Canada’s Anti-Spam Legislation (CASL) – What you need to know

What is it?

Canada’s Anti-Spam Legislation (CASL) – What need to knowAt one point or another everyone has opened up their inbox and has found unwanted emails. Sometimes called junk email or unsolicited bulk email (UBE), the Canadian government is implementing a new law, Canada’s Anti-Spam Legislation (CASL), to crack down on unwanted emails and texts. This law will have a major impact on businesses, because now businesses and organizations will need to prove they have consent to reach out to new, existing, or potential customers using electronic messages.

CASL will take effect on July 1, 2014. Non-compliance will result in penalties for each violation that can reach as high as $1 million for an individual and $10 million for organizations.

Commercial Electronic Messages (CEMs)

Any commercial electronic message (CEM) sent by any medium falls under CASL.  A CEM includes any message sent by email, text message, voicemail, social media, etc. if the purpose of that message is to encourage participation in a commercial activity.

Under CASL, there are three general requirements for sending a CEM to an electronic address. You need:

  1. Consent
  2. Identification Information
  3. An Unsubscribe Mechanism

Obtaining Consent

Implied consent may be obtained through an existing business relationship but implied consent has an expiry date as outlined below. Express consent may be acquired through written or oral methods. For instance, a business may opt to receive express consent electronically via email. These opt-in emails must be delivered by the July 1st deadline (unless you already have implied consent). Any electronic communications without consent sent after the July 1st deadline constitutes an offence under CASL. Industry Canada has also noted that express consent that is compliant with PIPEDA will also be compliant with CASL.

To acquire consent after the deadline, companies will need to employ other methods of communication such as by mail or telephone. In any case, the onus is on the person sending the message to prove they have the consent to do so.

Consent Considerations

In order to make it easier to prove consent, we recommend you record or track:

  1. Whether consent was obtained written or orally
  2. The date consent was obtained
  3. The purpose of the consent (ie. express consent to email product updates)
  4. The manner in which you obtained consent
    Expressed consent must be obtained by an opt-in mechanism.

Implied Consent

Implied consent has an expiry date and needs to be converted into express consent. If you obtain implied consent before July 1, 2014, it will expire on July 1, 2017 (three years after CASL goes into effect). If you obtain implied consent after July 1, 2014, it will expire two years after consent was obtained, but only if the contact doesn’t buy something new or doesn’t renew their subscription, loan, account or contract.


All of the parties who play a material part in the content of the CEM must be identified. A hyperlink to a webpage may be used instead of listing a party. If you’re sending messages on behalf of someone else, you must identify this party.

Unsubscribe Mechanism

All of your CEMs should contain an unsubscribe mechanism. It should be simple, quick, and easy for the end user. You can also set up this function so that the end user can choose whether or not they want to unsubscribe from all or just some types of CEMs your business sends.

For emails, you can provide a clear and prominent hyperlink that allows your end user to unsubscribe. For text messages, the end user should be allowed to unsubscribe by texting the word “STOP”.

Putting CASL into practice

If you already send CEMs, such as email blasts, or would like to send CEMs to existing contacts, determine whether you have implied or express consent to do so. If you have implied consent, you have three years after July 1, 2014 to get express consent (such as by an opt-in email) to continue with CEMs. And if you already have express consent and can prove it, you don’t have to do anything to continue sending CEMs.

Steps to take

Assemble a list of contacts who you do not yet have express consent for and send an email asking for express consent. If you are unsure if you have express consent, add these contacts to the list so you will have proof of express consent in the future. If you are going to continue sending CEMs after July 1st with implied consent, express this in your message as well and let recipients know when you will stop communicating with them if express consent isn’t given. Be thoughtful in your messaging and make your contacts aware of the benefits of continuing to receive CEMs from you.

After July 1st, work to get express consent from any new or existing contact. If you are given implied consent (someone gives you a business card or you enter into a business relationship for example), have a plan to convert that contact to express consent within two years (and to remove them from any CEM list if this isn’t achieved).

If you don’t have a mechanism for tracking when implied consent has been given, we recommend you NOT send CEMs to any contact except those on your express consent list. After each instance of implied consent (business transaction, or business card received), send a single message asking if they’d like to be on your emailing list.

And remember that no matter what, implied consent ends as soon as your contact indicates that they no longer wish to receive CEMs.

If you need help getting this addressed – Kobayashi Online can handle this for you. Contact to become compliant.