Canada’s new anti-spam law: Is your mailing list worth $10 Million?

Viktor Kis

Have you heard? The new Canada Anti-Spam Legislation (CASL) is coming into effect on July 1st, 2014, affecting the way Commercial Electronic Messages (CEM) are sent to recipients. These messages include emails, SMS, social media messages and more (a full list of CEMs is available on the Canadian Anti-Spam website). The law also contains rules regarding the (altering of) electronic transmission of information and installing software on devices. In this post, we focus on CEMs and what you can do to comply with the new rules.

By the way, if you aren’t a fan of reading and have 47 minutes and 46 seconds of spare time, this video also explains the anti-spam law.

Why is the new law necessary?

Spam messages are widely thought of as unsolicited emails filling up your inbox that are impossible to unsubscribe from. However, spam can also include activities used to mislead the recipient online and either steal personal or private information, or literally turn your computer into a “zombie” station serving as a resource to large hacker networks without you even knowing it. Here is a top 10 list of all sorts of scams in 2014. Astroturfing or catfishing, anyone?

According to the Cisco 2008 Annual Security Report, Canada was ranked fourth on the Spam by Originating Country list for 2008. That is a shameful statistic by any standard. This law is to the benefit of all of us, let it be businesses, marketers or individuals.

What happens if I don’t comply?

One of the governing bodies of this regulation, the Canadian Radio-television Telecommunications Commission (CRTC) says  “The CRTC will have a number of compliance tools; one such being administrative monetary penalties (AMPs). The maximum AMP is $1 million per violation for an individual and $10 million per violation for entities, such as corporations.”

Well, they say money is the root of all evil, but these are serious numbers. Let’s see how you can avoid these fines!

What do I have to do?

To understand what you need to do, let’s learn about the three requirements regarding the sending of electronic messages as stated by the new regulations:

1. Express consent of the recipient

There are two types of consent: express and implied.

Express consent: a potential recipient takes positive action to subscribe to your electronic messages. This means green light for messages as long as the recipient knows they can unsubscribe or contact you at any time.

Implied consent: a potential recipient provided contact information in order to gain value, like in a pre-existing business relationship between the two parties or handing over a business card. In this context, you can message them only if the content of the message is directly related to the business purpose the contact information was shared for. For example: if you get a card at an online marketing tradeshow, you can send a message about your online campaigns or a special offer related to that. However, you if you want to sell them TVs or cars or your old sofa that would be considered spam.

It is important to note that Canada is setting the bar high by requesting senders to pertain an opt-in consent from recipients (in the US, an option for opting-out is enough to avoid legal woes). This means that the user has to take positive action to initiate the relationship between you and them. It has always been a best practice to require express consent from your list members by asking them to toggle a checkbox or click on a link in an email sent to them.

To Dos:

  • Send out a message to your mailing list (and any other types of lists you may have) before July 1st, 2014 explaining the change and why you need their express consent.

Keep this short and sweet, a few lines about the law and detailing why your messages are valuable to the recipients (great tips, exclusive discounts, interesting articles etc.). Provide a fool-proof way for them to opt-in  linking to a landing page on your site prepared with information and a form. We have provided a best-practice example for this landing page below.

  • Make sure you have a record of the expressed consent stored in a database.

Mass mailing providers like Mailchimp or Constant Contact will have built-in options to make this easy on you. If you aren’t sure how this information will be collected, contact your mail provider or web developer. Oral or written consent are both accepted, either on paper or electronically. If the consent is verbal, it has to be recorded or a third-party has to be able to prove it. For example, a person may request and obtain oral consent in situations where information is collected over the phone (e.g. call centres), or consent may be given at the time that individuals use a product or service (e.g. point of sale purchases).

  • Finally, when asking potential recipients to opt-in, you are required by law to let them know that in the future they have the option to opt-out.


  • You are not allowed to pre-toggle checkboxes implicating that the person would want to opt-in when they submit information. The potential recipient has to take that step themselves.

Toggle noToggle yes


  • Requests for consent must not be bundled with requests for consent to the general terms and conditions of use or sale. You have to have a separate checkbox for message opt-in if you are using the same page.
  • You can add recipients from pre-existing business relationships but can’t send them messages unrelated to the relationship. No funny cat videos or selling vacuums unless that’s your business (and if it is your business, Spark would love to help you with your online campaigns).

2. Identification information

Any parties involved in sending the email have to be named as long as they contributed to your content. Although the regulation is a bit confusing on this topic, in short if you write your email newsletter (or link to content you wrote) then you just name yourself (most companies do this anyway). However if someone contributed to the content of your message you have to name them as well. If for example, an agency like Spark writes your newsletter but you send it out, both parties have to be mentioned.

You are also obliged to provide a physical mailing address where recipients can reach you. You are allowed to place a link in the message leading to your website where contact information is available. And if you’re already linking to the site, a Privacy Policy also comes handy stating how you are using information collected via your website. Take a look at this form showing a best practice for your opt-in form:

best practice opt in form


3. Clear unsubscribe options

Basically, you have to provide clear and easy unsubscribe options. None of those “Check this box if you don’t want us to not unsubscribe you” kind of games.

As set out by the law, the unsubscribe mechanism has to be featured clearly and prominently. It has to be able to be “readily performed,” meaning it must be accessed without difficulty or delay, and should be simple, quick, and easy for the consumer to use. Oh and did I mention it has to be free of charge?



That is all! If you comply with all three points, you are up-to-date with the new legislation.

Fancy more facts?

These are bits relevant to most businesses:

  • Purchased email lists: if you bought an email list (we never think this is a good idea), you are allowed to keep using it as long as your list complies with the rules the new law sets out.
  • Social media messaging: interestingly, liking a page or performing any action indicating interest on social media does not allow you to send messages to your fans and followers. However, because you aren’t messaging them directly, you are just posting on your own channels, this is exempt from CASL. Watch out: if you were to DM someone on Twitter or message a fan of your page on Facebook, CASL kicks in and you have to comply with the rules.
  • Business-to-business (B2B) communications.  You are exempt for CEMs sent within your business, or to businesses that you are in an ongoing business relationship. The messages must be sent by an employee, representative, contractor or franchisee, and be relevant to the business, role, function or duties of the recipients. Similarly exempt are communications sent to third-party business partners, such as marketing agencies, recruiting firms and insurance carriers.
  • Even your personal relationships (friends and family) were considered when sending CEMs. A personal relationship will be determined based on the interests and shared experiences in a two-way communication that happened in the past. If it is a personal relationship, you obviously don’t have to comply.

Finally, are you worried about unsubscribes or people not opting-in? At Spark, we always recommend that our clients and partners maintain a healthy list of recipients by requesting express consent and keeping up with best practices for electronic messaging. A user who doesn’t want to receive your messages anymore most probably won’t become a lead anytime soon, so why bother wasting your efforts? Keep building your list by creating and sharing great content and your mailing list will always be a bountiful resource of prospects.

We spent a lot of time combing through the law. Why should you? If you have any questions about the new Canadian anti-spam law, please call us or let us know in the comments!

Viktor Kis

Running projects during the day and reports at night (yeah we never sleep), Viktor is a Client Manager who fights it out with numbers to get clients the leads they’re looking for.

Newsletter Sign-Up

Share the knowledge!