Canada’s Anti-Spam Legislation: What Marketers Need to Know

For the purpose of this POV we will focus on email only and it should be made known that this POV is not intended to be legal counsel.

Canada’s Anti-Spam Law (CASL) is a strict law that applies to any message that originates in or goes to a recipient in Canada and encompasses electronic commercial messages (ie, email, SMS, IM, direct social media, and future innovations).  

Summary of Highlights

  • Marketers communicating with consumers on behalf of brands need to be clear about whom the message is coming from  
  • Senders also need to identify themselves by using business name and postal address
  • Transactional messages and the inclusion of an unsubscribe link are not clearly defined; the Canadian Bar Association will need to provide more clarity on this point. However, these communications can only be messages like shipping confirmations, and must contain no marketing or promotional materials unless the recipient is a current client or has opted in to receive commercial messages
  • Implied consent between persons that have an existing business or non-business relationship has a 3-year grace period for marketers to gain expressed consent
  • All sign-up forms on landing pages must not contain pre-checked boxes that automatically opt in users

Canada Anti-Spam Legislation Overview 

Canada’s Anti-Spam Law (CASL) is a strict law that applies to all email marketers sending messages to Canadian subscribers.  CASL covers more than just email and encompasses electronic commercial messages, SMS, IM and social media.  

CASL will begin rolling out on July 1, 2014, and on January 15, 2015, rules concerning expressed consent in relation to computer software installation on another person’s computer system during the course of commercial activities will be impacted. Followed by Private Right of Action, which will  go into effect on July 1, 2017.  

So how does one identify a Canadian recipient? By keeping accurate records of sign up, such as: date/time of submission, IP address, country and any other demographic information that can be used to established authentic search records, if an email marketer were to be audited. However, the problem is that a subscriber can easily identify himself or herself as being Canadian or not. Ultimately, companies based in the US may still have to comply if emailing Canadian subscribers who present a risk of providing false information about their location.  However, as long as true permission is obtained (opt in) globally, the concern and risk is minimal.  

Marketers sending communications on behalf of brands need to be very clear about whom the message is coming from. CASL also requires that the sender identify himself or herself by using a name and postal address.  If the message is sent on behalf of another person, that person must be identified as well, along with a statement which identifies everyone involved.  For example, if person A sends an ECM on behalf of Brand B, the email message must identify that the email is coming from person A on behalf of Brand B.  

A simple, clear and prominent process for unsubscribing must also be available.  This process can be done through a link, which must stay active for 60 days post-mailing (CAN-SPAM requires 30 days), and it is also acceptable to offer the option for the recipient to “reply to unsubscribe”.  This unsubscribe request must be processed as soon as possible, but in any event, no later than 10 business days after the request is received.  

Transactional messages are a gray area of the law and according to the Canadian Bar Association, clarification on whether or not to use an unsubscribe mechanism is still needed.  However, if the need for an unsubscribe mechanism on transactional emails is called for, businesses may lose the ability to send unsubscribed customers vital information, such as order and shipping confirmations.  However, marketers should be aware that several Canadian regulations might not be met if the customer does not receive some transactional messages (such as purchase confirmation).  

These are the main differences between an ECM and a transactional message, and some specific exceptions that are not considered as ECMs according to CASL: 

Electronic commercial message 

Transactional message and exceptions not considered as a ECMs

Provides an offer to purchase, sell, barter or lease of products, goods and services

Facilitating or confirming a commercial transaction

Offers to provide a business, investment or gaming opportunity 

Providing notification of ongoing use or ongoing purchase of a product, goods or service 

Advertises or promotes the purchase, sellsale, barter or lease of a product, goods and or service 

Providing notification of ongoing subscription

Promotes a person, including the public image of a person, as being a person who does anything mentioned abovein the message.

Providing notification of delivery of a  product, goods or service

Providing a quote or estimate for the supply of a  product, goods or service

Providing warranty information and product recall

If a Canadian recipient receives an unwanted message, a provision in CASL called the Private Right of Action, which will take effect on July 1, 2017, allows the recipient to sue both the brand and company sending the message, along with any marketers sending emails on their behalf, for $200 per email received.  Due to the high court costs to utilize the Private Right of Action, class action law suits are most likely to occur.  

So what happens if a message is accidentally sent to an unsolicited Canadian subscriber? 

Canadian Radio-television Telecommunications Commission (CRTC) and Competition Bureau have a process called an “undertaking,” 

through which, marketers can preemptively say, “We made a mistake and won’t do this again.”  Flat fines may be applied depending on the situation, but if the marketer/company show good faith to not repeat the errors, then they will remain in good standing.  If an email marketer can demonstrate that best practices are in place for its email policies and that its employees and sub-contractors have been duly informed of those policies, this will likely be a reasonable defense against CASL claims.  

Differences in CAN-SPAM vs CASL 

Below please find some high-level differences between CAN-SPAM and CASL: 

CAN-SPAM (USA) 

CASL (Canada)

Not an opt-in law; allows for spam

Opt-in required (Expressed Consent)

“Primary Purpose” standard. Transactional messages do not require an “Unsubscribe.” link.

Any commercial content makes a message commercial. If a transactional message has a side note of commercial content, it i’s considered commercial.

Unsubscribe life: 30 days

Unsubscribe life: 60 days

Marketer has a 10-day grace period to process requests to unsubscribe.

Marketer must immediately process unsubscribe requests “without delay,” but in any event, no later than 10 business days after receipt of the unsubscribe request.

Very limited— almost no Private Right of Action

Has Private Right of Action

Expressed vs Implied Consent 

In order to be compliant with CASL, a business must receive consent. Two types of consent exist, implied vs expressed consent: 

Implied consent covers existing business relationships under the following circumstances: 

  • Existing business relationships: This type of relationship exists when the sender and recipient have engaged in certain specified types of business interactions together in the last 2 years (eg, a purchase or lease of a product, or entering into or continuing a written contract) or when the recipient has made an inquiry to the sender in the previous 6 months  
  • Existing non-business relationship: Exists when an individual has made a donation or gift in the last 2 years, or performed volunteer work in the last 2 years, to or for a registered charity or political party, organization or candidate or where the individual is or was a member of certain clubs, associations or voluntary organizations in the last 2 years
  • Conspicuously published: When a recipient publishes his or her electronic address, and the publication is not accompanied by a statement that the recipient does not wish to receive emails, the communication must also be relevant to the person’s business, role, functions or duties in a business or official capacity
  • Business card exemption: Disclosing addresses to the sender without indicating that the recipient does not wish to receive unsolicited CEMs and the CEM is relevant to the person’s business, role, functions or duties in a business or official capacity. 

Expressed consent is obtained by explicitly asking potential contacts for permission to send them email, and they agree. When asking permission, the following information must be included to fully inform them about who will be sending the emails

If the message is sent by and for your company:

  • The purpose for which the consent is needed
  • Company name
  • Mailing address
  • Company phone number, email address, or website
  • An unsubscribe feature 

If the message is sent by one company on behalf of another company:

  • The purpose for which the consent is needed
  • Company name 
  • The name of the party/company asking for permission (the “client”)
  • Mailing address of the client
  • Either the client’s phone number, email address, or website
  • An unsubscribe feature 

According to CASL, an email sent to request consent to send commercial messages is considered to be a commercial electronic message in itself. Therefore, marketers can only send such an email request either 1) before July 1, 2014, or 2) after July 1, 2014, solely to recipients who have already given an expressed consent or implied consent (existing business or non-business relationship) to receive commercial electronic messages. 

Additionally, toggling is prohibited, which means all sign-up forms on landing pages cannot have pre-checked boxes that automatically opt in users.  People must check that they wish to receive the emails willingly.  For this same reason, consent cannot be obtained through the privacy policy or general terms and conditions language. People must be able to grant or refuse consent, and this cannot be done through the privacy policy or general terms and conditions. The CRTC, which is in charge of the compliance and enforcement of CASL, expressly sets out that there are only 2 mechanisms to obtain a valid expressed consent:

  1. Checking a box to indicate consent; or
  2. Typing an email address into a specific field to indicate consent.

Following the receipt of an expressed consent, a confirmation of this receipt should be sent to this recipient.

To make use of an implied consent, marketers will need to track the rolling window of when the subscriber relationship commenced.  Then, the marketers must gain expressed consent moving forward.  

Under CASL’s implied consent, senders have a 3-year grace period to gain consent from individuals. Implied consent is sufficient during this period, but expressed consent must be gained to continue mailing after that period. 

Marketers should update their privacy policy, to be transparent on how the email addresses are being collected and they should make sure they are recording consent by keeping a copy of the sign-up form.   

Below please find examples of toggling and what is acceptable: 

image2 image3

Strategy and Operational Handling of CASL 

When developing strategy, email strategists and marketers who are already implementing certain best practices will not be impacted dramatically.  As a check list, marketers should make sure that:

  1. Marketing emails should only be sent to recipients who have provided their consent to receive such information.
  2. In all marketing emails, recipients must be provided with an obvious, clear, and efficient email or web-based means to opt out of receiving any further business and/or marketing email messages.  
  3. The process used to obtain consent should be clear and transparent. Records should be kept of the type of consent obtained from recipients. Accurate records of date/time of submission, IP address, country and any other demographic information should be kept.  
  4. Every email marketing communication should clearly identify the sender of the email in the from address field. The subject line and body text in the communication should accurately reflect the content.
  5. Every email should provide a link to the sender’s privacy policy. 
  6. Marketers, list brokers, and list owners should take reasonable steps to ensure that the addresses on their email lists were obtained with proper consent. The databases containing such email lists should be updated automatically to remove expired implied consents (expiration of the 2-year period for implied consent) or recipient that opted out from receiving commercial messages.  If a business is sending its creative through a list broker, and that broker’s list is not CASL compliant, the liability will be linked to that business providing the creative, as there is a “follow the money” régime in CASL.  In other words, the advertiser can be held responsible for a list broker’s non-compliance.  One way to mitigate this risk is by running creatives in existing newsletters that can prove they are CASL compliant. 
  7. Organizations should have in place a system to ensure compliance with this new legislation, such as a monitored reply to the inbox that is fair, effective, confidential, and easy to use.

Key Takeaways

  • Canada’s Anti-Spam Law applies to all email marketers sending messages to Canadian subscribers
  • CASL covers more than just email and encompasses ECM, SMS and IM
  • Collecting subscribers’ demographic information is a good place to start building a profile of their location.  However, it is better to get permission to email them in the first place, provided that a business relationship or non-business relationship already exists 
  • Senders need to identify themselves by using a name and postal address. If the message is sent on behalf of another person, that person must be identified as well
  • Transactional messages must also include an unsubscribe link 
  • Under CASL’s implied consent, senders have a 3-year grace period to gain consent from individuals. Implied consent is sufficient during this period, but expressed consent must be gained to continue mailing after that period  
  • Marketers, list brokers, and list owners should take reasonable steps to ensure that the addresses on their email lists were obtained with proper consent, as each list can be traced back to the marketer, who can be held accountable for a list rental gone wrong  
  • If a message is accidentally sent an unsolicited Canadian subscriber, Canadian Radio-television Telecommunications Commission (CRTC) and Competition Bureau have a process called an “undertaking.” Through the process of “undertaking,” marketers can preemptively say, “We made a mistake and won’t do this again.” 

 Resources 

Leave a Comment