Express consent campaigns have been touted as the silver bullet for the consent framework under Canada’s Anti-Spam Law. However, gaining express consent has its own set of challenges. What are the questions organizations need to ask before seeking consent?

Organizations have been waiting nearly two years for regulations that will clarify and put into force Canada’s Anti-Spam Legislation (CASL). For this reason, many organizations are waiting until the fall—when Industry Canada’s regulations are now expected—to evaluate their marketing practices and implement changes. However, given CASL’s broad application and stiff monetary penalties—up to $1 million for individuals and up to $10 million for organizations per violation—smart organizations are launching express consent campaigns before CASL comes into effect.

CASL will apply to any organization that sends a commercial electronic message (CEM) to its customers, prospects or other contacts via e-mail, text or other electronic means such as Twitter, Facebook or LinkedIn—irrespective of size or sector—with the purpose of encouraging participation in a commercial activity. Commercial activities include any transaction, act or conduct that is commercial in nature, whether or not the person who carries it out does so with the expectation of profit; e.g., invitations to events or subscriptions to an industry newsletter. This will include all messages that based on the content, including links and contact information, have as one of the purposes encouraging participation in commercial activity such as selling or advertising a product, promoting an organization or person or gathering market information. In effect, CASL will require recipients to opt in to receiving CEMs—a model that differs from the U.S. CAN-SPAM Act. Organizations will be required to have implied or express consent from recipients in Canada before sending a CEM, unless the relationship or CEM qualifies for an exemption. Organizations will also need to put in place unsubscribe mechanisms or ensure that current unsubscribe practices meet the requirements under CASL.

Not only do Canadian-based organizations need to comply with CASL but also organizations that send messages to Canadian recipients must take note. CASL applies to messages sent from or received in Canada. Practically speaking, if an organization has global presence, its foreign subsidiaries that send electronic messages to Canadian recipients also need to comply with CASL.

Organizations may rely on implied consent under CASL in three main scenarios:

  • With an existing “business relationship” with the recipient; e.g., consumer has purchased a product within the two years prior to the message being sent, entered into an existing written contract with the person or made an inquiry or application within the six months prior to the message;
  • With an existing “non-business relationship;” e.g., charitable, membership and volunteer relationships;
  • The recipient has conspicuously published his or her e-mail contact information or has disclosed it to the sender and has not indicated that he or she does not wish to receive communications and the CEM is relevant to the recipient’s business, role, functions or duties in a business or official capacity.

Currently, prior to sending a CEM, organizations must ensure that consent requirements set out in privacy legislation are met. Privacy legislation requires organizations to inform an individual about the collection, use or disclosure of his or her personal information and obtain the individual’s consent for such collection, use and disclosure. Under federal privacy legislation, organizations rely on implied consent based on “reasonableness” standards. For example, under federal privacy legislation, where a consumer sends a request for information via e-mail, it would be reasonable to conclude that you have that individual’s implied consent to respond to the request using the individual’s e-mail address. Under CASL, this type of inquiry by a consumer would constitute an “existing business relationship;” however, a response would have to be sent within six months from the date of the initial inquiry in order to rely on implied consent under CASL. CASL specifically states that in the event of any conflict between a provision of CASL and a provision of PIPEDA, the federal privacy legislation governing private sector organizations, the provision of CASL would prevail. In other words, an organization cannot necessarily rely on implied consent as currently provided for in federal privacy legislation.

Grandfathering provisions for implied consent

When CASL comes into force, if there is an existing business relationship or an existing non-business relationship, as defined in CASL, there will be an extended period of three years during which implied consent will continue to apply. The transitional period provides an extended timeline for perfecting existing implied consent for an existing business relationship and an existing non-business relationship by seeking express consent in compliance with the legislation.

What makes CASL different from other electronic marketing legislation is that the broad definition of CEM means that CASL will also apply to those electronic communications that may not come from marketing departments well-versed in the rules of consent. For example, a salesperson who contacts a former client, with whom the company has not had a relationship with in more than two years, must have the former client’s express consent or implied consent before sending the CEM. The sales \person’s contact may be something as simple as an e-mail, inbox or text message to touch base, but given CASL’s broad scope, it may still be considered a CEM. This means that organizations will need to track implied consent and ensure everyone in the organization understands the scenarios in which consent is considered to be implied. If the salesperson’s CEM went to 50 people who had not consented to receive the message, regulators could fine the organization $500 million. Additionally, a private right of action is available, which permits individuals to take civil actions against anyone who violates CASL.

When CASL comes into force, CASL may restrict an organization’s ability to use existing express consent that was not obtained in compliance with CASL in some circumstances, leaving senders that thought they had express consent with no consent at all from a CASL perspective.

Implied consent will be necessary, but not easy. Express consent provides some freedom, but not without its own challenges.

Organizations with hundreds or thousands of contacts, in multiple locations, managed by different departments and often with incomplete or duplicative contact information and no knowledge of when a contact may have originated, will have a difficult—if not impossible—job of tracking implied consent. Given the challenges of implied consent, many organizations instead are gaining express consent from recipients. Under CASL, organizations may send CEMs to a recipient who has expressly consented to receive such communications until the recipient opts out. This means that organizations will need to track implied consent and ensure everyone in the organization understands the scenarios in which consent is considered to be implied. Otherwise, an organization could be subject to administrative monetary penalties or even legal action by the recipient of a CEM that is non-compliant.

Seeking express consent

A request for express consent may be obtained orally or in writing. Where consent is being sought on behalf of another person, the request for consent must include a statement indicating which person is seeking consent and which person on whose behalf consent is sought. The request also must identify the name by which the person seeking consent carries on business, if different from their name, otherwise, their name; also, if applicable, the name by which the person on whose behalf it was sent carries on business, if different from their name, otherwise that person’s name. All requests for consent must include prescribed contact information for the person seeking consent or, if applicable, the person on whose behalf consent is sought. Finally, each request must also identify the purpose for which the consent is being sought, as well as a statement indicating that consent may be withdrawn by the recipient.

Express consent campaigns have their own challenges. Before contacting customers, clients or donors, there are a myriad of questions to consider and decisions organizations need to make, which will be helpful within overall CASL preparation. There are generally three ways in which organizations will seek express consent:

  1. Simple consent: Seek express consent to send or to continue sending CEMs.
  2. Consent with updates: Seek express consent and current contact details from recipients. This may involve, for example, sending existing CRM data to the recipient for verification.
  3. Consent with preference management: Seek express consent to send CEMs and capture or confirm recipients’ preferences concerning the type, frequency and format of electronic messages.

Each option raises the following important questions for organizations to consider:

Population: Which programs or groups should the organization contact?

Accuracy: Which contact lists are most accurate?

Are updates necessary for all contacts or just certain populations?

Timing: When should the organization contact recipients?  Several organizations will undergo similar exercises and businesses risk “CASL fatigue” as recipients are asked to expressly consent to receive CEMs from several sources.

Technology: Is the technology in place to manage the express consent campaign?

Can responses be tracked electronically?

What is the effort to manage the campaign manually?

Response: How will the organization handle non-responses?

How many times will the organization re-send a request?

Content: Has the organization prepared a standard template for CEMs? CASL requires that each CEM be in a format prescribed by CASL, which includes opt-out information and information regarding the sender.

What communication preferences does the organization want to offer recipients—timing; e.g. weekly; topic, format; e.g. text message?

Are there technical restrictions on how the organization will communicate with recipients that limit preferences?

Management: How will the organization ensure recipients who do not consent, do not receive CEMs through, for example, a “do-not-contact registry?”

How will preferences be managed long term?

If consent is provided, how will the unsubscribe mechanism be monitored and tracked?

With all three express consent scenarios, the question of timing, target population and technology are important to consider as each organization will have its own set of realities. This means organizations will need to engage frontline business, marketing, legal, privacy and technology teams to implement express consent campaigns effectively.

It is also important to remember that CEMs have their own required content, and one required element of each CEM that is sent is that it must include a readily-performed unsubscribe mechanism, or a link to a website where the unsubscribe mechanism is readily accessible. For the sender, this mechanism will be a tool for keeping track of withdrawals of consent going forward.

Express consent is not a silver bullet for consent management under CASL. However, once express consent is obtained, it provides a less burdensome regime by simplifying the questions that senders need to ask before sending CEMs: Do we still have the recipient’s express consent for this type of communication? If the sender’s organization is tracking consent—and withdrawal of it—via the required unsubscribe mechanism, it should be able to easily move forward with using CEMs as part of its commercial messaging. An express consent campaign also gives organizations the opportunity to renew relationships and update contact information. Most importantly, involving frontline staff who communicate regularly with recipients in the express consent campaign will help educate them on the rules under CASL.

Whether an organization decides to proceed with an express consent campaign or not, evaluating consent management options and making decisions concerning when implied or express consent will be sought will help with overall CASL preparation. It will also clarify current marketing and business practices, which are not always well documented.

Authors’ Note: At the time of publication, final regulations from Industry Canada were not available.

Written By

Megan Brister

Written By

Marta Rzeszowska Chavent

Written By

Katerina Kouretas

Written By

Alain Rocan, CIPP/C


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is sold out! But you can still add your name to the wait list, and we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Call for Speakers open! Join the Forum in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

Call for Speakers open! This year, we're bringing P.S.R. to San Diego. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

Call for Speakers open! The Congress is your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Submit a proposal by March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»