Wendy J. Wagner
Partner
Co-leader, National Cybersecurity & Data Protection Group
Guide
41
This chapter focuses both on the requirements for sending electronic messages under CASL and the requirements regarding express consent for the unsolicited installation of computer programs, which came into effect on January 15, 2015. Canada's Anti-Spam Legislation, or CASL for short, came into force on July 1, 2014. It is one of the most prescriptive and punitive anti-spam laws anywhere in the world. With penalties of up to $10 million, CASL compliance has become a priority for anyone doing business in Canada.
In 2020, the constitutionality of CASL was challenged before the Federal Court of Appeal. However, following a thorough review of CASL's purposes and effects, the Court unanimously upheld the legislation as a valid exercise of Parliament's power over general trade and commerce affecting Canada as a whole (pursuant to section 91(2) of the Constitution Act).
With respect to spam, CASL imposes two primary obligations. First, CASL prohibits the sending of unsolicited commercial electronic messages. This means that, subject to certain exceptions, before sending an electronic message that encourages participation in a commercial activity - including most standard promotional or advertising emails and texts - the sender must have either the express or implied consent, as defined under CASL, of each recipient. Second, even where consent exists, CASL requires commercial electronic messages to contain certain disclosures and an unsubscribe mechanism. This chapter briefly reviews the essential requirements of the legislation.
CASL's computer software provisions are aimed at preventing the installation of unauthorized malware and spyware computer programs; however, they have varying degrees of impact on all types of software applications. Section 8 of CASL requires express consent to install a computer program on another person's computer system in Canada during the course of commercial activity. Enhanced disclosure and consent requirements apply where the software performs certain prescribed functions.
CASL applies specifically to "commercial electronic messages." A CEM is defined as any message sent to an "electronic address" that has as its purpose, or one of its purposes, the encouragement of participation in a "commercial activity." This includes, but is not limited to, messages that:
An electronic message that requests the recipient's consent to receive further electronic messages is itself a CEM and, as such, may only be sent with prior consent.
To constitute a CEM, the message must be sent to an "electronic address" by any means of telecommunication. This includes email, texting, instant messages, messages to telephone accounts, or messages sent to any "similar account", such as certain forms of social media messaging or other digital messaging systems where a message is sent by one person to one or more specific electronic addresses. However, CASL does not apply to interactive two-way voice communications between individuals, voice recordings sent to telephone accounts or to the transmission of facsimiles (note such are separately regulated under the Unsolicited Telecommunications Rules of the Canadian Radio-television and Telecommunications Commission).
CASL also does not apply to electronic messages that are displayed to the general public rather than sent to an electronic address. For example, CASL will not apply to display advertisements such as banner or box advertisements, or to social media messages that are published through means more akin to a one-way general broadcasting such as a Facebook wall post. It will, however, apply to private messages sent through those social media platforms to one or more recipients, such as messages sent directly to other users through a two-way direct messaging system.
CASL applies to any CEM that is either sent from a computer within Canada or accessed by a computer in Canada. Because of this, even organizations operating solely outside of Canada will, in most cases, be required to comply with CASL if they communicate with Canadian clients or customers.
Consent is the cornerstone of CASL and most of the legislation's complexity lies here. In order to send any CEM, unless the message is otherwise exempt - as discussed later in this chapter - the sender must have the consent of the recipient to send the message. It is important to note that under CASL, the onus is always on the sender to prove consent.
There are two principal types of consent under CASL: express consent and implied consent.
Once express consent is obtained, the sender may continue to send messages of the type identified in the request for consent until the recipient withdraws their consent. The regulator, the Canadian Radio-television and Telecommunications Commission (CRTC) has indicated that "valid, express" consents provided prior to January 1, 2014, with respect to the sending of CEMs may continue to be relied on until the message recipient withdraws consent.
1. The recipient has conspicuously published or caused to be conspicuously published their electronic address;
2. The publication is not accompanied by a statement that the recipient does not wish to receive CEMs; and
3. The CEM is relevant to the business, role, functions or duties of the recipient individual or organization.
Even where a sender has obtained express consent or has implied consent to send a CEM, any CEM sent pursuant to that consent must clearly and prominently include prescribed information within the message. It must also include an unsubscribe mechanism, allowing the recipient to easily opt-out of future CEMs from the sender.
There are a small number of complete exemptions from the application of CASL, the most important of which are discussed below. Please note that additional exemptions, such as for charitable solicitations and political messages, are not discussed here.
CASL does not go so far as to eliminate the possibility of using third-party electronic address lists. However, those using such lists must take caution, as CASL imposes a number of requirements on the use of third-party electronic address lists with respect to opt-outs and disclosure, in addition to those discussed previously in this chapter. A robust agreement is required between the list-provider and user to ensure that these requirements are satisfied, and to provide the list user with assurances that all necessary consents have been obtained and have not been withdrawn. Such an agreement might provide for indemnities against third-party claims arising in connection with misrepresentation or failure to comply with the agreement or with CASL.
CASL also amended the Competition Act in two important ways. First, the amendments make it an offence to send a CEM that is false or misleading in a material respect. Second, the amendments make it an offence to send or make a false or misleading representation in the sender information, subject matter information, uniform resource locator (URL) or other locator of a CEM. This latter amendment may make it difficult for businesses to include claims that require qualification, or a disclaimer, in the subject lines or URLs of CEMs, as it may be impossible to effectively include such qualifying language in the limited space.
Additionally, CASL amended PIPEDA to ensure that PIPEDA's exceptions to the requirement for consent to collect, use and disclose personal information do not apply where electronic addresses are collected by the use of a computer program created primarily for that purpose, or where any personal information is collected or used by accessing a computer system in contravention of an act of Parliament. CASL requires the Office of the Privacy Commissioner of Canada, Competition Bureau and CRTC to consult one another and to co-ordinate their CASL enforcement activities.
Since CASL came into force, the CRTC has received hundreds of thousands of complaints. The CRTC has indicated it will review these complaints, and will take action where appropriate.
i. Notice of violations and decisions
The CRTC enforces CASL, including issuing one notice of violation that imposed a $1.1-million penalty for an alleged violation of the consent requirement under CASL and for using an unsubscribe mechanism that did not function. This penalty was ultimately set at $200,000 in the resulting compliance and enforcement decision. Since CASL came into force, enforcement efforts have resulted in penalties of over $1.75 million.
In July 2018 the CRTC took enforcement action to combat the installation of malicious software through online ads for the first time under CASL. This was also the first enforcement action against an organization for aiding CASL violations committed by its customers. The two online advertising companies involved were required to pay $100,000 and $150,000 in penalties, respectively.
In April 2019 the CRTC issued an enforcement decision imposing a fine on an individual personally for corporate violations when it found that a company involved in the sale of electronic coupons violated CASL for sending emails to Canadian consumers without their consent or a proper unsubscribe mechanism. The company's director was found vicariously liable for acquiescing to these violations and received an administrative monetary penalty of $100,000.
In 2021, the CRTC issued a notice of violation imposing a $75,000 administrative penalty on an individual for sending 671,342 CEMs without consent. During the investigation, however, the CRTC identified potentially several million CEMs sent without consent as part of a spam campaign. Indicators of non-compliance included several mailing lists and millions of records of failed email delivery attempts, while no records of consent were found.
In 2023, the CRTC issued a notice violation imposing an administrative monetary penalty of $40,000 on an individual who sent 31,925 phishing CEMs without consent using fraudulently obtained telephone numbers. In the course of its investigation, the CRTC gathered evidence from multiple sources using its power to issue Notices to Produce under section 17 of CASL.
ii. Undertakings
The CRTC has also entered into a series of undertakings with companies for violations of CASL. In particular, it alleged that each of these companies had sent CEMs to individuals - including in some instances their own registered users - that included an unsubscribe mechanism that was not "clearly and prominently set out" and that could not be "readily performed," as well as a variety of consent defects. The penalties imposed via undertaking have ranged from $48,000 to $200,000. In June 2017, a CEO was found personally liable for noncompliant CEMs by a group of companies under his direction.
In September of 2020 a company was subject to an undertaking whereby it had to pay a $100,000 penalty and implement effective corrective measures, among other obligations. The CRTC found that the company was sending CEMs without consent in addition to installing a computer program, a Google Chrome Extension, without consent and contrary to computer owners' and users' reasonable expectations. The Extension collected users' personal information, such as user names and passwords, contrary to their reasonable expectations.
In 2018, two companies were subject to undertakings that included the implementation of a compliance program and in one case monetary compensation of $100,000. In the former case, the CRTC found that it was not possible to unsubscribe from all messages with just one operation, contrary to CRTC regulations. In the latter case, the request for consent was alleged to have contained a number of deficiencies.
In June of 2017 the government indefinitely suspended the commencement of a private right of action that was scheduled to come into force on July 1, 2017. The private right of action would have allowed any individual or organization who alleged they had been affected by a CASL contravention to bring an action seeking their actual loss or damages, and a penalty of $200 for each contravention, not to exceed $1 million for any day on which a contravention took place. The government explained its decision was in response to broad-based concerns raised by businesses, charities and the not-for-profit sector. CASL then underwent a parliamentary review, with the House of Commons Standing Committee on Industry, Science and Technology issuing a report in December 2017 titled "Clarifications Are in Order". The Committee recommended changes to CASL to clarify the scope and application of CASL and to reduce the cost of compliance and better focus enforcement. The report encouraged the government to: adopt a short title for the Act; clarify certain definitions and provisions in the Act; increase education and transparency regarding its CASL enforcement process; investigate further the impact of a private right of action and for the CRTC to share information with domestic law enforcement agencies. The government responded in April 2018 stating it would work further on these issues with a diversity of stakeholders to identify concrete solutions, while maintaining a balance between protecting Canadians from spam and other electronic threats, and at the same time minimizing the cost and administrative burden of compliance for Canadian organizations subject to CASL. To date, CASL has not been amended in response to the report.
Section 8 of CASL requires anyone who installs, or causes to be installed, a computer program on another person's computer system, in the course of commercial activity to obtain the prior express consent of the owner, or an authorized user, of that system in the manner prescribed by CASL.
The CRTC considers CASL not to apply where the owner or authorized user of a computer system intentionally installs software on their own computer system. CASL applies, however, where a computer program or a subset of a program is installed without the knowledge of the owner or authorized user of the computer system. CASL also applies where a previously installed computer program causes updates to be installed automatically without the user's knowledge and consent.
The application of CASL's software provisions does not stop at Canada's borders. Section 8 applies to anyone who installs software in Canada, and to persons inside Canada who install software on computer systems outside of Canada. In both cases, the installation must be done in the course of commercial activity for CASL's software provisions to apply.
CASL uses the terms "computer system" and "computer program" broadly. Under CASL, a "computer system" means a device - or a group of interconnected or related devices - that contains computer programs or other computer data, and that performs a logic and control function pursuant to computer programs. As a result, computer systems may include automobiles, industrial equipment, smart appliances and other consumer products that may not normally be considered to constitute "computer systems." CASL considers "computer programs" to include data that when executed in a computer system cause it to perform a function, including both software applications and updates to them.
CASL requires the following information to be clearly and simply set out when consent to install a computer program is sought:
The person who obtains consent should keep a record of it, as that person will bear the onus of proving the consent once the computer program is installed.
CASL deems the computer system's owner or authorized user to have expressly consented to the installation of a computer program if that person's conduct is such that it is reasonable to believe that he or she did consent to the installation, and the computer program is:
CASL imposes additional disclosure and consent obligations where the computer program being installed performs any one of a list of prescribed functions - provided that the person installing the computer program knows and intends such functions will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or authorized user of the computer system.
The prescribed computer program functions are:
When the foregoing applies, the person seeking to install the computer program must provide the computer system's owner or authorized user with a description of the material elements of the computer program that perform the specified function(s) - including the nature and purpose of those elements, and their foreseeable impact. These elements must be brought to the attention of the owner or authorized user of the computer system clearly and prominently - separate from other information provided in a request for consent, and separate from the software license agreement.
The person seeking to install the computer program must also obtain written acknowledgement (in paper or electronic form) that the person from whom consent is sought understands and agrees that the program performs the specified functions. The request for consent must not be bundled with requests for consent to general terms and conditions of use or sale, and must be separate from any consent requested under CASL's CEM provisions.
CASL provides an exception to these enhanced consent and disclosure requirements where the specified computer program function only collects, uses or communicates transmission data. For CASL's purposes, "transmission data" means data that:
CASL imposes additional obligations on a person or organization that installs a computer program on another person's computer such that the "enhanced disclosure and consent" requirements outlined above apply.
For one year after such installation, the person who installed the computer program must ensure that the consenting person is provided with an electronic address through which they can request to remove or disable the program if they believe that its function, purpose or impact was not accurately described when consent was requested.
If the consent was given based on an inaccurate description of the program's material elements, then the person who installed the program must assist the person who gave the consent to remove or disable the computer program as soon as feasible, without cost to the person who gave the consent. This assistance is required where the person who gave the consent requests it within one year after installation.
Software updates and upgrades involve the replacement or supplementation of a computer program's software with newer software in order to improve the program or bring it up to date. In the course of commercial activity, where an update or upgrade is being installed on someone else's computer, the consent of the owner or authorized user of the computer must be obtained in accordance with CASL.
Learn more about Gowling WLG services in CASL »
1The full name of the Act is: An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying out Commercial Activities, and to Amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c 23.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.