
CASL: What every marketer needs to know

If you are confused by Canada’s new Anti-Spam law – you are not alone. This Guide was written as an easy way to understand what changes (if any) you need to implement to comply with this new legislation. It was written concisely, in plain English, while still giving you everything you need to make sure you remain compliant.

CASL has taken close to a decade to come to where it is today. It was never meant to stifle business in Canada.

This legislation touches on all aspects of digital communication, including social media, cellphone and email in a “technologically neutral” approach. At its core, CASL is simply a way for Canadians (and those marketing to Canada) to promote e-commerce while reducing the amount of spam, spyware/malware, phishing and identity theft.

Does CASL apply to me?


This is the first question you must answer yourself and the short answer is:
CASL will be enforced on anyone in Canada and anyone that is sending commercial electronic messages (CEMs) to Canadians.

If you own or operate a business in Canada, or if you have emails on your list ending in “.ca” – chances are pretty good that CASL applies to you. If you own or operate a business outside of Canada and the recipient(s) on your list are NOT in Canada, CASL does not apply. However, you must still adhere to the rules and regulations of the foreign state in which you live. For a complete list of foreign states that currently have Anti-spam legislation, see here : http://kb.cakemail.com/en/deliverability/what.spam.laws.should.i.follow/

If you are not certain the recipients on your list reside in Canada, it is up to you to find out.

The country of origin of your recipients is valuable information, and now it could help you make sure you comply with this new law. If you don’t have it, make sure you send a campaign to get it. IP address geolocation is another useful tool, but don’t rely on it alone: it may not always be reliable, as people may be travelling to Canada.

What is a “CEM”?

As defined by the CRTC*, a CEM is any electronic message that “encourages participation in a commercial activity” regardless of whether there is an expectation of profit.

What are the requirements of CASL?

If you are sending commercial electronic messages (CEMs) to anyone in Canada, you need to make sure you have consent to do so (either “Express” or “Implied”).

Identification

The sender must be clearly identified and include a valid Postal Address, which must be valid for a minimum of 60 days after the message has been sent.

Unsubscribe

You must include a working unsubscribe mechanism which will enable the recipient (at no cost) to remove themselves from the list, and this mechanism must stay valid for a minimum of 60 days after the message has been sent. The unsubscribe request must be processed without delay and must be processed within 10 business days. The recipient must not be asked to provide any information other than his email address.

*Canadian Radio-television and Telecommunications Commission

CASL vs CAN SPAM



The biggest difference between CASL and the CAN SPAM Act in the US is that Canada requires “Express” consent. For this reason, the remainder of this guide will focus mainly on making sure you have proper consent.

Note : While sending to purchased or rented lists in the US is not a violation of CAN SPAM, it is a direct violation of CASL and will not be permitted.


In order for it to be deemed “Express” consent, the individual must take affirmative action to “opt-in” to your list willingly.

You must ask yourself: Did the recipient say “Yes” to receive my CEM?

CONSENT = PERMISSION

“Implied” consent is when a relationship exists, but the recipient is added to your list without any affirmative action.

Note : A message sent seeking consent (such as a Confirmation email) is also considered a CEM and must therefore comply with all the requirements of CASL. Most senders will need to acquire “Implied” consent (for example by making a purchase, at a trade show) prior to sending the confirmation email.

Someone fills out a form on your website with the intent of being placed on your list. A confirmation email is sent which requires the recipient to click a link in order to confirm that he wishes to be placed on the list. When they click the link, the date/time and IP stamp would be recorded as follows:

Name : Kevin Huxham
Email : kevin@mydummyaccount.com
SignupDateTime : 2013-04-21 21:16:58.090 EST
IP : 67.123.234.123
Host : mx3.mydummyaccount.com

Note : The information above in bold is recorded by default for every confirmed opt-in list with CakeMail and can be provided on request.

The form could also be setup to ask for:

Address: 4020, St. Ambroise, #301
City: Montreal
Prov/State: Quebec
Country: Canada
Postal: H4C 2C7
Phone: 555-555-5555

A person gives you their business card at a trade show with the intent of being placed on your list. The problem with this is you need to be able to prove you didn’t pick it up off the floor of the men’s room. Ideally, a confirmation email would be sent at (or shortly after) the event requesting confirmation (where the above information could be recorded). “Express” consent could be proven if you had the recipient provide his consent to be placed on your list on the back of the card. It would then be necessary for you to keep the card as proof.

A person gives you their email address over the phone with the intent of being placed on your list. The same process of sending a confirmation email applies, but “Express” consent could be proven IF you recorded the conversation for each recipient.

Example 4 – Express/Implied

The recipient provides their email address to the sender at checkout after making an online purchase. IF this is accompanied by a clear statement that requires affirmative action (such as by having the recipient check an empty box that states “Yes, please sign me up to receive your newsletter”) it would be deemed “Express” consent under CASL. IF NOT, it would fall under the category of “Implied” consent and would give the sender a period of 24 months to send CEMs and/or acquire “Express” consent so long as they keep the record of purchase and can prove a business relationship exists.

Note : “Express” consent never expires, unless recipient requests to be removed.

If someone expresses interest in your business as part of the sales process or enters their email address on your website to download educational material (like this whitepaper), they are to be considered “prospects” and “Implied” consent is given to send CEMs for a period of 6 months only.

The recipient is added automatically or is required to uncheck a box to opt-out during the checkout process. This method is not considered “Express” consent under CASL and will typically generate a large volume of emails flagged as spam which negatively affects your reputation as a sender and, in turn, your delivery.

Example 7 – Unknown 3rd party affiliate

Affiliate lists are the result of one company sharing an email address (or a list of addresses) with another. If a person signs up to receive emails from Company A, they should receive emails from Company A only (unless stipulated separately during the opt-in process). If they also receive email from Company B, C, and D, they will be more likely to complain.

Under CASL, Company A must clearly show to the recipient that they are signing up to these “unknown 3rd party list(s)” and all parties are accountable for managing that consent. If a recipient no longer wishes to receive emails from Company B, it is Company A’s responsibility to inform and withdraw consent from Company C, D within 10 business days.

What Should I do to Conform to CASL?

DOES CASL APPLY TO YOU

  • Audit of all online communications (Newsletters, Transactional, SMS/MMS, Social Media): are they covered by CASL?
  • Are the emails you send accessed in Canada?

CREATE COMPLIANCE & READINESS TEAM(S)

  • Learn everything you need to know about CASL
  • Build education and awareness internally (from intern to CEO)
  • Update required documents (Privacy Policy, Sign-up forms, Terms)
  • Ensure current/future contracts, processes are compliant
  • Create roadmap and start update process
  • Do you have “Express” or “Implied” consent for each contact?
  • Burden of proof: make sure you can prove consent
  • Identify input sources (Points of Sale, Call Center, Web social, Events, 3rd Party signups…)
  • Use the 3 year transition period to obtain “Express” consent from all contacts

CONTENT ANALYSIS

  • Clearly identify yourself with a Valid Postal address
  • Provide an unsubscribe mechanism in every CEM

MANAGE YOUR CONTACT LIST

  • Identify gaps in list data: Consent date, consent level, source IP/host, current status
  • Create a centralized database and keep things clean
  • Be able to process and act on all unsubscribe requests

LIABILITY

  • Review 3rd party contracts
  • Work vicarious liability into all employee contracts, adopt compliance policies and sanctions for employees who do not comply
  • Should you get insurance?
  • Obtain legal advice – Choose a lawyer who respects and understands CASL

Penalties and Enforcement

The enforcement of CASL is done primarily by the Canadian Radio-Television and Telecommunications Commission (CRTC) and the penalties involved are as follows :

VIOLATION | PENALTY | PRIVATE RIGHT OF ACTION
Sending unsolicited commercial e-messages | Maximum per breach: $1,000,000 for individuals; $10,000,000 for corporations | $200 / day per breach not to exceed $1,000,000 per day
Altering transmission data | Up to $1,000,000 / day
Unsolicited installation of computer programs | Up to $1,000,000 / day
Making false and misleading representations in e-messages | Up to 1 year imprisonment and up to $200,000 in fines (on summary conviction); up to 14 years imprisonment and a fine at the Court’s discretion (on indictment) | $200 / day per breach not to exceed $1,000,000 per day
Collecting e-addresses using computer programming | Maximum per breach: $1,000,000 for individuals; $10,000,000 for corporations | Up to $1,000,000 / day
Collecting personal information through unauthorized access to a computer program

Note : A Private Right of Action came into effect July 1st, 2017 allowing class action lawsuits to be filed by anyone against senders that do not comply with CASL.