What is CASL?
CASL is the working name for the Government of Canada’s new anti-spam law. The initials stand for Canada’s Anti-Spam Legislation. However, the new Act does not only apply to spam. It regulates all commercial electronic messages (CEMs) that businesses and organizations send out. It also covers other electronic threats such as the installation of computer programs and the alteration of transmission data without express consent, and the installation of malware, such as computer viruses.
Last Reviewed: June 2014
Who is in charge of regulating CASL?
CASL is regulated by the Canadian Radio- television and Telecommunications Commission (CRTC), the Competition Bureau and the Privacy Commissioner of Canada. Primary responsibility for regulation and enforcement rests with the CRTC.
Last Reviewed: June 2014
Does CASL apply to registered charities and not-for-profit organizations?
Yes. All of the provisions of CASL apply to not-for-profit organizations. There is an exception for registered charities but it is very narrow. A commercial electronic message (CEM) sent by a registered Canadian charity for the “primary purpose of raising funds” is excluded from the requirements of CASL. All other CEMs sent by registered charities must comply with the Act. Also, this narrow exception does not apply to Registered Canadian Amateur Athletic Associations (RCAAAs).
Last Reviewed: June 2014
What is a commercial electronic message?
A Commercial Electronic Message is any electronic message, such as emails, newsletters or information bulletins that encourage participation in a commercial activity whether or not there is an expectation of profit.
Last Reviewed: June 2014
What is a commercial activity?
The Act defines a “commercial activity as “any particular transaction, act or conduct that is of a commercial character whether or not the person who carries it out does so in the expectation of profit.” Some examples include donation requests contained within a newsletter or advertising and promoting a charitable fundraiser or lottery.
Last Reviewed: June 2014
What are the requirements for CEMs to meet CASL’s provisions?
After the Act comes into force, CEMs can only be sent to recipients who have previously consented to receive them (with a few exceptions). The CEM must:
- After the Act comes into force, CEMs can only be sent to recipients who have previously consented to receive them (with a few exceptions). The CEM must:
- clearly identify the name and address of the sender, and either a telephone number, or an email or web address;
- include a statement that the recipient may withdraw consent at any time and must include a mechanism for the recipient to opt out of receiving any further messages. This is called an unsubscribe mechanism;
- contain a readily available unsubscribe mechanism, which the CRTC defines as “a link in an email that takes the user to a web page where they can unsubscribe from receiving all or some types of CEMs from the sender
- the name and address of the sender, and either a telephone number, or an email or web address;
- include a statement that the recipient may withdraw consent at any time and must include a mechanism for the recipient to opt out of receiving any further messages. This is called an unsubscribe mechanism;
- contain a readily available unsubscribe mechanism, which the CRTC defines as “a link in an email that takes the user to a web page where they can unsubscribe from receiving all or some types of CEMs from the sender
Last Reviewed: June 2014
When does the Act come into force?
Most of the Act comes into force on July 1, 2014. On January 1, 2015 the sections dealing with the unsolicited installation of computer programs come into force and on July 1, 2017 it will be possible for consumers to sue in their own names for violations of the Act.
There will be time for charities and not-for-profits to transition into compliance with the Act with regard to obtaining consent. There is a 3-year transition period from July 1, 2014 during which time consent is implied in cases of pre-existing business and non-business relationships. However, the transition period ceases as soon as a recipient indicates that he/she does not want to receive further messages.
Last Reviewed: June 2014
How does our organization obtain express consent?
Requests for express consent may be oral or in writing. “In writing” includes both paper and electronic forms of writing. Note however, that after July 1, 2014, an electronic message asking for express consent will, itself, be a CEM, so that after this date, these can only be sent to people or organizations with whom you already have an implied consent relationship. Requests for express consent must set out:
- The purpose or purposes set out “clearly and simply” for which the consent is sought;
- The name of the person asking for consent and the name of the person on behalf of whom consent is asked, if they are different;
- The mailing address and either a telephone number providing access to a voice messaging system, an email address or a web address of the person asking for consent, and if different, the person on whose behalf consent is asked; and
- a statement indicating that the recipient can withdraw consent at any future time by using the contact information.
Note that the CRTC has published two information bulletins that provide its interpretation of the requirement to obtain consent. (for links see the Additional Resources list)
Last Reviewed: June 2014
How does an organization prove that it has obtained express consent?
The onus is on the senders of CEMs to prove that they have consent. A CRTC Guidance Bulletin states that an acceptable means of obtaining consent would be an icon or an empty toggle box that needs to be actively clicked or checked. The date, time, purpose, and manner of the consent should be stored in a database. An opt-out mechanism and pre-checked boxes are not sufficient. The CRTC suggests that following the receipt of express consent, confirmation of the receipt should be sent to the person whose consent was being sought.
Last Reviewed: June 2014
How does an organization prove oral consent?
CRTC guidelines state that oral consent can be proven by verification by an independent third party, or where a complete and unaudited audio recording of the consent is kept by the person seeking consent or a client of the person seeking consent. Examples of obtaining oral consent could be the use of call centres or point of sale purchases.
Last Reviewed: June 2014
What is implied consent?
Consent can be implied if the recipient of the CEM has:
- conspicuously published their electronic address (e.g. a “contact us” button on a website) and
- has not stated that they do not want to receive unsolicited CEMs; and
- the message is relevant to their business, duties or functions;
- provided contact information to the sender , for example by giving the sender their business card;
- for registered charities, if the recipient has made a donation or performed volunteer work within the previous two years;
- for not-for-profits, if the recipient has been a member of the organization within the previous two years;
- within the previous two years, purchased, leased, bartered a product, goods, services, land or an interest in land; accepted a business, gaming or investment opportunity offered by the sender; or entered into a written contract with the sender.
Last Reviewed: June 2014
What if our registered charity has already obtained consents under the Personal Information Protection and Electronic Documents Act (PIPEDA? Is that sufficient to meet the requirements of CASL?
In most cases, the consents obtained from donors, volunteers, subscribers and members under PIPEDA will not be sufficient to comply with CASL. These consents were often obtained through opt-out mechanisms, where the recipient agreed to receive information from a registered charity or to share their information with 3rd parties unless they opted out from doing so. Opt-out mechanisms are not allowed under CASL.
Last Reviewed: June 2014
Are there any CEMs that are exempt from CASL?
Yes, there are quite a few exceptions. Some examples include CEMs sent to:
- someone with whom the sender has a personal or family relationship;
- employees of the same business or organization and the content is about the recipient’s role within the organization;
- between businesses or organizations that have an existing relationship and the content is about the recipient’s role;
- sent in response to a request, inquiry or complaint;
- sent by a political party for the primary purpose of soliciting funds.
There are also some CEMs that are partially exempted from CASL. These include CEMs sent to:
- provide warranty, product recall or safety information about a product, goods or services the recipient has purchased or used;
- provide ongoing information about a subscription, membership, or loan;
- provide information directly related to an employment relationship or a related benefit plan affecting the recipient; and
- provide upgrades or updates on products, goods or services the recipient may be entitled to.
These CEMs must still comply with the CASL requirements for identification of the sender and the provision of an unsubscribe mechanism.
For registered charities, the most important exception is contained in the Regulations (paragraph 3 (g)) to CASL, which states that there is an exception for a CEM “that is sent by or on behalf of a registered charity as defined in subsection 248 (1) of the Income Tax Act and the message has as its primary purpose raising funds for the charity. Unfortunately for charities, what exactly is meant by “primary purpose” and if there is a difference between the Income Tax Act’s definition of” raising funds” and CASL’S use of the term “fundraising” is not clear at this time. The charitable and not for profit sector hopes that this confusion will be cleared up soon.
Last Reviewed: June 2014
What are the penalties if a registered charity or not-for-profit violates CASL?
The penalties can be quite severe. There can be fines of up to $l million per violation for individuals and up to $10 million for organizations. Also, board members can be held liable for the actions of an organization’s employees, and officers and directors of a corporation can be held liable for wrongful acts done by a corporation. Also, beginning in 2017, recipients of unwanted CEMs will have the ability to bring a private right of action against the sender, with up to $1 million in damages per individual.
Last Reviewed: June 2014
How does someone report an unsolicited and unwanted CEM?
Consumers, businesses and other organizations will be able to report CEMs sent without consent or containing fraudulent or misleading information to the Spam Reporting Centre at fightspam.gc.ca once CASL comes into force on July 1, 2014.
Last Reviewed: June 2014