CASL is an anti-spam law that applies to all electronic messages (i.e., email, texts) organizations send in connection with a “commercial activity.” Its key feature requires Canadian and global organizations that send commercial electronic messages (CEMs) within, from or to Canada to receive consent from recipients before sending messages.
There are new consequences for spammers, including fines of $1-10M per violation. It's important to note that individuals and companies, including directors, officers and other agents are responsible and liable for the messages they send.
During the transitional period, the Canadian Radio-Television and Telecommunications Commission (CRTC), the Competition Bureau, and the Office of the Privacy Commissioner of Canada, may investigate and litigate against entities who don't adhere to CASL. After July 1, 2017, any individual will also be able to sue any entity they believe is sending spam messages.
What's covered under CASL?
CASL regulations apply to any "Commercial Electronic Message" (CEM) sent from or to Canadian computers and devices in Canada. Messages routed through Canadian computer systems are not subject to this law.
A CEM is any message that:
- is in an electronic format, including emails, instant messages, text messages, and some social media communications;
- is sent to an electronic address, including email addresses, instant message accounts, phone accounts, and social media accounts;
- contains a message encouraging recipients to take part in some type of commercial activity, including the promotion of products, services, people/personas, companies, or organizations.
Fax messages and fax numbers aren't considered electronic formats or addresses under CASL.
The following types of electronic messages are exempt from CASL:
- Messages to family or a person with an established personal relationship.
- Messages to an employee, consultant or person associated with your business.
- Responses to a current customer, or someone who has inquired in the last six months.
- Messages that will be opened or accessed in a foreign country, including the U.S., China, and most of Europe.
- Messages sent on behalf of a charity or political organization for the purposes of raising funds or soliciting contributions.
- Messages attempting to enforce a legal right or court order.
- Messages that provide warranty, recall, safety, or security information about a product or service purchased by the recipient.
- Messages that provide information about a purchase, subscription, membership, account, loan, or other ongoing relationship, including delivery of product updates or upgrades.
- A single message to a recipient without an existing relationship on the basis of a referral. The full name of the referring person must be disclosed in the message. The referrer may be family or have another relationship with the person to whom you're sending electronic messages.
If your message does not meet one of these criteria, consent is required under CASL.
Implied vs. Express Consent
The law defines two types of consent: implied and express. Implied consent is a looser interpretation, whereas express consent requires action from both sender and recipient.
Implied consent includes when:
- A recipient has purchased a product, service or made another business deal, contract, or membership with your organization in the last 24 months;
- You are a registered charity or political organization, and the recipient has donated a gift, has volunteered, or attended a meeting organized by you; or
- A professional message is sent to someone whose email address was given to you, or is conspicuously published, and who hasn't published or told you that they don't want unsolicited messages.
If your recipients don't meet any of the above criteria, express consent is required before you can send campaigns to them.
Express consent means written or oral agreement to receive specific types of messages. For example: "You want to receive monthly newsletters and weekly discount notifications from Company B."
Express consent is only valid if the following information is included with your request for consent:
- A clear and concise description of your purpose in obtaining consent.
- A description of messages you'll be sending.
- Requestor's name and contact information (physical mailing address and telephone number, email address, or website URL).
- A statement that the recipient may unsubscribe at any time.
The requestor can be you or someone for whom you're asking. If you're requesting consent on behalf of a client, the client's name and contact information must be included with the consent request.
As of July 1, 2017, you may only send to recipients with express consent or whose implied consent is currently valid under CASL— that is, 24 months after a purchase or six months after an inquiry.
In addition to understanding what qualifies as a CASL-regulated message, and what type of consent is needed, there are a few other details to keep in mind.
- You must retain a record of consent confirmations including how and when you obtained consent. If challenged by regulators (or Canadian court) the burden of proof for consent is on the sender, not the recipient.
- When requesting consent, checkboxes cannot be pre-filled to suggest consent. Each subscriber must check the box themselves for consent to be valid.
- All messages sent must include your name, the person on whose behalf you are sending (if any), your valid physical, postal mailing address and your telephone number, email address, or website URL.
- All messages sent after consent must also include an unsubscribe mechanism, and unsubscribes must be processed within 10 days.
- If you aren't already doing so, any unsubscribe requests that come to you via a reply to your email must be honored immediately.
- Unsubscribe requests never expire. You must honor all opt-out requests indefinitely, regardless of future mailing platforms, unless you receive a new explicit opt-in request for that address.
- Make sure your email campaign's "Subject" line is straightforward, not misleading. Enticing a recipient to open a message under false pretenses is in violation of CASL. Best practice is to be truthful and consistent in both the subject line and contents of the message.
- Email addresses obtained with implied permission must be removed after 2 years unless express permission to email them has been received.
Here's the full text of the law, if you’d like to review it for yourself. The Canadian Radio-Television and Telecommunications Commission has also set up an FAQ page and some guidelines for obtaining consent. If you have additional questions, we encourage you to contact an attorney in your area who is familiar with the law.