1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Canada’s Anti-Spam Law (CASL) applies to Software January 15

Earlier this year we told you that Canada’s Anti-Spam Law (CASL) is not just for Canadians.

CASL is also not just about spam.  Effective January 15, 2015, CASL applies to the installation of “computer programs” – software, apps and other programs – on the computer or device of another person.  This affects software vendors, app developers, gaming and entertainment companies, and others that are in the business of providing software to businesses and individuals in Canada.

Like CASL’s spam provisions:

  • the software provisions apply where a Canadian is the recipient - in this case, the recipient of the software, app, or other program;
  • the regime is based on “express consent”, as defined by the legislation; and
  • significant administrative monetary penalties (maximum $10 million) can be levied for non-compliance.

Our overview presentation walks through CASL’s application to computer programs.

Other resources published by the Canadian Radio-television and Telecommunications Commission (CRTC):

, , , , , , ,

Canada’s Anti-Spam Law (CASL) applies to Software January 15

Canada’s Anti-Spam Law – not just for Canadians

Canada’s Anti-Spam Law (CASL) enters into force on Canada Day, July 1. It was passed in 2010 as a “made-in-Canada” solution to “drive spammers out of Canada“.

Are you outside Canada? It’s important to know that this law reaches beyond Canada’s borders. CASL is already affecting businesses in the United States, Europe and elsewhere as they change their communications practices to send emails and other “commercial electronic messages” into Canada.

As we described in our presentation Comparing CASL to CAN-SPAM, the new law applies to messages that are accessed by a computer system in Canada. That means that messages sent by a person, business or organization outside of Canada, to a person in Canada, are subject to the law.

CASL expressly provides for sharing information among the Government of Canada, the Canadian CASL enforcement agencies, and “the government of a foreign state” or international organization, for the purposes of administering CASL’s anti-spam (and other) provisions. The MOU among the Canadian CASL enforcement agencies (see also our earlier post) similarly references processes to share and disseminate information received from and provided to their foreign counterpart agencies.

In a speech yesterday, the Chair of the Canadian Radio-television and Telecommunications Commission, Jean-Pierre Blais, emphasized the CRTC’s cooperation with its international counterparts to combat unlawful telemarketers, hackers and spammers that “often operate outside our borders“. The Chairman specifically named “the Federal Trade Commission in the U.S., the Office of Communication (OFCOM) in the U.K., the Authority for Consumers and Markets in the Netherlands, the Australian Communications and Media Authority and others”, and noted that the CRTC has led or participated in many international networks on unlawful telecommunications.

Companies should also take note that a violation of CASL might also result in the CRTC exercising its so-called “name and shame” power, by posting the name of the offender and the violation on its online compliance and enforcement list. The CRTC has for years published notices of violation with respect to its “Do Not Call List”, and is expected to take a similar approach for CASL notices of violation as well.

Companies that are working on their CASL compliance programs should take note of the CRTC’s recently published Anti-Spam Compliance and Enforcement Guidelines. A very helpful summary by Tim Banks, with a link to the Guidelines, is available here.


Canada’s Anti-Spam Law – not just for Canadians

New Canadian Anti-Spam Compliance and Enforcement Guidelines

The Canadian Radio-television and Telecommunications Commission (CRTC) has issued new Compliance and Enforcement Guidelines for Canada’s Anti-Spam Legislation (CASL) which will come into force in stages beginning July 1, 2014.

Why is a Compliance Program Important?

A compliance program is a critical element in establishing a due diligence defence to a violation of CASL. The CRTC may take into account an organization’s compliance program in exercising discretion to take enforcement action and in terms of the size of any administrative monetary penalties imposed. Although the Guidelines are late in coming given that the implementation of this complex legislation is coming into force in days, the Guidelines are helpful in understanding what the CRTC considers to be a compliance program and what an organization may need to do to establish due diligence as a defence.

Compliance Programs are Not One Size Fits All.

The CRTC recognizes that compliance programs need to be tailored to the size and resources of a business. The CRTC expects larger organizations to implement more of the elements of a compliance organization than small and medium size enterprises (SMEs). Nevertheless, SMEs are not “off the hook”.

Anti-Spam Compliance Officer

The CRTC wants to see senior management involved in fostering a culture of compliance. It appears that the CRTC would like to see a senior leader in larger organizations named as a “Chief Compliance Officer” with responsibility and accountability for the development, management and execution of a CASL compliance program. In SMEs, a point-person who is responsible or accountable would be appropriate.

Among the duties of a Chief Compliance Officer or point-person is to ensure that a risk assessment for violations of the legislation. This should include an inventory of business functions and the types of communications they send. Dentons recommends paying particular attention to ensuring that “private lists” outside of the corporate client relationship management system and the use of external vendors and employee-sourced tools be reviewed carefully for the risks that they present.

Compliance Policies

Organizations should develop policies tailored to the particular compliance risks of the organization and updated frequently to address new issues, products or services. The CRTC suggests that a compliance policy might address the following points:

  • establish procedures to comply with CASL
  • provide for training on CASL and the policy
  • include auditing and monitoring mechanisms to establish compliance
  • address rules for using third parties to ensure compliance (e.g. contractual and other means)
  • provide for record keeping, especially with respect to consent
  • provide for reporting issues to the Chief Compliance Officer or point person

Record keeping

Record keeping is one of the thorniest issues with respect to CASL. It is a significant burden on organizations to track consent and exceptions to consent in an opt-in anti-spam model. By contrast, an opt-out model (had Canada chosen that route) would have imposed much less burden.

The CRTC has set a high record-keeping threshold. Among the most important points relating to CASL, the CRTC has said organizations should keep the following records:

  • CASL policies and procedures
  • all unsubscribe requests and actions
  • evidence of express consent (audio recordings or forms) by consumers who agree to be contacted via a commercial electronic message
  • commercial electronic message recipient consent logs
  • commercial electronic message scripts
  • actioning unsubscribe requests for commercial electronic messages.
  • campaign records
  • staff training documents

It is unfortunate that the CRTC has returned to suggesting audio logs of express consent. This is impractical. It is also highly intrusive of personal privacy and at odds with an organization’s obligations under Canada’s privacy legislation. A record created in the ordinary course of business that is logged and time stamped should be sufficient. However, organizations are advised to consider the CRTC’s position and seek guidance.


There are no surprises with respect to training. Organizations are expected to provide on-going tailored training with respect to CASL and the organization’s policies and procedures. Training should include refresher programs.

The CRTC suggests that employees provide written acknowledgement that they understand the corporate compliance program. The effectiveness of the training should be evaluated and the organization should monitor and enforce compliance. The CRTC suggests that effective training programs should include the following:

  • CASL requirements
  • potential liabilities
  • the organization’s policies and procedures
  • background information on CASL and the CRTC’s Rules

Non-compliance must be taken seriously. A disciplinary code should include CASL violations. Escalating discipline from refresher training to other more serious action should be included for non-compliance. The CRTC recommends retaining records of contraventions and the response. Dentons recommends seeking legal advice on these issues as they have a number of serious employment law and litigation implications, particularly in view of the private right of action included in CASL.

Audits, Monitoring and Complaints

Organizations are expected to have a system in place to audit and monitor compliance with CASL. Audits do not necessarily have to be conducted by third parties. However, they should include testing a statistically significant percentage of the organization’s telephone or email marketing campaigns. The results of the audit should be retained. Senior management is expected to respond to any deficiencies that are exposed by the audit.

In addition, an organization’s Chief Compliance Officer or point person in the case of a SME, is expected to respond to and resolve CASL-related complaints if they occur. Dentons recommends that procedures for handling and escalating complaints should be included in corporate policies and communicated externally.

The CRTC’s Compliance and Enforcement Information Bulletin CRTC 2014-326 can be found here.


New Canadian Anti-Spam Compliance and Enforcement Guidelines

How Canada’s Anti-Spam Enforcers will Cooperate, Coordinate, Share Information

Canada’s Anti-Spam Legislation (CASL) brings with it new legal violations and penalties, some of which become effective as of July 1, 2014.   The Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada will have new enforcement roles with respect to these violations and penalties, in the following areas:

CRTC: spamming, traffic rerouting (altering transmission data without authorization);  malware (installation of “computer programs” without consent)

Competition Bureau: fraud (false and misleading representations online, e.g. websites and addresses)

Office of the Privacy Commissioner: harvesting (using computer system to collect addresses without consent); invasion of privacy (unauthorized access to computer system to collect personal information without consent).

On January 23, 2014, the Competition Bureau announced that it had entered into a memorandum of understanding (MOU) with the Office of the Privacy Commissioner of Canada and the CRTC the regarding the implementation of their mandates under CASL.  The MOU is dated October 22, 2013.

Nature of the MOU

The MOU fleshes out the already detailed CASL provisions on “consultation and disclosure of information” among the agencies, and with foreign states.  The provisions of CASL itself, and the requirements of the MOU, suggest that all concerned are aware that coordination will not be an easy task.  For example, CASL requires the agencies to provide the Minister of Industry with “any reports that he or she requests” on how they are co-ordinating efforts on their mandated areas.  The MOU requires agency officials to meet “at least quarterly” to discuss enforcement activities and any other matters “of mutual interest” relating to CASL.

While the MOU is not intended to be legally binding or enforceable by the courts, it does represent these three agencies’ agreement on how they intend to co-ordinate their responsibilities.  Among other things, that will affect how each agency’s staff will approach their enforcement activities on the ground.


Each agency will notify the others with respect to enforcement activities – including the conduct under investigation and CASL provisions at issue – that ”may potentially affect” the others’ interests under CASL.

Enforcement Cooperation, Coordination and Information Sharing

The agencies will consult with each other, and may share information related to their enforcement activities.  Where those activities potentially overlap, they will “seek to coordinate their efforts”, whether jointly or alongside one another.  The agencies will also coordinate involvement in information requests and arrangements with foreign agencies.  Once the Private Right of Action (PRA) becomes effective as of July 1, 2017, when an agency is informed of a PRA initiated by a third party, that agency will notify the others.

Criminal Law Enforcement by the Commissioner of Competition

The Commissioner of Competition has authority under CASL to pursue enforcement activities under CASL’s criminal provisions.  Under the MOU, the Commissioner is to notify the other agencies where a decision has been made on that front.  That will in turn halt any cooperation and information sharing among the agencies on that enforcement activity.

Competing interests and Confidentiality

The MOU is not intended to override an agency’s obligations under existing laws, including the Access to Information Act.  This extends to sharing information.  Agencies will make “best efforts to share what information they can, consistent with their interests and legal obligations”.  The agencies commit to maintaining confidentiality of information received from another agency “to the fullest extent allowed by law”, and will use that information only for enforcement activities under the MOU – unless the agency that provided the information agrees to the use of the information for other purposes.


The MOU is another indication, in a long line of communications, guidelines, and statements, that the implementation process for CASL will be very new territory, not only for stakeholders, but for the enforcement agencies themselves.

, ,

How Canada’s Anti-Spam Enforcers will Cooperate, Coordinate, Share Information

6 Month Countdown to Canada’s Anti-Spam Legislation (CASL)

Canada’s Anti-Spam Legislation (CASL) has been a long time coming.  The Government of Canada announced today that most of CASL’s provisions will enter into force on July 1, 2014.  That will be 10 years from the time the Government of Canada launched its Anti-Spam Action Plan. 

In recent years, a steadily increasing number of organizations within and outside Canada have been monitoring CASL’s status.  Among the reasons:  CASL is a new regime, contains a private right of action,  provides for significant administrative monetary penalties (maximum $10 million), and is broader in scope than the anti-spam laws of the US and other countries.  Some organizations have already begun to take steps and adopt practices intended to allow them to comply with CASL.

As of today, with the publication of the long-awaited Industry Canada Regulations, the CASL “rulebook” now includes the following legislation, regulations and guidance documents.  

Affected organizations will be relying on certain limited provisions under CASL to phase in requirements, intended to allow businesses to get ready and to adjust to the new regime.  These include the 6-month “implementation period” until July 1, 2017, and the 3-year “transitional period” until July 1, 2017, during which existing business relationships will be grandfathered, for consent purposes. 

While the above provide a bit of breathing room, there is a great deal to be done for organizations affected by CASL.  This may involve: auditing online communications processes, contact lists, and database practices; updating forms and procedures that document consent; updating customer service processes; reviewing and updating contracts that deal with third-party communications; and providing information and training for employees, management and the Board of Directors.  Affected organizations should proceed with their review and compliance work as soon as possible. 

We will be updating this blog regularly with posts on compliance tips and new developments.  You may be interested in the Slideshare presentation Comparing CASL to CAN-SPAM, which summarizes how the Canadian and US anti-spam regimes differ, considering their respective scope, standard of consent, application, and penalties.

, ,

6 Month Countdown to Canada’s Anti-Spam Legislation (CASL)