written contract regarding goods, services, or a business or gaming opportunity. The contract must still be in existence or have expired within the two-year period immediately preceding the day on which the CEM was sent.

Once the recipient consents, any CEMs sent to the recipient must again identify the sender’s name, contact information (mailing address and telephone number, e-mail or web address), and provide unsubscribe instructions. The sender must honor an unsubscribe request within ten days. The sender may provide the required information directly or may provide a prominent hyperlink containing the information.

Computer program rules

In addition to regulating CEMs, section 8 of the CASL also regulates programs installed on computers. The computer’s owner or authorized user must expressly consent to program installation and electronic messaging from the program.

When asking for consent, the business initiating the program must furnish its name and contact information (mailing address and phone number, e-mail, or web address), the purpose for consent, the purpose of the program, and information on withdrawing consent. The CASL requires an additional notice if the program:

  • Collects personal information stored on the computer system
  • Interferes with the owner’s control of the computer system
  • Changes or interferes with the settings, preferences, or commands on the system without the user’s knowledge
  • Changes or interferes with data on the system in a manner that obstructs, interrupts, or interferes with the user’s lawful access to or use of that data
  • Causes the computer system to communicate with another computer system or other device without the owner’s authorization
  • Installs a computer program that may be activated by a third party without the user’s knowledge

Users may expressly consent through their conduct—e.g.,  if the program installed is a cookie, an HTML code, a Java script, an operating system, or any other program executable only through use of another program whose installation or use the person previously expressly consented. The entity need not get additional consent for program updates or upgrades.

For one year after installation, the entity must furnish an electronic address where a recipient may send a request to remove or disable the computer system

Tips for CASL compliance

Companies should take the following steps to make marketing communications CASL compliant.

  • Eliminate the pre-checked box. Message recipients must affirmatively “opt-in.”
  • Make sure e-mails, web-based landing pages,[3] apps,[4] push notification consent-requests,[5] and push notifications,[6] contain the information required by the CASL.
  • Take advantage of the CASL’s three-year window to get express consent from current e-mail subscribers or, at minimum, from those in Canada. The three-year period began on July 1, 2014; thus, move quickly while the law allows direct contact.[7]
  • Document the CASL changes.
  • Update your privacy policy and specifically refer to the CASL. The policy will evidence due diligence efforts in an action alleging a CASL violation.
  • Keep records of recipient consent. For example, collect screen shots of e-mail sign-ups in which people disclose their e-mail address and affirm their consent. Alternatively, adopt a written policy detailing how your business obtains, maintains, and respects consent.


Those sending marketing messages received in Canada must take immediate action to fully understand and comply with Canada’s new anti-spam legislation. Once businesses understand the law’s substance and reach, they can systematically review and revise their practices. By taking the steps suggested, businesses will be well on their way to becoming CASL compliant. Doing so in a thoughtful, methodical manner will allow companies to evidence compliance—and avoid that pound of cure.

[1] CASL § 6.

[2] CASL § 8.

[3] Pages that solicit e-mail addresses for marketing purposes must include the business name, contact information (mailing address and telephone, e-mail or web address),
purpose for consent, and a notice that consent may be withdrawn.

[4] At a minimum, apps must include the app sponsor’s name, contact information (mailing address and telephone, e-mail or web address), the purpose of the app, and a notice that the recipient may revoke consent or delete the app. Additional information may be required depending on the app’s function.

[5] Position consent in a separate pop-up and include the sponsor’s name, contact information (mailing address and telephone number, e-mail, or web address), reason for the push, and a notice that the recipient may revoke consent. For example, the consent could state, “I agree to receive push notifications from this application. [Business name] will send promotional or informational push notifications from time to time. You may choose to stop receiving these notifications by changing your settings.”

[6] At a minimum, push notifications should contain a link that has the sponsor’s name and contact information (mailing address and telephone number, e-mail, or web address), and instructions to unsubscribe or turn off the push.

[7] The CASL exception for existing business relationships should allow businesses to use e-mails collected at the point of sale (POS) for marketing messages without additional consent. The POS information detailing customer visits/transactions is a good way to prove the presence of an existing business relationship. If sub-contractors or franchisees are involved, however, these records may be harder to produce on demand.

The articles on our Website include some of the publications and papers authored by our attorneys, both before and after they joined our firm. The content of these articles should not be taken as legal advice.