Publication

Canada’s Anti-Spam Legislation (CASL): 10 FAQs

Published:

July 9, 2025

Author(s):

• David Fraser
• Sarah Anderson Dykema, CIPP/C, CIPM, AIGP

Share

Print

Canada’s Anti-Spam legislation (CASL) – arguably the toughest anti-spam legislation in the world – took effect in two parts:

• The CASL sections and regulations dealing with anti-spam took effect on July 1, 2014.
• The CASL sections dealing with the unsolicited installation of computer programs or software took effect on January 15, 2015.

To help you comply, here are the answers to 10 frequently-asked questions about CASL.

1. What’s the effect of CASL’s anti-spam provisions?

CASL implemented a significant paradigm shift in Canada’s digital marketing regime. Canada previously functioned in an “opt-out” regime: anyone could send an electronic message to anyone else – without their permission – unless the recipient “opted-out”. CASL moved Canada to an “opt-in” regime for all electronic-based commercial communications: with few exceptions, if a person or business wants to send a “commercial electronic message” (a CEM) from, within or into Canada, the sender needs the recipient’s prior consent. CASL is a permission-based regime, providing extreme protection of consumers against organizations in the business of compiling and selling email lists to third parties – and catches all CEM senders in the process.

CASL shares some similarities with anti-spam laws in other countries – but has some significant differences. For example:

• The US CAN-SPAM is opt-out legislation; CASL is opt-in.
• The US CAN-SPAM allows an initial email seeking consent (with some requirements); under CASL, an email seeking consent is itself a CEM – so must comply with CASL.
• Unlike any other anti-spam legislation, CASL doesn’t only prohibit “harmful” electronic messages – it applies to all electronic messages relating to “commercial activity”.

CASL does contain an exception for commercial electronic messages that are sent to certain other countries listed in the Act, where the commercial electronic message complies with the laws of the destination country.

2. What is a “commercial electronic message” (a CEM)?

CASL only covers “commercial electronic messages” (CEMs), so understanding what a CEM is crucial to CASL compliance – and it’s not as clear as you might hope. There are some inclusions and exclusions, but essentially a CEM is any electronic message that it’s reasonable to conclude has encouragement of participation in a “commercial activity” (broadly, any transaction, act or conduct of a commercial character – whether or not carried out for profit) as one of its purposes, considering the:

• Message content.
• Hyperlinks in the message to content on a website or other database.
• Contact information in the message.

Commercial Activity. Broadly, “commercial activity” is any transaction, act or conduct (or regular course of conduct) of a commercial character – whether or not carried out for profit.

A CEM explicitly includes an electronic message that does any one of:

• Offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land.
• Offers to provide a business, investment or gaming opportunity.
• Advertises or promotes any of the first two, or promotes a person (including the public image).

A message involving a pre-existing commercial relationship or activity and providing additional information, clarification or completes the transaction involving a commercial activity already underway, is not a CEM because it carries out – rather than promotes – commercial activity.

However, the Regulations add that certain categories of messages could imply that a solely transactional message may be a CEM. The Regulatory Impact Analysis Statement doesn’t help: it says a message is not a CEM merely because it involves commercial activity, hyperlinks to a person’s website, or contains business-related electronic addressing information, if none of its purposes is to encourage the recipient in additional commercial activity – but it may be if it would be reasonable to conclude one of the purposes is to encourage the recipient to engage in additional commercial activities based on, for example, the prevalence and amount of commercial content, hyperlinks or contact information.

Direct messages sent via social media sites (for example, Facebook and LinkedIn direct messages) that promote a commercial activity qualify as a CEM and must comply with CASL.

3. What requirements does CASL impose on CEM senders?

There are two key components: consent and mandatory content.

4. What are the consent requirements under CASL’s anti-spam provisions?

The CASL regime imposes a tricky consent management process on organizations, requiring complex coordination of all the users of any one e-mail list: if an electronic message falls into the definition of a CEM, the sender must obtain the recipient’s consent before she can deliver it. The consent can be express or – in certain specified circumstances – implied. Notably, express consent under the Personal Information Protection and Electronic Documents Act (PIPEDA) will satisfy CASL – but other forms of PIPEDA consent (such as implied consent) won’t.

Express Consent. Basically, a recipient gives express consent if she has actively agreed to receive CEMs from the sender orally or in writing:

• Oral Consent. A person can ask for and obtain oral consent where information is collected over the phone (e.g. call centres) or when an individual uses a product or service (e.g. point of sale purchases).

• Written Consent. Written consent includes both paper and electronic forms of writing. Acceptable ways to obtain written consent include checking a box on a web page to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in a database, and filling out a consent form at a point of purchase.

Implied Consent. There are two broad relationships in which the recipient’s consent to receive a CEM from the sender is “implied” – meaning the sender doesn’t need the recipient’s express consent to send it:

• “Existing Business Relationships”. CASL is not intended to catch regular business communications in furtherance of an “existing business relationship” – relationships that involve or arose out of one of the following:
  • The purchase, lease or bartering of product, goods, or services within the immediately preceding two (2) years.
  • A written contract that is either in force, or that expired within the immediately preceding two (2) years.
  • A recipient’s inquiry within the immediately preceding six (6) months.

• “Existing Non-Business Relationships”. There is an “existing non-business relationship” between:

• • Registered charities and people who have either donated and/or volunteered within the prior two (2) year period.

• • Registered political parties and/or political candidates who have either donated and/or volunteered within the prior two (2) year period – but if the purpose of the CEM is primarily fundraising then the CEM falls within the “Exceptions” below.

• • Clubs and Associations. A non-profit club, association or voluntary organization that has a purpose other than personal profit, and a person who is or was a member within the prior two (2) year period – but there are some finicky rules, and amateur athletic associations have special rules.

5. What are CASL’s anti-spam mandatory content requirements?

Every CEM must still include certain content – even if the sender has the recipient’s consent to send it:

Disclosure. All CEMs must disclose all of the following information:

• The sender’s business name (if different from the sender’s name).
• If the sender sends the CEM on another person’s behalf, the name of the person on whose behalf the message is sent or by which that person carries on business (if different).
• If the CEM is sent on another person’s behalf, a statement indicating who is sending the CEM and the person on whose behalf the message is sent; a CEM sent on behalf of multiple people (i.e. affiliates), the CEM must identify all such people.
• The sender’s mailing address and one of: the sender’s phone number (that provides access to an agent or voice messaging system), email address or web address – and the detailed contact information of the person on whose behalf the CEM was sent (if different).

Unsubscribe Mechanism. All CEMs must include a working “unsubscribe mechanism” allowing recipients to indicate they no longer want to receive CEMs from the sender. The CRTC says the unsubscribe mechanism must be consumer‐friendly, accessible without difficulty or delay, and quick and simple for consumers to use. The Regulations say it must meet all of the following criteria:

• Use the same electronic means by which the CEM was originally sent.
• Be capable of being “readily performed”.
• Function at no cost to the recipients.
• Include an electronic address or website that remains valid for at least 60 days after each CEM is sent.
• Allow the recipient to unsubscribe from receiving messages from any person who has been provided with the recipient’s electronic address.
• Be implemented without delay – by 10 business days at most.

6. Who does CASL’s anti-spam provisions apply to?

CASL applies to just about every type of organization – from sole proprietors and independent contractors to multinational corporations and not-for-profits and registered charities – and every person who sends a CEM to, from or within Canada. For example, CASL applies to you if you answer “yes” to any of these questions about common activities:

• I use e-mail to solicit donations or sponsorships – but only to fundraise for charities, or for political contributions.
• I use e-mail to send customers newsletters – but they provide information about my products/services, and don’t ask them to contact me.
• I only send emails to customers/contacts who asked me to, and they can e-mail me if they want me to stop sending them.
• In my business, I rely on referrals and contact prospects via e-mail.
• All of the customers/contacts that I e-mail are businesses or business people – not individual consumers.
• I do one (or more) of these things, but I use instant messaging, text messaging, social media or web forums – not e-mail.
• I use a third party company to communicate by email with my customers/contacts on my behalf.
• I communicate directly with my customers/contacts by email, instant messaging, text messaging, social media or web forums – I don’t use a third-party company to do it on my behalf.
• I purchase electronic mailing lists from third parties; the people on the lists know their e-mail information could be given to others.
• I use “closed systems” like LinkedIn to reach out to prospective customers.

7. Where does CASL’s anti-spam provisions apply?

CASL purports to apply to any CEM that is either:

• “[A]ccessed using a computer in Canada”.
• “[S]ent using a computer in Canada”.

If a person or organization is sending a CEM from outside of Canada to someone in Canada, CASL says it applies.

This approach is tenable under Canadian law. Canadian laws can apply to non-Canadians operating outside of the country where there is a “real and substantial connection to Canada”. The Canadian Radio and Television Commission (CRTC) – the main agency charged with administering and enforcing most of CASL – can investigate a Canadian resident’s complaint of a breach by a non-Canadian resident, even though the effectiveness of the investigation could be limited by the ability to access information (like documents and witnesses) residing outside of Canada. For example, the Federal Court of Canada has decided that Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) can apply and the Privacy Commissioner of Canada still has jurisdiction to investigate complaints from Canadian residents against non-Canadian residents. Read the Court’s decision in Lawson v. Accusearch Inc., 2007 FC 125.

The tougher question is how Canada will enforce CASL outside of Canada. The CRTC has said it will work closely with its international counterparts to enforce CASL and has specifically named:

• The US Federal Trade Commission.
• OFCOM in the UK.
• The Authority for Consumers and Markets in the Netherlands.
• The Australian Communications and Media Authority.

It’s an open question whether an administrative monetary penalty for breaching CASL that is imposed in Canada would be enforced outside of Canada – particularly in the U.S., given concerns that CASL impinges on freedom of expression. The question will likely remain open until the first enforcement attempt. But where the foreign company has a significant reputation or goodwill in Canada, “naming and shaming” could be an equal or even greater deterrent.

8. Are there any exceptions to CASL’s general anti-spam rules?

Yes. There are two main categories of “exemptions”:

Consent & Content Exemptions. CASL expressly says it doesn’t apply to these CEMs, so they don’t have to comply with either the consent requirement or the content requirements:

• “Family” Relationships. CEMs sent to someone with whom the sender has a “family relationship” don’t require any kind of consent, and don’t have to comply with the content requirements – but the final Regulations have a narrow definition of a “family relationship”: it includes people connected by marriage, common-law partnership or any legal parent/child relationship, but not extended family members like siblings, aunts and uncles. Thus a person who sends her extended family a CEM must comply with both the consent and content requirements.

• “Personal” Relationships. CEMs sent to someone with whom the sender has a “personal relationship” also don’t need to comply with either of the consent or content requirements. These include relationships where the sender and the recipient have direct, voluntary, two-way communications, while taking into consideration factors such as the sharing of interests, experiences, opinions, the frequency of communication, the length of time since the parties communicated, and whether the parties have met in person.

• Response to Complaints & Inquiries. CEMs sent in response to a request, inquiry or complaint or are otherwise solicited by the person to whom the message is sent don’t need to comply with the consent or content requirements.
• Business-to-Business Messages. The “messages between organizations” exception includes CEMs between organizations that “have a relationship”, as long as the message concerns the recipient organization’s activities. What is “a relationship” is undefined and remains unclear.
• Charitable Fundraising Purposes. CEMs that a registered charity sends (or that are sent on behalf of one) primarily for fundraising purposes.
• Closed Platform CEMs. CEMs sent on a closed platform – like instant messaging through an on-line customer service website – where the content requirements and unsubscribe mechanism are conspicuously published and readily available on the user interface through which the message is accessed, and the recipient either expressly or implicitly consents to receive the message.
• Limited Access Accounts. CEMs sent within an online portal and to a limited access account – like an online banking account – where messages can only be sent by the person who provides the account to the recipient.
• Some Foreign-Bound CEMs. CEMs sent from Canada to a recipient who resides in a foreign state with its own anti-spam legislation and regulatory requirements that prohibit conduct substantially similar to the conduct that CASL prohibits, where the message conforms to the law of the foreign state.

Consent Exemption. These CEMs are exempted from the consent requirements – but they must still comply with the content requirements:

• Business-to-Consumer Messages. CEMs sent from a business to a consumer for the purpose of any one of:

• • Providing a requested quotation.
  • Facilitating, completing or confirming a commercial transaction that the recipient previously agreed to enter.
  • Providing warranty, recall or safety info about a purchase.
  • Providing info about existing employment relationship or related benefits.
• Referrals. A single CEM sent to a referral by someone who has one of these relationships with both the sender and the recipient: an “Existing Business Relationship”, an “Existing Non-Business Relationship”, a “Family Relationship”, or a “Personal Relationship”. The CEM must also disclose the full name of the person who gave the sender the referral.

9. What are CASL’s software installation provisions?

CASL’s software provisions impose equally broad and onerous procedural requirements for companies and individuals installing computer programs on computer systems.

10. What are the consequences of failing to comply with CASL?

Individuals and organizations that don’t comply with CASL risk significant penalties imposed by the Canadian Radio and Television Commission (the CRTC, the main agency charged with administering and enforcing most of CASL), including:

Monetary Penalties. The CRTC can impose penalties of up to $1M on individuals and $10M on other entities for a CASL contravention. The CRTC must take into account certain factors – including prior violations and financial benefit to the sender – when setting the amount.

Vicarious liability. Employers could be liable for violations by employees acting in the scope of employment.

Personal Liability. CASL expressly extends legal responsibility to both an organization’s directors and its officers. CASL says that an organization’s officers, directors and agents can be personally liable if the organization contravenes CASL, regardless of whether the CRTC proceeds against the offending organization itself. To be personally liable, the officer, director, or agent must have done any one of these things:

• Directed the violation.
• Authorized the violation.
• Assented (somehow agreed) to the violation.
• Acquiesced in the violation (knew about it and allowed it to happen).
• Otherwise participated in the violation.

Obstruction of CASL Investigation. It is a criminal offence to fail to comply with a demand to preserve transmission data or produce documents when required.

The first penalty the CRTC imposed on March 5, 2015, was an eye-opener: it issued a $1.1M administrative monetary penalty to Compu-Finder. Compu-Finder is primarily a business-to-business operator. The CRTC said Compu-Finder complaints accounted for 26% of all complaints received for its industry sector. Compu-Finder had obtained e-mail addresses from publicly available websites, but recipients who complained said its offerings weren’t relevant to them. Email recipients were unsubscribing but were still getting emails; some even tried to contact the Compu-Finder to tell them this, but they still got emails. The CRTC decided Compu-Finder violated CASL in two ways:

• Sending commercial electronic messages (CEMs) without consent.
• Failing to meet its “unsubscribe” obligations.

In issuing the $1.1M administrative monetary penalty on Compu-Finder, the CRTC’s chief enforcement officer is quoted as noting the “flagrant nature of the violation” and the company’s failure to make any effort to change its business practices as the rationale for the significant penalty.

While still a far cry from the $10M maximum penalty the CRTC can impose for a CASL violation, the Compu-Finder penalty was enough to get people’s attention and to make it clear the CRTC wouldn’t mess around when it comes to CASL violations.

Due Diligence Defence. CASL does provide a “due diligence” to an organization or an individual for a CASL violation if it both:

• Took reasonable steps to prevent the CASL violation.
• Can prove that it took those reasonable steps with tangible evidence that clearly demonstrate the steps it took to avoid violating CASL.

“Reasonable Belief”. Foreign organizations might also be able to rely on section 3(f) of Canada’s Electronic Commerce Protection Regulations, which says that the consent and content requirements of CASL don’t apply to a CEM if both:

• The sender “reasonably believes” it “will be accessed” in a foreign country listed in the schedule.
• The CEM complies with the law of that foreign country that addresses conduct substantially similar to that prohibited under section 6 of CASL.

For example, if a U.S.-based organization sends a CEM to a customer which it reasonably believes is in the U.S. – but happens to incidentally be in Canada – and complies with CAN-SPAM, the organization may be in a position to rely on both its due diligence defence (and this is key) and section 3(f) in its defence.

Please contact your McInnes Cooper lawyer or any member of our McInnes Cooper CASL Team to discuss whether and how CASL applies to you.

Share

Print