A Guide to Canadian Anti-Spam Compliance

By Julian Dobre

Primer on Canadian Anti-Spam Legislation (CASL)

Canadian Anti-Spam Legislation (“CASL” or the “Act”) is a regulatory framework designed to protect Canadians from the misuse of digital technology, including identity theft, phishing, malicious software, and unsolicited marketing. Businesses that market their products and services to Canadians are caught in the anti-spam framework and must learn to navigate it. CASL is very easy to breach. If your business uses digital marketing, you need a plan to avoid significant monetary and other penalties.

CASL is only concerned with consent. It is otherwise uninvolved when it comes to the substance or content of digital advertisements. As discussed by the Federal Court of Appeal in 3510395 v Canada (Attorney General) (2020), CASL does not protect consumers from any unfair business practices beyond the sending of unsolicited commercial messages. Once the consent requirements are satisfied, as far as CASL is concerned, businesses are at liberty to send Commercial Electronic Messages (“CEMs”) at will.

The penalties for breaching CASL are severe. Violations can result in Administrative Monetary Penalties of up to $10 million CAD per violation for a business or $1 million per violation for an individual.

CASL Compliance at a Glance

To comply with CASL, a business that sends Commercial Electronic Messages to Canadians must:

  1. obtain consent;
  2. provide their business’ identification information for withdrawal of consent; and
  3. include an unsubscribe mechanism.

What is a Commercial Electronic Message (CEM)?

Defined in article 1 of the Act, a CEM is an electronic message that hyperlinks to content on a website or other database that reasonably has as its purpose to encourage the recipient to engage in a commercial activity. A CEM may include an electronic message that offers, advertises, or promotes:

  1. the purchase, sale, barter, or lease of a product, good, service, land, or an interest or right in land; or
  2. a business, investment, or gaming opportunity.

Consent Requirement

Without consent, a CEM is considered an Unsolicited Electronic Message, as prescribed by article 6 of the Act. It is prohibited to send a CEM unless the person to whom the message is sent has consented to receive it, whether that consent is express or implied.

Whether express or implied consent has been obtained is determined by a number of factors, including the sender’s familiarity with and proximity to the recipient and the relevance of the message to the recipient’s business or official role or capacity.

Express Consent is obtained for the purposes of article 10 of the Act, only if, when requesting consent, the sender sets out clearly and simply the following information:

  1. the purpose for which the consent is being sought; and
  2. the prescribed Business Contact Information of the seller.

Implied Consent is obtained for the purposes of article 9 of the Act if at least one of the scenarios below is found to be true:

  1. the sender has an existing business or non-business relationship with the recipient; or
  2. the contact information was published by the recipient online without a statement that they don’t want to receive a CEM, and the message is relevant to them.

Contact Information Requirement

To comply with CASL, a business must accompany any request for express consent with the following information:

  1. a description of the types of messages that will be received and the purposes for which consent is being sought;
  2. the legal name of the person or organization requesting consent;
  3. the mailing address, telephone number, email address and/or web address of the person or organization seeking consent; and
  4. a statement indicating that consent may be withdrawn at any time.

Unsubscribe Mechanism Requirement

Any business sending a CEM must include an unsubscribe mechanism to comply with CASL. It must be easy to use and must not require an unreasonable number of steps. Don’t be the business that makes it purposely difficult to unsubscribe. If the recipient must complete more than two steps to unsubscribe, it is not easy enough.

Article 11(1) of the Act sets out requirements for the unsubscribe mechanism. Its requirements include enabling the recipient of a CEM to indicate, at no cost to them, that they no longer wish to receive any CEMs from the sender. The unsubscribe mechanism must further specify an electronic address, or a link to a page on the internet that can be accessed through a web browser, to which the request to unsubscribe may be sent.

11 tips for CASL Compliance

The following 11 tips cannot substitute for the advice of a knowledgeable lawyer, but can help businesses evaluate their own practices and identify deficiencies:

  1. Don’t Use Hyperlinks. If the definition of a CEM is an “electronic message that hyperlinks to content…” there is seemingly a gap for marketing content that has no hyperlinks. If it’s not a CEM, it’s not covered by CASL. You may consider going back to the days before embedded hyperlinks, where URL text was copied and pasted right onto the page. You should further consider removing the links from your social media icons as this could make your message a CEM.
  2. Use email distribution software. Third-party software like MailChimp and Constant Contact (for those banned from MailChimp) makes CASL compliance easier. MailChimp adds CASL ‘guard rails’ that help you to avoid breaching the rules. While MailChimp’s AI will scan the emails you’re trying to send and flag them if there’s a problem, care should still be taken to ensure CASL compliance with each marketing campaign.
  3. Opt-in, not out. It’s a CASL faux pas to pre-check the consent box. This puts the onus on the user to take action to indicate that he or she does not consent. CASL instead wants the user to indicate he or she does consent. Accordingly, express consent cannot be obtained through opt-out consent mechanisms; only yes means yes.
  4. Use forms and user submissions to get express consent. Express consent is obtained when the recipient has clearly agreed to receive a CEM. The recipient must take some proactive action to indicate their express consent, such as by joining your mail list. Consent should be requested in any instance where the user provides a submission to the website, such as in contact requests, user registrations, form submissions, comments, polls, or surveys.
  5. Don’t rely on partially completed forms. A website form can track anything a user types into a field, whether they submit the form or not. Many users partially fill out a form and then change their mind, usually when they see that payment or extensive personal information is required. While the CASL Commission has stated that entering an email into a field may indicate consent, there is little guidance on whether typing an email into a field and then not submitting the form will constitute consent.
  6. Use software to create your consent form. Use software such as Microsoft Forms or SurveyMonkey to create a form request for express consent and send this to your recipient of choice. Make sure to include the CASL requirements, including a clear opt-in, the required business contact information, and the unsubscribe mechanism. In some instances, your third-party email distribution software may have an integration with your form software, in which case the consent will be applied directly to the emailing software. If there is no integration, you may use the recipient’s form submission as proof of consent if the email software company asks for it.
  7. Your Christmas email may be a CEM. It is clear that sales emails and advertisements are CEMs. But communications that aim to build rapport and keep clients up to date with your business, such as your company Christmas email, may not be. If the goal of your email is to promote the sale of your products or services, then it is possibly a CEM. Consent may be implied by the nature of your relationship with the recipient, and the message must be relevant to them.
  8. Be wary of time limitations. If a recipient asks to stop receiving CEMs, you must respect their request and stop sending them within ten business days. Once you have obtained express consent, you are able to send CEMs until the recipient notifies you that they no longer wish to receive them. On the other hand, there is a time limit attached to the life of implied consent of typically two years.
  9. Public information is fair game. The CASL guidelines explain that if the recipient made their email address conspicuously publicly available by publishing it on a website, there is implied consent. Note that the publishing of their email must not be accompanied by a statement that they do not wish to receive CEMs, and any CEM must still be relevant to them commercially. So, does that mean you can send CEMs to strangers’ emails you find online? Maybe, if it’s relevant to them, and they didn’t ask you not to.
  10. Put it in the TOS. While this may not be enough to ensure CASL compliance, your Terms of Service and privacy policy should clearly state things such as your methods of data collection, what the data is used for, and a statement that any email submitted to one of your websites’ forms will be added to your mail list. Don’t let the user submit any personal information without first checking a box confirming they have read and consent to your TOS and privacy policy.
  11. Keep good records. If dealing with a CASL compliance issue or investigation, you should be prepared to produce the following records:
      • commercial electronic message policies and procedures;
      • all contemporaneous unsubscribe requests and resulting actions;
      • all evidence of express consent (e.g. audio recordings or completed forms) from consumers who agree to receive commercial electronic messages;
      • commercial electronic message recipient consent logs;
      • commercial electronic message scripts;
      • CEM campaign records;
      • staff training documents;
      • other business procedures; and
      • official financial records.

Additional CASL Resources

For more information on CASL requirements and prohibitions, please see CASL’s anti-spam page for existing FAQs and information bulletins.

You may also have obligations relating to the collection, use and disclosure of electronic addresses under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), including with respect to address harvesting. For more information on PIPEDA, as well as address harvesting, please refer to the website of the Office of the Privacy Commissioner of Canada and the OPC Address Harvesting E-Guide.


Julian Dobre is a lawyer at Donna Purcell QC Law who practices Corporate, Entertainment, Internet & Social Media, and Technology & Innovation Law.


This article is of an informational nature only and should not be relied upon as business, legal, or other professional advice. It is not exhaustive of the possible rights or remedies available to you. Laws may change over time and those listed above may not be up to date. This article and all materials provided are not intended to be relied upon without further consultation. Readers should consult a legal professional for specific advice in any particular situation. Please Contact Us to set up a consultation. Please see our Terms of Service for more information.
