What is CASL and how does it affect me?

Tuesday 2 January 2018

The UK is months away from the EU-wide GDPR compliance deadline of May 25th, and organisations around the EU and the world are busily preparing. However, GDPR is not the only legislation that requires organisations to start taking data protection more seriously. One such example is Canada’s ‘CASL’, hailed as one of the toughest laws of its kind in the world, which has changed the face of digital marketing and how organisations process and manage their data.

What is CASL?

Canadian Anti-Spam Law (CASL) is a new anti-spam law that applies to all commercial electronic messages (CEMs) – such as emails, texts, and social media – that an organization sends promoting a product, service or commercial offering. CASL came into effect in July 2017.

It requires customers to opt-in to CEMs rather than the more traditional approach of requiring an opt-out.

This opt-in is categorised across two permission types – explicit (or express) permission and implied permission. We detail what exactly this means later in this article.

CASL applies to any message accessed within Canada, which covers messages sent from anywhere in the world rather than just within Canadian borders. So as with the GDPR, despite it not being local to your country you still have to comply if Canada makes up part of your target market!

Fines will be imposed on any non-compliant organisation: up to $1 million in personal liability for company officers and up to $10 million for organisations.

What is a CEM?

A CEM is any electronic message that encourages the participant to take part in a commercial activity. This could be a voucher, special offer, promotion, or sale.

Please note there is a list of electronic messages exempt from CASL. Examples include messages that contain information regarding a product recall, safety messages, court orders, information regarding a purchase, etc. There are resources available on the web that detail the full list of electronic messages exempt from CASL.

What is the difference between express and implied permission?

Express permission is obtained when you explicitly ask the potential contact for permission to send them information via email. The language used must be clear and you must inform them who will be emailing them. It is also important to log when the data was collected, where it was collected and how they consented.

Implied permission takes place when express permission conditions have not been met but some previous relationship exists. Examples of implied permission include cases where the recipient has:

  • Bought a product, good or service in the past two years
  • Been involved in an investment opportunity in the past two years
  • Made an inquiry within the last 6 months
  • Donated or gifted to a registered charity or political organisation in the past two years
  • Volunteered with a charity or political organisation in the past two years


What do you need to do to comply?

  • All email addresses you send messages to must be permission based
  • All emails must contain an easy-to-find unsubscribe link that is valid for a minimum of 60 days
  • Your subject line must reflect the message held within
  • You must identify yourself and the name of the organisation you work for
  • Data must be processed and handled in accordance with the guidelines

The EU’s impending GDPR has some parallels with CASL and is seen as a harsher ruling than CASL, with heavier fines and more thorough data handling processes.


| | GDPR – General Data Protection Regulation | CASL – Canadian Anti-Spam Law |
|---|---|---|
| | EU | Canada |
| | Regulation | Legislation |
| Area | Covers any messages sent to or received from the European Union. | Covers all messages sent into or out of Canada, but does not include messages simply routed through Canada. |
| Opt out | Unsubscribe must be honoured promptly. Recipients also have the right to be forgotten, or data erasure, which requires the organisation handling the data to cease processing. | Unsubscribe requests must be honoured immediately or within 10 days. The unsubscribe within a message must be valid for a minimum of 60 days. |
| Additional opt out | Data processor must make it easy for recipients to opt out of further communications. | Data processor must make it easy for recipients to opt out of further communications. |
| Penalties | Fines of up to 20 million Euros or 4% of total annual worldwide revenue – whichever is higher. | Up to $10 million per violation. Directors, officers, agents and mandataries of a corporation may face liability under CASL and be subject to an AMP up to $1 million per violation. |
| Age | Parental consent must be provided for children under 16 years of age. Member states can lower this age to 13 if they desire. | No age restriction requirements |
| Consent | Senders must obtain either express or implied consent before sending CEMs and separate consent is required. The sender must keep a record of what information was shared in the request for consent, when, where and how they consented. Pre-checked boxes are not permitted as consent. | Senders must gain separate consent requests and must keep a record of what information was shared in the request for consent, when, where and how they consented. Pre-checked boxes are not permitted as consent. |

How is Canada getting on with CASL?

So far only eight public fines have been reported, all from organisations within Canada. These organisations are large entities such as Rogers Media Inc and Kellogg Canada Inc. For many, though, CASL hasn’t yet affected the organisations who are the main culprits – such as scammers and organisations outside of Canada – at whom the legislation was originally aimed.

A recent Canadian Chamber of Commerce survey found that:

  • 42% of business operators agreed strongly that obtaining CASL-compliant consent is too difficult
  • 56% agreed strongly that the CASL legislation is too complicated and confusing
  • 63% agreed strongly that the organisation is concerned about the high penalties under CASL

Canadians had two years to prepare for the compliance deadline and many organisations still feel unprepared and confused about CASL.

Lessons learnt from CASL

There is a large group of Canadians pushing for a review of the legislation to hopefully stop legitimate businesses being punished.

The review pushes for:

  • Making implied consent much broader and therefore more particular.
  • Removing the admin-heavy two-year and six-month ‘existing business relationship’ purge dates.
  • Putting the legal onus on the party that authorizes the creation of sending the CEM instead of intermediaries who may inadvertently be caught by the process.

The main lesson learnt is that organisations need more information and guidance regarding the do’s and don’ts of how to operate within the guidelines. Organisations themselves need to be more transparent within their data handling and processing so they can show accountability and visibility to both their data and legal bodies.

Data Discovery

Data discovery tools work perfectly to help answer both GDPR and CASL challenges.

The initial step in both cases is to carry out a data audit to understand where compliance is met and not met across the entire data estate – structured, semi-structured and unstructured data simultaneously. Data discovery software removes the need for someone to manually check online and offline systems to perform this data audit, alongside providing a platform to automate this process moving forwards.

Following the audit, organisations need to catalogue all data assets that are affected by the legislation. Both GDPR and CASL require users to catalogue where data has come from, what permission/consent rights have been obtained, where the data is stored, and in the case of CASL a data stamp for implied permission. Cataloguing data not only helps organisations to effectively manage their data estate to ensure compliance but also to provide targeted services and promotions moving forwards.

As legislation like CASL continues to mature and GDPR comes into force, the world will need to keep up-to-date with the ever-growing legislative requirements regarding data protection.
