Canada’s Anti-Spam Legislation: What you need to know to comply with CASL

Canada’s Anti-Spam Legislation (“CASL”), which came into force on July 1, 2014, introduced prohibitions on sending commercial electronic messages without the recipient’s consent, installing computer software without consent, altering the transmission data of electronic messages, and making misrepresentations in commercial electronic messages. This legislation is intended to protect the public from online hazards and nuisances such as spam, malware, and phishing.

CASL is accompanied by two sets of regulations, the Industry Canada regulations and the Canadian Radio-television and Telecommunications Commission (“CRTC”) regulations. The Industry Canada regulations define important terms and concepts and set out exemptions for certain categories of commercial electronic messages. The CRTC regulations set out the contact information that must be included in commercial electronic messages and requests for consent.

CASL also includes provisions creating a private right of action that would allow lawsuits against organizations that contravened CASL. Under these provisions, any person affected by a contravention may apply to court for an order that the person contravening the legislation pay compensation for the applicant’s actual loss or damages and an additional penalty of up to $1,000,000 per day in which a contravention occurred. These provisions were intended to come into force on July 1, 2017. However, following public concern about the scope of the intended private right of action, on June 7, 2017 the Government of Canada suspended the coming into force of these provisions pending further review.

Anti-Spam Provisions in CASL

CASL prohibits the sending of any commercial electronic message unless the recipient consents or an exemption applies. It also requires every commercial electronic message to contain an unsubscribe mechanism and information that allows the recipient to identify and contact the sender.

What is a commercial electronic message?

An electronic message is defined in CASL as a message sent by any means of telecommunication including a text, sound, voice, or image message. The definition is intended to apply to emails and text messages but is not intended to apply to telephone or fax messages.

An electronic message is commercial if it would be reasonable to conclude that the message’s purpose, or one of its purposes, is to encourage participation in a commercial activity.

What content must be in a commercial electronic message?

A commercial electronic message must include the sender’s name, on whose behalf the message is sent, a physical mailing address, and either a telephone number, an email address, or a web address at which the sender may be contacted. If it is not practicable to include all of this information in the message itself, the sender can instead include a link prominently set out in the message to a website that displays all of this information.

A commercial electronic message must also contain an unsubscribe mechanism. The unsubscribe mechanism must be set out clearly and prominently in the message and must be able to be readily performed by the recipient. The sender must give effect to the unsubscribe request within 10 business days.

How do I obtain consent to send a commercial electronic message?

A request for consent may be oral or written and must contain the same contact information that must be in a commercial electronic message. It must also contain a statement indicating that consent may be withdrawn at any time.

The CRTC’s administrative position is that the person whose consent is sought must actively and positively consent – for example, by checking a box on a website or by typing an email address into a field. A pre-checked box on a website form is insufficient to indicate consent as it does not require an action on the part of the person whose consent is sought.

A sender of a commercial electronic message may rely on implied consent where there is an existing business or non-business relationship between the sender and the recipient. An existing business relationship exists when the recipient purchased a product or service from or was subject to a written contract with the sender of the message within the last two years, or when the recipient made an inquiry or application to the sender in respect of a product or service within the last six months.

Consent will also be implied if the recipient has conspicuously published his or her electronic address online or has provided the electronic address to the sender and the message is relevant to the person’s business or official capacity.

What messages are exempt from these requirements?

Non-commercial messages are not regulated by CASL. Furthermore, certain categories of commercial electronic messages are exempted from the requirements of CASL, including:

  • messages sent by an individual to another individual with whom they have a personal or family relationship
  • inquiries about a commercial activity that the recipient is engaged in
  • messages sent within organizations or between organizations that have a business relationship if the message concerns the affairs of the organization
  • responses to requests, inquiries, or complaints
  • messages sent to satisfy, provide notice of, or enforce a legal right or obligation
  • messages sent by registered charities or political parties for the purpose of raising funds
  • messages that are otherwise solicited by the recipient

For certain other kinds of messages, consent is not required but messages must still comply with the contact information and unsubscribe requirements. This exemption includes any message that:

  • provides a quote or estimate that was requested
  • facilitates, completes, or confirms a transaction
  • provides warranty or recall information for a product that the recipient purchased
  • provides information about an employment relationship or benefit plan
  • delivers a product, goods, or a service
  • is an introductory message to a recipient who was referred to the sender by someone who had an existing relationship with the recipient

Computer Software Provisions

CASL prohibits the installation of software on a person’s computer system without the express consent of the owner or an authorized user of that computer system. These prohibitions do not apply if a person installs software on their own computer system, for instance by downloading an app and then installing it.

How do I obtain consent to install a computer program?

A request for consent for the installation of a computer program must include the same information that must be in a request for consent to send a commercial electronic message: the name of the person requesting consent, a physical mailing address, and either a telephone number, email address, or web address at which the person seeking consent may be contacted.

A request for consent must clearly and simply describe the overall function and purpose of the program. It must also separately describe the program’s material elements that perform any of the following prescribed functions:

  • collecting personal information
  • interfering with the owner’s control of the computer system
  • changing settings, preferences, or commands without the owner’s knowledge
  • causing the computer system to communicate with another computer system without the authorization of the owner
  • installing a computer program that may be activated by a third party without the owner’s knowledge

The owner or authorized user must acknowledge in writing that they understand and agree that the program performs these prescribed functions.

If the owner consented based on an inaccurate description of the program’s functions, then within one year after the program was installed the owner may request that the program be removed and the person who provided the program must assist the owner to remove it.

What computer programs are exempted from these requirements?

Certain computer programs may be installed without the express consent of the owner or an authorized user if it is reasonable to believe that they consent:

  • software that is installed solely to correct a failure in a computer program or system, such as a patch or a bug fix
  • software updates or upgrades, if the user consented to receive updates or upgrades when installing the program
  • cookies
  • HTML code
  • Java Scripts
  • operating systems
  • a program that operates only through another program, such as an add-on

Other Prohibitions

In addition to prohibiting spam and unsolicited computer software, CASL prohibits the alteration of transmission data in an electronic message so that it is sent to a different destination than the sender intended. This provision is intended to address the practice of ‘phishing’, which is an attempt to collect personal information online by pretending to be a trustworthy company or someone that the recipient knows.

Penalties for Non-Compliance

Under CASL, the person who alleges that they had consent to send a message or install software has the burden of proving consent.

A person who violates the anti-spam or computer software provisions may be subject to administrative monetary penalties issued by the CRTC of up to $1,000,000 for an individual or up to $10,000,000 for a corporation.

For violations of the new Competition Act provisions against misleading information, the Competition Bureau may impose administrative penalties or criminal sanctions.

Tips on Complying with the New Legislation

Practical steps that businesses can take to comply with CASL include:

  • review current email lists to ensure that you have consent within the meaning of the legislation
  • obtain consents from current customers so that you can continue to send them messages without being subject to the two-year expiration period for an existing business relationship
  • develop a system for recording how each consent was obtained, keeping in mind that the onus is on the sender to prove consent
  • require customers to consent actively, such as by clicking a check-box or entering their email into a field
  • when requesting consent, include a statement indicating that the person whose consent you are seeking can withdraw their consent at any time
  • ensure that all commercial electronic messages contain the required contact information and an unsubscribe mechanism
  • simplify unsubscribe mechanisms and ensure that unsubscribe links are active for at least 60 days after a message is sent
  • ensure that the functions of computer software are clearly and accurately set out in a request for consent to installation
  • if computer software performs any of the prescribed functions, ensure that the user consents to these functions explicitly and separately from the licence agreement