CASL Anti-Spam Legislation

Posted: June 23, 2014
By: Jim Donovan

As you are probably aware, the new Canadian Anti Spam Legislation takes effect on July 1, 2014.

In order to better understand the legislation, we have reviewed several interpretation bulletins published by the Government, IP Lawyers, and E-mail Marketing Firms (full bibliography below).

Here is our interpretation of how the legislation affects our clients:

  1. The very first section of the Government FAQ titled "General", seems to set out what is covered by the legislation in the two following questions and answers.
    Does Canada's anti-spam law deal only with spam?
    No. It also deals with other electronic threats to commerce, such as the installation of computer programs and the alteration of transmission data, without express consent. These threats also include the installation of malware, such as computer viruses.

    What does "spam and other electronic threats" mean?
    Under Canada's anti-spam legislation, there are various types of violations including the sending of unsolicited commercial electronic messages, the unauthorized alteration of transmission data, the installation of computer programs without consent, false and misleading electronic representations (including websites), the unauthorized collection of electronic addresses and the collection of personal information by accessing a computer system in contravention of an Act of Parliament.
    These violations include, but are not limited to, spam, malware, spyware, address harvesting and false and misleading representations involving the use of any means of telecommunications, Short Message Services (SMS), social networking, websites, URL's and other locators, applications, blogs, Voice over Internet Protocol (VoIP), and any other current and future internet and wireless telecommunication threats prohibited by Canada's anti-spam legislation.

    As a general observation, it seems clear from the above that the primary intent of the legislation is to crack down on egregious spamming activity rather than to interfere with the normal course of business correspondence.
  2. There are six specific activities listed in the answer to the second FAQ mentioned above.  Our interpretation of the legislation is that only two of these activities pertain to our website clients as outlined here:
    1. Sending of Unsolicited Commercial Electronic Messages - this applies to all of our clients and we will elaborate below.
    2. Unauthorized alteration of transmission data - none of the websites that we have built for any of our clients engage in any activities of this nature.
    3. Installation of computer programs without consent - while some of our client's websites do install "cookies" on the user's computer, an interpretation by Nnovation LLP, a technology law firm in Ottawa has stated that "cookies" are not subject to the legislation (see Bibliography). Other than "cookies", none of our client websites install any computer programs on the user's computer.
    4. False and misleading electronic representations (including websites) - in most cases, all of the content on our clients' websites has been provided by the client and we trust that our clients have taken steps to ensure that none of the information is false or misleading.  In some cases we provide content authoring services to our clients and it is ultimately the client's responsibility to ensure that any content we publish does not contain false or misleading information about your products or services.
    5. The unauthorized collection of electronic addresses - most of our clients' websites do facilitate the gathering of electronic addresses and we will elaborate below.
    6. The collection of personal information by accessing a computer system in contravention of an Act of Parliament. - none of the websites that we have built for any of our clients engage in any activities of this nature.
  3.  Many of our clients' websites contain a "web form" which allows users to provide contact information including their email address to our client.  Our interpretation of the legislation is that when a user voluntarily submits an online form and provides an electronic address, that user has provided express consent to be contacted, provided that the website clearly explains how their contact information will be used.

    On or before July 1, 2014, we will be adjusting all of the web forms on all of our clients' websites by adding a "check-box" beside the "Submit" button of all web forms.  In order for the user to Submit the web form, it will be necessary for the user to click on the check-box using his mouse or keyboard, and there will be clear wording that explains how the contact information will be used.

    For example:
    In the case of a one-time request for services from a lawyer or other service provider:
    |X| I consent to being contacted by the company about the specific matter at hand.  I understand that my contact information will not be used by the firm for any other purposes.

    In the case of a subscription to a Newsletter from a Publicly Traded Company or other Company that maintains an electronic mailing list:
    |X| I consent to having my email address added to the company's electronic mailing list. I understand that I will periodically receive news releases and other information from the company and that I can unsubscribe at any time.

    We believe that the addition of this check-box and wording will ensure that the user has provided Express Consent to be contacted in accordance with the wording provided.

    In addition to requiring each user to check the checkbox, we will also be gathering the following information for each submitted web form: [Date], [Time], and [IP Address of User].  This information will be added to the footer of each web form that is submitted by a user so that you will have a permanent electronic record of this information.

  4. Some observers believe that it is necessary to obtain a "double opt-in" in order to to receive the Express Consent of a user who fills out a web form.  The double opt-in process requires a confirmation email to be immediately sent to each user upon submission of a web form.  If the user does not "confirm" his original submission then the entire process is aborted and the original submission is cancelled.  This double opt-in process is considered an industry best practice in the "email marketing industry" when dealing with "mass mailing lists".

    The Government FAQ specifically states that an "opt-in" mechanism is sufficient to obtain express consent, and we were unable to find any documentation from the Government that implies that a "double opt-in" is mandatory.  The following FAQ has been taken directly from the "Consent" section of the Government FAQ:
    Can I use pre-checked boxes in order to obtain express consent?
    The manner in which you request express consent cannot presume consent on the part of the end-user. Silence or inaction on the part of the end-user also cannot be construed as providing express consent. For example, a pre-checked box cannot be used, as it assumes consent.

    Rather, express consent must be obtained through an opt-in mechanism, as opposed to opt-out. The end-user must take a positive action to indicate their consent. For example, this can be done by providing a blank box which a user can check off to indicate consent.

    It is our opinion that if you are operating a "mass mailing list" then you should follow the industry best practice and require the "double opt-in" regardless of the absence of a legislative requirement to do so.  However, we believe that in the case of a "one-time" web form submission which is essentially a "request for service", it would be overkill to require a "double opt-in" for several reasons:
    • many people do not check their email frequently and would not immediately reply to the "double opt-in" message leading to a high percentage of "lost" requests.
    • many people would see the "double opt-in" process as an annoyance in the situation where they are simply making a one-time request for service.
    • presumably the service provider will be replying to the request within 24 hours in any event and if there is erroneous information on the original request it can be determined/rectified at that time.
  5. Many of our clients are unsure about what steps (if any) must be taken with respect to obtaining consent to contact individuals whose information has been gathered via web forms on their websites over the past several years.

    The Mailchimp article does a good job of outlining when consent is and is not required so I have quoted it verbatim:
    According to the new law, consent is NOT required if you are:
    • Sending to a family member or someone with whom you have an established personal relationship.
    • Responding to a customer or correspondence from the recipient within the previous six (6) months.
    • Sending to an employee or individual associated with your business like a consultant or franchisee.
    • Attempting to enforce a legal right or court order.
    • Sending a message that will be opened or accessed in a foreign country, including the United States, China, and the majority of Europe. (For the complete list of the 116 CASL exempted countries, please visit this website
    • Sending on behalf of a charity or political organization for the purposes of raising funds and soliciting contributions (yes, this is allowed under the law).
    • Providing information about a warranty, recall, safety or security about a product or service purchased or used by a recipient.
    • Providing information about an ongoing use, purchase, subscription, membership, account, loan, or other ongoing relationship.
    • Delivering product updates or upgrades.
    • Sending a single email to a recipient who does not know you, but on the basis of a referral, if you disclose the full name of the person who made the referral. In addition, the person who made the referral can be a family member or have a personal or business relationship with the recipient to whom you are sending.
    If you do not meet any of the above criteria, then consent is required.

    Consent can be implied in the following situations:
    • The recipient has within the previous 24 months purchased a product, service, or made some other business deal with you, been a party to a contract with you, or has had a membership with your organization.
    • You are either a registered charity or political organization and the recipient has made a donation or gift, volunteered for, or attended a meeting organized by you.
    • The message sent is related to the recipient’s professional or official role, and the recipient has not told you or published that they don’t want to receive unsolicited messages, and the recipient has either directly given you their address or has conspicuously published it.

    If you do not meet any of the above criteria, then you must obtain express consent before you can send.

    Express Consent can be obtained only by giving the recipient:
    • A clear and concise description of your purpose in obtaining their consent (tell them what you will be sending).
    • Your name
    • Both the physical mailing address and either a telephone number, email address or web address of the person seeking consent or the person on whose behalf it is sought.
    • A statement that the recipient may unsubscribe at any time.

    Our interpretation of this is as follows:

    If you are simply using the contact information to contact the party about the one specific matter that caused them to initially reach out to you, then you are free to do this provided you do so within 6 months of receiving the original inquiry.  If more than 6 months have passed then you should contact the individual via telephone.  Once you have established a "business relationship" with the party, you can continue to correspond with them up until 2 years following the termination of the business relationship. A business relationship is established by either selling a product or service, making a business deal, or signing a contract with the party

    If you maintain a "mailing list" that is used to send electronic messages about your business or its products or services, then all future messages must contain: i) the ability for the recipient to Unsubscribe, and ii) the identity and contact information of the Sender (the legislation is not clear if this must be an individual or can simply be be "the company" itself.  We have received several "opt-in" messages that do not identify any specific individual so presumably there are lawyers who believe this is acceptable).  According to the legislation, any recipient who has had a "membership" with your organization in the past 24 months has provided "implied consent.  However, we believe that it is better to be "safe than sorry" in this situation and therefore we are recommending that any clients who maintain a "mailing list" should send an "Opt-in" email to each member of their mailing list prior to July 1, 2014 asking the recipient to confirm his willingness to continue receiving correspondence from the firm.  Effective July 1, 2014, we recommend that your electronic mailings should only be sent to those recipients who have provided their express consent by opting-in.  Please note that the iContact system that we use to manage our clients' mailing lists automatically includes the "Unsubscribe" feature and automatically "removes" any recipient who elects to Unsubscribe.

    Here is the process that we plan to follow for our clients who maintain a mailing list:
    • By June 24, we will update the web form on your website so that all new members on or after that date will have provided their Express Consent via a Double Opt-in process.  This means that first they will be required to check a checkbox to submit their information and secondly they will need to reply to a confirmation email that will automatically be sent by iContact.
    • We will create a duplicate copy of your current mailing list as of June 24 in which all of the members will be assumed to be "Unconfirmed".  At this point we will delete your "old" mailing list.
    • On June 24, we will send an "opt-in" confirmation message via iContact to all members of the "new" mailing list.  
    • On July 1, we will delete all the list members who are not confirmed.
  6. In summary, we believe that the steps outlined above will be sufficient for our clients to comply with the new legislation.  If you have a different interpretation please contact me to discuss.


Jim Donovan
1-800-231-1020 x38


1. FAQ prepared by the Federal Government

2. Article about "cookies" by nNovation LLP, a technology law firm

3. June 17 article by Mailchimp (an email marketing company)

4. YouTube video provided by CRTC about the legislation (48 minutes long)

5. FAQ from Constant Contact (an email marketing company)

6. Article in Lawyer Magazine by a Technology Lawyer

7. Article by Miller Thomson

8. Article by Cox and Palmer

Posted under CASL
Back To Blog Index