Become the King (or Queen) of CASL

Oct 16, 2017


There’s a lot of love-hate for Canada’s anti-spam legislation (CASL, for short).

As a consumer, it’s pretty great. No more spam, right? If you’re an organization that sends electronic messages related to “commercial activity”, i.e anything, it’s a real pain in the A.

Which is why we’re here to help.

But before we get into the nitty-gritty of one of the world’s toughest anti-spam laws, let’s look at a few key terms you should be familiar with. So here it is, our CASL glossary. Feel free to refer to it if and when something slips your mind.


Commercial Electronic Message (CEM): CEMs are anything that encourages the recipient to participate in commercial activity. So, what’s commercial activity, you ask? Straight from CASL’s FAQ:

  • offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
  • offers to provide a business, investment or gaming opportunity;
  • promoting a person, including the public image of a person, as being a person who does anything referred to above, or who intends to do so.

Image Courtesy of the CRTC

Image Courtesy of the CRTC

Like I said above: pretty much any email you, an organization, would send out is covered under CASL. That’s why it’s important to make sure you’re always CASL-compliant. If not, you could be fined by the CRTC by up to $10 million per infraction. That’s a lot of loot. And definitely not worth the gamble. So like they say: better safe than sorry.

Express Consent: Of the two “consents”, this one’s easy-peasy. It’s when a person has explicitly agreed, either orally or in writing, to receive CEMs. Typically, this happens through some kind of opt-in mechanism.

Remember: you can’t pre-check boxes to toggle a recipient to opt-in. They have to do it themselves. Once someone expressly consents to receiving CEMs, you can email them to your heart’s content for as long as you’d like, unless they decide to opt-out, in which case, bye-bye.

Implied Consent: This one can be a bit confusing. A good way to think about implied consent, at least in a general way, is that it comes from a pre-existing relationship between an organization and a recipient. There are four situations that imply consent, so let’s get more specific.

Conspicuous publication: someone’s address is published in plain sight, either online or in a publication. Important note: if their address specifies that they do not want to receive CEMs, you can’t send them one. Let’s say you find someone’s email address on their Twitter profile and attached to the byline of a blog they wrote. If in one of these instances they request not to receive unsolicited emails, then you have to respect that.

Disclosure: someone gives you their address; for example, a business card.

If someone conspicuously publishes or gives you their address, you have implied consent, but only to send them CEMs that relate to their line of work. In other words, your CEMs must be directly relevant to them.

Existing Business Relationship: someone who has already made an inquiry, transaction, an application or written contract for purchasing or bartering goods, products, or services.

Existing Non-Business Relationship: someone who is a member of your organization, has volunteered or provided you with a gift or donation.

Generally, implied consent is time-limited to two years (six months, if someone has made an application or inquiry to a business). This means you need to track all your consents and have records for each. The onus is on you to provide evidence that consent has been given in ALL instances. CASL’s Guidance on Implied Consent accepts the following as acceptable records:

  • commercial electronic message policies and procedures;
  • all contemporaneous unsubscribe requests and resulting actions;
  • all evidence of express consent (e.g. audio recordings or completed forms) from consumers who agree to receive commercial
  • electronic messages;
  • commercial electronic message recipient consent logs;
  • commercial electronic message scripts;
  • CEM campaign records;
  • staff training documents;
  • other business procedures; and
  • official financial records.

Image Courtesy of the CRTC

Image Courtesy of the CRTC

The Anatomy of a CASL-Compliant CEM

Now that we’re clear on CEMs and the different types of consent you need before sending out a message, let’s take a look at how you can guarantee your commercial electronic messages are CASL-compliant. Each CEM must contain three things: (1) consent, (2) identification, and (3) an unsubscribe mechanism. We’ve already discussed consent, so let’s break down the final two.

Anyone who plays a material role in your CEM must be identified to the recipient. In instances where you’re sending out a message on behalf of a large group of people, it’s okay to link to a webpage identifying those people. Whatever the case, the rule is fairly intuitive. Be clear who the sender is.

Finally, all CEMs must have an unsubscribe mechanism should a recipient want to opt out of receiving future messages. This one’s self-explanatory. If your CEM has consent, either express or implied, identifies who the sender is, and contains an unsubscribe mechanism, it’s good to go.

Image Courtesy of the CRTC

Image Courtesy of the CRTC

Who’s Exempt?

Not everyone has to be CASL-compliant. If you’re:

  1. a political candidate,
  2. a political party, or
  3. a registered charity sending a commercial electronic message “that is sent by or on behalf of a registered charity as defined in subsection 248(1) of the Income Tax Act and the message has as its primary purpose raising funds for the charity”;

CASL doesn’t apply to you. CASL also doesn’t apply in the following circumstances:

  1. Personal/family relationships
  2. B2B communications between organizations with an existing relationship
  3. Employer communications: if you are seeking employment, seeking a candidate, or any messages sent within an organization relating to employment content
  4. Transactional reference: electronic receipts or shipment details

Who Isn’t Exempt?

Everyone, unfortunately (or fortunately, depending on who you ask).

That means if you’re an individual, business, or professional organization, you need to be mindful of your external communications.

Another thing to consider: social media. The same consent rules apply to any CEMs you might send via Facebook messenger, Twitter’s direct messages, or LinkedIn’s InMail. And “Likes” do not imply consent, either, neither does someone accepting an invitation to connect.

While the CRTC hasn’t pursued anyone for social media infractions since CASL was implemented July 1, 2014; it only just fully came into effect July 1, 2017. Something to consider. This can make things extremely difficult for your outbound communications, but not impossible.

Now What?

Knowing the ins and outs is just the beginning when it comes to CASL. Next week we’re going to explore best practices to securing express consent from each of your prospects and tools you can use to track implied consents. Pretty soon you’ll be the King (or Queen) of CASL.

Remember: if you have serious legal concerns regarding Canada’s anti-spam legislation, consult a lawyer!

Other Blog Posts