Canada’s New Anti-Spam Act: What You Need to Know


On July 1st, 2014 we’re going to see a dramatic change when it comes to sending out emails to Canadian IP’s. That’s right, it is the inevitable coming of CASL (Canada’s Anti-Spam Act). Most businesses that advertise, sell, or get customers through emails are at the edge of their seats screaming bloody Mary. However, if you know your facts, you can prepare and calmly await the day that changes all.

Before we jump into what you can do to make sure that CASL doesn’t ruin a good nights’ sleep, there are some raw facts that you have to know. For instance, what does CASL mean and what is its purpose? To quote the actual act itself:

“An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23.”

To take it a step further, CASL is put in place to make sure that no malicious software is sent in an email and no breach of privacy occurs – unless consent is given. It is a noble and much needed act that has had had success in its differentiated versions in countries like Australia or the United States. Another important thing to know is that after the three year transition period is over (more on that later on), the penalty of a violation by an individual can be up to $1 million, whereas for a business it can be even up to $10 million.


Does CASL concern me?

This act has been put in place with commercial business in mind. If you are a politician sending out information to citizens – you are compliant, unless you send out an email persuading citizens to buy your new neon green merch – well, you are not so compliant anymore. Registered charities are also exempt from this act.

The act concerns those who send out a CEM (commercial electronic message). What exactly constitutes a commercial message?

  1. Advertisement for a product, service, or even a business.
  2. An offer that encourages people to buy any product, information, or service.
  3. Promoting businesses or people. Why? Because in a way that is still ‘selling’.

There are however numerous exemptions. For instance you are ok to send one (yes, only one) email to someone by a mistake, you don’t have to worry about sending emails to employees or contractors of a company whom the CEM concerns, family relationships exempt your messages, and most of all – replies to emails are also ok.

The first step to preparing is figuring out whether your messages are of commercial nature or if they promote any sort of commercial activity. The second is to checking out what you link to in your messages. Why? Well, because any link and pages that people are taken to, are under this act too.


To be compliant or not to be.

Now that you have an idea of what CEM’s are, we’re going to assume that you are sending out commercial material.

There are three key things your messages must contain after July 1st, 2014 strikes:

  1. Provide identification – basically, don’t send an email with random symbols and cheeky nicknames. You need to clearly state who the sender is. If you are emailing on someone’s behalf, you need to state not only your name/company but also the person’s on whose behalf you are writing.
  2. Provide contact – let your recipients know where they can reach you, this makes you less suspicious and more cautious in their eyes. You must provide your mailing address and telephone number, email address, or a web address where you can be reached. Whatever information you provide, it must be accurate for at least 60 days after it has been provided.
  3. Provide unsubscribe mechanism – Whether you like it or not, you have to make sure that there is a visible unsubscribe link and the information provided on the unsubscribe page is valid (look point #2). It is also imperative that once someone has unsubscribed you comply with their request within 10 days.


Consider me in!

The second rule of making sure that you are compliant is consent. In fact, pick a nice typeface and put that on a giant poster in your office – When in doubt: CONSENT. There are two types of consent that will put you on the road to compliance:

1. Express consent – the more obvious type of consent which leaves little room for grey area legal interpretations, as there is no grey area! If you have provided the information stated in the previous section you are half way to the finish line! There are however two more things express consent needs to make it rock solid:

  • No pre-checked boxes, as these can deceive and confuse potential subscribers. They need to make a decision to opt-in on their own.
  • Confirmation links, as these make it clear that you have not barged in on someone with your product or content, they themselves confirmed their consent! – this is why double opt-ins are a great feature to have.

Make sure to keep records of any information, sign ups, IP addresses and other information that proves your “contract” with a customer who has chosen to consent. Remember, once express consent has been, well – expressed, it does not expire unless a recipient explicitly requests a termination of their consent (e.g. by unsubscribing).

2. Implied consent – this is where the grey area settles in. This is more ambiguous and prone to interpretation consent. CASL identifies three types of implied consent:

  • The recipient and sender have an existing ‘business relationship’ or an existing ‘non-business relationship’. Basically, a relationship where the sender and recipient have engaged in business in a period of two years since the date that CASL goes up. Another existing relationship can be CASL compliant if in the period of six months before CASL, the recipient made an inquiry.
  • A recipient who has published their email address publicly and has not underlined that he or she does not want to receive any unsolicited messages and they will receive any messages that are relevant to their field of work or interest.
  • A recipient who openly has given their email address to the sender without specifically requesting that they do not wish to receive messages.


What if I don’t comply?

Unfortunately, the consequences are harsh. Starting July 1st, 2014 the Canadian Radio and Telecommunications Commission has the right to force penalties upon spammers. The maximum amount penalty that an individual can face is $1 million per violation (I repeat – per violation) and $10 million for businesses or other organisations alike. CASL will also allow recipients to apply to court to have a hearing to stop spam.

However, come January 1st, 2017 you can also expect that private rights of action will become available for any recipients. This means that they can then seek compensation for damages caused by a breach of CASL. A mere breach (one singular breach) can cost $200 and may go up to $1 million per day. What’s more – individual damages or expenses do not need to be proven, which means that penalties can be imposed whether you like it or not.


The tidal wave rolling in

There most certainly will be opportunists who will figure out every inch of CASL to gain money. But that is nothing to be afraid of! There is still some time and once July 1st hits, the transitional period (where some minor mistakes won’t cost you a fortune) is 36 months long.

Fear not! Help is on the way!

Fear not! Help is on the way!

Now that you know what is happening, what you can expect, and what you need to look into – take action! It is best to let key people in your email marketing strategy know what is happening, create a list of what type of messages you send and what CEM’s concern you, check what information is missing from your web forms, emails, and other pages, and get to sorting.

Slowly but surely you can check what needs to be changed or added. If you are unsure of where you stand, it is advisable to reach out to a lawyer to consult on your final stages of preparing for CASL. With some checking, lists, and patience, you do not have to fear any tides at all!

  • Liudas

    Sounds silly that you could get 1 million dollar fines for sending an email. I really doubt this will have a great impact on the amount of spam that people receive…

  • Sara-Ruth Wolkiewicz

    That’s a good point Liudas. We will have to watch and see how the law actually play’s out, however it is better to be safe than sorry, which is why it’s good to know all your facts and to prepare.

  • Sam

    Hi Sara-Ruth, will this prohibit unsolicited calling? example, cold-calls for purpose of business?

  • Sara-Ruth Wolkiewicz

    Hi Sam, call are exempt from CASL, however text messages can be considered CEM’s

  • Sara-Ruth Wolkiewicz

    Hello Chad, great question! Unfortunately there is no re-confirm email. However, what I can advise is that you can take your single opt-in contacts and imported contacts and move them into a new campaign where you can click that this campaign requires double opt-ins. If you do that, I recommend creating a newsletter of some sort that tells those contacts that you are sending them a confirmation email in order to check who still wants to receive your messages or that you are sending this email in order to comply with a new law.

    If you are having trouble figuring out which contacts on your list have been imported by you or are single opt-ins, please contact our support team and they will be able to assist you

  • Mark

    This is not a “solution” at all, and doing so will likely result in me losing 90% of my email subscribers since the confirmation emails for imported lists are not customizable (no ability to put my logo, colors, etc). I will be forced to leave GetResponse and move my email marketing to another provider that allows customized confirmation emails. I have already received at least a dozen such emails from other Canadian companies that I receive emails from, all of them have been branded to ensure there’s no confusion as to who the email is coming from.

  • Sara-Ruth Wolkiewicz

    Hi Mark, the reason why these emails are not customizable is that we want our customers to be as genuine and whitelisted as possible. Spammers are not able to get email addresses from people by promising them a free gift and then not giving them anything because all they wanted is an email address.
    The plain text confirmation email prevents trickery and promotes honest businesses 🙂 This is why before sending a confirmation email from a new double opt-in campaign, I have recommended sending a newsletter letting people know that they will receive a confirmation email and that they should look out for that. Hope this clears things up a bit, we do however want to thank you for your feedback, we hope that you stay with us as we value each and every customer.

  • Tim

    I have buyers lists (where people have purchased products from me). I assume this constitutes a prior business relationship and I am in compliance. Is this a correct assumption?

  • Dan

    It seems to me that this change in law means that we really need to stop using single opt-in all together. Is that the case, and if so, will Getresponse eventually stop offering single opt-in as an option?

    Also, how does this new law impact those who build their lists by selling products? What I mean is, many people have it set up so that when someone purchases a product from them, that customer is automatically added to a mailing list. Does this new law mean that we will still have to have someone click a confirmation link to be added to a customer list, even after they have just purchased a product?

  • Sara-Ruth Wolkiewicz

    Good question Tim, this is definitely a business relationship and you are technically compliant. However, this particular business relationship pertains only to buyers from last two years. So, if someone last purchased something from you three years ago, then you cannot email that person without their consent. Another catch is that if someone has been purchasing over the past two years and technically is in a business relationship – you have two years to obtain explicit consent from them if you want to email them after the two year period is up.
    To add to the “two year rule”, if someone makes a purchase from you in the two year period that you have to get their consent, the clock resets and you have two years from the day they made that purchase.
    It’s a little confusing, but nevertheless even with the two year rule, sooner or later you still will need to obtain explicit consent.

  • Sara-Ruth Wolkiewicz

    Hi Dan, single opt-ins will most likely stay as an option, remember that single opt-ins can still be good to go with CASL as someone can choose on their own to sign up.

    For those who built lists based on sold products, there is a temporary “two year rule” (look in the comments below to see how this works). However if someone purchases you cannot simply add them automatically, as I’ve explained in the article – with CASL you will no longer be able to add automatically or have pre-checked boxes. You can send a confirmation email to let people know that their purchase has been processed, but in order to send them any more emails you need to have their consent. You can have boxes for your customers or leave an invitation to subscribe in the purchase confirmation email, but you cannot automatically add subscribers (at least not from Canada).

  • Dan


    I just want to clarify a few things. When it comes to providing your contact information in your messages, I know that a physical address is required. As this is already included in the footer of every Getresponse message, that is not a problem. However, I have two other questions relating to this part of the law:

    1. You also mention the need to provide details like a phone number, contact email address, and web address where we can be reached. Is all of this information required, or can I just include a support email address to be covered?

    I really don’t want to give out my phone number to every email subscriber. Also, I don’t have a dedicated website for every email campaign. Sometimes I just let Getresponse host my opt-in form and send traffic directly to the form. So, in that case there would be no web address to send people to.

    2. How do we include this additional contact information in our messages? Is there a way to automatically include it in the footer of every message, just like our physical address?