
CMA Guide to Canada’s Anti-Spam Law (CASL)

A recognized leader in ethical marketing and industry self-regulation, the Canadian Marketing
Association’s Code of Ethics and Standards of Practice establishes operating best practices for
marketers in Canada. The following guidelines are intended as a resource to assist members with
understanding and implementing Canada’s Anti-Spam Law.

Contents
PURPOSE
PURPOSE & REQUIREMENTS OF CANADA’S ANTI-SPAM LAW (CASL)
KEY ELEMENTS OF CASL
Definition of CEM
Practical Considerations for Marketers
Obtaining Consent
Practical Considerations for Marketers
Express vs. Implied Consent
Practical Considerations for Marketers
Proof of Consent
Identification Elements of CASL
Practical Considerations for Marketers
Unsubscribe Elements of CASL
Practical Considerations for Marketers
End of the Transition Period
Practical Considerations for Marketers
KEY EXEMPTIONS
Personal and Family Relationships
Business-to-Business Exemption
Extra-Territorial Exemption
Additional Exemptions
SPECIAL CASES
Impact on Purely Transaction and Service Messages – Section 6(6)
Referral Marketing
Sharing Consents (e.g. list rentals) & Cascading Unsubscribes
Social Media and Online Advertising
Private Right of Action
CASL READINESS CHECKLIST
KEY RESOURCES

Not for redistribution except with the express permission of the CMA.

PURPOSE
This guide is intended to provide CMA members with an overview of Canada’s Anti-Spam Law (CASL),
which was passed by Parliament in December 2010 and came into force, with respect to its commercial
electronic messaging rules, on July 1, 2014. Effective July 1, 2017, CASL’s transition period for implied
consents no longer applies.

In June 2017 CASL’s Private Right of Action provision was indefinitely suspended. While the PRA still
exists as part of the law, this announcement was positive as there are widespread concerns about the
potential negative impacts.

This guide aims to provide members with information on the law’s requirements, key elements and
special cases. Additionally, the guide will provide members with a compendium of important
government and CMA resources that will be essential to review when planning a compliance program.

CASL applies to the sending of commercial electronic messages (CEMs) as well as the installation of
computer programs. This guide will focus solely on the sending of commercial electronic messages, as
this is most relevant for all CMA members. The resources section of this guide will however provide
links to key information on the software provisions of this Act.

Please note that this guideline document does not constitute legal advice. Those with legal
questions specific to their organizations should consult their counsel. Those seeking more information
on the legislation are welcome to contact the Government and Consumer Affairs team at CMA.

PURPOSE & REQUIREMENTS OF CANADA’S ANTI-SPAM LAW (CASL)
As stated in the Act, “The purpose of this Act is to promote the efficiency and adaptability of the
Canadian economy by regulating commercial conduct that discourages the use of electronic means to
carry out commercial activities...” To fulfill this purpose, the Act prohibits damaging and deceptive
spam, spyware, malicious code, botnets and other related network threats. The Act applies to
messages sent into or out of Canada and therefore has extra-territorial applications.

To meet this mandate, the legislation sets out a series of requirements that must be met before a
commercial electronic message can be sent to an electronic address. For the purpose of the Act, an
electronic address includes any electronic mail account, instant messaging account or similar account.
It is therefore very broad and meant to be technologically neutral, to capture all forms of communication
including text, sound, voice or image. The specific requirements will be outlined in detail further on in
this guide.

The majority of CASL and the accompanying Regulations, notably those applying to commercial
electronic messages, came into force on July 1, 2014. The section of the Act and the Regulations
pertaining to computer programs came into force on January 15, 2015. The provisions of the Act that
allow for a Private Right of Action were indefinitely suspended in June 2017. The law contemplates
possibly applying to voice messaging at a future date, but these provisions have not been proclaimed
into effect at this time.

Enforcement of CASL is split between the Canadian Radio-television Telecommunication Commission
(CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada (OPC). The
three bodies have signed a Memorandum of Understanding to facilitate the enforcement process and
respect the sharing of information, cooperation and coordination between the enforcement bodies. The
CRTC is responsible for CASL violations that deal with the sending of commercial electronic messages
(CEMs) without consent, that alter transmission data in the course of a commercial activity without
consent and that install a computer program in the course of a commercial activity. The OPC is
responsible for violations regarding the illegal harvesting of data and the Competition Bureau is
responsible for matters relating to false and misleading representations. As this guide deals with
CASL’s regulations as they pertain to the sending of CEMs, the CRTC is the primary enforcement body
referenced throughout.

The consequences for a violation of CASL are significant. The CRTC may issue notices of violation,
Administrative Monetary Penalties (AMP), injunctions, undertakings or impose a negotiated settlement.
The maximum AMP for an individual is $1 million per violation and the maximum AMP for an
organization is $10 million per violation. There are also provisions in the legislation that allow for
extended liability, including employee vicarious liability and director/officer liability.

Members should be familiar with the legislative framework that supports CASL, by making themselves
aware of the requirements of the law itself. The Act is supported by two sets of Regulations – one
published by the CRTC in March 2012 (the “CRTC Regulations”) and the other by the Governor in
Council in December 2013 (the “Industry Canada Regulations”). Combined, the three documents detail
all CASL’s requirements and must be adhered to in their entirety. The CRTC has issued three
Compliance and Enforcement Information Bulletins, which provide guidance as to its interpretation of
CASL with respect to certain key aspects of the law including the required form and minimum content of
CEMs, obtaining consent and corporate compliance programs. It should be noted that these guidance
documents are not legally binding but provide readers with examples of what the CRTC views as
CASL-compliant procedures. The CRTC has published an Enforcement Advisory setting out the
records documenting consent that it expects to be kept. The CRTC also has published on its website a
useful list of Frequently Asked Questions providing additional guidance, including with respect to how
the CRTC views its role in enforcing CASL; the FAQs are updated periodically by the CRTC. A further
document providing guidance is the Regulatory Impact Analysis Statement (RIAS) which accompanies
the Industry Canada Regulations. This document provides insight into the Government’s rationale
behind the CASL Regulatory package and provides information on how it believes the Act should be
interpreted and enforced. It must be emphasized that the RIAS, like the CRTC Enforcement
Bulletins, should be viewed as guidance, but it is not legally binding.

Note: All the documents referenced above are available in the Resources section at the end of this guide.

KEY ELEMENTS OF CASL


Definition of CEM

Canada’s Anti-Spam Law only applies to the sending of commercial electronic messages to electronic
addresses. “Electronic addresses” are defined in the legislation (CASL) as “e-mail accounts, telephone
accounts, instant messaging accounts” or “other similar accounts”. The Act itself defines a CEM as:

... an electronic message that, having regard to the content of the message, the hyperlinks in
the message to content on a website or other database, or the contact information contained in
the message, it would be reasonable to conclude has its purpose, or one of its purposes, to
encourage participation in a commercial activity, including an electronic message that
(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an
interest in or right in land;
(b) offers to provide a business, investment or gaming opportunity;
(c) advertises or promotes anything referred to in paragraph (a) or (b); or
(d) promotes a person, including the public image of a person, as being a person who
does anything referred to in any of the paragraphs (a) to (c), or who intends to do so.

As should be evident, the definition of a CEM is both exceptionally broad and vague, especially when
one considers that the exchange of money is not a requirement for something commercial to have
occurred. The definition as it was written implied that a simple and common email signature block could
render an otherwise innocuous message a CEM. As a result, CMA actively lobbied the Government
and asked for further clarification on what was meant to be covered in the definition of a commercial
electronic message.

The Government states in the RIAS, “The mere fact that a message involves commercial activity,
hyperlinks to a person’s website, or business related electronic addressing information does not make it
a CEM under the Act if none of its purposes is to encourage the recipient in additional commercial
activity.” For example, the simple inclusion of a logo, a hyperlink or contact information in an email
signature does not necessarily make an email a CEM. Conversely, a tagline in a message that
promotes a product or service that encourages the recipient to purchase that product or service would
make the message a CEM.

As a CEM is a message whose purpose is to encourage participation in a commercial activity, CASL
does not apply to:

• non-commercial activity
• voice, facsimiles or auto-recorded voice calls (robo-calls)
• broadcast messaging including tweets and posts

While it will be addressed in the Special Cases section of this Guide, it should be noted that language in
Section 6(6) of the Act would seem to imply that certain messages that are not necessarily commercial
in nature, such as warranty information, transaction confirmations and notices of factual information are
actually considered CEMs for the purposes of CASL.

Practical Considerations for Marketers

It is important for organizations to review every message that is being sent to determine if it is a CEM
and subsequently, if CASL applies. The prevalence of commercial content must be assessed when
determining if a message is a CEM. A newsletter that has banner ads, for example, is clearly a CEM
even if the content of the newsletter is purely informative. The Government has urged organizations to
err on the side of caution: if there is any chance that the message could be interpreted as
having commercial content, then it likely is a CEM.

Key question to ask yourself: is one of the purposes to encourage the recipient to participate in
commercial activity?

Some parts of the message to look at are:

• The content of the message
• Any hyperlinks in the message to website content or a database, and
• Contact information in the message.

Obtaining Consent

If a CEM is to be sent, the Act states that consent must be obtained prior to the sending of the
message. Consent may be obtained in a variety of methods and will fall into two categories: express
consent and implied consent. The Act stipulates that certain conditions must be met when seeking
consent for the purposes of sending a CEM.

In clear and simple terms, the sender must outline the purpose or purposes for which consent is being
sought and include prescribed information that identifies the person seeking consent and, if the person
is seeking consent on behalf of another person, prescribed information that identifies that other person.

Included in the CRTC’s Regulations are additional requirements regarding information to be included in
a request for consent. Regulation 4 states:

4. For the purposes of subsections 10(1) and (3) of the Act, a request for consent may be
obtained orally or in writing and must be sought separately for each act described in sections 6
to 8 of the Act and must include

(a) the name by which the person seeking consent carries on business, if different from their
name, if not, the name of the person seeking consent;

(b) if the consent is sought on behalf of another person, the name by which the person on
whose behalf consent is sought carries on business, if different from their name, if not, the name
of the person on whose behalf consent is sought;

(c) if consent is sought on behalf of another person, a statement indicating which person is
seeking consent and which person on whose behalf consent is sought; and

(d) the mailing address, and either a telephone number providing access to an agent or a voice
messaging system, an email address or a web address of the person seeking consent or, if
different, the person on whose behalf consent is sought; and

(e) a statement indicating that the person whose consent is sought can withdraw their consent.

Practical Considerations for Marketers

Organizations must review the methods by which they seek and obtain consent, for example at point of
sale, online or by telephone, and assess it against CASL’s requirements. They will also need to take
into consideration CASL’s retention requirements, which will be discussed in the section on Proof of
Consent.

Anytime an organization seeks consent for the purposes of sending a CEM, they must be sure to
include the prescribed information requirements listed above. Members may wish to take note of the
requirement to include information if consent is sought on behalf of others such as affiliates or unknown
third parties (i.e. for list rentals).

Express vs. Implied Consent

Two different types of consent are contemplated by CASL; they are obtained in different manners and
are valid for different periods of time. Both can be obtained orally and in writing.

Express consent is the Government’s preferred type of consent. If express consent is obtained it is valid
indefinitely or until consent is revoked. This form of consent may be preferable for some marketers as
this consent does not expire.

On top of the requirements outlined in the section above, the Government has indicated that
express consent can only be obtained by the potential message recipient taking a positive
action to indicate that they wish to receive commercial electronic messages. The CRTC has
offered guidance on what this means in the Compliance and Enforcement Information Bulletins
2012-548 and 2012-549. While these Bulletins are not binding, they do offer insight into how the
enforcement body interprets the legislation.

Members should take note of two key points arising from these documents. First, the CRTC indicates
that it expects consent to be sought separately from the terms and conditions of a contract and that if
toggling is to be used as a method to obtain consent, a default toggling of positive consent cannot be
used. A user must actively “check the box” to opt-in. Despite the non-binding status of these
documents, discussions with the CRTC have shown that in order to be CASL compliant, these
guidelines must be adhered to with respect to obtaining consent.

Implied consent can also be used to fulfill CASL’s consent requirements. Unlike express consent,
implied consent isn’t something that is generally sought, but rather something that is triggered and
sustained by a specific set of circumstances, which may change, causing the implied consent to expire.
One of the critical differences between the two types of consent is that implied consent is usually based
on an existing business or existing non-business relationship between the sender and the recipient and
expires two years after the last transaction or six months after an inquiry, according to the Act’s
definition. As a result, marketers must be able to track the date consent was obtained and subsequently
the date that it will expire.

For situations that trigger an implied consent relationship, marketers are advised to refer to Sections
10(9), 10(10) and 10(13) of the Act. In summary, three situations would allow a sender to assume
consent of the recipient:

1. The person who sends the message, the person who causes it to be sent or the person who
permits it to be sent has an existing business or an existing non-business relationship with the
person to whom it is sent.
2. The person to whom the message is sent has conspicuously published, or has caused to be
conspicuously published, the electronic address to which the message is sent (for example, an
online directory), the publication is not accompanied by a statement that the person does not
wish to receive unsolicited commercial electronic messages at the electronic address and the
message is relevant to the person’s business role, functions or duties in a business or official
capacity.
3. The person to whom the message is sent has disclosed, to the person who sends the message,
the person who causes the message to be sent or the person who permits it to be sent, the
electronic address to which the message is sent (for example, by providing a business card),
without indicating a wish not to receive unsolicited commercial electronic messages at the
electronic address, and the message is relevant to the person’s business role, functions or
duties in a business or official capacity.

The Act further details what sorts of circumstances would constitute an existing business relationship
(EBR) or an existing non-business relationship. It is worth noting that the exchange of money is not
necessary to satisfy the requirements of an EBR. Additionally, a contract or subscription service does
constitute an EBR and the two-year time limit begins upon termination of the contract. Section 10(10)
also indicates that the EBR established as a result of an inquiry or application is only valid for six
months and not two years.

While the conspicuous publication and disclosure situations do trigger an implied consent relationship,
they are not bound by the same time restrictions as an EBR or existing non-business relationship.

The implied consent provisions, while prescribed, are in practice quite broad and allow for the obtaining
of contact information in a way that is common to regular business activity. For example, were someone
to hand you a business card at an event, you would have implied consent to contact them regarding
their business, as long as they did not indicate that they did not wish to hear from you at that email
address. In the same vein, if someone were to purchase something from you, you have implied consent
to contact them.

The RIAS statement also indicates that consent is renewed with every new transaction. In practice this
means two things. First, the two-year validity for implied consents is applied to the date of the last
transaction, effectively rolling forward with each new transaction. The second understanding that results
from the RIAS statement is that even if someone has withdrawn consent to receive CEMs, if they
establish a new EBR (in practice, if they purchase another product despite having unsubscribed from
your marketing list), implied consent is renewed for another two years. While contemplated in the RIAS,
CMA would urge marketers to carefully consider and assess such cases to decide whether a
resumption of messaging will meet consumers’ expectations and marketing best practices.

Practical Considerations for Marketers

Bearing in mind their current practices, marketers will need to assess their marketing strategies to
determine whether obtaining express or implied consent is the best strategy for them. If marketers wish
to rely on express consent as a means to satisfy the consent requirement of CASL, they will want to be
sure that they can document that a positive and separate action has been taken to indicate the desire to
receive commercial electronic messages.

Depending on an organization’s business practices, obtaining express consent might neither be
necessary nor desired, if the business is confident that they can continually renew an implied consent
relationship within the two-year timeline.

Nothing prevents marketers from utilizing both forms of consent. For example, marketers will want to
develop a strategy regarding the timing of seeking express consent, either upfront or at some point
during the six-month or two-year implied consent time frame. Marketers may also wish to utilize
different types of consent in different situations. The choice of express or implied consent remains with
the organization; the Act simply requires that one of the two be obtained prior to the sending of a CEM.

Proof of Consent

Not only does CASL stipulate that consent must be obtained, be it express or implied, prior to the
sending of a CEM, it also indicates that the burden of proof rests with the organization to demonstrate
that they’ve met the consent requirements. When considering the tracking or recording of consent,
marketers should consider whether consent was obtained in writing or orally, when it was obtained, why
it was obtained, and the manner in which it was obtained. The CRTC’s Enforcement Advisory - Notice
for businesses and individuals on how to keep records of consent outlines the requirements under
CASL pertaining to record keeping. Marketers should consider keeping a hard copy or an electronic
record of, among others:

• all evidence of express and implied consent from consumers who agree to receive CEMs.
Examples include: date, time, IP address, audio recordings, copies of signed consent forms or
web forms, completed electronic forms, the actual business card that has been obtained.
• documented methods through which consent was collected.
• policies and procedures regarding CASL compliance.
• all unsubscribe requests and resulting actions.

Additional examples of how marketers can prove consent are available in the CRTC’s Canada’s
Anti-Spam Legislation (CASL) Guidance on Implied Consent.

In conjunction with the record keeping requirements stated above, marketers should develop corporate
compliance programs, which may help facilitate compliance, reduce the likelihood of violating CASL,
and help businesses establish a due diligence defense in relation to a violation prescribed by CASL.
The components of a corporate compliance program include senior management involvement, risk
assessment, written corporate compliance policies, record keeping, formal training, auditing and
monitoring, complaint-handling and corrective action practices. Compliance and Enforcement
Information Bulletin CRTC 2014-326 provides detailed guidance.

Identification Elements of CASL

In addition to requiring prior consent to send commercial electronic messages, CASL also requires that
all messages include certain prescribed information requirements about the sender as well as a
functioning unsubscribe mechanism.

The identification requirements are detailed in the CRTC Regulations:


2. (1) For the purposes of subsection 6(2) of the Act, the following information must be set
out in any commercial electronic message:
(a) the name by which the person sending the message carries on business, if different from
their name, if not, the name of the person;
(b) if the message is sent on behalf of another person, the name by which the person on whose
behalf the message is sent carries on business, if different from their name, if not, the name of
the person on whose behalf the message is sent;
(c) if the message is sent on behalf of another person, a statement indicating which person is
sending the message and which person on whose behalf the message is sent; and
(d) the mailing address, and either a telephone number providing access to an agent or a voice
messaging system, an email address or a web address of the person sending the message or, if
different, the person on whose behalf the message is sent.
(2) If it is not practicable to include the information referred to in subsection (1) and the
unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act in a commercial electronic
message, that information may be posted on a page on the World Wide Web that is readily
accessible by the person to whom the message is sent at no cost to them by means of a link
that is clearly and prominently set out in the message.

Every CEM that is sent must adhere to the requirements listed above. Guidance regarding their
application with respect to affiliates and marketing partners, some or all of which may have participated
in developing the message, is provided by the CRTC’s FAQs: “only the persons who play a material role
in the content of or the choice of the recipients must be identified.” The FAQs give the example of an
email service provider that provides a service to its clients to send emails. If the email service provider
has no input on the content of the message, nor on the recipient list, it does not need to be identified in
the CEMs sent by clients using its service. However, when a CEM is sent on behalf of other persons,
such as affiliates, all of these persons must be identified in a CEM.” In the case where this is necessary,
but not practicable, marketers may make use of the provision in CRTC Regulation 2(2) whereby the
information may be provided in a readily accessible link.

Practical Considerations for Marketers

Marketers will need to ensure that all electronic marketing communications templates cover the
identification requirements and decisions will need to be made where necessary as to when it will be
acceptable to use a link to permit consumers to access more detailed information. This may be helpful in
situations where SMS messaging is utilized, or a long list of affiliates is involved.

Unsubscribe Elements of CASL

Under CASL, you must include an unsubscribe mechanism in the commercial electronic messages
(CEMs) that you send. For example, a CEM sent via SMS may state that an end-user can unsubscribe
by texting the word "STOP." Another possibility is a hyperlink that is included clearly and prominently in
an email that allows the end-user to unsubscribe by simply clicking it. The hyperlink may also be to a
webpage that is readily accessible without delay and is at no cost to the recipient.

You can set up your unsubscribe mechanism in many different ways. It can be broad or very granular.
For example, you can offer a choice to the recipient, allowing them to unsubscribe from all or just some
types of CEMs your organization sends.

A key aspect is that an unsubscribe mechanism must be "readily performed." It should be simple, quick
and easy for the end-user.

One example of an acceptable unsubscribe mechanism that meets the criteria for ‘readily performed’
in the view of Commission staff, would be an unsubscribe link in an email that takes the user to a web
page where he or she can unsubscribe from receiving all or some types of CEMs from the sender. In
the case of a short message service (SMS), the user should have the choice between replying to the
SMS message with the word “STOP” or “Unsubscribe” or clicking on a link that will take the user to a
web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.

One example of a non-compliant unsubscribe mechanism that does not meet the criteria of ‘readily
performed’ in the view of Commission staff, would be an unsubscribe mechanism where the user would
be required to take several steps to unsubscribe. Here is an example of a 6 (six) step approach that
would be considered non-compliant under CASL:

1. The user is required to click on an “unsubscribe” hyperlink within a CEM;
2. The user is then taken to a webpage and must navigate through text that contains multiple links
trying to locate the link that will allow the user to unsubscribe from future CEMs;
3. Once the “unsubscribe” link is found and clicked, the user is redirected to a ‘login’ button;
4. The user is required to log into their existing account with their user name and password;
5. They are then redirected to a page that provides them with a selection to “Quit / Give up / Delete
Account” or “Unsubscribe” located at the bottom of the webpage;
6. Only after all these steps are completed, does the user receive a notice that the account has
been deleted or that they are now unsubscribed.

For more examples of acceptable unsubscribe mechanisms under CASL, please see Compliance and
Enforcement Information Bulletin CRTC 2012-548.

It is required that the unsubscribe mechanism allow the person to whom the CEM is sent to indicate, at
no cost to them, that they no longer wish to receive messages from the person who has sent the
message or, if different, the person on whose behalf the message is sent. The link provided in the
unsubscribe mechanism must be valid for 60 days and the unsubscribe must be processed without
delay, and in any event no later than 10 business days after the unsubscribe request is sent.

Practical Considerations for Marketers

Organizations need to ensure that they have an unsubscribe mechanism built into every message and
that they create a process to either link this to their database automatically or create their own
dedicated suppression list.

Members may wish to utilize a preference centre to help users customize their messaging options.
There is a requirement to allow users to readily unsubscribe from all CEMs, but nothing prevents an
organization from also providing more granular options in an attempt to dissuade users from
unsubscribing from everything.

End of the Transition Period

Effective July 1, 2017, CASL’s transition period for obtaining consents provided under section 66 no
longer applies.

The transition period provides a basis of implied consent that is significantly more flexible than the
standard implied consent rule available for existing business and non-business relationships between
organizations and their contacts (i.e. existing or prior customers, donors, volunteers). In essence it
implies a contact’s consent for a period of three years after the day the Act came into force (July 1,
2014), provided that the organization has an EBR or existing non-business relationship with the contact
and that the relationship has included the sending of CEMs. Under Section 66, the past EBR is not
subject to the 2-year time limit. That is to say that if you had an existing business relationship with an
individual 10 years ago, and that the relationship has included the sending of CEMs, then you may avail
yourself of the transitional provision. The Government has indicated that they view this transition period
as an opportunity for organizations to transform their implied consent database to an express consent
one.

What this means is that if an organization, for example, has sold or leased a product to a contact, at
any time in the past, or – to give another example – a contact has made an inquiry respecting such a
potential transaction, at any time in the past, provided there has been at least some communication via
CEM, consent for the organization to send CEMs is implied. Therefore, while CASL does not
grandfather prior consents obtained under other rules such as PIPEDA, the three-year transitional rule
in effect provides a time-limited grandfathering of relationships extending back in time, without limitation
as to when a relationship was established.

CASL also contains a limited grandfathering provision with respect to express consents. The RIAS
makes this clear by the statement, “Express consents, obtained before CASL comes into force, to
collect or to use electronic addresses to send commercial electronic messages will be recognized as
being compliant with CASL.” This would indicate that organizations would not need to re-qualify their
existing databases where express consent had been obtained by some positive action by the
consumer.

Practical Considerations for Marketers

The transition period has served two key functions. Firstly, by the more flexible nature of its
requirements, it has given organizations greater scope for satisfying the criteria otherwise applicable
under the EBR and existing non-business relationship rules. Specifically, the open-ended time frame for
establishing relationships provided greater scope than the two-year period that applied to relationships
entered into following July 1, 2014 and which will now apply to all relationships from July 1, 2017. For
those organizations that have been relying, in effect, on the flexibility provided by this rule to backstop
their intended compliance with CASL’s standard implied consent rules, and which intend to rely
significantly on implied consent going forward, the end of the transition period presents an opportunity
to review and reconfirm their compliance systems. Secondly and very importantly, the transition period
has provided organizations with an additional three-year window in which to obtain express consent or,
alternatively, to ensure compliance with one or other of the Act’s consent exceptions or implied consent
rules.

If organizations are going to rely on the limited grandfathering provision for express consents provided
for in CASL, they must consider that the burden of proof regarding consent rests with the organization
and in many cases, organizations may find it difficult to prove express consents for previously obtained
information.

KEY EXEMPTIONS
While CASL is quite complex and intended to cover a broad array of communication situations, there
are also many exemptions to all or parts of the Act. Therefore, while it is essential for organizations to
be aware of CASL’s requirements, before enacting a compliance program or a new messaging
campaign, they will want to ensure that the types of messages they are sending are not excluded from
the Act. The list of full exemptions can be found in Section 6(5) of the Act and is supplemented by
Governor in Council Regulation 3. Some of the key exemptions are discussed below.

Personal and Family Relationships

There is a wholesale exemption from CASL for CEMs that are sent in the context of a personal or family
relationship. These are defined terms in the Governor in Council Regulations:

2. For the purposes of paragraph 6(5)(a) of the Act,

(a) "family relationship" means the relationship between an individual who sends a message and
the individual to whom the message is sent if those individuals are related to one another
through a marriage, common-law partnership or any legal parent-child relationship and those
individuals have had direct, voluntary, two-way communication; and

(b) "personal relationship" means the relationship between an individual who sends a message
and the individual to whom the message is sent, if those individuals have had direct, voluntary,
two-way communications and it would be reasonable to conclude that they have a personal
relationship, taking into consideration any relevant factors such as the sharing of interests,
experiences, opinions and information evidenced in the communications, the frequency of
communication, the length of time since the parties communicated or whether the parties have
met in person.

It is important to note that the definition of "personal relationship" should remain limited to close
relationships, helping to prevent potential spammers from exploiting this concept to send CEMs without
consent.

Also, a "personal relationship" is one that exists between individuals. Legal entities, such as
corporations, cannot have a personal relationship. Someone who sends a CEM on behalf of a
corporation may not claim to have a personal relationship with the recipient.

Source:
http://crtc.gc.ca/eng/internet/infograph.htm#cem6

Members will want to take note of these exemptions, especially since they will likely play a large role in
the construction of refer-a-friend marketing campaigns. To reduce liability, it will be crucial for marketers
to include wording that indicates that messages should only be forwarded on to those with whom the
senders have a personal or family relationship. It might be advisable to include reference to CASL and
select excerpts from the definition or a link.

Business-to-Business Exemption

A second key exemption organizations will want to evaluate is with respect to business-to-business
communications. Two exemptions have been articulated in the Governor in Council Regulations:

3. Section 6 of the Act does not apply to a commercial electronic message

(a) that is sent by an employee, representative, consultant or franchisee of an organization

(i) to another employee, representative, consultant or franchisee of the organization and the
message concerns the activities of the organization, or

(ii) to an employee, representative, consultant or franchisee of another organization if the
organizations have a relationship and the message concerns the activities of the organization to
which the message is sent;

In the first instance, the requirements of CASL – consent, identification and unsubscribe – do not need
to be adhered to when sending CEMs within an organization as long as the material relates to the
affairs of the organization. The more significant exemption is the second point, where messages sent
between organizations that have a relationship are wholly exempt from CASL provided the message
relates to the business affairs of the organizations. Members will want to take note of the term
‘relationship’ and notice that the term ‘existing business relationship’ has not been used. It is CMA’s
understanding that this choice of wording was intentional on the part of the Government and was
intended to be a very broad term to ensure that regular business communications are not unduly
regulated. Members engaged in business-to-business marketing will need to carefully assess the extent
to which the business “relationship” exemption applies to their activities. Where there has been no
relationship of any kind, organizations will have to rely on the implied consent provisions where a
contact has published or otherwise disclosed their contact information. Failing this, organizations will
need to find a way to seek express consent. Note, if the CEM does not concern the activities of the
organization, or if the organizations do not have a relationship, then the requirements under section 6 of
the legislation apply.

Extra-Territorial Exemption

For section 6 of CASL to apply, a computer system located in Canada must be used to send or access
the CEM. Simply routing a CEM through Canada is not enough to engage section 6.

There is however an exemption in the Governor-in-Council Regulations that is intended for CEMs sent
from Canada to foreign countries. Paragraph 3(f) of the Regulations excludes such CEMs, if certain
conditions are met:

• The foreign country must be listed in Schedule 1 of the Regulations;
• The CEM must be sent in compliance with the foreign law, which addresses conduct that is
substantially similar to the conduct prohibited in section 6 of CASL; and
• The sender (or person who causes or permits the CEM to be sent) must reasonably believe that
the CEM will be accessed in a foreign state listed in Schedule 1.

Therefore, if messages are to be delivered to one of the foreign states listed in the schedule (appended
to the final Regulations), then the sender is required to follow the rules of that state and not CASL. The
scheduled list includes 116 countries, all of which are judged to have some form of meaningful anti-spam
regulation. Should marketers be sending to a country not included on the schedule, they will be
required to abide by CASL.

Additional Exemptions

This list of exemptions is not exhaustive. Others include:

• Messages sent over a closed network, such as WhatsApp or BlackBerry Messenger.
• Messages sent to a limited-access secure and confidential account to which messages can only
be sent by the person who provides the account, such as portals operated by financial
institutions.
• Messages attempting to enforce a legal right or court order.
• Messages sent on behalf of a political organization where the message has as its primary
purpose soliciting a contribution. However, if a political party sends, by e-mail, a newsletter
which also contains advertisements and encourages the recipient to participate in a commercial
activity with the entities being advertised, then section 6 of the CASL may apply without any
exemption, since the primary purpose of the message may not be to solicit contributions for the
political party.
• Messages sent on behalf of a registered charity where the message has as its primary purpose
raising funds for the charity. Examples of this include:

1) A CEM, sent by or on behalf of a charity, which promotes an event and/or the sale of
tickets for an event – where the proceeds from ticket sales flow to the registered charity.
2) A registered charity sends, by e-mail, a newsletter which provides information about the
charity’s activities or an upcoming campaign, but which also contains a section which
solicits donations and may also mention corporate sponsors who supported the charity
(but does not encourage the recipient to participate in a commercial activity with that
sponsor). While this message may be considered a CEM under CASL, the primary
purpose of the message may be viewed as raising funds; therefore, the exemption in the
GiC Regulations would apply.
3) If a registered charity sends, by e-mail, a newsletter which provides information about
the charity’s activities or an upcoming campaign, and does not contain any material that
seeks to encourage the recipient to participate in a commercial activity, then the
message would not be a CEM for the purpose of CASL.
Where the primary purpose is not raising funds, then section 6 of CASL may apply without any
exemption, e.g. if a registered charity sends, by e-mail, a newsletter which provides information about
the charity’s activities but also advertises the corporate sponsors and encourages the recipient to
participate in a commercial activity with that sponsor.

Members should consult the Governor in Council Regulation 3 for a complete list.

SPECIAL CASES
This section is intended to outline additional considerations businesses will want to make with respect
to Canada’s Anti-Spam Law.

Impact on Purely Transaction and Service Messages – Section 6(6)

As mentioned earlier, CASL only applies to the sending of commercial electronic messages, as the
term is defined in the Act. If a CEM is being sent, the consent, identification and unsubscribe
requirements must be met unless the situation calls for an exemption of CASL. Section 6(6) of the Act
introduces a new class, where the messages are exempt from the consent requirements, but still
require the identification and unsubscribe requirements prescribed in the law.

Members are strongly encouraged to review Section 6(6) as this section includes a class of messages
that one would not likely consider to be commercial. It reads:

6. (6) Paragraph (1)(a) does not apply to a commercial electronic message that solely

(a) provides a quote or estimate for the supply of a product, goods, a service, land or an interest
or right in land, if the quote or estimate was requested by the person to whom the message is
sent;

(b) facilitates, completes or confirms a commercial transaction that the person to whom the
message is sent previously agreed to enter into with the person who sent the message or the
person – if different – on whose behalf it is sent;

(c) provides warranty information, product recall information or safety or security information
about a product, goods or a service that the person to whom the message is sent uses, has
used or has purchased;

(d) provides notification of factual information about

(i) the ongoing use or ongoing purchase by the person to whom the message is sent of a
product, goods or a service offered under a subscription, membership, account, loan or
similar relationship by the person who sent the message or the person – if different – on
whose behalf the message is sent, or

(ii) the ongoing subscription, membership, account, loan or similar relationship of the
person to whom the message is sent;

(e) provides information directly related to an employment relationship or related benefit plan in
which the person to whom the message is sent is currently involved, is currently participating or
is currently enrolled;

(f) delivers a product, goods or a service, including product updates or upgrades, that the person
to whom the message is sent is entitled to receive under the terms of a transaction that they
have previously entered into with the person who sent the message or the person – if different –
on whose behalf it is sent; or

(g) communicates for a purpose specified in the regulations.

While prior consent is not necessary, a strict reading of the law suggests that the identification and
unsubscribe requirements be met on these types of messages. Section 6(6) removes the need for
consent, although it does not specifically exempt the sender from the unsubscribe requirement.
However, these “service-type” messages arguably do not constitute CEMs, in which case they are not
subject to CASL and therefore do not require an unsubscribe message. While it is arguable that the
identification and unsubscribe requirements are not needed, a more conservative approach is to include
an unsubscribe message which states that recipients can choose to unsubscribe from general marketing
messages (i.e. regular CEMs) but that they will continue to receive service notices such as that in the
message.

We believe that in the interim organizations can comply with this confusing feature of CASL by ensuring
that such “service” messages include no unnecessary references to other products or services, and that
they include an unsubscribe offer and link that permits recipients “to decline further CEMs, which does
not include communications such as this service message.”

Referral Marketing

A common form of business development involves referral marketing. This is especially true in certain
industry sectors. As a result of the prior consent requirement in CASL, this sort of marketing would be
difficult, if not impossible. The Governor in Council Regulations introduced a provision whereby the prior
consent provision is waived for the sending of the first email provided a certain set of circumstances is
met.

4. (1) Paragraph 6(1)(a) of the Act does not apply to the first commercial electronic message
that is sent by a person for the purpose of contacting the individual to whom the message is sent
following a referral by any individual who has an existing business relationship, an existing non-
business relationship, a family relationship or a personal relationship with the person who sends
the message as well as any of those relationships with the individual to whom the message is
sent and that discloses the full name of the individual or individuals who made the referral and
states that the message is sent as a result of the referral.

This will allow for this common business practice to continue, so long as the person making the referral
has a relationship with both parties and that the person sending the CEM identifies the person making
the referral. This one message is only exempt from the consent provisions of CASL and must still
contain the requisite identification and unsubscribe requirements. A subsequent/follow-up message
cannot be sent without consent.

List Sharing, 3rd Party List Rentals & Cascading Unsubscribes

List Sharing

There are provisions in CASL that allow for organizations to share their marketing contact lists with third
parties that were unknown at the time the organization obtained consent from the consumer(s).
Provided the appropriate form of express consent has been separately obtained by the list owner, an
unknown third party may send a CEM to the person who has provided consent to receive such
messages. The Governor in Council Regulations detail this process:

5. (1) For the purposes of paragraph 10(2)(b) of the Act, a person who obtained express
consent on behalf of a person whose identity was unknown may authorize any person to use the
consent on the condition that the person who obtained it ensures that, in any commercial
electronic message sent to the person from whom consent was obtained,

(a) the person who obtained consent is identified; and

(b) the authorized person provides an unsubscribe mechanism that, in addition to meeting the
requirements set out in section 11 of the Act, allows the person from whom consent was
obtained to withdraw their consent from the person who obtained consent or any other person
who is authorized to use it.

(2) The person who obtained consent must ensure that, on receipt of an indication of withdrawal
of consent by the authorized person who sent the commercial electronic message, the
authorized person notifies the person who obtained consent that consent has been withdrawn
from, as the case may be,

(a) the person who obtained consent;

(b) the authorized person who sent the commercial electronic message; or

(c) any other person who is authorized to use the consent.

(3) The person who obtained consent must without delay inform a person referred to in
paragraph (2)(c) of the withdrawal of consent on receipt of a notification of withdrawal of consent
from the person referred to in that paragraph.

(4) The person who obtained consent must give effect to a withdrawal of consent in accordance
with subsection 11(3) of the Act, and, if applicable, ensure that a person referred to in
paragraph (2)(c) also gives effect to the withdrawal in accordance with that subsection.

While there are also the standard identification and unsubscribe requirements and the new requirement
to indicate the person who obtained consent, undoubtedly the most complex part of this requirement
relates to the extent of the unsubscribe process that must take place when withdrawing from unknown
third parties. The RIAS statement attempts to further clarify what is meant by the Regulation:

“The basic principle for the use of an unknown third-party consent is that any time a third-party
business uses that consent, they must provide the opportunity for the recipient to withdraw
consent from all third parties. Specifically, the Regulations require that the recipient (i.e. the
individual who provided consent) must have the ability to unsubscribe from third party
messages, and the mechanism allowing them to do so must be within the CEMs they receive
from those third parties. This requires that businesses using this form of consent to send CEMs
must be able to alert the original requester that the recipient's consent to receive messages from
unidentified third parties is withdrawn. The Regulations further provide that when consent to
receive messages from a third party has been withdrawn by the individual, the original requestor
must notify each third party to whom the consent was provided that the consent has been
withdrawn.”

For example, a consumer provides unknown third-party consent to a travel agent, who in turn shares
the consumer’s information with an airline company, a car rental company and a hotel company. Each
third party’s message must meet the identification requirements outlined in CASL, must identify the
person who originally obtained consent and must offer the consumer a) the ability to unsubscribe from
messages their organization sends, as is generally required by CASL, and b) the opportunity to
unsubscribe from future sharing of their consent to share information with any unknown third parties.

Even with this allowance, the process remains quite complex. Marketers will want to ensure they have
the capability and contract provisions in place to meet the cascading unsubscribe requirements before
they engage in any list sharing activities. Organizations will want to ensure that their list users are using
the appropriate unsubscribes. If the user fails to use the dual unsubscribe process the default will be to
revoke consent from all.

Practical Consideration for Marketers when utilizing 3rd Party List Rentals

Unlike the sharing of lists across multiple organizations, the list rental market has adopted its own
industry best standards with respect to third party marketing. These include:

• Data not being released to unknown third parties for their own marketing initiatives i.e. the data
typically resides in one place - with the List Owner or exclusive deployment house.
• The “from” line clearly states the organization that obtained the express consent from the
Consumer.
• A clear indication of the source of the data (consent) in the opt-out verbiage.
• An opportunity to opt out from all third-party deployments via one opt out link or Customer
Preference page. The link provided in the unsubscribe mechanism must be valid for 60 days
and the unsubscribe must be processed without delay, and in any event no later than 10
business days after the unsubscribe request is sent.
• The List Owner’s corporate mailing address, and either a phone #, email address or website
address.

• The Marketer’s corporate mailing address and either a phone #, email address or website
address (typically in the footer of the message).

Marketers should be wary of organizations that are willing to share their list(s) with unknown third
parties. As the unsubscribe element is so vital to CASL compliance, it is best to err on the side of
caution and only work with reputable Email List Brokerage companies and/or List Owners directly.

Social Media and Online Advertising

CASL is intended to be neutral in terms of technology and channel/platform and, as a result, many
questions have been raised on how it applies to other forms of electronic advertising such as social
media, banner advertising and online behavioural advertising.

CASL applies to CEMs that are “sent to” an “electronic address”. “Electronic addresses” are defined in
the legislation (CASL) as “e-mail accounts, telephone accounts, instant messaging accounts” or “other
similar accounts”.

The CRTC takes this position with respect to the electronic address and Social Media 1:

Some social media accounts may constitute a 'similar account'. Whether a "similar account" is an
electronic address depends on the specific circumstances of the account in question. For example, a
typical advertisement placed on a website or blog post would not be captured. In addition, whether
communication using social media fits the definition of "electronic address," must be determined on a
case-by-case basis, depending upon, for example, how the specific social media platform in question
functions and is used. For example, a Facebook wall post would not be captured. However, messages
sent to other users using a social media messaging system (e.g., Facebook messaging and LinkedIn
messaging), would qualify as sending messages to "electronic addresses".

Websites, blogs and micro-blogging would typically not be considered to be electronic addresses.

Like the CRTC, Industry Canada, in its Regulatory Impact Analysis Statement, distinguishes between
merely blogging or micro-blogging and messages that are sent to electronic addresses 2:

“Another concern is how CASL might apply to CEMs on popular social networking services or instant
messaging services. Where they are not sent to electronic addresses, the publication of blog posts or
other publications on micro-blogging and social media sites does not fall within the intended scope of
the Act”.

Although some might consider a tweet or a Facebook post a “commercial electronic message”, the act
of publishing is not affected by CASL because it is public, akin to content shared on your own website.
Under CASL, businesses can tweet, update their company status, and post Instagram photos without
consent and identification requirements. See the guidance issued by Industry Canada.

When businesses use direct messaging on social media to contact individuals or groups - for
commercial messages to such electronic addresses, the business would need consent of the individual,
or otherwise would require the communication to fall under one of the exemptions or exceptions. While
there is an exemption for messages sent and received on an electronic messaging service, the
exemption is stated to apply only if “the information and unsubscribe mechanism that are required
under subsection 6(2) of the Act are conspicuously published and readily available on the user interface
through which the message is accessed, and the person to whom the message is sent consents to
receive it either expressly or by implication.”

1 http://www.crtc.gc.ca/eng/com500/faq500.htm
2 http://fightspam.gc.ca/eic/site/030.nsf/eng/00271.html

As such, it would follow that many social media messages (including Facebook and LinkedIn) are
exempt from CASL – so long as the messages are between connections, friends, followers, etc. and
meet the 3(d) conditions. This is due to the fact that a) many social media platforms provide sender
identification, b) they offer an ability to unsubscribe (by un-friending, dis-connecting, un-following,
blocking, etc.), and c) there is implicit consent provided when you connect, befriend, follow, etc.

The Government seems to have taken a more clear-cut approach with respect to online advertising and
indicated in the RIAS that, “Insofar as IP addresses are not linked to an identifiable person or to an
account, IP addresses are not electronic addresses for the purposes of CASL.” It is worth once again
pointing out that anything said in the RIAS is not legally binding, but CMA believes the Government’s
interpretation on this matter is consistent with the intent and letter of the law.

Private Right of Action

In June 2017, CASL’s Private Right of Action (PRA) was indefinitely suspended by the Federal
Government. Since the PRA still exists as part of the law and could take effect at a future date, it is still
valuable to understand what it entails.

The PRA provision of the Act provides significant additional sanctions for noncompliance with CASL’s
electronic messaging and computer download prohibitions as well as the provisions adopted under
CASL amending PIPEDA and the Competition Act.

The PRA gives a monetary remedy to persons (i.e. both individuals and businesses) affected by any or
all contraventions of Sections 6 to 9 of CASL, PIPEDA’s e-mail harvesting provisions and the
Competition Act’s false or misleading email reviewable conduct provisions. Section 47 (1) reads as
follows:
47. (1) A person who alleges that they are affected by an act or omission that constitutes a
contravention of any of sections 6 to 9 of this Act or of section 5 of the Personal Information
Protection and Electronic Documents Act that relates to a collection or use described in
subsection 7.1(2) or (3) of that Act — or that constitutes conduct that is reviewable under section
74.011 of the Competition Act — may apply to a court of competent jurisdiction for an order
under section 51 against one or more persons who they allege have committed the act or
omission or who they allege are liable for the contravention or reviewable conduct by reason of
section 52 or 53.
The potential remedies are significant – in addition to actual losses or expenses, persons may recover,
without any proof of loss, monetary amounts of up to $1,000,000 per day for each day that a
contravention or reviewable conduct occurs or continues. Under Section 51(1), the court, if satisfied that
there has been a contravention or reviewable conduct, may order the person or persons against whom
remedies are sought to pay the complainant:

(a) compensation in an amount equal to their actual loss or damages resulting from the
contravention or conduct; and
(b) cumulatively:
(i) up to $200 for each contravention of Section 6 (the CEM rules) to a maximum of
$1,000,000 per day;

(ii) up to $1,000,000 per day for each contravention of Sections 7-8 (the computer
download rules);
(iii) up to $1,000,000 per day for a contravention of Section 9 (aiding and abetting in
a contravention of Sections 6-8);
(iv) up to $1,000,000 per day for each contravention of the PIPEDA e-mail harvesting
provisions; and
(v) up to $200 for each occurrence of reviewable conduct involving false or
misleading electronic messages under the Competition Act, up to $1,000,000 per
day.
Protection against liability under the PRA is afforded to a person who has contravened CASL’s CEM or
computer download rules if, before the court considers an application under the PRA, they
have entered into an undertaking with one of the CASL enforcement agencies pursuant to Section
21(1) of CASL or have been served with a notice of violation; or if the person is a director, officer or
agent of a corporation that has entered into an undertaking or been served with a notice of violation; or if
the person is vicariously liable for a contravention of their employee (pursuant to Section 22(1)) and that
employee has entered into an undertaking or been served with a notice of violation.

Section 51(2) states that the purpose of an order for monetary remedy under the PRA is to promote
compliance with the relevant legislation. This statement is important because it must be taken into
account by the court as a factor in determining the amount of monetary remedy. Section 51(3) makes
this stipulation and lists the other factors that the court must take into account in setting the
amount of an order, as follows:

(a) the nature and scope of the impugned conduct;
(b) the person’s history with respect to any previous contravention of any of the relevant CASL or
PIPEDA provisions or any previous reviewable conduct under the relevant provision of the
Competition Act;
(c) the person’s history with respect to any previous undertaking entered into under CASL or a
consent agreement signed under the Competition Act with respect to the false or misleading
electronic messages reviewable conduct provision;
(d) any financial benefit that the person obtained from committing the contravention or the
reviewable conduct, as the case may be;
(e) the person’s ability to pay;
(f) whether the complainant has received compensation, outside of the PRA application, in
connection with a contravention or reviewable conduct, as applicable;
(g) any other “relevant factor”; and
(h) any factors established by regulation.
Until the courts have ruled on applications under the PRA, it is difficult to determine how these factors
will come into play. However, some guidance may be gleaned from the recent CRTC decision in the
Blackstone case in which the CRTC reduced the amount sought under a notice of violation from
$640,000 to $50,000 citing among other factors that the reduced amount was more appropriate for the
purpose of encouraging compliance and taking into consideration Blackstone’s ability to pay.

Irrespective of the amounts that may be awarded under the PRA, it is clear that there is substantial
exposure to class action litigation under the provision. The risks of litigation under the PRA are
significant and potentially out of all proportion to the non-compliant activities. To be noted is that the
provision stipulates monetary remedies beyond simple recovery of damages – which arguably may be
considered a form of penalty and therefore a potentially broader exposure to liability for non-compliance
than is available under CASL’s express provisions for imposition of administrative monetary penalties.
CASL COMPLIANCE CHECKLIST
CASL is a complex Act and members are encouraged to read through this guide carefully and ensure
that they fully understand the requirements set out. Members are always welcome to contact the
Government Affairs team at CMA for further clarification, noting once again CMA is not able to provide
legal advice.

Many email service providers or other electronic messaging outsource partners have created useful
guidance documents on how your organization can begin to prepare for CASL implementation. The
purpose of this guide is primarily to review the requirements of the Act, however below is a list of some
key things organizations should be doing to prepare.

1. Become familiar with CASL’s requirements
2. Inventory your current digital marketing programs
3. Review data collection locations
4. Audit existing database and group like consents
5. Update CEM templates with prescribed information requirements and create the capability for an
unsubscribe feature (preference centre if necessary)
6. Build programs and database capabilities to update consents and identify types of consents
moving forward
7. Develop a standard of proof of consent and retain relevant records
8. Review and, as necessary, put in place contacts with outsource partners and affiliates in cases
of “list renting”
9. Develop new policies and procedures around CEM deployment
10. Train all staff re: CASL – even a single CEM sent without consent could be an infraction!

Marketers should take care to note that the transition provisions for implied consents no longer apply as of July 1,
2017. They should also develop corporate compliance programs, which may help facilitate compliance,
reduce the likelihood of violating CASL, and help businesses establish a due diligence defense in
relation to a violation prescribed by CASL.

KEY RESOURCES
For a full copy of the Act, members can view an html copy or download it off the Justice Laws Website.

Members will want to consult the CRTC’s website and the Government’s “Fight Spam” website for key
information and updates, including FAQs and presentation material.

While not legally binding, members will want to consult the Regulatory Impact Analysis Statement
issued by the Government to provide the context for Regulatory decisions.

Regulatory Packages
• Governor in Council
• CRTC

CRTC Compliance and Enforcement Information Bulletins
• Guidelines on the interpretation of the Electronic Commerce Protection Regulations CRTC
2012-548
• Guidelines on the use of toggling as a means of obtaining express consent under Canada’s
anti-spam legislation CRTC 2012-549
• Guidelines to help businesses develop corporate compliance programs: Information
Bulletin CRTC 2014-326
• Enforcement Advisory - Notice for businesses and individuals on how to keep records of
consent
• Frequently Asked Questions about Canada’s Anti-Spam Legislation

Canada’s Anti-Spam Legislation Enforcement Agencies Sign Memorandum of Understanding

Additional CMA Resources
• Q&A
• Webinar Recordings
• Key Wins Bulletin
• CMA submission on CASL’s 3-year parliamentary review
• Proposed vs. Final Regulations
• CMA submission to Industry Canada on CASL (round two)
• Coalition of Business and Technology Associations submission to Industry Canada on CASL
• CMA submission to the CRTC on CASL
• CMA submission to Industry Canada on CASL (round one)

Industry Resources
• Inbox Marketer
• TC Media

Legal Resources
• Access Privacy – Osler, Hoskin & Harcourt LLP
• Fogler, Rubinoff LLP
• Stikeman Elliott’s Communications Law Blog

The CMA Code of Ethics and Standards of Practice and related guidelines do not purport to replace legal advice or to
provide legal guidance. Marketers should inform themselves about relevant laws that apply in their jurisdiction
including, but not limited to, the federal Competition Act and consumer, privacy and language laws in Canada.

These revised guidelines are current as of February 2018.

CMA acknowledges and thanks Helen Leach-Edwards, Brigida Maxwell and David Young for their help in updating
this guide.

© 2018 Canadian Marketing Association
