Frequently Asked Questions about Canada’s Anti-Spam Legislation
How to report spam
Canadians can report spam to the Spam Reporting Centre. Contact your local law enforcement if you have been threatened, are a victim of a crime, or fear for anyone's safety.
Disclaimer
This information has been prepared by Canadian Radio-television and Telecommunications Commission staff to provide general information with respect to Canada’s Anti-Spam Legislation (CASL). This material is not to be considered legal advice nor is it binding on the Commission itself. Further, it does not reflect an interpretation of CASL or its accompanying regulations by the Office of the Privacy Commissioner, the Competition Bureau or Innovation, Science and Economic Development Canada.
General
Does the legislation prohibit me from sending marketing messages?
No. Rather, it sets out some requirements for sending commercial electronic messages (CEMs) to an electronic address.
If you are sending a commercial electronic message, you need to comply with three main requirements. You need to: (1) obtain consent, (2) provide identification information, and (3) provide an unsubscribe mechanism.
When does CASL apply?
CASL applies to (1) a commercial electronic message (CEM) that is (2) sent to an electronic address. If both of these elements are present, then CASL applies.
CASL only applies if the CEM is sent to an electronic address, as defined in the legislation. This includes SMS and other messaging to mobile phones and devices. However, CASL does not apply to unsolicited telecommunications, including live voice and automated telemarketing calls, to telephone numbers, which are regulated under the Unsolicited Telecommunications Rules.
What is a commercial electronic message?
A key question is the following: Is this message I am sending a commercial electronic message (CEM)? Is one of the purposes to encourage the recipient to participate in a commercial activity?
When determining whether a purpose is to encourage participation in a commercial activity, some parts of the message to examine are:
- the content
- hyperlinks in the message to website content or a database, and
- contact information.
These parts of the message are not determinative. For example, the simple inclusion of a logo, a hyperlink or contact information in an email signature does not necessarily make an email a CEM. Conversely, a tagline in a message promoting a product or a service, or encouraging the recipient to purchase a product or service, would make the message a CEM.
Some examples of CEMs include:
- offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
- offers to provide a business, investment or gaming opportunity; and
- promoting a person, including the public image of a person, as being a person who does anything referred to above, or who intends to do so.
What is an electronic address?
An electronic address is defined in CASL as being: an email account, a telephone account, an instant messaging account, and any other similar accounts.
Some social media accounts may constitute a "similar account." Whether a "similar account" is an electronic address depends on the specific circumstances of the account in question. For example, a typical advertisement placed on a website or blog post would be excluded.
In addition, whether communication using social media fits the definition of "electronic address" must be determined on a case-by-case basis, depending upon, for example, how the specific social media platform in question functions and is used. For example, a Facebook wall post would not be captured. However, messages sent to other users using a social media messaging system (e.g., Facebook Messenger and LinkedIn messaging) would qualify as sending messages to "electronic addresses."
Websites, blogs and micro-blogging would typically not be considered to be electronic addresses.
Has the Commission provided additional guidance for businesses on the Act and Regulations?
For the purpose of providing guidance, the CRTC issued the following:
- Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC), Compliance and Enforcement Information Bulletin CRTC 2012-548;
- Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation, Compliance and Enforcement Information Bulletin CRTC 2012-549;
- Guidelines to help businesses develop corporate compliance programs, Compliance and Enforcement Bulletin CRTC 2014-326; and,
- Guidelines on the Commission’s approach to section 9 of Canada’s anti-spam legislation, Compliance and Enforcement Information Bulletin CRTC 2018-415.
These information bulletins are guidelines and do not impose binding obligations. They clarify requirements already contained in CASL and its regulations.
Also, the examples provided in these information bulletins are recommended or best practices that, in the CRTC’s view, clearly meet the requirements in CASL. Other practices may satisfy legal requirements imposed by CASL. However, their adequacy will be evaluated on a case-by-case basis in light of the specific circumstances of a given situation.
More information is available in the CRTC’s CASL Guidance on Implied Consent.
When does CASL apply?
Does CASL apply to messages sent from Canada to recipients outside Canada?
Generally speaking, CASL applies so long as the commercial electronic message (CEM) is sent using a computer system located in Canada (s.12(1) of CASL). Messages sent to another country from Canada may, in limited circumstances only, be exempted from the requirements of section 6 of CASL (exemption provided by paragraph 3(f) of the Governor-in-Council Regulations). This exemption may apply if the sender reasonably believes that a) the message will be accessed in certain listed jurisdictions and b) that the message complies with the recipient jurisdiction’s legal requirements, similar to CASL. Outside of such specific circumstances, CEMs sent from Canada must comply with CASL’s requirements.
Therefore, in order to avoid non-compliance, a best practice is to ensure that all CEMs sent, even abroad, comply with section 6.
Does CASL apply to messages received in Canada from other countries?
Yes. Commercial electronic messages (CEM) sent to recipients in Canada from another country must comply with CASL. Senders of CEMs need to: (1) obtain consent, (2) provide identification information, and (3) provide an unsubscribe mechanism.
Does CASL apply only to email? What about messages sent over SMS text messaging or Bluetooth messaging?
Messages that are commercial in nature that are sent over a text messaging service or Bluetooth messaging are subject to CASL, as these messages are transmitted to an electronic address. This means you must have obtained consent before sending the message, must include identification requirements and have a functioning unsubscribe mechanism.
Does CASL apply to federal, provincial, territorial and municipal governments?
CASL does not apply to the activities of the federal, provincial and territorial governments. CASL does apply, however, to crown corporations, including municipal governments, when the corporation is acting in the course of any commercial activity.
Does CASL apply to electronic messages sent by political parties, candidates and third parties?
A message must be commercial in nature for CASL’s requirements to apply (see “What is a commercial electronic message” above). Generally, most political messages are not commercial in nature; those that appear to be tend to solicit contributions. Political messages, where the primary purpose is to solicit a contribution, are excluded from section 6 of CASL, pursuant to the Governor-in-Council Regulations.
This means that text messages or emails asking for your support for a political party or candidate or requesting your opinion on various issues are not subject to CASL, since they are not commercial in nature. This is an increasingly popular approach for political parties and affiliated groups to gauge support and gather data on potential voters. However, in general, CASL does not apply to these types of messages.
Similarly, an electronic message that directly solicits cash donations, or that promotes an event or fundraiser, where the proceeds flow to the political party or candidate, would be excluded from section 6 of CASL, since the primary purpose is to solicit a contribution.
If you do not want to receive political messages, you could ask the sender to remove you from their list. However, if CASL does not apply to the message, there is no requirement for the sender to respect your request.
If you believe that the message you received is commercial in nature and is not soliciting a contribution, report the message to the Spam Reporting Centre. For example, if an email sent by a political party or candidate contains advertisements and encourages the recipient to participate in a commercial activity with the entities being advertised, then section 6 of CASL may apply without any exemption, since the primary purpose of the message may not be solely to solicit contributions for the political party or candidate.
Does CASL apply to messages sent by nomination contestants?
No. Pursuant to the Governor-in-Council (GIC) Regulations, commercial electronic messages (CEMs) sent by or on behalf of a political party are excluded from section 6 of CASL, if the primary purpose of the CEM is to solicit a contribution. The eligibility of nomination contestants is certified by the political party before the process begins and therefore, for the purposes of this exclusion, CEMs sent by nomination contestants, if the primary purpose is to solicit a contribution, are considered to be sent on behalf of the political party.
Does CASL apply to commercial messages sent by friends or family members?
No, CASL does not apply to a commercial electronic message (CEM) sent to an individual with whom the sender has a personal or family relationship, as defined by the Governor-in-Council (GIC) Regulations.
A "personal relationship" means a relationship between the sender and the recipient, where those individuals have had direct, voluntary, two-way communication and it would be reasonable to conclude that they have a personal relationship. The GIC Regulations set out a non-exhaustive list of factors that should be used to determine whether there is a personal relationship (e.g. the sharing of interests, experiences, opinions and information evidenced in the communications; the frequency of the communication, etc.). To prevent potential abuse of this exception to send CEMs without consent, Commission staff intends to strictly interpret the definition of "personal relationship" in determining when a personal relationship exists.
Also, a "personal relationship" is one that exists between individuals. Legal entities, such as corporations, cannot have a personal relationship. Someone who sends a CEM on behalf of a corporation may not claim to have a personal relationship with the recipient.
Does CASL apply to push notifications?
Push notifications are pop-up messages used for marketing purposes instead of email and text messages. There are different kinds of push notifications and they have important technical differences that may influence the application of CASL and its exemptions.
“App-based” push notifications are made possible when the user installs an application or computer program on their device. There are two kinds of these notifications:
- “in-app” notifications that only pop up when the application is open/active, or
- “outside the app” notifications that may appear on any open or locked screen by using the technology built-in to the device’s operating system.
“Web-based” push notifications use technology that is built-in to modern web browsers and sends notifications to users visiting a website.
Push notifications may fall within the scope of section 6 of Canada’s Anti-Spam Legislation if they are commercial in nature. Some notifications, like weather alerts or virus security warnings, may not be commercial and as such, may not fall under CASL.
Exceptions and exemptions could apply to push notifications. For example:
- One exemption applies to limited-access accounts, such as secure banking portals. For example, when a user is logged in to do their banking, a push notification encouraging them to apply for a low-interest credit card may be deemed exempt. For more information, see paragraph 3.e) of the Electronic Commerce Protection Regulations, as further explained below on this page under “Does CASL apply to limited-access accounts (e.g. secure portals on banking websites) where CEMs can only be sent from the person who provides the account (e.g. the bank)?”.
- Another exemption applies to commercial electronic messages sent to users who have requested or otherwise solicited them. For more information, see paragraph 3.b) of the Electronic Commerce Protection Regulations. Although the application of CASL must be reviewed on a case-by-case basis, this exemption could apply to most push notifications, since their design typically includes the user’s prior request to receive them, and full control to disable them at any time.
However, this technology may also be open for abuse. This exemption is not applicable when the technology is used to send phishing push notifications, malware or web-based ads of third parties while also making it difficult for users to identify the sender, therefore making it difficult to disable.
Consent
There are three general requirements for sending a commercial electronic message (CEM) to an electronic address: (1) obtain consent, (2) provide identification information, and (3) provide an unsubscribe mechanism.
There are two types of consent under CASL – express and implied.
Express consent does not expire; however, the recipient has the right to withdraw their consent at any time.
How can I obtain express consent?
Express consent can be obtained in writing or orally. In either case, the onus is on the person who is sending the message to prove they have obtained consent to send the message.
The CRTC has issued information bulletins to provide guidance and examples of recommended or best practices. Compliance and Enforcement Information Bulletin CRTC 2012-548, among other things, explains what information is to be included in a request for consent and provides considerations with respect to tracking or recording consent that may make it easier to prove consent, if required. Compliance and Enforcement Information Bulletin CRTC 2012-549 provides guidance related to acceptable forms of obtaining express consent.
The examples of recommended or best practices provided in the Bulletin are partial. They may not necessarily be appropriate in every situation. Compliance will be examined on a case-by-case basis in light of the specific circumstances of a given situation.
Can I use pre-checked boxes to obtain express consent?
No. You cannot use a pre-checked box to request consent from a consumer as it assumes consent. Silence or inaction on the part of the end user also cannot be construed as providing express consent.
Rather, express consent must be obtained through an opt-in mechanism, as opposed to opt-out. The end user must take a positive action to indicate their consent. For example, this can be done by providing a blank box which a user can check off to indicate consent.
For more information, please see Compliance and Enforcement Information Bulletin CRTC 2012-549 on the use of toggling to obtain express consent.
If a potential customer provides an email address or a phone number when putting items into an online shopping cart, but does not complete the purchase nor otherwise provide express consent to receive commercial electronic messages (CEMs), can the merchant still send CEMs to the address the potential customer provided?
An abandoned online shopping cart is not a purchase and does not trigger the two-year implied consent period under paragraph 10(10)(a) of CASL.
Depending on the specifics of their checkout processes, some merchants might adopt the interpretation that the steps taken, and information provided by the potential customer before abandoning their cart could be similar to an inquiry or an application related to a purchase. Some merchants might interpret this scenario as triggering the six-month period during which consent to receive commercial electronic messages (CEMs) is implied, according to paragraph 10(10)(e) of CASL. This interpretation could expose merchants to complaints since potential customers might consider that by abandoning a cart, no business relationship was formed under CASL (therefore no implied consent to receive CEMs). In addition, potential customers could question the retention and use of their personal information if they initially provided it only for the purpose of billing and delivery of items, which were ultimately not purchased.
For these reasons, we recommend that merchants secure express consent when an email address or phone number is collected in the checkout process, in accordance with Information Bulletin CRTC 2012-549. It is best not to assume implied consent: if you are unsure, ask for express consent. Remember that the onus is on the person who claims that they have obtained consent to prove it.
How do I show that I have obtained consent to send a commercial electronic message?
The onus is on the person who claims that they have obtained consent to prove that they have such consent. Compliance and Enforcement Information Bulletin CRTC 2012-548 provides a few examples on how one can prove they have obtained express consent, such as maintaining records. Note that the examples provided are practices that the Commission considers to be compliant with the legislation. Other practices may satisfy legal requirements imposed by CASL. However, their adequacy will be evaluated on a case-by-case basis in light of the specific circumstances of a given situation.
Do I need consent to send a commercial electronic message following a referral?
There is an exception to the consent requirement for the first commercial electronic message (CEM) sent following a referral if certain conditions are met. The referral must be made by an individual who has an existing business relationship, an existing non-business relationship, a family relationship or a personal relationship with the sender and any of those relationships with the recipient of the CEM. Also, the full name of the individual who made the referral and a statement that the CEM is sent as a result of a referral must be in the CEM. Only one CEM may be sent without obtaining the consent of the recipient of the message.
The CEM must still respect the other two requirements – it must contain the identification information and an unsubscribe mechanism.
If my business obtained consent to send commercial electronic messages to customers, can I rely on those same consents to continue sending messages after rebranding (i.e., the same legal person/business using a new business name)?
Yes, Canada’s Anti-Spam Legislation (CASL) applies to a person (defined as an individual, partnership, corporation, organization, association, trustee, administrator, executor, liquidator of a succession, receiver or legal representative), not to its business name. A change of business name does not affect the validity of consents obtained by the person if the purpose and scope of the consent is respected.
For example, if the consent initially obtained was limited to certain types of commercial messages, such as a monthly newsletter, or certain types of products or services, you must stay within those limits and avoid sending messages related to other business activities after rebranding.
In addition, it may be advisable to include a statement in your first message to inform your customers about your new business name, so that they can understand who you are, and how you have previously obtained their consent. This may help to avoid unnecessary complaints to the Spam Reporting Centre.
As a reminder, if you are sending a commercial email or text message, you need to comply with three main requirements: (1) obtain consent, (2) provide identifying information, and (3) provide an unsubscribe mechanism.
Someone gives me a business card: Is that clear consent to add them to my distribution list?
It depends. You may have their implied consent to send them commercial electronic messages (CEMs), as long as:
- the message relates to the recipient's role, functions or duties in an official or business capacity; and
- the recipient has not made a statement when handing you the business card that they do not wish to receive promotional or marketing messages (CEMs) at that address.
It is important to remember that the onus is on the sender to prove they received consent.
Recall that consent under CASL is also implied if you have an existing business relationship or existing non-business relationship with the person.
Compliance will be examined on a case-by-case basis in light of the specific circumstances of a given situation.
Does CASL apply to business-to-business CEMs?
Business-to-business commercial electronic messages (CEMs) are exempt in certain situations. The GIC Regulations provide an exemption that CASL does not apply to CEMs sent by an employee, representative, consultant or franchisee of an organization to an employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent.
Therefore, if you are sending a CEM to another business, for the business-to-business exemption to apply:
- the message must be between employees, representatives, consultants or franchisees of your organization and the recipient organization;
- your organizations must have a relationship; and
- the message must concern the activities of the organization you are sending the CEM to.
The focus of the business-to-business exemption is on relationships between organizations. The mere fact that an employee of an organization has a relationship with an employee of another organization does not necessarily result in a relationship between the organizations. The nature of the relationship should be such that it can be demonstrated that the recipient organization had, or intended to create, a relationship with your organization that would allow for a complete exemption from section 6 of CASL. If you meet the business-to-business requirements, consent is not required to send the CEM, nor is there any requirement to add CASL information requirements or an unsubscribe mechanism to the CEM.
Does section 6 of CASL apply to messages sent to my membership?
Yes, section 6 of CASL applies, but consent may be implied where CEMs are sent to members of an association, club or voluntary organization. When sending CEMs to your membership based on implied consent, you should ensure that you are only sending to members.
"Membership" means the status of having been accepted as a member of a club, association or voluntary organization in accordance with its membership requirements. You should also ensure that your organization is a club, association, or voluntary organization that is:
- a non-profit organization,
- organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than personal profit, and
- no part of its income is payable for the personal benefit of any member, proprietor or shareholder unless that entity is an organization whose primary purpose is the promotion of amateur athletics in Canada.
The CEM must still respect the other two requirements – it must contain the identification information and unsubscribe mechanism.
Does CASL apply to limited-access accounts (e.g. secure portals on banking websites) where CEMs can only be sent from the person who provides the account (e.g. the bank)?
The GIC Regulations state that CASL does not apply to commercial electronic messages (CEMs) sent to a limited access secure and confidential account to which messages can only be sent by the person who provides the account to the recipient.
Within these accounts, the communication must be one-way such that the messages can only be sent by the person who owns or provides the account. Moreover, the account holder must not be able to send messages back to the account owner. As this is a closed messaging system, the only persons who may access such accounts consist of the person who owns or provides the account, and the account holder.
The closed messaging system found on financial services and online banking websites hosted by banks is an example of such accounts. The one-way CEM, for example sent by the financial institution through the online banking website’s closed messaging system to a customer, is exempt from CASL.
The electronic address to which I want to send a CEM is published in plain sight, for example, on a website or in a trade magazine. Do I have implied consent under the conspicuous publication exemption under CASL to send CEMs?
The conspicuous publication exemption from consent under CASL provides that consent is implied if:
- the person to whom the message is sent has conspicuously published, or has caused to be conspicuously published, the electronic address to which the message is sent;
- the publication is not accompanied by a statement that the person does not wish to receive unsolicited CEMs at the electronic address; and
- the message is relevant to the person’s business, role, functions or duties in a business or official capacity.
The conspicuous publication exemption sets a higher standard than the simple public availability of electronic addresses. In particular, the electronic address to which the message is sent must not be accompanied by a statement indicating that the person does not want to receive unsolicited CEMs. A “conspicuous publication” online entails that the electronic address is directly available to the public because it is typically indexed by a search engine. Therefore, an electronic address that requires specific queries in a corporate database to be found is not conspicuously published. The requirement that it be relevant to the recipient’s role or functions creates the condition that the address be published in such a manner that it is reasonable to infer consent to receive the type of message sent, in the circumstances.
If a business conspicuously publishes on its website contact information for an employee at an address held by that business, this publication could create implied consent to send messages relevant to that person’s role. If that business chooses to advertise through a third party and provides that employee’s contact information for the purposes of that advertisement, this could also create implied consent to contact that person in relation to that advertisement, or their role, because the account holder caused the publication. However, if a third party were to reproduce this address or sell a list of such addresses on its own initiative, this would not create implied consent on its own, because in that instance neither the account holder nor the message recipient would be publishing the address, or be causing it to be published.
As another example, a company conspicuously publishes on its website the email addresses of its employees, including the chief operating officer (COO) and the marketing officer. There are no accompanying statements that the employees do not want to receive CEMs at those email addresses.
Scenario 1: A training company sends a CEM to the COO. This CEM promotes a course on how to be an administrative assistant. This CEM is irrelevant to the recipient's business, role, functions or duties in a business or official capacity. Accordingly, the training company cannot rely on conspicuous publication as a form of implied consent for the sending of this CEM.
Scenario 2: A training company sends a CEM to the marketing officer. This CEM promotes a course on how to develop social media platforms for e-marketing. In this case, the CEM is relevant to the recipient's business, role, functions or duties in a business or official capacity. Therefore, the training company could rely on conspicuous publication as a form of implied consent for sending this CEM.
The conspicuous publication exemption under CASL does not provide persons sending CEMs with a broad licence to contact any electronic address they find online; rather, it provides for circumstances in which consent can be implied by such publication, to be evaluated on a case-by-case basis.
If you are relying on the conspicuous publication exemption under CASL, you should have supporting information with respect to:
- where or how you discovered any of the recipient address(es);
- when you obtained the address(es);
- whether the address publication was conspicuous;
- whether the address was accompanied by a statement indicating that the person does not want to receive unsolicited CEMs; and
- how you determined that the messages you are sending are relevant to the roles or functions of the intended recipients.
Does CASL apply to electronic messages sent in relation to surveys or market research?
No. CASL only applies to electronic messages sent that are commercial in nature. If the electronic message sent does not contain commercial content, then CASL does not apply.
However, you cannot engage in commercial activity under the guise of a survey. If the message contains a survey and solicitation encouraging the recipient to engage in commercial activity, then CASL would apply.
If I send messages to recruit individuals for employment opportunities, are these messages subject to the requirements of CASL?
Depending on the circumstances, most employment recruitment messaging would not meet the definition of a commercial electronic message (CEM) in CASL as these would not normally offer, advertise, market or promote a product or service. However, some recruitment messages may in fact constitute CEMs and be subject to the requirements of CASL. This determination, of course, depends on the circumstances of a given case, but the participation of a recruitment firm increases the likelihood that the message could be a CEM.
For example, in Commission staff’s view, sending someone a message to inform them of an opening at their organization would not constitute commercial activity as long as the message is solely for the purpose of offering them that position. However, where recruitment firms are hired to email or message individuals to inform them about an open position at an organization that might be of interest to them and, as an example, include an option to subscribe to their service to be notified about other job opportunities, these messages would likely be considered commercial in nature and subject to CASL.
In cases where the recruitment message is considered a CEM, the sender would be subject to the requirements of CASL: consent, unsubscribe mechanism and sender identification. With respect to obtaining consent to contact the recipient in the case of recruitment messages, express consent may have been obtained at a job fair, through a job placement service, or through a positive action on a recruitment platform (e.g., clicking “apply” or “contact me” on an online job forum). In the absence of such express consent, or an existing business or non-business relationship, the communication may be in contravention of CASL.
Identification
There are three main requirements for sending a commercial electronic message (CEM) to an electronic address. You need (1) consent, (2) identification information, and (3) an unsubscribe mechanism. The questions under this heading relate to the second requirement – identification information.
What identification information is required if I am sending messages on behalf of someone else, including affiliates?
You must identify yourself and the persons on whose behalf a commercial electronic message (CEM) is sent. When a CEM is sent on behalf of multiple persons, then all of these persons must be identified in the CEM.
However, where it is not practicable to include this information in the body of a CEM, then a hyperlink to a webpage containing this information is acceptable as long as the webpage is readily accessible at no cost to the recipient of the CEM. The link to the webpage must be clearly and prominently set out in the CEM.
Also, not every person who is involved in the sending of a CEM must be identified. Rather, only the persons who play a material role in the content of the CEM and/or the choice of the recipients must be identified. For example, an email service provider offering email marketing who has no input on the content of the message, nor on the recipient list, does not need to be identified in the CEMs sent by clients using its service. However, where the email service provider plays a role in the content of the CEMs being sent, for example by adapting messages based on customer profile information and behaviours, then they must be identified in the CEMs.
I conduct my business from home. Do I need to disclose my home address to fulfill the identification requirements?
No, you do not need to provide your home address. You can provide another valid mailing address as long as you can be contacted at that address. Please refer to the Compliance and Enforcement Information Bulletin CRTC 2012-548 for more information. Of note, that Information Bulletin explains that a mailing address consists of not only a street address, but also a P.O. Box, rural route address, or general delivery address. Pursuant to CASL, the address you provide must be valid for a minimum of 60 days after the message has been sent.
I have a limited number of characters that I can use when sending a message using a given messaging service (e.g., SMS text message). What should I do if I cannot include all the required information in the commercial electronic message (CEM)?
Where it is not practicable to include the required information in the body of a CEM, then a hyperlink to a webpage containing this information is an acceptable practice as long as the webpage is readily accessible and at no cost to the recipient of the CEM. The webpage link must be clearly and prominently set out in the CEM.
For more information, refer to sections 2 and 3 of the Electronic Commerce Protection Regulations (CRTC) and Compliance and Enforcement Information Bulletin CRTC 2012-548.
Unsubscribe
There are three main requirements for sending a commercial electronic message (CEM) to an electronic address. You need (1) consent, (2) identification information and (3) an unsubscribe mechanism. The questions under this heading relate to the third requirement – an unsubscribe mechanism.
What are the requirements for an unsubscribe mechanism?
Under CASL, you must include an unsubscribe mechanism in your commercial electronic messages (CEMs). For example, a CEM sent via SMS may state that an end-user can unsubscribe by texting the word "STOP." Another possibility is a clear and prominent hyperlink in an email allowing the end-user to unsubscribe with a simple click. The hyperlink may send users to a readily accessible webpage at no cost to the recipient.
You can set up your unsubscribe mechanism in different ways. It can be broad or specific. For example, you can offer the recipient a choice, allowing them to unsubscribe from all or just some types of CEMs your organization sends.
A key aspect is that an unsubscribe mechanism must be ‘readily performed’. It should be simple, quick and easy for the end-user.
One example of an acceptable unsubscribe mechanism that meets the criteria for ‘readily performed’ would be an unsubscribe link in an email that takes the user to a webpage where he or she can readily unsubscribe from receiving all or some types of CEMs from the sender. In the case of a short message service (SMS), the user should have the choice between replying to the SMS message with the word “STOP” or “Unsubscribe”. Another option is to provide a link sending the user to a webpage where the individual can readily unsubscribe from receiving all or some types of CEMs from the sender.
One example of a non-compliant unsubscribe mechanism that, in the view of Commission staff, does not meet the criteria of ‘readily performed’ would be an unsubscribe mechanism where the user would be required to take several steps to unsubscribe. Here is an example of a six-step approach that would be considered non-compliant under CASL:
- The user is required to click on an “unsubscribe” hyperlink within a CEM;
- The user lands on a webpage and must navigate through text that contains multiple links trying to locate the link allowing the user to unsubscribe from future CEMs;
- Once the “unsubscribe” link is found and clicked, the user is redirected to a ‘login’ button;
- The user is required to log into their existing account with their user name and password;
- The user is redirected to a page offering them options to “Quit/Give up/Delete Account” or “Unsubscribe” located at the bottom of the webpage;
- Only after completing all these steps, does the user receive a notice that the account has been deleted or that they are now unsubscribed.
For more examples of acceptable unsubscribe mechanisms under CASL, please see Compliance and Enforcement Information Bulletin CRTC 2012-548.
Liability
What are the penalties for committing a violation under CASL?
If you commit a violation under CASL, you may be required to pay an administrative monetary penalty (AMP). The maximum amount of an AMP, per violation, for an individual is $1 million. For a business, it is $10 million. CASL sets out a list of factors considered in determining the AMP’s amount.
Can directors and officers be liable too?
Yes, directors, officers, agents and mandataries of a corporation can be liable, if they directed, authorized, assented to, acquiesced in, or participated in the commission of the violation. Such individuals may be liable for the violation whether or not the corporation is proceeded against.
When will a person be liable for “aiding” under section 9 of CASL?
A person will be found liable if they are found to be aiding any act contrary to any of s. 6 to 8 of CASL.
Whether a person has committed the act of aiding under s. 9 of CASL depends on the facts of each case. The following non-exhaustive factors are generally considered: the position of the person in relation to the prohibited activity, how the person contributed to the commission of the activity or facilitated the commission of the prohibited activity (including whether the person failed to take action to stop the prohibited activity from taking place), and the connection between the aid provided and the commission of the prohibited activity.
Accordingly, failing to act in certain circumstances, such as when the person is in a position to allow a CASL violation by others to occur and does not take any action, could render a person liable under s. 9 of CASL. As another example, if a company provides the necessary infrastructure or software to install malicious computer programs (malware), that company may be found liable under s. 9 of CASL.
It is important and useful for a company to have the following in place, as necessary:
- Written contracts and corporate compliance policies or procedures to ensure compliance with CASL
- Measures to monitor how their services are used
Additional information regarding the Commission’s approach to section 9 of CASL is available in Compliance and Enforcement Information Bulletin CRTC 2018-415.
I use third party affiliates to conduct e-marketing – how can I ensure I’m compliant with CASL?
If you are a business using third parties acting as affiliate promoters for your products and services online, you and the third party acting on your behalf may be liable for violations committed under CASL.
Businesses engaging in affiliate marketing networks should, among other things, develop and implement a corporate compliance program and ensure that they, as well as the third party sending CEMs on their behalf, are complying with CASL. This includes:
- having established consent or obtaining express consent;
- providing identification information; and
- including an unsubscribe mechanism.
General guidance on developing such a program can be found in this Compliance and Enforcement Information Bulletin.
Record Keeping
How long should a business retain records to demonstrate compliance with CASL?
There is no prescribed period in the legislation setting out how long records should be kept.
Once you have obtained express consent to send commercial electronic messages (CEMs), it does not expire, though the person may unsubscribe at any time. Therefore, if you believe you have consent to contact a consumer, you need to retain records demonstrating that consent for as long as you will be contacting them. In the event of a request for information from CRTC staff as part of an investigation or a compliance check, the production of documented information management policies, including ongoing and consistent record keeping practices, may support any claim of a due diligence defence.
As noted in Compliance and Enforcement Information Bulletin CRTC 2014-326, the development and proper implementation of a documented and effective corporate compliance program may help businesses facilitate compliance with CASL. Your record retention strategy should reflect the particular nature of your business: your approach to electronic marketing, the number and type of customers you are contacting, the typical duration of your customer relationships, and other factors that may affect your approach to record retention. Record retention practices should be consistent with the policies and procedures set out in your compliance program.
Social media
Does a "personal relationship" apply to social media contacts?
A "personal relationship" requires that the real identity of the individual who alleges a personal relationship is known by the other individual involved in such a relationship (as opposed to instances where a virtual identity or an alias is used). Using social media or sharing the same network does not necessarily reveal a personal relationship between individuals. The mere use of buttons available on social media websites – such as clicking "like", voting for or against a link or post, accepting someone as a "Friend", or clicking "Follow" – will generally be insufficient to constitute a personal relationship. Relevant factors for determining whether a personal relationship exists include the sharing of interests, experiences, opinions and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated or whether the parties have met in person.
Does CASL apply to communication using social media?
CASL applies to CEMs sent to an electronic address. An electronic address is defined in CASL as being:
- an email account;
- an instant messaging account;
- a telephone account; or
- any similar account.
Some social media accounts may constitute a “similar account” under the definition of “electronic address.” Therefore, whether communication using social media fits the definition of "electronic address" and is captured by CASL must be determined on a case-by-case basis, depending upon, for example, how the specific social media platform in question functions and is used.
In general, CASL does not apply to the one-way general broadcast of a commercial message on social media. For example, this could include the general broadcasting of tweets on Twitter. However, messages sent directly to users through a social media closed two-way direct messaging system would qualify as sending messages to "electronic addresses" and CASL would apply.
Non-profit organizations and registered charities
Does CASL apply to messages sent by non-profit organizations?
Yes, CASL’s provisions, such as those relating to sending commercial electronic messages (CEMs) and installing computer programs, apply to activities of non-profit organizations. However, there is an exemption under section 3(g) of the Governor-in-Council Regulations for CEMs sent by or on behalf of a registered charity, as defined under the Income Tax Act, where the primary purpose of the CEM is to raise funds for the charity.
Does CASL apply to messages sent by registered charities?
Yes, section 6 of CASL applies to registered charities when sending commercial electronic messages (CEMs). However, there is an exemption under section 3(g) of the Governor-in-Council Regulations for CEMs sent by or on behalf of a registered charity, as defined under the Income Tax Act, where the primary purpose of the CEM is to raise funds for the charity.
Given that legitimate messages sent by registered charities raising funds are exempt under the Act, CRTC staff intends to focus on messages sent by those attempting to circumvent the rules under the guise of a registered charity.
When will a CEM sent by a registered charity be seen as having, as its “primary purpose”, the raising of funds for the charity?
The “primary purpose” of a CEM means the main reason or main purpose of the CEM. There could be a secondary or additional purpose to the message, but the principal purpose of the CEM must be to raise funds for the charity.
Examples
Where the primary purpose is raising funds (CASL may not apply):
Example 1: A CEM, sent by or on behalf of a charity, which promotes an event and/or the sale of tickets for an event – such as a dinner, golf tournament, theatrical production or concert or other fundraising event – where the proceeds from ticket sales flow to the registered charity.
Example 2: A registered charity sends, by email, a newsletter which provides information about the charity’s activities or an upcoming campaign, but which also contains a section which solicits donations for the purpose of raising funds for the charity and mentions corporate sponsors who supported the charity (but does not encourage the recipient to participate in a commercial activity with that sponsor). While this message may be considered a CEM under CASL, the primary purpose of the message may be viewed as raising funds; therefore, the exemption in the GIC Regulations could apply.
Where the primary purpose is not raising funds (CASL may apply):
Example: A registered charity sends, by email, a newsletter which provides information about the charity’s activities or about a particular social issue. If this email also advertises the corporate sponsors of a charity’s event and encourages the email recipient to participate in a commercial activity with that sponsor, then the primary purpose of the message may not be to raise funds for the charity and section 6 of CASL may apply without any exemption.
Can registered charities rely on implied consent to send CEMs?
Yes, consent under CASL is implied if, among other circumstances, you have an existing business relationship or an existing non-business relationship with the recipient.
An existing non-business relationship, as defined under CASL, is created under certain situations, including when a person makes a donation or gift to the registered charity, or performs volunteer work or attends a meeting organized by the charity. A registered charity would have implied consent to send CEMs to this person for two years following the event that starts the relationship (e.g. gift or donation made).
Installing computer programs
When does section 8 of CASL apply?
Section 8 applies when a computer program is installed in the course of a commercial activity on another person's computer system. The definitions of computer program and computer system come from the Criminal Code (section 342.1(2)).
Also, for section 8 to apply, the person installing or directing the installation of a computer program must be in Canada, or the computer system must be in Canada.
You must have the express consent of the owner or an authorized user of the computer system to install a computer program on that computer system.
What must I do to obtain valid express consent to install a computer program?
When you seek express consent to install a computer program, you must set out clearly and simply:
- the purpose(s) for which consent is being sought,
- information that identifies the person seeking consent (including any person on whose behalf consent is sought), and
- the function and purpose of the computer program.
However, you may need to disclose more information when seeking express consent if the computer program will perform any of the following functions:
- collecting personal information,
- interfering with the user's control of the computer system,
- changing or interfering with settings, preferences or commands already installed or stored on the computer system without the user’s knowledge,
- changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of the computer system,
- causing the computer system to communicate with another computer system without authorization,
- installing a computer program that may be activated by a third party without the user’s knowledge, and
- performing any other function listed in the Governor-in-Council (GIC) Regulations.
If the computer program does any of these specified functions when installed, then you must, when requesting consent, clearly and prominently, and separate and apart from the licence agreement:
- describe the program's material elements that perform the specified function(s), including the nature and purpose of those elements, as well as their foreseeable impact on the operation of the computer system, and
- bring those elements to the attention of the user separately from other information provided in a request for consent.
What about web cookies?
CASL deems a person to have provided express consent for the installation of a computer program, if it is reasonable to believe that the person consented to the installation based on the person's conduct, and the computer program is:
- a cookie,
- HTML,
- JavaScript,
- an operating system,
- a program that is executable only through another computer program to which the user has already expressly consented, or
- specified in the regulations.
Can you provide more information about the specified computer programs addressed in section 6 of the Governor-in-Council Regulations?
As noted in the question "What about web cookies?", CASL deems a person to have provided express consent for the installation of certain computer programs, including those programs specified in the Governor-in-Council (GIC) Regulations. Section 6 of the GIC Regulations identifies three computer programs for which a person is deemed to have provided express consent:
- where a telecommunications service provider (TSP) installs a computer program solely to protect the security of its network from a current and identifiable threat to its network (6(a));
- where a TSP who owns or operates the network installs a computer program to update or upgrade the network (6(b)); and
- where the program is necessary to correct a failure in the operation of a computer system or program, and is installed solely for that purpose (6(c)).
If a program is installed for any purpose other than protecting the network’s security, or correcting a failure in the operation of a computer system or program, then subsections 6(a) and (c), respectively, will not apply.
In subsection 6(c), a failure of a computer system or program means that the system or program functions improperly and is inconsistent with consumer expectations.
In addition, the person’s conduct must also be such that it is reasonable to believe that they consent to the program’s installation. It is insufficient that the specified computer program is named in section 6 of the GIC Regulations.
Formal powers of the Commission
What investigative powers does the Commission have?
Commission staff, who are persons designated by the Commission to conduct investigations, may use the following powers to investigate possible violations under CASL:
- Notice to Produce – a notice served on a person requiring them to produce data, information or documents in their possession or control (additional information is available in section 17 of CASL);
- Preservation Demand – a demand served on a telecommunications service provider requiring it to preserve transmission data that is in or comes into its possession or control (additional information is available in section 15 of CASL); and
- Search Warrant – a judicially pre-authorized warrant that authorizes designated persons to enter a place (business or dwelling-house) to examine, copy or remove documents or things (additional information is available in section 19 of CASL).
What enforcement actions can the Commission take to respond to non-compliance with CASL?
When an entity is found to be non-compliant with CASL, Commission staff may respond by using the following enforcement actions to promote compliance:
- Warning Letter – informs a person that Commission staff have concerns with respect to possible violations of CASL (e.g. due to complaints received), educates about CASL obligations, and encourages auto-corrective action (if warranted);
- Undertaking – an agreement defining compliance obligations to be put in place following an alleged contravention of CASL, and may include a provision to pay a specified amount (additional information is available in section 21 of CASL);
- Notice of Violation (NOV) – a notice served on an entity if it is believed on reasonable grounds that the entity has committed a violation. It may be accompanied by an administrative monetary penalty (additional information is available in section 22 of CASL);
- Administrative Monetary Penalty (AMP) – every person who contravenes any of sections 6 to 9 of CASL commits a violation for which they may be liable to pay an administrative monetary penalty when a notice of violation is issued. Penalties under CASL are up to $1M per violation for an individual and up to $10M per violation for corporations (additional information is available in section 20 of CASL).
The Commission’s objective is compliance with CASL. The determination of which enforcement action(s) to use is made on a case-by-case basis, taking into account this overarching objective as well as the facts relating to the violation(s).
Appeal process
I have been served with a Notice of Violation (NOV) from Commission staff. Can I appeal this decision?
If you are served with an NOV, you have the option of making representations to the Commission with respect to the penalty’s amount or the acts or omissions that constitute the alleged violation. The NOV will inform you that you may make representations to the Commission either within 30 days after the NOV is served or any longer period set out in the NOV. The NOV will also set out the manner for making the representations.
If you make representations in accordance with the NOV, the Commission must decide, on a balance of probabilities, whether you committed the violation and, if so, may impose the penalty set out in the NOV, may reduce or waive the penalty, or may suspend payment of the penalty subject to any conditions that the Commission considers necessary to ensure compliance with CASL.
If you are unsatisfied with the Commission’s decision, you may file an appeal with the Federal Court of Appeal within 30 days after the day on which the Commission decision is made.
If your appeal is on a question of fact, leave of the Federal Court of Appeal is required. The application for leave to appeal must be made within 30 days after the day on which the Commission decision is made. Further, the appeal may not be brought later than 30 days after the day on which leave to appeal is granted.