TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Industry Canada finalizes regulations under CASL Related reading: A view from DC: White House preps a 'bridge' to AI regulation


Industry Canada published its final regulations under Canada’s Anti-Spam Legislation (CASL), and announced that CASL will be in force on July 1, 2014, leaving about 7 months to prepare. Fortunately, the regulations will make things a bit easier by preserving all but one of the exceptions included in the draft regulations pre-published in January 2013 and introducing several more.

Here are the highlights:

  • CASL will be implemented in three phases: while the majority of CASL comes into force July 1, 2014, the rules that apply to computer programs will come into force January 15, 2015, followed by the private right of action on July 1, 2017.
  • Industry Canada has provided interpretive guidance on several issues under CASL, including the definition of a CEM, the application of CASL to express consent obtained before CASL comes into force, the application of CASL to IP addresses and cookies, and the interaction between the unsubscribe requirement and implied consent.
  • New exceptions have been added for: closed platforms, which would appear to apply to platforms such as Blackberry Messenger and social medial networks; limited-access accounts where organizations communicate directly with recipients (e.g., online banking); messages targeted at foreign persons; and, fundraising by charities and political parties.

Private right of action and rules for computer programs delayed

Industry Canada determined that it was wise to delay the private right of action for three years, not coming into force until July 1, 2017. The rules applying to computer programs will come into force on January 15, 2015. The remainder of the Act comes into force on July 1, 2014 (this includes substantive amendments to the Competition Act and the Personal Information Protection and Electronic Documents Act).

Interpretive guidance

The “Regulatory Impact Analysis Statement,” or “RIAS” published with the regulations explains the regulations and the regulatory process in detail. It also includes interpretive guidance on a number of issues arising under CASL itself, notably: the definition of a CEM, the application of CASL to express consent obtained before CASL comes into force, the application of CASL to IP addresses and cookies, and the interaction between the unsubscribe requirement and implied consent.

Definition of a CEM

There is much confusion around the meaning of a CEM under CASL. This has been complicated by the inclusion of categories of messages in subsection 6(6) of CASL, which, according to the way it is drafted, could be interpreted to imply that messages solely transactional in nature may be CEMs.

Industry Canada has attempted to clarify this, stating that

if the message involves a pre-existing commercial relationship or activity and provides additional information, clarification or completes the transaction involving a commercial activity that is already underway, it would  not be considered a CEM since, rather than promoting commercial activity, it carries out the activity.

Industry Canada also stated that

the mere fact that a message involves commercial activity, hyperlinks to a person’s website, or business related electronic addressing information does not make it a CEM under the Act if none of the purpose is to encourage the recipient [to participate] in additional commercial activity [emphasis added].

This is largely in response to concerns about how broadly the definition of a CEM might be applied.

Application of CASL to existing express consent

Industry Canada stated that express consent obtained before CASL comes into force that is compliant with PIPEDA will be considered compliant with CASL. Note that this will still require some form of express consent, as PIPEDA has been interpreted in the past to require express consent for using personal information for marketing purposes.

Application of CASL to internet protocol addresses

With respect to internet protocol (IP) addresses, Industry Canada clarified that “insofar as IP addresses are not linked to an identifiable person or to an account, IP addresses are not electronic addresses for the purposes of CASL.” This makes it clear that display ads on websites are “not subject to CASL.”

Application of CASL to cookies

Industry Canada has weighed in on the long-standing concern and confusion over the application of CASL to cookies. The confusion arises as a result of subsection 10(8), which could be interpreted to imply that a cookie is in fact a computer program for the purposes of CASL. On this point, Industry Canada states that

insofar as cookies are not executable computer programs, and they cannot carry viruses and cannot install malware, and are simply lines of text or data that are read from a web browser, they are not computer programs for the purposes of CASL.

Although this is inconsistent with guidance provided by the CRTC, which has stated that cookies are computer program, but that CASL does not apply because cookies cannot be installed, the end result appears to be the same.

Interaction between unsubscribe requirement and implied consent

A sender is able to rely on implied consent under CASL based on, among other things, an “existing business relationship”, which is defined under subsection 10(10) of CASL to arise out of such things as a purchase by the recipient from the sender within the previous 24 months, or an inquiry from the recipient about a product or service within the previous six months. This leads to the following common question: what happens if someone unsubscribes from a list, but then initiates a subsequent triggering event, such as a purchase? Industry Canada has clarified this question, stating that “implied consent due to an existing business relationship is reinstated with every new or subsequent transaction that would qualify them under section 10(10) of CASL”. This would also presumably apply to an “existing non-business relationship”.


Exception for response to request, inquiry or complaint

The exemption for any CEM that is “sent in response to a request, inquiry, complaint or is otherwise solicited by the person to whom the message is sent” remains unchanged from the draft regulations.

Exception to enforce rights etc.

The regulations create exceptions for any CEM sent to satisfy a legal obligation or enforce an existing or pending legal right. Industry Canada states that this could apply to messages containing banking statements, or copyright notices. This would also likely apply to debt collection notices.

Conditions for use of consent

The regulations establish the conditions for the use of express consent obtained by one person on behalf of another person, the identity of which is unknown at the time consent is obtained. In other words, these rules apply where an electronic address is collected by one person, and later shared with another person (as opposed to a list owner sending another person’s ad to their own list).  The regulations require the name of the person who originally obtained consent to be identified in any message sent to the recipient, and that the unsubscribe mechanism allow the recipient to unsubscribe from receiving messages from any person who has been provided with their electronic address. The consent management/unsubscribe process therefore requires coordination across users of a given list.

Absent minor wording alterations, this section of the regulations remains unchanged from the previous two versions of regulations published in 2011 and 2012. Industry Canada provided a lengthy explanatory note on this section in the RIAS.


Definitions of family and personal relationships

CASL exempts any CEM sent between two persons who have a personal or family relationship, requiring Industry Canada to define both of these concepts in regulation. The definition of a “family relationship”, which was previously drawn from the Income Tax Act, has been simplified.

Need help determining what subscribers, if any, will require reconfirmation before or after CASL? Check out nNovation’s CASL Database Checklist in the IAPP Resource Center.

A “personal relationship”, which is defined to arise between two people who have had direct, voluntary two-way communications where it would be reasonable to conclude that the relationship is personal, has been amended to remove the requirement that the recipient must not have asked that they no longer receive messages from the sender.

Exception for business-to-business communications

In order to “ensure regular business communications are not unnecessarily regulated” by CASL, the regulations exempt any CEM

(a) that is sent by an employee, representative, consultant or franchisee of an organization

(i) to another employee, representative, consultant or franchisee of the organization and the message concerns the activities of the organization, or

(ii) employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent;

This exception has been reworded, and is made somewhat broader by the removal of the condition that two organizations have a “business” relationship (it is now simply a “relationship”).

Exception from consent for referrals

The exception for referrals will allow a person to send a single CEM without consent based on a third-party referral, so long as the following conditions are met:

  • the person making the referral has an existing business relationship, an existing non-business relationship, a personal relationship or a family relationship with both the sender and the recipient; and,
  • the sender discloses the name of the person making the referral in the message and that the message is sent as a result of the referral.

There is a slight change from the draft regulations as the exception now applies to “persons”. The previous version only applied to “individuals”, meaning that it is now clear that a person can refer an organization as well as a single individual (e.g., a law firm as opposed to a single lawyer).

Specified computer programs

Subsection 10(8) of CASL deems a person to have expressly consented to the installation of certain categories of computer programs where “the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.” The regulations define three additional categories of computer programs to allow telecommunications service providers (TSPs) to install programs on its customers’ computers or devices in order to prevent protect the security of its network, for the purposes of updating or upgrading a network, or to prevent the failure of a computer system or program. The first category of computer programs (security of TSP networks) has been altered so that it no longer captures activities that are a contravention of law.

Industry Canada has clarified that auto manufacturers may be TSPs for the purposes of CASL, allowing auto manufacturers to rely on these exceptions to upgrade computer software in automobiles.


Five new exceptions from section 6 of CASL have been added in the regulations. Because these provisions create a complete exception from section 6, there is no need to obtain consent or to include prescribed identification information or an unsubscribe mechanism.

Exception for closed platforms

An exception has been added for any CEM

that is sent and received on an electronic messaging service if the information and unsubscribe mechanism that are required under subsection 6(2) of the Act are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it either expressly or by implication.

This exception was added in response to concerns raised by “companies in the telecommunications sector”. It seems clear that this is intended to capture instant messaging services such as Blackberry Messenger and WhatsApp. It would also appear that it could apply to social media platforms such as Facebook and LinkedIn.

Exception for limited-access accounts

An exception has been added for any CEM

that is sent to a limited-access secure and confidential account to which messages can only be sent by the person who provides the account to the person who receives the message.

This exception was added in response to concerns raised by stakeholders in the financial sector to exclude messages sent directly to customers, for example, through an online banking account.

Exception for messages targeted at foreign persons

The regulations will exclude from section 6 any CEM

if the person who sends the message or causes or permits it to be sent reasonably believes the message will be accessed in a foreign state that is listed in the schedule and the message conforms to the law of the foreign state that addresses conduct that is substantially similar to conduct prohibited under section 6 of the Act.

The purpose of this exception is to “reduce regulatory duplication” where a CEM is sent to states that have their own anti-spam legislation. This exception applies to messages sent to 116 foreign states, listed in a schedule to the regulations.

Exception for charities and political parties

Finally, two new exceptions are added for charities and political parties if the primary purpose is “raising funds for a charity” or “soliciting a contribution as defined in subsection 2(1) of the Canada Elections Act“.


Gone from the regulations is an exception that appeared in the draft regulations for any message accessed on a computer system located in Canada where the message is targeted at a non-Canadian, and the sender could not have reasonably known the message would be accessed in Canada. According to Industry Canada, “it was determined that this exemption is not necessary”.


If you want to comment on this post, you need to login.