Frequently Asked Questions about Canada’s Anti-Spam Legislation

The majority of the legislation came into force on July 1, 2014. This includes Section 6, which relates to the sending of commercial electronic messages (CEMs). Section 8, the section that deals with the installation of computer programs, came into force on January 15, 2015. The sections that deal with the private right of action will come into force on July, 1 2017. Read the order related to the coming into force dates.

Please note that some parts of the law came into force on April 15, 2011, with respect to some amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). For more information, please see the Office of the Privacy Commissioner of Canada's Website and the related Order.

For more information on CASL, please refer to fightspam.gc.ca. Read Canada's Anti-Spam Legislation and its regulations.

No, there is no difference. Once a particular section of CASL comes into force, it is enforceable and compliance is required. Keep in mind that different sections of CASL come into force at different times.

Knowing that people and businesses may need to change their practices when it comes to sending commercial electronic messages (CEMs), the legislation includes a transitional provision that relates to the consent requirement. There are two types of consent – express and implied. The transitional provision set out in section 66 of CASL applies to implied consent.

Under section 66, consent to send commercial electronic messages (CEMs) is implied for a period of 36 months beginning July 1, 2014, where there is an existing business or non-business relationship that includes the communication of CEMs. One-way communication for CEMs (e.g. where a business sends CEMs to a consumer with whom it has an existing relationship) is acceptable for the purpose of subsection 66(b), “includes the communication between them of CEMs”. Note however, that this three-year period of implied consent will end if the recipient indicates that they no longer consent to receiving CEMs. During the transitional period, the definitions of existing business and non-business relationships are not subject to the limitation periods of 2 years or 6 months, that would otherwise be applicable under section 10 of CASL. Businesses and people may take advantage of this transitional period to seek express consent for the continued sending of CEMs.

In contrast, express consent does not expire after a certain period of time has passed. If you obtain valid express consent before July 1, 2014, then that express consent remains valid after the legislation comes into force. It does not expire, until the recipient withdraws their consent.

The EBR or Non EBR must be created prior to the coming into force of section 66 (i.e. 1 July 2014) in order to rely on the 3 year transitional provision. Any EBR or Non EBR created after July 1 2014 is subject to the time periods specified in the EBR and Non EBR exemptions (sections 10(10) and 10(13) ), and the 3 year transitional period cannot be relied upon.

If you commit a violation under any of sections 6 to 9 of CASL, then you may be required to pay an administrative monetary penalty (AMP). The maximum amount of an AMP, per violation, for an individual is $1 million, and for a business, it is $10 million. CASL sets out a list of factors considered in the determination the amount of the AMP.

Yes, directors, officers, agents and mandataries of a corporation can be liable, if they directed, authorized, assented to, acquiesced in, or participated in the commission of the violation.

No. Rather, it sets out some requirements for sending a certain type of message, called a commercial electronic message (CEM), to an electronic address.

If you are sending a CEM to an electronic address, then you need to comply with three requirements. You need to: (1) obtain consent, (2) provide identification information, and (3) provide an unsubscribe mechanism.

Section 6 of CASL applies to a commercial electronic message (CEM) that is sent to an electronic address. If both of these elements exist, then section 6 applies.

Section 6 does not apply if the CEM is not sent to an electronic address, as defined in the legislation. Also, section 6 of CASL does not apply to interactive two-way voice communication between individuals, nor does it apply to faxes or voice recordings sent to a telephone account. However, other requirements outside of CASL may apply in situations like these, such as the Unsolicited Telecommunications Rules.

Also, a computer system located in Canada must be used to send or access the CEM for section 6 to apply. Simply routing a CEM through Canada is not enough to engage section 6.

A key question to ask yourself is the following: Is the message I am sending a CEM? Is one of the purposes to encourage the recipient to participate in commercial activity?

When determining whether a purpose is to encourage participation in commercial activity, some parts of the message to look at are:

• the content of the message
• any hyperlinks in the message to website content or a database, and
• contact information in the message.

These parts of the message are not determinative. For example, the simple inclusion of a logo, a hyperlink or contact information in an email signature does not necessarily make an email a CEM. Conversly, a tagline in a message that promotes a product or service that encourages the recipient to purchase that product or service would make the message a CEM.

Some examples of CEMs include:

• offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
• offers to provide a business, investment or gaming opportunity;
• promoting a person, including the public image of a person, as being a person who does anything referred to above, or who intends to do so.

An electronic address is defined in CASL as being: an email account, a telephone account, an instant messaging account, and any other similar account.

Some social media accounts may constitute a 'similar account'. Whether a "similar account" is an electronic address depends on the specific circumstances of the account in question. For example, a typical advertisement placed on a website or blog post would not be captured. In addition, whether communication using social media fits the definition of "electronic address," must be determined on a case-by-case basis, depending upon, for example, how the specific social media platform in question functions and is used. For example, a Facebook wall post would not be captured. However, messages sent to other users using a social media messaging system (e.g., Facebook messaging and LinkedIn messaging), would qualify as sending messages to "electronic addresses."

Websites, blogs and micro-blogging would typically not be considered to be electronic addresses.

For section 6 of CASL to apply, a computer system located in Canada must be used to send or access the CEM. Simply routing a CEM through Canada is not enough to engage section 6.

However, there is an exemption in the Governor-in-Council Regulations that is intended for CEMs sent from Canada to foreign countries. Paragraph 3(f) of the Regulations excludes such CEMs, if certain conditions are met:

• The foreign country must be listed in Schedule 1 of the Regulations;
• The CEM must be sent in compliance with the foreign law, which addresses conduct that is substantially similar to the conduct prohibited in section 6 of CASL; and
• The sender (or person who causes or permits the CEM to be sent) must reasonably believe that the CEM will be accessed in a foreign state listed in Schedule 1.

No. Pursuant to the Governor-in-Council Regulations, commercial electronic messages (CEMs) sent by or on behalf of a political party or a person who is a candidate for publicly elected office, are excluded from section 6 of CASL, if the primary purpose of the CEM is to solicit a contribution.

"Contribution" is defined in subsection 2(1) of the Canada Elections Act, and means a monetary contribution or a non-monetary contribution. Certain other terms are also defined in the Canada Elections Act, such as "political party" and "candidate."

What are some examples where messages sent by political parties and candidates (a) soliciting a contribution is the primary purpose of a CEM? (b) soliciting a contribution is not the primary purpose of a CEM?

a. Where the primary purpose is soliciting a contribution:

In such a scenario, section 6 of CASL would not apply since a CEM, sent by or on behalf of the political party or candidate, that promotes an event and/or the sale of tickets for an event – such as a dinner, golf tournament, theatrical production or concert or other fundraising event – where the proceeds from ticket sales flow to the political party or candidate.

b. Where the primary purpose is not soliciting a contribution:

A political party sends, by e-mail, a newsletter which provides information about the political activities of the party or about a particular social issue. If this e-mail also contains advertisements and encourages the recipient to participate in a commercial activity with the entities being advertised, then section 6 of the CASL may apply without any exemption, since the primary purpose of the message may not be to solicit contributions for the political party.

Section 6 of CASL does not apply to a commercial electronic message (CEM) sent to an individual with whom the sender has a personal or family relationship, as defined the Governor-in-Council (GiC) Regulations.

A "personal relationship" involves direct, voluntary, 2-way communication. The GiC Regulations set out a non-exhaustive list of factors that should be used to determine whether the relationship is personal (e.g. the sharing of interests, experiences, opinions and information evidenced in the communications; the frequency of the communication, etc.). It is important to note that the definition of "personal relationship" should remain limited to close relationships. This will help prevent potential spammers from exploiting this concept in order to send CEMs without consent.

Also, a "personal relationship" is one that exists between individuals. Legal entities, such as corporations, cannot have a personal relationship. Someone who sends a CEM on behalf of a corporation may not claim to have a personal relationship with the recipient.

A "personal relationship" requires that the real identity of the individual who alleges a personal relationship is known by the other individual involved in such a relationship (as opposed to instances where a virtual identity or an alias is used). Using social media or sharing the same network does not necessarily reveal a personal relationship between individuals. The mere use of buttons available on social media websites – such as clicking "like", voting for or against a link or post, accepting someone as a "Friend", or clicking "Follow"– will generally be insufficient to constitute a personal relationship.

No, there is an exemption for persons sending CEMs to other persons within their organization, where the CEMs concern the activities of the organization. Similarly, there is an exemption for persons sending CEMs to persons at another organization, where the CEMs concern the activities of that other organization and the organizations have a relationship. If the CEM does not concern the activities of the organization, or if the organizations do not have a relationship, then the requirements under section 6 of the legislation apply.

There is also an exemption for persons who send CEMs to other persons with whom they have a personal or family relationship, as defined in the Governor-in-Council Regulations. See the question – Does section 6 of CASL apply to messages sent by friends or family members?

For the purpose of providing guidance, the CRTC issued two information bulletins, namely Compliance and Enforcement Information Bulletin CRTC 2012-548 and Compliance and Enforcement Information Bulletin CRTC 2012-549. These information bulletins are merely guidelines and do not impose binding obligations. They clarify requirements already contained in CASL and its regulations.

Also, the examples provided in these information bulletins are not exhaustive. They are simply examples of recommended or best practices that, in the view of the CRTC, clearly meet the requirements in CASL. Other practices may satisfy legal requirements imposed by CASL. However, their adequacy will be evaluated on a case-by-case basis in light of the specific circumstances of a given situation.

CASL does not apply to the activities of the federal, provincial and territorial governments. CASL does apply, however, to crown corporations, including municipal governments, when the corporation is acting in the course of any commercial activity.

Consent can be obtained either in writing or orally. In either case, the onus is on the person who is sending the message to prove they have obtained consent to send the message.

The CRTC has issued information bulletins to provide guidance and examples of recommended or best practices. Compliance and Enforcement Information Bulletin CRTC 2012-548, among other things, helps explain what information is to be included in a request for consent. The Bulletin also suggests some key considerations that may make tracking or recording consent easier, and therefore, may make it easier to prove consent. They are:

• whether consent was obtained in writing or orally,
• when it was obtained,
• why it was obtained, and
• the manner in which it was obtained.

The examples provided in the information bulletin are not exhaustive. They are simply examples of recommended or best practices. They may not necessarily be appropriate in every situation. Compliance will be examined on a case-by-case basis in light of the specific circumstances of a given situation.

The manner in which you request express consent cannot presume consent on the part of the end-user. Silence or inaction on the part of the end-user also cannot be construed as providing express consent. For example, a pre-checked box cannot be used, as it assumes consent.

Rather, express consent must be obtained through an opt-in mechanism, as opposed to opt-out. The end-user must take a positive action to indicate their consent. For example, this can be done by providing a blank box which a user can check off to indicate consent.

For more information, please see Compliance and Enforcement Information Bulletin CRTC 2012-549 on the use of toggling to obtain express consent.

The onus is on the person who claims that they have consent to prove that they have such consent. Compliance and Enforcement Information Bulletin CRTC 2012-548 provides a few examples on how one can prove they have obtained express consent. Note that the examples provided are not exhaustive; they are simply practices that the Commission considers to be compliant with the legislation. Other practices may satisfy legal requirements imposed by CASL. However, their adequacy will be evaluated on a case-by-case basis in light of the specific circumstances of a given situation.

There is an exception to the consent requirement for commercial electronic messages (CEMs) sent following a referral, if certain conditions are met. The referral must be made by an individual who has an existing business relationship, an existing non-business relationship, a family relationship or a personal relationship with the sender and the recipient of the CEM. Also, the full name of the individual who made the referral and a statement that the CEM is sent as a result of a referral must be in the CEM.

The CEM must still respect the other two requirements – it must contain the identification information and an unsubscribe mechanism.

You may have their implied consent to send them CEMs, as long as:

• the message relates to the recipient's role, functions or duties in an official or business capacity; and

• the recipient has not made a statement when handing you the business card that they do not wish to receive promotional or marketing messages (CEMs) at that address.

It is important to remember that the onus is on the sender to prove they received consent.

Recall that consent under CASL is also implied if you have an existing business relationship, existing non-business relationship with the person.

Compliance will be examined on a case-by-case basis in light of the specific circumstances of a given situation.

Yes, section 6 of CASL applies, but consent may be implied where CEMs are sent to members of an association, club or voluntary organization. When sending CEMs to your membership based on implied consent, you should ensure that you are only sending to members.

"Membership" means the status of having been accepted as a member of a club, association or voluntary organization in accordance with its membership requirements. You should also ensure that your organization is a club, association, or voluntary organization that is:

• a non-profit organization,
• organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than personal profit, and
• no part of its income is payable for the personal benefit of any member, proprietor or shareholder unless that entity is an organization whose primary purpose is the promotion of amateur athletics in Canada.

The CEM must still respect the other two requirements – it must contain the identification information and unsubscribe mechanism.

You must identify yourself and the persons on whose behalf a commercial electronic message (CEM) is sent. When a CEM is sent on behalf of multiple persons, then all of these persons must be identified in the CEM.

However, where it is not practicable to include this information in the body of a CEM, then a hyperlink to a webpage containing this information is acceptable as long as the webpage is readily accessible at no cost to the recipient of the CEM. The link to the webpage must be clearly and prominently set out in the CEM.

Also, not every person who is involved in the sending of a CEM must be identified. Rather, only the persons who play a material role in the content of the CEM and/or the choice of the recipients must be identified. For example, an email service provider that provides a service to its clients to send emails, where the email service provider has no input on the content of the message, nor on the recipient list, does not need to be identified in the CEMs sent by clients using its service. Bear in mind however, that though the email service provider does not need to be identified in this scenario, it still shares its responsibilities with its clients in terms of ensuring that the CEMs are sent with valid consent (either express or implied) and contain an unsubscribe mechanism. Both the email service provider and its clients are sending, causing or permitting to send CEMs, and as such, they both have obligations under CASL.

No, you do not need to provide your home address. You can provide another valid mailing address as long as you can be contacted at that address. Please refer to paragraph 9 of Compliance and Enforcement Information Bulletin CRTC 2012-548 for more information. Of note, that Information Bulletin explains that a mailing address includes not only a street address, but also a P.O. Box, rural route address, or general delivery address.

Where it is not practicable to include this information in the body of a CEM, then a hyperlink to a webpage containing this information is an acceptable practice as long as the webpage is readily accessible at no cost to the recipient of the CEM. The link to the webpage must be clearly and prominently set out in the CEM.

For more information, refer to sections 2 and 3 of the Electronic Commerce Protection Regulations (CRTC) and Compliance and Enforcement Information Bulletin CRTC 2012-548.

Under CASL, you must include an unsubscribe mechanism in the commercial electronic messages (CEMs) that you send. For example, a CEM sent via SMS may state that an end-user can unsubscribe by texting the word "STOP." Another possibility is a hyperlink that is included clearly and prominently in an email that allows the end-user to unsubscribe by simply clicking it. The hyperlink may also be to a webpage that is readily accessible without delay and is at no cost to the recipient.

You can set up your unsubscribe mechanism in many different ways. It can be broad or very granular. For example, you can offer a choice to the recipient, allowing them to unsubscribe from all or just some types of CEMs your organization sends.

A key aspect is that an unsubscribe mechanism must be "readily performed." It should be simple, quick and easy for the end-user.

One example of an acceptable unsubscribe mechanism that meets the criteria for ‘readily performed’ in the view of Commission staff, would be an unsubscribe link in an email that takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender. In the case of a short message service (SMS), the user should have the choice between replying to the SMS message with the word “STOP” or “Unsubscribe”, or clicking on a link that will take the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.

One example of a non-compliant unsubscribe mechanism that does not meet the criteria of ‘readily performed’ in the view of Commission staff, would be an unsubscribe mechanism where the user would be required to take several steps in order to unsubscribe.  Here is an example of a 6 (six) step approach that would be considered non-compliant under CASL:

1. The user is required to click on a “unsubscribe” hyperlink within a CEM;
2. The user is then taken to a webpage and must navigate through text that contains  multiple links trying to locate the link that will allow the user to unsubscribe from future CEMs;
3. Once the “unsubscribe” link is found and clicked, the user is redirected to a ‘login’ button;
4. The user is required to log into their existing account with their user name and password;
5. They are then redirected to a page that provides them with a selection to “Quit /Give up/ Delete Account” or “Unsubscribe’ located at the bottom of the webpage;
6. Only after all these steps are completed, does the user receive a notice that the account has been deleted or that they are now unsubscribed.

For more examples of acceptable unsubscribe mechanisms under CASL, please see Compliance and Enforcement Information Bulletin CRTC 2012-548.

Section 8 applies when a computer program is installed on another person's computer system. The definitions of computer program and computer system come from the Criminal Code (section 342.1).

Also, for section 8 to apply, the person installing or directing the installation of the computer program must be in Canada, or the computer system must be in Canada.

You must have express consent in order to install a computer program on another person's computer system.

When you seek express consent to install a computer program, you must set out clearly and simply:

• the purpose(s) for which consent is being sought,
• information that identifies the person seeking consent (including any person on whose behalf consent is sought), and
• the function and purpose of the computer program.

However, you may need to disclose more information when seeking express consent if the computer program will do certain functions, such as:

• collecting personal information,
• interfering with the user's control of the computer system,
• changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the user,
• changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of the computer system,
• causing the computer system to communicate with another computer system without authorization,
• installing a computer program that may be activated by a third party without the knowledge of the user, and
• performing any other function listed in the GiC Regulations.

If the computer program does any of these specified functions when installed, then you clearly and prominently, and separately and apart from the licence agreement, must:

• describe the program's material elements that perform the specified function(s), including the nature and purpose of those elements, as well as their foreseeable impact, and
• bring those elements to the attention of the user separate from other information provided in a request for consent.

CASL deems a person to have provided express consent for the installation of a computer program, if it is reasonable to believe that the person consented to the installation based on the person's conduct, and the computer program is:

• a cookie,
• HTML,
• JavaScript,
• an operating system,
• a program that is executable only though another computer program to which the user has already expressly consented, or
• specified in the regulations.

As noted in the question "What about cookies?", CASL deems a person to have provided express consent for the installation of certain computer programs, including those programs specified in the GiC regulations. Section 6 of the GiC Regulations identifies three computer programs for which express consent is deemed:

• where a telecommunications service provider (TSP) installs a computer program solely to protect the security of its network from a current and identifiable threat;
• where a TSP who owns or operates the network installs a computer program to update or upgrade the network; and
• where the program is necessary to correct a failure in the operation of a computer system or program, and is installed solely for that purpose.

If a program is installed for any purpose other than protecting the security of the network, or correcting a failure in the operation of a computer system or program, then subsections 6(a) and (c), respectively, will not apply.

In subsection 6(c), a failure of a computer system or program means that the system or program does not function properly and is not consistent with consumer expectations.

Yes, CASL applies to activities of non-profit organizations, such as sending commercial electronic messages (CEMs) and installing computer programs. However, there is an exemption under the Governor-in-Council Regulations for CEMs sent by or on behalf of a registered charity, as defined under the Income Tax Act, where the primary purpose of the CEMs is to raise funds for the charity.

Yes, section 6 of CASL applies to registered charities when sending commercial electronic messages (CEMs). However, there is an exemption under section 3(g) of the Governor-in-Council Regulations for CEMs sent by or on behalf of a registered charity, as defined under the Income Tax Act, where the primary purpose of the CEMs is to raise funds for the charity.

Given that legitimate messages sent by registered charities raising funds are exempt under the Act, the CRTC will focus on messages sent by those attempting to circumvent the rules under the guise of a registered charity.

The “primary purpose” of a CEM means the main reason or main purpose of the CEM. There could be a secondary or additional purpose to the message, but the principal purpose of the CEM must be to raise funds for the charity.

1. Where the primary purpose is raising funds:

   Example 1: A CEM, sent by or on behalf of a charity, which promotes an event and/or the sale of tickets for an event – such as a dinner, golf tournament, theatrical production or concert or other fundraising event – where the proceeds from ticket sales flow to the registered charity.

   Example 2: A registered charity sends, by e-mail, a newsletter which provides information about the charity’s activities or an upcoming campaign, and does not contain any material that seeks to encourage the recipient to participate in a commercial activity, then the message would not be a CEM for the purpose of CASL.

   Example 3: A registered charity sends, by e-mail, a newsletter which provides information about the charity’s activities or an upcoming campaign, but which also contains a section which solicits donations and may also mention corporate sponsors who supported the charity (but does not encourage the recipient to participate in a commercial activity with that sponsor). While this message may be considered a CEM under CASL, the primary purpose of the message may be viewed as raising funds; therefore, the exemption in the GiC Regulations would apply.

2. Where the primary purpose is not raising funds:

   Example: A registered charity sends, by e-mail, a newsletter which provides information about the charity’s activities or about a particular social issue. If this e-mail also advertizes the corporate sponsors of a charity’s event and encourages the recipient to participate in a commercial activity with that sponsor, then section 6 of the CASL may apply without any exemption. The primary purpose of the message may not be to raise funds for the charity.

Yes, consent under CASL is implied if you have an existing business relationship or an existing non-business relationship with the recipient.

An existing non-business relationship, as defined under CASL, is created when a person makes a donation or gift to the registered charity, or performs volunteer work or attends a meeting organized by the charity. A registered charity would have implied consent to send CEMs to this person for two years following the event that starts the relationship (e.g. gift or donation made).

Also, under the section 66 transitional provision, consent to send CEMs is implied for a period of 36 months beginning July 1, 2014, where there is an existing business or non-business relationship that includes the communication of CEMs. During the transitional period, the definition of existing non-business relationship is not subject to the limitation period of 2 years mentioned above. Note however, that this three-year period of implied consent will end if the recipient indicates that they no longer consent to receiving CEMs.

Our goal is to promote compliance with the CASL in the most efficient way possible while preventing recidivism. It is also to deter others who may be tempted to violate the law, so they understand what is required to comply and what the consequences are if they fail. We are looking to achieve a high level of voluntary compliance and deter severe non compliance. The enforcement approach will be dictated by the specific circumstances of each case. So the enforcement response will depend on various factors listed in the law, including the nature, seriousness and impact of the violation, the history of non compliance and the measures taken to prevent the violation from taking place. In short, our approach will be proportionate and measured.

The maximum penalties for CASL are significant. The CRTC has the authority to impose administrative monetary penalties; however there are a number of factors that need to be kept in mind:

• steps you take to show due diligence (such as tracking how you obtain email addresses, or always including an unsubscribe option) will be taken into consideration when assessing a measure or a penalty for non-compliance;
• the CRTC will focus its investigations on cases where there are a significant number of complaints or there appears to be a major transgression;
• the CRTC emphasizes education and compliance, rather than punishment; and
• in the case of a violation, an undertaking with the CRTC eliminates the possibility of private lawsuits.