What is CASL?


Canada’s Anti-Spam Law (CASL) regulates digital marketers and data collection connected with commercial activities in order to protect consumers' privacy rights in Canada. It was designed as one of the most stringent anti-spam laws in the history of federal internet regulation, which makes CASL’s application particularly bothersome for businesses caught participating in bad practices.

Accessibility and data privacy policies that concern public safety need to be taken into consideration before deploying digital assets that do not meet the compliance requirements for CASL consent.

CASL Consent

When sending Commercial Electronic Messages (CEMs) to members of a newsletter or mailing list, professional corporations must meet strict compliance requirements. Most importantly, any commercial activity (such as an email that contains a coupon or promotional offer) requires consent from all recipients to meet CASL requirements. This includes oral or written consent, and the request must include the name of the person or organization requesting user consent, a valid physical mailing address, phone number, email, website, and automated message systems where users can reach an agent or business representative.

Core Components of CASL Compliant Messages

  • The ability to opt out, unsubscribe, or request that an organization cease any future communications
  • Provide identity, contact details, phone number, mailing address, email, and process to contact an agent of the organization requesting user consent
    • This includes any third-party partners
    • The information must be up to date and reliable
    • Exemptions can be made (such as communications with existing relationships, complaints, inquiries, or legal obligations)

CASL Updated Exemptions

  • CEMs used by political parties seeking contributions
  • Limited-access, confidential secure portals (i.e. banking confirmation)
  • Registered Non-Profits using CEMs for the primary purpose of charity fundraising
  • Instant message, social media, and SaaS platforms that use SMS, and e-mail communications with a clear EULA that outlines the terms of use

Obtaining Consent for CASL Compliance

  • Determine whether your organization needs to worry about CASL, and whether any communications meet the threshold of Commercial Electronic Messages (CEMs)
  • Public Facebook or Twitter accounts do not apply unless there are private messages being communicated between the organization and the individual

It’s important to understand that the legislation does not protect against unsolicited telecommunications such as live voice or automated telemarketing calls, as they fall under a different act. The Canadian Radio-television and Telecommunications Commission (CRTC) provides an interpretation of CASL with regard to general information.

CASL includes several accompanying regulators, such as the Competition Bureau, the Office of the Privacy Commissioner, and Innovation, Science and Economic Development Canada. Similar to PHIPA, there are multiple organizations involved in the policing of privacy protection laws.

CRTC Interpretation Guidelines for Consent

  • Under the CRTC guidelines, there are three general requirements for sending commercial electronic messages (CEMs)
  • The first is to obtain consent
  • The second is to provide reliable identification information
  • The third is to provide a clearly accessible unsubscribe mechanism
  • There are two types of consent under CASL:
    • Express consent
    • Implied consent

Exemption Considerations for CEMs (CASL)

  • Any CEMs solicited or sent in response to inquiries, complaints or requests
  • Any CEMs sent due to a legal obligation or to enforce a right
  • Any CEMs sent within or between organizations with existing relationships (B2B)
  • Any CEMs sent by registered non-profits for the purpose of charity fundraising

Record Keeping

It’s important to understand where the data is located, who has access to the data, and how long it can be stored before violating CASL. When the right questions are asked to obtain consent, most CEMs do not expire until the user reinitiates the subscription process to cancel consent. Keeping records of every user consent event will protect an organization from potential CRTC investigations or compliance checks if a complaint is filed.

This record-keeping process should include the nature of the business, usage of electronic marketing tools, number of customers being contacted, as well as any other factors related to record retention. The development of a documented corporate compliance policy can help reduce questions when complying with CASL or other privacy laws in Canada. When dealing with compliance challenges such as CASL, there is an opportunity to adapt and meet user consent goals.

Application of CASL on Average Website

The legislation only applies to the request and record-keeping processes of private data that fall under the category of CEMs within the legal boundaries of Canada. For the average website, CASL deems a person to have provided express consent for any installation of computer programs if it is reasonable to believe the person provided consent to the installation based on user behaviour, including but not limited to:

  • HTML,
  • JavaScript,
  • a cookie,
  • an operating system,
  • a program that is only executable through another program to which consent was already expressed, or
  • anything further specified in CASL regulations

eCommerce Requirements for CASL

For most websites, CASL is not something to be concerned about; however, eCommerce websites often collect personal data during the checkout process. This data is later used for remarketing campaigns or follow-ups for future engagements with the customer. If eCommerce websites are found to be breaking the law when contacting customers by failing to provide reliable contact information or breaking the rules of engagement, there are several actions that the Commission can take:

Enforcement for Notice of Violations for CASL complaints that reveal compliance breaches

  • A Notice of Violation (NOV) is served if it is believed on reasonable grounds that the entity has committed a CASL violation. It may also be accompanied by monetary penalties.
  • An undertaking is an agreement made to define the compliance obligations that will be put in place following an alleged breach of CASL, and it may include AMP fees.
  • A warning letter is typically used to inform a person when the Commission has concerns about possible violations. Legitimate complaints must be received and the initial course of action can include education about CASL obligations, auto-corrective action or further investigation if needed.
  • An Administrative Monetary Penalty (AMP) is required for anyone who contravenes sections 6 to 9 of CASL; doing so is a violation that may make the person liable to an administrative monetary penalty when the NOV is issued. Penalties can include up to $1M per violation for an individual and up to $10M per violation for corporations.

Maintaining Compliance

In order to respond to an NOV, representations must be made to the Commission with regard to the acts or omissions that constituted the alleged violation, as well as any penalty amounts. The policies of CASL are designed to protect against perpetual spam or illegal data collection of website visitors. Big brands and corporations are accountable for meeting CASL standards or responding to the Commission within 30 days after any NOV is served. In order to appeal the Commission’s decision, you must apply to the Federal Court of Appeal within 30 days after the day on which the decision was made. Registered charities are particularly complex, as they have exemptions for CEMs that can be tricky to navigate when sending commercial messages for fundraising. The CRTC is especially strict with charities that attempt to circumvent the stringent rules around CASL.
