Frequently Asked QuestionsFor Businesses and Organizations
Canada's Anti-Spam Legislation
For Businesses and OrganizationsWhat is implied consent?There are a few forms of implied consent, including:
Please refer to the legislation and its regulations, as specific conditions may apply. For more information: visit the Express Consent Versus Implied Consent web page. What is express consent?Express consent means that a person has clearly agreed (orally or in writing) to receive a commercial electronic message. It is not time-limited, unless the recipient withdraws his or her consent. Please refer to the legislation and its regulations, as specific conditions may apply. For more information: visit the Express Consent Versus Implied Consent web page. How am I expected to prove that I have implied or express consent?In each case, the onus is on the person sending the message to prove that he/she has obtained consent to send the message. For more information: visit the Know Your Responsibility When Managing Consent web page. What is the consequence for violating Canada's anti-spam legislation?For more information, please consult the CRTC's FAQs and the Competition Bureau's FAQs How can I ensure that my business is in full compliance with CASL?For more information, please consult the CRTC's FAQs and the Competition Bureau's FAQs Can I use my existing mailing list to promote products and services?Yes, you can continue to use email to promote products and services if you have express consent or one of the several different forms of implied consent. Make sure you properly identify yourself in the message and provide an option to unsubscribe from future commercial electronic messages. Does the law apply to promotional emails, text messages, instant messages or posts on social media?For more information, please consult the CRTC's FAQs and the Competition Bureau's FAQs Will CASL be expensive or hinder my small business?Businesses that already comply with privacy laws and use common best practices for email marketing should require little effort to become CASL compliant. The law requires an expression of consent or implied consent under certain circumstances to send commercial messages to individuals' electronic addresses. Does CASL also apply to my business practices outside of Canada?If you are marketing in other countries, you need to comply with their laws. CASL includes a list of countries that have their own spam laws and, as long as you are compliant with their spam laws, you are exempt from CASL. Since CASL sets a new standard for spam laws around the world, being compliant with CASL will help you be compliant with other laws. Can one person provide consent on behalf of the whole organization and all its members/employees?Yes, an individual with the authority to do so may give consent on behalf of an entire organization. It is the responsibility of the organization to determine who has authority. If a client provides consent for one service, does that mean that consent applies to all of our services?In general, consent is not specific to a particular good or service. If you have consent to send somebody commercial electronic messages, whether that consent is express or implied, then that consent will generally apply to any messages from you, unless you received express consent for only specific types of messages. I'm a not-for-profit organization; does CASL apply to me?For more information, please consult the CRTC's FAQs and the Competition Bureau's FAQs I'm a registered charity; does CASL apply to me?For more information, please consult the CRTC's FAQs and the Competition Bureau's FAQs I represent a member-based not-for-profit organization; do I have the same obligations under the new law as a commercial business?Yes, you have the same obligations, but the Act provides a special type of implied consent for these types of organizations. If you are a club, association or voluntary organization and the recipient is one of your members, you have implied consent (existing non-business relationship) as long as they are members and for two years after the end of their membership. Canada's Anti-Spam LegislationWhat has changed as a result of Canada's anti-spam legislation coming into force?Canada's anti-spam legislation protects consumers online against spam, electronic threats and misuse of digital technology while ensuring businesses remain competitive in a global digital marketplace. What is Phase 2 of Canada's anti-spam legislation intended to address?Phase 2 of Canada's anti-spam legislation protects Canadians against the installation of unwanted software or software updates on their electronic devices. These provisions on software installation allow Canadians to avoid unwanted and often damaging software and software updates such as malware and spyware. Why is the Canadian government tackling spam and malware?Unsolicited commercial electronic messages, known as spam, have become a significant social and economic issue and a drain on the business and personal productivity of Canadians. It is estimated that spam costs the Canadian economy more than $3 billion per year. Malware and related electronic threats such as botnets and identity theft have become more sophisticated and widespread, giving rise to concerns over data breaches and impeding the growth and acceptance of legitimate e-commerce. When does CASL apply to the installation of software or computer programs?CASL applies when a person installs software on another person's device. One example is when a website automatically installs software on a computer visiting the site without the knowledge of the computer owner. Another example may be when someone clicks on a link in an email message that causes a program to be installed on the computer. Yet another example is when an update to a previously installed computer program is "pushed" to a device, updating the program automatically. In all of these cases, CASL applies, and the person installing the program, or causing the program to be installed, must first obtain the consent of the device's owner. CASL does not apply in situations where a person or business installs software on their own computers. For example, if you go to an app store to purchase and download an app and you install that app onto your own personal device, CASL does not apply. Similarly, CASL does not apply when the IT department of a small business installs new software on company computers or mobile phones. If CASL applies, what action must be taken by software vendors and providers?If CASL applies, and a software provider is installing a program on another person's computer, the software provider must first obtain the consent of the owner, or authorized user. By requiring software providers to get permission to install programs and updates, CASL helps protect consumers and businesses from hackers and other cyber criminals who steal sensitive information by installing "spyware", "malware" or other computer programs. It also gives them control over their devices, so that programs aren't automatically updated without their knowledge and consent. Are there any other ways that CASL is helping Canadians better control what is happening on their electronic devices?CASL will enable Canadians to make more informed decisions about what they allow to be installed on their computers, tablets, etc. If a computer program performs one or more of the following functions, then the installer must make that clear when seeking consent:
See subsection 10(5) of CASL for more detailed information. Does CASL take into consideration the concern companies have over large-scale security/emergency patches used to keep software up to date?The Government recognizes that companies need to be able to update computer systems in certain instances, such as security patches or bug fixes. These types of installations are permitted to ensure Canadians' computing devices continue to function properly. For example, CASL would allow a company to push an update to the operating system of a GPS device—for example, to fix a problem that is causing the device to crash every time a user leaves a parking garage—without first asking for the consent of each user. Similarly, CASL would allow a telecommunications service provider to push a critical security update to computers on a network to protect users from cyberattack. What is malware?Malware is short for "malicious software" and describes software that is used, predominantly by hackers or cybercriminals, to disrupt the operation of computers, gain access to private computers or computer networks, and gather sensitive information. Does CASL mean an end to all spam and malware?The law will not eliminate all spam, but it does help deter the most damaging and deceptive actions linked to spam and malware, such as identity theft, phishing and the spread of spyware. Additionally, it allows Canadian enforcement agencies to take action against spammers and cyber criminals operating in Canada, and to work with international partners to fight spammers operating abroad. How is spam and malware reported?Spam and malware related violations can be reported to the enforcement agencies through the Spam Reporting Centre at Fightspam.gc.ca. What happens if a company violates the law?Complaints about violations can be submitted through Fightspam.gc.ca and are accessed by the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada. Complaints about unsolicited emails or malware may be turned over to the CRTC, which may investigate to determine if the message violates CASL. If the company is in violation, the CRTC has a range of enforcement tools available. The CRTC will assess each case based on a series of factors, including the nature of the violation, the company's history with CASL, whether the company benefited financially from the violation, and the company's ability to pay a penalty. Penalties for the most serious violations of CASL include a maximum penalty of up to $1 million for individuals and $10 million for businesses. How can businesses ensure they are in full compliance with CASL?Businesses should ensure they obtain a consumer's consent prior to sending commercial electronic messages. They must properly identify themselves in the message and provide a functional way for the recipient to unsubscribe from receiving future commercial messages. If a business is installing software or computer programs on another person's computer or device, it must ensure that it seeks consent before doing so. When seeking consent for the installation, the business must ensure that it clearly and simply sets out the information as required under CASL. Will compliance with CASL be expensive for smaller businesses?Businesses that already comply with privacy laws and use common best practices for email marketing or software installation should require little effort to comply with CASL. Does CASL also apply to business practices outside of Canada?If a foreign company is sending commercial electronic messages to Canada or installing software in Canada, CASL applies. If a Canadian company is marketing in other countries, it needs to comply with the laws of that country. CASL includes a list of countries that have their own spam laws and, as long as the company is compliant with the spam laws of the country in question, it is exempt from CASL. If a Canadian company is installing software in other countries, CASL still applies. CASL sets a new standard for spam laws around the world. Complying with CASL will help businesses comply with other laws. What tools are in place to enforce CASL when malware is being sent into Canada from another country?Malware being sent into Canada is still subject to CASL despite its international origin. CASL gives enforcement agencies the authority to share, at an international level, any information that may be relevant to an investigation or proceeding with respect to contraventions under the law. This information sharing will allow enforcement agencies to work in conjunction with their international counterparts to track and prevent the creation and distribution of malware. Can one person provide consent on behalf of his or her whole organization and all of its members/employees?Yes, an individual with the authority to do so may give consent on behalf of an entire organization for the organization's email or devices. It is the responsibility of the organization to determine who has authority. If an organization is operating under a "bring your own device" (BYOD) system, then the employer cannot unilaterally provide consent to the installation of software. How many complaints have been received since CASL came into force in July 2014?As of January 6, 2015 there have been 4,948 submissions made using the online form at Fightspam.gc.ca and 205,227 reports made using the email address spam@fightspam.gc.ca. |