What CASL regulates
CASL covers three main activities:
- Sending commercial electronic messages (CEMs) such as email, SMS, and direct messages on social platforms.
- Altering transmission data in an electronic message in the course of a commercial activity, without consent.
- Installing computer programs on another person's device in the course of a commercial activity, without consent.
What counts as a commercial electronic message
A CEM is an electronic message that encourages participation in a commercial activity, such as promoting a product, service, business, or opportunity. The message can be promotional, solicitation, or any related electronic communication.
Some messages are exempt, including messages between business-to-business partners with an existing relationship, messages to personal contacts, responses to requests for information, and certain charitable communications.
Consent, identification, and unsubscribe
A CEM must meet three core requirements:
- Consent: Express (opt-in) consent is generally required. Some implied consent applies for existing business or non-business relationships for a limited time window.
- Identification: The sender must identify itself and anyone on whose behalf the message is sent, with current contact information valid for at least 60 days.
- Unsubscribe: The message must include a working unsubscribe mechanism that functions for at least 60 days and processes unsubscribe requests within 10 business days.
Address harvesting and software installation
CASL prohibits using computer programs or automated means to collect email addresses from publicly accessible sources without consent, or to use such addresses to send CEMs.
Installing software on a device (including phones and tablets) in the course of a commercial activity requires express consent, with clear descriptions of the program's features and any functions that could be reasonably seen as contrary to the user's interests.
Enforcement and penalties
The CRTC can issue administrative monetary penalties of up to $1 million per violation for individuals and $10 million per violation for organizations. It can also issue notices of violation, compliance orders, and undertakings.
The Competition Bureau enforces CASL provisions related to false or misleading representations. The Office of the Privacy Commissioner oversees address harvesting investigations.
Note that the private right of action for CASL violations has not been brought into force.
How to report spam
You can forward unwanted CEMs to the Spam Reporting Centre at spam@fightspam.gc.ca. Reports help the CRTC identify patterns of non-compliance and take enforcement action.
Before filing, make sure you used the message's unsubscribe link (if any) and that the sender did not honour it within 10 business days.