Canada’s Anti-Spam Legislation
The CRTC is committed to reducing the harmful effects of spam and related threats to electronic commerce and is working towards a safer and more secure online marketplace.
Canada’s new anti-spam legislation will better protect Canadians while ensuring that businesses can continue to compete in the global marketplace.
In order to comply with Canada's anti-spam legislation, what must I include when sending a commercial electronic message (CEM)?
There are 3 simple rules to follow when sending CEMs:
You must have expressed or implied consent to send a message.
You must clearly and simply identify yourselves and anyone else on whose behalf the message is sent.
In every message you send, you must provide a way for recipients to unsubscribe from receiving messages in the future.
Frequently Asked Questions
These FAQs have been prepared by Commission staff in order to provide general information with respect to commonly posed questions about Canada’s Anti-Spam Legislation (CASL). This material is not to be considered legal advice, nor does it reflect a decision, policy or interpretation of CASL and/or its accompanying regulations, by the Commission, Office of the Privacy Commissioner, the Competition Bureau or, Industry Canada. Please note that this information may be subject to change.
CASL: An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23, s. 21. There is currently no official short title for this statute, and so it is commonly referred to as Canada’s Anti-Spam Legislation or CASL.
CEM: Commercial Electronic Message
When does the law come into force?
The majority of the legislation comes into force on 1 July 2014. Section 8, the section that deals with the installation of computer programs will come into force on 15 January 2015. The sections that deal with private right of action will come into force on 1 July 2017. Read the order related to the coming into force dates.
Please note that some parts of the law came into force on 1 April 2011, with respect to some amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). For more information, please see the Office of the Privacy Commissioner of Canada’s Website and the related Order.
For more information on CASL, please refer to www.fightspam.gc.ca.
Will the coming into force date and the compliance dates be different?
There is no difference between the coming into force dates and compliance dates. Once a particular section of CASL comes into force, it is enforceable and compliance is required. Note that different sections of CASL come into force at different times. For details, see the FAQ regarding coming into force, Q1.
Do the CRTC information bulletins 2012-548 and 2012-549 create new legal requirements? Are the examples in the bulletins necessarily exhaustive?
The information bulletins are merely guidelines and do not, indeed, cannot in law impose binding obligations on the public. Rather, they clarify requirements already contained in CASL and its regulations. Furthermore, the examples provided in the Information Bulletins are not meant to be exhaustive. They are simply examples of mechanisms and, in many cases, recommended or best practices that, in the view of the Commission, clearly meet the requirements set out in CASL. Other mechanisms may satisfy the legal requirements imposed by CASL. However, their adequacy will have to be evaluated on a case-by-case basis in light of the specific circumstances of a given situation.
How do I know if section 6 of CASL (sending CEMs) applies to me, and if it does, what am I required to do?
Generally, unless an exception or exclusion is applicable, section 6 of CASL will apply if the message you are sending qualifies as a CEM and it is sent to an electronic address. When section 6 applies, you will need to meet three basic requirements to send your CEM. You need prior consent, and you must provide valid identification information as well as an unsubscribe mechanism. For more details, see CASL and its regulations.
How do I tell if my message is a CEM?
If a message fits within the meaning of “commercial electronic message”, all requirements concerning consent, the prescribed information requirements, and an unsubscribe mechanism must be complied with, unless a particular exception or exclusion applies. Please see subsections 1(1), 1(2) and 1(3) of CASL for the definitions of commercial activity and commercial electronic message. Read CASL and its regulations.
A key question to ask yourself in order to determine if your message constitutes a CEM is whether it would be reasonable to conclude that the purpose or one of the purposes of the message is to encourage participation in a commercial activity. Do not forget to examine:
- the content of the message,
- the hyperlinks in the message to website content or other database, and
- contact information contained in the message.
Whether a message constitutes a CEM and/or a whether a particular exception or exclusion applies must be determined on a case-by-case basis in light of the specific circumstances of a given situation.
With respect to the sending of commercial electronic messages, does express consent obtained prior to CASL coming into force, continue to be valid after CASL comes into force even though the request for consent did not contain all the required information?
If you obtained valid express consent prior to CASL coming into force, you will be able to continue to rely on that express consent after CASL comes into force, even if your request did not contain the requisite identification and contact information. However, all CEMs sent after CASL comes into force must contain the requisite information, meet all form requirements and contain an unsubscribe mechanism. If requesting express consent after CASL comes into force you must meet all form requirements including setting out the identification information. Please keep in mind that the legislation requires you to prove that you have obtained such express consent.
Does CASL contain a transitional provision for implied consent?
Section 66 deems implied consent for a period of 36 months (unless the recipient withdraws consent earlier) where there is an existing business or non-business relationship and the relationship includes the communication of CEMs. During the transitional period, the definition of existing business or non-business relationship is not subject to the limitation periods (6 months and 2 years) that would otherwise be applicable under CASL, for implied consent to exist.
Read section 66 of CASL.
How do I prove I have someone’s consent?
Consent can be obtained either in writing or orally. The onus is on the person who alleges that they have consent to prove that they have such consent. The Compliance and Enforcement Information Bulletins CRTC 2012-548 and 2012-549 illustrate a few examples of proof of consent or how to obtain consent, but are not exhaustive. They are simply examples that the Commission considers to be clearly compliant. Other methods may also be compliant but will have to be examined on a case-by-case basis.
What should I consider in developing methods to obtain or prove consent?
The CRTC Information Bulletins suggest some key considerations that may make tracking or recording consent easier, and therefore, may make it easier to prove consent. They are:
- whether consent was obtained in writing or orally,
- when it was obtained,
- why it was obtained, and
- the manner in which it was obtained.
As the examples and guidelines in the information bulletins are not exhaustive, the above suggestions and considerations are intended as food for thought, but they may not necessarily work for everyone. There is no one-size fits all template or system, and compliance will be examined on a case-by-case basis.
Can pre-checked boxes, unchecked opt-out boxes, or a similar mechanism be used as a means to obtain express consent under CASL?
Mechanisms such as an unchecked opt-out box, or a pre-checked opt-in box, cannot be used to obtain express consent. Express consent must be obtained through an opt-in mechanism; that is, the end-user must make a positive action to indicate that he or she provides consent. Therefore, a default toggling state that assumes consent on the part of the end-user cannot be used as a means of obtaining express consent under CASL. Further, silence or inaction on the part of the end-user cannot be construed as providing express consent. For more information please see Compliance and Enforcement Information Bulletin CRTC 2012-549.
Does clicking on the “unsubscribe” link in a CEM have to automatically unsubscribe the client? Instead, can this link direct the client to a webpage that asks them to confirm his or her desire to unsubscribe?
Under CASL, an unsubscribe mechanism must be 'readily performed.' It is acceptable for an unsubscribe link to direct the consumer to a web page confirming his or her desire to unsubscribe; however, the link must be set out clearly and prominently in the message and the options given to the consumer on this web page be accessed without delay and should be simple, quick and easy for the consumer to use.
For examples of acceptable unsubscribe mechanisms under CASL, please see Compliance and Enforcement Information Bulletin CRTC 2012-548.
How can I include identification and contact information as well as an unsubscribe mechanism in a 140 character text message?
If it is not practicable for you to include identification, contact, and unsubscribe information directly in your message, as with text messages, the information may be posted on a web page on the World Wide Web that is readily accessible and at no cost to the recipient. The link to the web page must be clearly and prominently set out in the message.
For more information, refer to sections 2 and 3 of the Electronic Commerce Protection Regulations (CRTC) and Compliance and Enforcement Information Bulletin CRTC 2012-548.
I conduct my business from home. Do I need to disclose my home address to fulfill the contact information requirements?
No, you do not need to provide your home address. You can provide another valid mailing address as long as you can be contacted at that address. Please refer to paragraph 9 of Compliance and Enforcement Information Bulletin CRTC 2012-548 for more information.
- Date modified: