Canada’s Anti-Spam Law (CASL): What you need to know
Canada’s Anti-Spam Law (CASL) received Royal Assent in December 2010 and came into effect on July 1, 2014. Its stated purpose is to reduce “the harmful effects of spam and related threats” and “help create a safer and more secure online marketplace”, according to the website of the enforcing agency, the CRTC.
The CASL is an anti-spam law, not a general data-privacy statute. It prohibits organizations, including foreign ones, from sending unsolicited or misleading commercial electronic messages (“CEM”) to recipients without their consent, and from installing computer programs on another person’s device without that person’s consent.
The law applies to any “Commercial Electronic Message” (CEM) that is sent from, or accessed on, a computer system located in Canada. Messages that merely pass through (are routed via) Canadian computer systems are not subject to this law.
A CEM is any message that:
- Is in an electronic format, including emails, instant messages, text messages, and some social media communications,
- Is sent to an electronic address, including email addresses, instant message accounts, phone accounts, and social media accounts, and
- Contains a message encouraging recipients to take part in some type of commercial activity, including the promotion of products, services, people/personas, companies, or organizations.
Fax messages and fax numbers aren’t considered electronic formats or addresses under CASL; likewise, interactive two-way voice communications between individuals and voice recordings sent to a telephone account are excluded.
The CASL does not expressly require businesses to display a privacy notice.
Under CASL, express or implied consent is required before a CEM is sent (and before a computer program is installed on another person’s device). CASL does not regulate the use of personal data in general; that is the domain of Canada’s privacy legislation.
Data Protection Assessments
Data protection assessments are currently not required.
The law is enforced primarily by the Canadian Radio-television and Telecommunications Commission (CRTC), Canada’s broadcasting and telecommunications regulator. Enforcement is shared with the Competition Bureau (false or misleading representations in electronic messages) and the Office of the Privacy Commissioner of Canada (collection of electronic addresses and personal information without consent, for example through address harvesting or spyware).
Private Right of Action
The CASL does contain a private right of action (sections 47 to 51), which would allow individuals to sue for contraventions. Those provisions were scheduled to come into force on July 1, 2017, but the federal government suspended them indefinitely in June 2017, and they remain not in force.
Penalties and Damages
A violation under the CASL may require the violator to pay an administrative monetary penalty (AMP). The maximum AMP, per violation, is $1 million for an individual and $10 million for any other person, such as a business. The CASL sets out a list of factors considered in determining the amount of an AMP, including the nature and scope of the violation, the violator’s history of compliance, and any financial benefit obtained from the violation.
The CASL does not have a cure period.
Exemptions
The consent requirement does not apply to the following messages:
- Messages sent by or on behalf of an individual to another individual with whom they have a family or personal relationship,
- Messages sent to an employee or consultant of your business or another organization with whom your organization has a relationship,
- Messages sent in response to a request, inquiry, or complaint or that is otherwise solicited by the recipient,
- Messages sent by a person in Canada that will be accessed in a listed foreign country, including the U.S., China, and most of Europe, as long as the message complies with the anti-spam laws of that foreign country,
- Messages sent by or on behalf of a registered charity or a political party or organization for the purposes of raising funds or soliciting contributions,
- Messages sent to a person to satisfy a legal obligation, provide notice of an existing or pending right, legal, or juridical obligation, court order, or to enforce a legal right, juridical order, or court order.
The CASL also contains an exception to the consent requirement for certain types of transactional messages. These messages must still comply with CASL’s message content (sender identification) and unsubscribe requirements. Transactional messages include CEMs that solely:
- Provide warranty, recall, safety, or security information about a product or service purchased by the recipient,
- Provide notification or factual information about a purchase, subscription, membership, account, loan, or other ongoing relationship, including delivery of product updates or upgrades,
- Facilitate, complete, or confirm a commercial transaction that the recipient previously agreed to enter,
- Provide a quote or estimate for the supply of a product, good, or service.
The breach-reporting obligation that is often discussed alongside CASL does not come from CASL itself but from Canada’s federal privacy law, PIPEDA (the Personal Information Protection and Electronic Documents Act), and its Breach of Security Safeguards Regulations. Under PIPEDA, organizations having personal information under their control must, without unreasonable delay, report to the Privacy Commissioner of Canada any breach of security safeguards involving the loss of, or unauthorized access to or disclosure of, personal information where it is reasonable to believe that the breach creates a real risk of significant harm to an individual. Affected individuals must also be notified, and records of every breach must be kept.
The report to the Commissioner must be in writing and include:
- A description of the circumstances of the loss or unauthorized access or disclosure,
- The date or time period during which the loss or unauthorized access or disclosure occurred,
- A description of the personal information involved in the loss or unauthorized access or disclosure,
- An assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure,
- An estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure,
- A description of any steps the organization has taken to reduce the risk of harm to individuals,
- A description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure, and
- The name and contact information for a person who can answer, on behalf of the organization, the Commissioner’s questions about the loss or unauthorized access or disclosure.