Canada Adopts Final Regulations, Announces Expansive Anti-Spam Law Will Start Taking Effect July 1, 2014

by Davis Wright Tremaine LLP

Lead Time Given for Companies to Reformulate Electronic Messages and to Obtain Consents for Contacting Canadian Residents

Canada’s Department of Industry has published long-awaited Governor in Council regulations and announced key compliance dates necessary to implement Canada’s anti-spam law (CASL), which was enacted almost exactly three years ago. Key CASL provisions governing commercial electronic messages (CEMs) take effect July 1, 2014, while on Jan. 15, 2015, the sections of the law related to unsolicited installations of computer programs or software come into force. To ease the transition, CASL’s private right of action provisions will not take effect until July 1, 2017.

CASL is far broader and more punitive than US anti-spam law and does not deal solely with email “spam.” The new law also applies to all CEMs sent to instant message and social network accounts, and by short message service (SMS) texts to cell phones, and regulates the installation of computer programs and alteration of transmission data as well. When the new law is fully in force, it will apply to all CEMs sent from or accessed by a computer system located in Canada and thus governs CEMs sent from the other countries, including the United States.

CASL will generally prohibit:

  • Sending CEMs without recipient consent to email addresses, social networking, and similar accounts, and to cell phones by text-message;
  • Altering transmission data in electronic messages to cause delivery to a different destination without express consent;
  • Installing any computer program or software without express consent;
  • Using false or misleading online representations to promote products or services;
  • Collecting personal information by accessing computer systems in violation of Canadian federal law (e.g., the Criminal Code of Canada); and
  • Collecting electronic addresses by using computer programs (address harvesting), or the use of such addresses without consent.

Accordingly, the next 6 to 12 months will be critical for all businesses in Canada—as well as those in the United States who have a presence in Canada, or send CEMs or computer software downloads that will be received or downloaded by Canadian residents—to achieve compliance.

Commercial Electronic Messages (CEMs)
Generally. Under CASL, CEMs are any electronic messages (i) sent by any means, using text, sound, voice, or image(s), (ii) to any “electronic address,” including email or instant message identifiers and phone numbers, or any “similar account,” (iii) to encourage participation in any commercial activity. CASL does not govern interactive two-way voice, faxing, or sending voice-recordings to phone numbers, nor does it govern blog-posting or other publications on microblogging and social media sites if the activity is not directed to specific electronic addresses. Note also that “electronic addresses” do not include IP addresses if they are not linked to an identifiable person or account.

“Encouraging participation in commercial activity” does not require any expectation of profit, and encompasses any message that, based on its content, and/or on contact information and/or included hyperlinks, can reasonably be said to have as one or more of its purposes (even if not a primary purpose) encouraging such participation. This includes offers to sell, purchase, barter, or lease any good, service or land; offers of business, investment, or gaming opportunities; and advertising or promoting any of the foregoing. However, the fact that a message is part of some commercial activity, includes links to a website, or has business-related electronic addressing does not make it a CEM, if none of its purposes include encouraging commercial activity as described above. Thus, messages consisting of newsletters, surveys, polling, and soliciting charitable donations, political contributions, or other political activities are not CEMs.

CASL generally forbids false or misleading subject lines and/or sender information, and requires CEM senders to obtain consent from recipients before sending, i.e., it requires opt-in, and that CEMs include information that identifies the sender (or the entity on whose behalf a CEM is sent) and that enables recipients to withdraw consent. Such withdrawals of consent, i.e., opting out, must be allowed at no cost by replying or clicking on an included link, which mechanism must be active for 60 days after the CEM is sent. Opt-out requests must be processed “without delay,” but in no event beyond 10 days after receipt.

For purposes of the identification requirement, the CEM must include the mailing address and (i) a phone number providing access to an agent or voice messaging system; (2) an email address; or (3) a web address of the sender or the party on whose behalf the message is sent. Such contact information must be valid for at least 60 days after the CEM is sent. Also, in the case of a CEM sent by one entity on behalf of another, the CEM must also have a statement indicating who is sending the message and on whose behalf the message is sent. All told, CASL’s opt-in rule departs from consent rules under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) that have governed e-mail marketing since 2000, as CASL’s procedures are more stringent than PIPEDA, which is an opt-out regime and does not limit implied consent to specific relationships or transactions, as does CASL.

Exceptions. CASL’s consent, opt-out and sender-ID requirements do not apply to CEMs: 

  • Sent by (or on behalf of) an individual to another individual with whom there is a personal or family relationship;
  • To a person engaged in a commercial activity if the message consists solely of an inquiry or application related to that activity;
  • Responding to a request, inquiry or complaint, or that are otherwise solicited by the recipient;
  • For fund-raising by registered charities or political parties, organizations or candidates;
  • On platforms where the required identification and unsubscribe information is conspicuously published and readily available to recipients on the user interface; or
  • That it is reasonably believed will be accessed in and to be compliant with local law in certain listed countries outside Canada (including the U.S.).
CASL’s consent requirement does not apply (although opt-out and sender-ID rules still apply) to CEMs that:
  • Provide quotes or estimates requested by the person to whom a message is sent;
  • Transmit warranty, recall, or safety/security information;
  • Offer a means of facilitating the use/purchase of a good/service under a subscription, membership, account, loan or similar relationship; or 
  • Facilitate/complete/confirm a transaction the recipient previously executed, and/or that deliver products/services (including updates or upgrades) that the message recipient is entitled to receive under a previously entered transaction. 
The consent requirement also has an allowance that “implied” consent may suffice within specifically defined circumstances, such as a contractual relationship with the recipient. Other circumstances in which CASL’s consent requirement does not apply (although providing opt-out and sender-ID are still required) include where CEM senders have “implied consent” because:
  • An existing business relationship is present based on the purchase, lease, barter for, or receipt/acceptance of any good, service, or land interest within 2 years before the CEM, or based on an application within 6 months before the CEM;
  • There is an existing non-business relationships based on any donation or gift to, membership in, or volunteer work performed for a charity within the 2 years before the CEM; or
  • Prospective recipients post or provide email addresses that invite communications or do not otherwise indicate the prospective recipients’ intent not to receive messages, so long as the CEM sent is relevant to the recipient’s business.

Compliance. Those seeking express consent for CEMs (and other CASL purposes—see below) may do so orally or in writing by setting out clearly and simply the purpose(s) for which consent is sought, the right to withdraw consent, and information that identifies the entity seeking consent (including contact and other information specified above). Express consents obtained before CASL comes into force to collect or to use electronic addresses to send CEMs will be recognized as being compliant with CASL.

Consent also may be obtained by one entity for another party provided the other party is identified or the asking party is identified in subsequent CEMs relying on the consent, as long as opt-outs cover not only the sender but also the entity who originally obtained the consent. Any party with shared consent must notify the others of any opt-out, and all must honor it.

Computer Programs
CASL prohibits installing (or causing to be installed) in the course of commercial activity any computer program on any other person’s computer without express consent of the owner or an authorized user of that computer, and further prohibits anyone, having so installed or caused to be installed a computer program, from causing an electronic message to be sent from another’s computer without such consent. These restrictions apply if one of the parties is located in Canada.

The same rules that apply to obtaining consent for CEMs also apply to computer programs—that is, there must be a clear and simple description of the purpose for which consent is sought and of the identity of the entity seeking consent. In addition, for computer programs specifically, the entity obtaining the consent must also clearly and simply describe (in general terms) the function and purpose of the computer program to be installed, and if the consent is intended to cover future updates or upgrades, it describes them.

Entities seeking consent must describe—clearly and prominently, and separate from any license agreement—the program’s material elements, including its nature, purpose and reasonably foreseeable impact on the operation of the computer if installed. Those elements also must be brought specially to the attention of those from whom consent is sought, if it is known and intended that the program will cause the computer to operate contrary to the reasonable expectations of its owner or authorized user, through any of the following means:

  • Collecting personal information stored on the computer;
  • Interfering with the owner’s or an authorized user’s control of the computer;
  • Changing or interfering with settings, preferences or commands already installed or stored on the computer without the knowledge of the owner or authorized user(s);
  • Changing or interfering with data stored on the computer so as to obstruct, interrupt or interfere with lawful access to or use of the data by the owner or authorized user(s);
  • Causing the computer to communicate with another computer system (or device) without authorization of the owner or an authorized user; or
  • Installing a computer program that may be activated by a third party without knowledge of the owner or an authorized user.

There are also special provisions applicable to withdrawal of consent for the above-bulleted programs that require maintaining and furnishing an electronic address to which consenting persons may send a request to remove or disable the program. If it turns out that the consent was based on an inaccurate description of the material elements of function, the entity who obtained the consent must, on receipt of a request to remove or disable the program, assist the requester in doing so as soon as is feasible.

In addition, express consent is presumed if the owner’s or authorized user’s conduct is such that it is reasonable to believe they consented to installation of certain downloads, limited to:

  • Cookies, HTML code, Java Scripts, and/or operating systems, and other programs executable only through the use of another program whose installation or use was previously express consented to;
  • Programs installed by or on behalf of a telecommunications service provider (TSP) solely to protect the security of its network;
  • Programs installed for purposes of updating or upgrading TSP networks; and 
  • Programs necessary to correct failures in the operation of the computer system.

Alteration of Transmission Data and Address Harvesting
CASL requires consent and the opportunity for withdrawal of consent (opt-out) to alterations of transmission data that occur in the course of a commercial activity, such as when one causes an electronic message to be sent to a destination different from that which the sender intended. The consent must clearly and simply describe the purpose of the alternation and the identity of the requester. As with CEMs, opt-outs must be honored “without delay” and in all cases within 10 business days.

CASL also generally prohibits the use of address-harvested email addresses without consent. Under CASL, “address harvesting,” is the collection of email addresses through such methods as (i) “web crawler” computer programs, and/or (ii) “dictionary attacks,” i.e., computer programs that guess email addresses by methodically trying multiple name variations. Once collected, the email addresses are often sold to spammers as destinations for unsolicited electronic messages.

Enforcement and Phase-In
CASL provides for criminal prosecution, and for administrative and monetary penalties for violations in amounts of up to C$1 million for individuals and C$10 million for other entities, along with a private right of action for those suffering actual loss or damage as a result of non-compliance. The law also creates criminal offenses for obstructing CASL investigations. As to the private right of action, while it will be necessary to prove actual damages, it is possible to envision class actions by multitudinous plaintiffs where damages, even if minor on an individual basis, are collectively significant. Directors and officers who authorized an organization's non-compliance can be personally liable.

CASL allows the Canadian Radio-Television and Telecommunications Commission (CRTC) to impose the administrative monetary penalties, and the Competition Bureau to seek administrative monetary penalties as well, or criminal sanctions under the Competition Act. The Competition Bureau may investigate and take action on false or misleading representations and deceptive market practices. CASL also affords new powers to the Office of the Privacy Commissioner, including enforcement against impermissible collections of personal information.

As noted at the outset, to permit reasonable time for businesses to become aware of and compliant with the CASL and its regulations, most of the law and rules do not take effect until July 1, 2014, though in order to facilitate compliance with the computer program provisions, those do not take effect until Jan. 15, 2015. To further reduce uncertainty regarding how CASL will be interpreted, the statute’s private right of action will take effect after three years, on July 1, 2017. The government cautions that those contemplating such a suit should get legal advice before filing, as legal fees incurred by the alleged violator to defend may be recoverable if a claim is improper or is considered not to have merit.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP

Davis Wright Tremaine LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.