OneTrust_Square Banner_300x250_DD_ROS_01_19

Industry Canada published its final regulations under Canada’s Anti-Spam Legislation (CASL), and announced that CASL will be in force on July 1, 2014, leaving about 7 months to prepare. Fortunately, the regulations will make things a bit easier by preserving all but one of the exceptions included in the draft regulations pre-published in January 2013 and introducing several more.

Here are the highlights:

  • CASL will be implemented in three phases: while the majority of CASL comes into force July 1, 2014, the rules that apply to computer programs will come into force January 15, 2015, followed by the private right of action on July 1, 2017.
  • Industry Canada has provided interpretive guidance on several issues under CASL, including the definition of a CEM, the application of CASL to express consent obtained before CASL comes into force, the application of CASL to IP addresses and cookies, and the interaction between the unsubscribe requirement and implied consent.
  • New exceptions have been added for: closed platforms, which would appear to apply to platforms such as Blackberry Messenger and social medial networks; limited-access accounts where organizations communicate directly with recipients (e.g., online banking); messages targeted at foreign persons; and, fundraising by charities and political parties.

Private right of action and rules for computer programs delayed

Industry Canada determined that it was wise to delay the private right of action for three years, not coming into force until July 1, 2017. The rules applying to computer programs will come into force on January 15, 2015. The remainder of the Act comes into force on July 1, 2014 (this includes substantive amendments to the Competition Act and the Personal Information Protection and Electronic Documents Act).

Interpretive guidance

The “Regulatory Impact Analysis Statement,” or “RIAS” published with the regulations explains the regulations and the regulatory process in detail. It also includes interpretive guidance on a number of issues arising under CASL itself, notably: the definition of a CEM, the application of CASL to express consent obtained before CASL comes into force, the application of CASL to IP addresses and cookies, and the interaction between the unsubscribe requirement and implied consent.

Definition of a CEM

There is much confusion around the meaning of a CEM under CASL. This has been complicated by the inclusion of categories of messages in subsection 6(6) of CASL, which, according to the way it is drafted, could be interpreted to imply that messages solely transactional in nature may be CEMs.

Industry Canada has attempted to clarify this, stating that

if the message involves a pre-existing commercial relationship or activity and provides additional information, clarification or completes the transaction involving a commercial activity that is already underway, it would  not be considered a CEM since, rather than promoting commercial activity, it carries out the activity.

Industry Canada also stated that

the mere fact that a message involves commercial activity, hyperlinks to a person’s website, or business related electronic addressing information does not make it a CEM under the Act if none of the purpose is to encourage the recipient [to participate] in additional commercial activity [emphasis added].

This is largely in response to concerns about how broadly the definition of a CEM might be applied.

Application of CASL to existing express consent

Industry Canada stated that express consent obtained before CASL comes into force that is compliant with PIPEDA will be considered compliant with CASL. Note that this will still require some form of express consent, as PIPEDA has been interpreted in the past to require express consent for using personal information for marketing purposes.

Application of CASL to internet protocol addresses

With respect to internet protocol (IP) addresses, Industry Canada clarified that “insofar as IP addresses are not linked to an identifiable person or to an account, IP addresses are not electronic addresses for the purposes of CASL.” This makes it clear that display ads on websites are “not subject to CASL.”

Application of CASL to cookies

Industry Canada has weighed in on the long-standing concern and confusion over the application of CASL to cookies. The confusion arises as a result of subsection 10(8), which could be interpreted to imply that a cookie is in fact a computer program for the purposes of CASL. On this point, Industry Canada states that

insofar as cookies are not executable computer programs, and they cannot carry viruses and cannot install malware, and are simply lines of text or data that are read from a web browser, they are not computer programs for the purposes of CASL.

Although this is inconsistent with guidance provided by the CRTC, which has stated that cookies are computer program, but that CASL does not apply because cookies cannot be installed, the end result appears to be the same.

Interaction between unsubscribe requirement and implied consent

A sender is able to rely on implied consent under CASL based on, among other things, an “existing business relationship”, which is defined under subsection 10(10) of CASL to arise out of such things as a purchase by the recipient from the sender within the previous 24 months, or an inquiry from the recipient about a product or service within the previous six months. This leads to the following common question: what happens if someone unsubscribes from a list, but then initiates a subsequent triggering event, such as a purchase? Industry Canada has clarified this question, stating that “implied consent due to an existing business relationship is reinstated with every new or subsequent transaction that would qualify them under section 10(10) of CASL”. This would also presumably apply to an “existing non-business relationship”.


Exception for response to request, inquiry or complaint

The exemption for any CEM that is “sent in response to a request, inquiry, complaint or is otherwise solicited by the person to whom the message is sent” remains unchanged from the draft regulations.

Exception to enforce rights etc.

The regulations create exceptions for any CEM sent to satisfy a legal obligation or enforce an existing or pending legal right. Industry Canada states that this could apply to messages containing banking statements, or copyright notices. This would also likely apply to debt collection notices.

Conditions for use of consent

The regulations establish the conditions for the use of express consent obtained by one person on behalf of another person, the identity of which is unknown at the time consent is obtained. In other words, these rules apply where an electronic address is collected by one person, and later shared with another person (as opposed to a list owner sending another person’s ad to their own list).  The regulations require the name of the person who originally obtained consent to be identified in any message sent to the recipient, and that the unsubscribe mechanism allow the recipient to unsubscribe from receiving messages from any person who has been provided with their electronic address. The consent management/unsubscribe process therefore requires coordination across users of a given list.

Absent minor wording alterations, this section of the regulations remains unchanged from the previous two versions of regulations published in 2011 and 2012. Industry Canada provided a lengthy explanatory note on this section in the RIAS.


Definitions of family and personal relationships

CASL exempts any CEM sent between two persons who have a personal or family relationship, requiring Industry Canada to define both of these concepts in regulation. The definition of a “family relationship”, which was previously drawn from the Income Tax Act, has been simplified.

Need help determining what subscribers, if any, will require reconfirmation before or after CASL? Check out nNovation’s CASL Database Checklist in the IAPP Resource Center.

A “personal relationship”, which is defined to arise between two people who have had direct, voluntary two-way communications where it would be reasonable to conclude that the relationship is personal, has been amended to remove the requirement that the recipient must not have asked that they no longer receive messages from the sender.

Exception for business-to-business communications

In order to “ensure regular business communications are not unnecessarily regulated” by CASL, the regulations exempt any CEM

(a) that is sent by an employee, representative, consultant or franchisee of an organization

(i) to another employee, representative, consultant or franchisee of the organization and the message concerns the activities of the organization, or

(ii) employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent;

This exception has been reworded, and is made somewhat broader by the removal of the condition that two organizations have a “business” relationship (it is now simply a “relationship”).

Exception from consent for referrals

The exception for referrals will allow a person to send a single CEM without consent based on a third-party referral, so long as the following conditions are met:

  • the person making the referral has an existing business relationship, an existing non-business relationship, a personal relationship or a family relationship with both the sender and the recipient; and,
  • the sender discloses the name of the person making the referral in the message and that the message is sent as a result of the referral.

There is a slight change from the draft regulations as the exception now applies to “persons”. The previous version only applied to “individuals”, meaning that it is now clear that a person can refer an organization as well as a single individual (e.g., a law firm as opposed to a single lawyer).

Specified computer programs

Subsection 10(8) of CASL deems a person to have expressly consented to the installation of certain categories of computer programs where “the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.” The regulations define three additional categories of computer programs to allow telecommunications service providers (TSPs) to install programs on its customers’ computers or devices in order to prevent protect the security of its network, for the purposes of updating or upgrading a network, or to prevent the failure of a computer system or program. The first category of computer programs (security of TSP networks) has been altered so that it no longer captures activities that are a contravention of law.

Industry Canada has clarified that auto manufacturers may be TSPs for the purposes of CASL, allowing auto manufacturers to rely on these exceptions to upgrade computer software in automobiles.


Five new exceptions from section 6 of CASL have been added in the regulations. Because these provisions create a complete exception from section 6, there is no need to obtain consent or to include prescribed identification information or an unsubscribe mechanism.

Exception for closed platforms

An exception has been added for any CEM

that is sent and received on an electronic messaging service if the information and unsubscribe mechanism that are required under subsection 6(2) of the Act are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it either expressly or by implication.

This exception was added in response to concerns raised by “companies in the telecommunications sector”. It seems clear that this is intended to capture instant messaging services such as Blackberry Messenger and WhatsApp. It would also appear that it could apply to social media platforms such as Facebook and LinkedIn.

Exception for limited-access accounts

An exception has been added for any CEM

that is sent to a limited-access secure and confidential account to which messages can only be sent by the person who provides the account to the person who receives the message.

This exception was added in response to concerns raised by stakeholders in the financial sector to exclude messages sent directly to customers, for example, through an online banking account.

Exception for messages targeted at foreign persons

The regulations will exclude from section 6 any CEM

if the person who sends the message or causes or permits it to be sent reasonably believes the message will be accessed in a foreign state that is listed in the schedule and the message conforms to the law of the foreign state that addresses conduct that is substantially similar to conduct prohibited under section 6 of the Act.

The purpose of this exception is to “reduce regulatory duplication” where a CEM is sent to states that have their own anti-spam legislation. This exception applies to messages sent to 116 foreign states, listed in a schedule to the regulations.

Exception for charities and political parties

Finally, two new exceptions are added for charities and political parties if the primary purpose is “raising funds for a charity” or “soliciting a contribution as defined in subsection 2(1) of the Canada Elections Act“.


Gone from the regulations is an exception that appeared in the draft regulations for any message accessed on a computer system located in Canada where the message is targeted at a non-Canadian, and the sender could not have reasonably known the message would be accessed in Canada. According to Industry Canada, “it was determined that this exemption is not necessary”.

Written By

Shaun Brown


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»