Implications of Canada's CASL - Toughest Anti-Spam Law the World Has Ever Seen

Susanna Sharpe

Businesses operating in Canada are set to come under one of the toughest anti-spam laws the world has ever seen. While Canada was dragging the chain when it came to introducing anti-spam legislation, it is now making up for lost time. Ottawa's new law — expected to be operational early this year — has severe fines for violations and is viewed by some as too tough.

Known as CASL, the new law aims to crack down on spammers and mailing list companies but in doing so, tightly regulates the way businesses can market to prospective customers via email and online.

In a nutshell, CASL requires a business to obtain consent from the recipient before it sends out commercial electronic messages (CEMs). It isn't limited to email; consent must be given for any electronic message, which could also include messages sent via social media, text messaging, instant messaging, sound or video. If your business operates outside of Canada, you shouldn't assume the Anti-Spam Act doesn't apply to you. If a computer system within Canada is used to send, receive or even route the message, then the law could also apply to you.

It is in requiring consent before an electronic message is sent that the Canadian Anti-Spam Act differs from its American equivalent. The United States' CAN-SPAM Act requires that recipients be given an opt-out option from commercial messages, but under CASL recipients must opt in to receive electronic messages.

The fines for violating the Anti-Spam Act are hefty. The maximum penalty per violation for an individual is CAD $1,000,000 and $10,000,000 for corporations. With potentially crippling fines waiting in the wings for violators, how can you ensure your company is compliant?

The first thing is to be aware of which messages require consent before they are sent. There are a few exceptions, which include personal relationships or when the company is providing requested information. Consent can usually be implied if there is an existing business arrangement of two years or more, or if an email address has been disclosed in the course of business. You can read more about exceptions to CASL here.

If your electronic message doesn't fall under an exception category, then you will need to obtain consent before sending it. The message should also include an unsubscribe mechanism. To ensure compliance, your company should establish procedures to obtain consent for electronic messages and educate staff on the Anti-Spam Act. The most important thing to remember before you press 'send' is that the onus is on your company to prove you received consent.

Do you operate a business in Canada? How do you think the Anti-Spam Act will affect the way you market electronically? Please contribute to the conversation below.

By Susanna Sharpe, Social Media Manager. More blog posts from Susanna Sharpe can also be read here.

Related topics: Email, Law, Policy & Regulation, Spam

Comments

I see from your profile that you operate a business in Australia Suresh Ramasubramanian  –  Jan 18, 2012 10:07 PM PDT

I would therefore encourage you to review the concept of an "australian link" in the Australian Spam Act of 2003 and compare it with the relevant Canadian provisions.

http://www.acma.gov.au/WEB/STANDARD/pc=PC_310321 says, and I quote -

"Under the Spam Act, it is illegal for unsolicited commercial electronic messages that have an Australian link to be sent, or cause to be sent. A message has an Australian link if it originates or was commissioned in Australia, or originates overseas but has been sent to an address accessed in Australia. The legislation sets out penalties of up to $1.1 million a day for repeat corporate offenders."

Great idea! Susanna Sharpe  –  Jan 20, 2012 12:50 PM PDT

Hi Suresh - yes, SilverDane is based in Australia, but we also have a large Canada and USA client base, hence this blog post. Thanks for this link. I will do some research and compare the two. The key with the Canadian legislation is the 'opt in' clause, so I am interested to read whether the Australian law has the same requirement.

Both the Aussie and Dutch laws are explicitly optin Suresh Ramasubramanian  –  Jan 20, 2012 4:38 PM PDT

You need a well informed and competent regulator, a clearly defined set of regulations and engagement with the local ISP and marketing community for antispam laws to succeed.  The Dutch OPTA and the Australian Communication and Media Authority both have these, in spades.

Which is why legitimate marketers do comply with these laws, and find it in their interest, as well as in conformity with widely accepted email marketing best practice, to do so.

The Aussie law is optin and has been since 2003.

http://www.acma.gov.au/WEB/STANDARD/pc=PC_310525

Consent
In Australia, commercial electronic messages sent to you must be sent with your consent. The Spam Act provides for two types of consent – express and inferred.

[Express = you specifically opted in, and Inferred = you have a business relationship with the message sender]

Dutch law too is optin - no “advertisement” can be sent without the explicit prior request of a recipient.  All Dutch citizens now have a website that reviews the Dutch antispam law, and where they report any potential violations directly to OPTA, www.spamklacht.nl

The CASL is definitely in line with regulation in several countries around the world.

Differences between Aus & Canada Susanna Sharpe  –  Jan 20, 2012 7:44 PM PDT

I had a read over the ACMA information. You are right - the Aussie and Canadian laws are similar. I did notice a couple of differences though. Inferred consent under the Australian law doesn't specify a time frame for the relationship between the marketer and email recipient, whereas the Canadian law states that consent can be inferred only when the business relationship has continued for two or more years. This seems to be quite strict.

"In some circumstances, message senders may rely on inferred consent if you have consented to your email address or mobile telephone number being on a marketing database that is sold to businesses." - I didn't notice this exception under the Canadian law.

I found little on Australian spam cases in a search - there appears to have been one and the ACMA has also handed down hefty fines. http://www.caslon.com.au/anzspamprofile4.htm

The view in Canada is that Australia has had success in reducing spam since introducing this law http://www.spamfighter.com/News-17303-Spam-Reporting-Center-Anticipated-as-Canadian-Government-Embarks-Upon-Curbing-Spam.htm

You're right in saying that CASL is just coming into line with other existing regulations. Maybe it is simply a case of Canadian businesses initially being concerned until they learn to operate within its restrictions.

Clarity1 The Famous Brett Watson  –  Jan 20, 2012 9:14 PM PDT

I appeared as a witness in the case against Clarity1 (Wayne Mansfield). This was an unusual case in that Wayne decided to challenge the law head-on. He continued to spam quite brazenly after the act came into law, whereas most other local spammers took the hint and at least went offshore with their activity. My take on the matter is that Wayne thought his prior spamming counted as a business relationship (because he was advertising his business via spam). As you can tell from the size of the fine, the court did not buy into this line of argument.

I have additional notes on the case (from October 2006) here and here.

Note that I have lodged complaints against other companies as well (although not in a while now), but the usual outcome is that the companies shape up their email practices in accordance with recommendations from ACMA, rather than take the matter to court. Wayne fought the law, and the law won.

Is the law effective or not? Susanna Sharpe  –  Jan 23, 2012 5:17 PM PDT

Thanks for sharing your article, it is interesting to get the view of someone who has first-hand experience with the Australian law. In your opinion, has the response to the law been successful? Or could the ACMA take a tougher stance against alleged offenders?

From my perspective the Australian spam act of 2003 is a success Suresh Ramasubramanian  –  Jan 23, 2012 7:41 PM PDT

And it has also served as (and indeed, was intended to serve as) a role model for other countries to base their antispam laws on.

It's effective, all things considered The Famous Brett Watson  –  Jan 24, 2012 12:37 AM PDT

From time to time, I have wished that ACMA would take stronger action sooner. When a party believes that their unsolicited bulk mail is not spamming, they can become a nuisance very quickly. However, my present (and general) lack of anything to complain about reflects well on the law and its enforcement. Note that I only bother lodging complaints where there is an "Australian link" at the sending end: I'm well aware that little can be done about purely international spam, and I let filters deal with it.

Perhaps what's most telling is that I have, for the first time, subscribed to some advertising newsletters in recent years. I don't feel the need to jealously protect my email address any more, or diligently use uniquely tagged addresses when handing them over. I trust ACMA to keep the companies in line, and the trust seems well placed so far. (It also helps that I use a Gmail address.)

Best practices Wout de Natris  –  Jan 20, 2012 2:45 AM PDT

OPTA, the Independent Post and Telecommunication Authority, has been vigorously enforcing the Dutch anti-spam and malware legislation since May 2004. Still, the number of cases started against members of the DDMA, Direct Dialogue Marketing Association, can be counted on the fingers of one hand. I suppose that there will be lessons learned there. Maybe it's an idea to request information from the people of DDMA how they dealt with the coming of the (then) new law, spam as well as telemarketing. E.g. I remember roadshows for members that included OPTA. Here's a link if someone's interested.

Dutch anti-spam law Susanna Sharpe  –  Jan 20, 2012 1:03 PM PDT

Hi Wout, could you please send the link again as it doesn't seem to work for me. You make a very good point. Do you think there are few cases against DDMA because the law is too difficult to enforce or because it doesn't interfere with legitimate digital marketing?

Link fixed Ali Farshchian  –  Jan 20, 2012 1:39 PM PDT

The link problem was due to a format issue in the post, which is fixed now.

As long as legitimate digital marketing is explicitly optin or transactional .. Suresh Ramasubramanian  –  Jan 20, 2012 4:42 PM PDT

I don't see why the Dutch law should affect any legitimate marketer.

If marketers aren't following either of these - if they use optout, coreg, leads etc - they can fully expect to have citizens who receive such email complain to their regulator, and to have some action taken against them as a result.

The enforcement mechanism in all these countries is graded - you get formal warnings etc before fines come into the picture.  Illegal spam techniques such as using bots or hacked servers, stolen customer databases etc may of course attract jail time as well.

Best practices Australia and The Netherlands Wout de Natris  –  Jan 24, 2012 2:14 AM PDT

Responding to the last comment on Australian anti-spam law by The Famous Brett Watson. It looks like this is probably the best qualification and praise on the effectiveness of an anti-spam law, in combination with the efforts of the regulator and the filtering techniques of the ISPs, he could give. Over here in NL we have reached the same situation. There will be a few more countries in the same spot, but not many. Canada will reach that state over the coming years, after the enforcement agencies have proved their efficiency, which they will.

This leads to two quick conclusions.
1. Spam (and with that the basis of a lot of crimes) can be fought successfully through combined efforts.
2. Those involved should start looking at next steps in the form of analyses of data. I'm not ready to contribute in the form of a blog just yet, but those that have followed me over the past year, won't be surprised by its content.
