Understanding Canada's Anti-Spam Legislation (CASL)

The email marketing landscape is always changing as marketers find new and savvy ways to boost engagement, increase conversions, and maximize their efforts. But, beyond the discussion of open rates, click-throughs, subject lines, A/B testing and deliverability is the issue of compliance.

In an overall sense, there are two rulebooks that email marketers follow:

  • "Best Practices"… which are the processes we abide by because we know it treats our customer’s inbox as a special place and that’s a responsibility we take seriously.
  • "Legal Compliance"… which are the specific and mandatory rules we follow because our actions are governed by law [….and because none of us would do well in prison! 🙂 ]

Most marketers are familiar with the US CAN-SPAM Act of 2003. But, now Canada has their own proposed version of anti-spam legislation that in it’s current state goes much further than it’s US counterpart.

It’s important marketers are aware of the new proposed legislation so they can begin taking action well in advance to ensure they remain in full compliance. While there is still a lot of time to make sure your ducks are all in a row to appease CASL, it’s never too soon to get started.

This post will cover the main highlights of Canada’s proposed Anti-Spam Legislation. For a more in-depth summary, you can read my blog post titled “All About CASL (Canada’s Anti-Spam Legislation) in Plain English”.

I’m Not In Canada, So Why Do I Care?

CASL isn’t just focused on Canadian email marketers, but rather extends its coverage to anyone who is emailing someone that will receive that message within Canada.

So, if you run an eCommerce store out of the USA, but you occasionally sell to people north of the border and have those folks on your mailing list, then CASL is in full force for you.

It’s not just those in North America that have to play under these new rules because the people behind CASL are hoping it’s reach will extend to marketers internationally who are contacting Canadians. In an interview, the CRTC’s chief compliance and enforcement officer, Andrea Rosen, said:

If the spammer is offshore, we have the ability under the law to co-operate with foreign governments, to share information and to bring proceedings together against individuals that are offshore.

There is an exemption written into CASL that if the sender does not know or could not expect to know that the receiver would be using a Canadian computer to access the email, then you’re off the hook. So, if your USA-based eCommerce store doesn’t ship to Canada and you have no Canadian’s on your mailing list, but someone has taken the trip to see the Jays play in Toronto and while there they get your email, you don’t have to panic.

Do keep in mind, however, that ignorance won’t be an excuse so even if you don’t think you have Canadian’s in your database, be sure to be on the lookout for that. At Elite Email, we have been prompting people to look at their geo-reports to get a sense of who is engaging with the email in Canada because it might be more than you think.

What are the key requirements of CASL?

The current proposed regulation is really long and if you care to see the whole thing in it’s entirety, you can click here.

For those that are too busy to read the whole law (…and that is probably ALL of us!) here are the primary requirements:

  • You must have permission BEFORE sending an email.
  • You must be able to prove that you have received clear consent (more on “consent” below)
  • You cannot use false or misleading subject lines or sender names.
  • You must have a working unsubscribe mechanisms where manual requests are processed within a 10 day window and any unsubscribe links are valid for at least 60 days after the send date.
  • You cannot pre-check subscription boxes on firms. Valid consent must be an affirmative action.
  • You must include a physical mailing address as well as an alternate way to reach you, which could take the form of an email address, phone number or link to contact form.
  • You cannot confirm unsubscribes by sending a follow-up email.
  • If an email is being sent “on behalf of” another organization, you must clearly identify both parties.
  • If you are a charity, then you are included in CASL if you are selling or soliciting anything.

One key thing I want to highlight is the notion of subscribing to your mailing list as an affirmative action. I see a lot of signup forms where the box is pre-checked and you have to uncheck it to indicate you don’t want to signup for a mailing list. If your organization is doing this, then it’s one of the first things you should consider changing. It’s a quick change that will ensure all new subscriber acquisitions are valid under CASL.

Signup Form With and Without Affirmative Action

Consent, Consent, and More Consent… It’s All About Consent!

While there are lots of different facets to CASL, if I had to boil it down to one thing, I’d say that the most critical factor is ensuring you have obtained consent properly. If you’ve done that, then you’re heading down a good path.

CASL currently outlines four different scenarios that would qualify as consent.

Consent Scenario #1: Implied Consent

This is the scenario that many people will already be familiar with as it’s the one that is based on an existing business or nonbusiness relationship between the recipient and sender. Essentially, if someone has bought something from your organization or entered into a contract with you then you have a “business relationship” with them. Whereas, if someone does volunteer work for you or becomes part of your organization, then you’ve got a “nonbusiness relationship” with them.

The critical part of this type of implied consent is the 2 year time limitation. From the moment someone purchases something from you, a 2 year window commences where you can email them and be in compliance with CASL without needing any other form of consent. On top of that, if that same person buys something from you again during that window, the clock resets and you get another full 2 years. However, as a general rule of thumb, at some point during that 2 year window, you would want (or need) to obtain explicit consent in order to keep emailing them after that window expires.

Consent Scenario #2: Explicit Consent

I suspect most email marketers are already actively engaged in this type of consent where the recipient gives you direct permission to send them emails. Most commonly you will have a signup form on your website that lets people join your mailing list. This direct type of consent is really at the core of CASL, which is why it’s important that you obtain good evidence to support your practices. Doing things like capturing the date stamp and IP address of a new subscriber when they join your list and then when they confirm their subscription (for double opt-in) will help ensure you’ve got a strong case should someone challenge if consent was obtained.

As I mentioned previously, make sure your signup forms require an affirmative action and not an opt-out action. So, if you’ve got a sneaky pre-checked box that auto-enrols people, you’re going to want to change that up ASAP because it won’t count in the eyes of CASL.

According to CASL, you can also get written or oral consent and while that is acceptable, it should be noted that these methods are far more difficult to prove. If you plan on using these tactics, make sure you’ve got a workflow that allows for the careful documentation of when, where and how consent was obtained.

Consent Scenario #3: Conspicuous Publication

This is a rather unique scenario that is very different than the two above. You can send someone an email if you obtained their email address and the following three criteria are also met:

(i) The email address is clearly published for viewing.
(ii) In the location where the email address is published, there is no specific statement saying that unsolicited emails are not allowed.
(iii) The email you’d be sending to that address is related to that person’s business or official role. [For example, you can email a university professor about a new book that is related to their field of expertise/interest, but you cannot email that same person trying to sell them concert tickets. It’s a bit tough to exactly draw the line on what is related and what is not, so we might see this further clarified CASL.]

Consent Scenario #4: Shared Email Address with the Sender

This is the “business card” or “networking” rule under CASL that lets you send someone an email if they willingly share their address with you. CASL doesn’t want to render the email address on a business card useless, so if someone shares their card with you and doesn’t say they do not want to be emailed, then you can email them and be in compliance. Be sure to document the how, when and where they shared their email address with you so you’ve got that on file in case you need supporting evidence. However, do keep in mind that if you want to start sending someone your monthly newsletter (and not just emailing them as a follow-up to a networking event) you should obtain consent using another method as well.

What Happens If I Break The Rules?

Shame on you! Now go sit in the corner and think about what you’ve done!

But, on top of that shame, penalties for violating CASL can range from a maximum of $1 million for individuals and $10 million for companies.

It should be noted that anyone can bring this new law against a sender, it doesn’t have to just be the government or other legal agency against the sender. Of course, if someone goes down this path and it turns out they were wrong, then they are responsible to cover all court and legal fees.

Also, the reason I have been harping in the sections above about keeping evidence for how you obtained consent is because if you can show that you really made strong efforts to follow every aspects of the rulebook, then that will play a factor in any legal proceedings.

When Does All These New Rules Go Live?

There is still no specific date set so at this point everything is an estimate, although there have already been delays so further delays are not out of the question.

Based on the current flow of events, Industry Canada should have the regulations finalized by the middle of this year (2013). After that, there will be a one year grace period for everyone to digest these new rules and prepare for the coming changes, which will result in CASL going live some time in the middle of 2014.

That being said, there’s no need to wait until the final minutes to start ensuring your compliance with CASL. Although certain parts of the proposed legislation may change, the underlying concepts about the ways you can obtain consent probably won’t change much. So, take a good look at your database now and start to figure out who you may need to re-confirm and what evidence you’ve got to support that consent has been obtained properly (in the eyes of CASL). Review all of your signup and capture forms to make sure that it is an affirmative (and not opt-out) action that enrolls someone on your mailing list. Lastly, doing a periodic top to bottom review of your organization’s email practices can usually either confirm you’ve got your best foot forward and are ready for CASL or highlight areas that you need to improve upon… and there’s no time to take those steps like the present!

* Note: This article is intended to provide general comments about Canada’s new anti-spam legislation. It is not intended to be a comprehensive review nor is it intended to provide legal advice. Readers should not act on information in this article without first seeking advice from their lawyer.

Robert BurkoRobert Burko is CEO of Elite Email, a leading email marketing solution and proud member of the Email Experience Council that has been helping businesses of all sizes harness the power of email for 10 years. Robert has been featured extensively in the media for his knowledge of email marketing, social media and digital trends. You can also find him on .  

One thought on “Understanding Canada's Anti-Spam Legislation (CASL)

  1. Why is it important to obtain a users IP address when they sign up for specific permissions? Is it required by CASL?

Comments are closed.