Message to the mail man by gajman (CC BY 2.0)


Keep Calm and Get Consent: Canada’s Anti-Spam Law Takes Effect This Week

Canada’s anti-spam legislation takes effect this week, sparking panic among many businesses, who fear that sending commercial electronic messages may grind to a halt on July 1st. The reality is far less troubling. The new law creates some technical requirements for commercial email marketing alongside tough penalties for violations, but left unsaid is that Canadian law has featured rules requiring appropriate consents for over a decade.

My weekly technology law column (Toronto Star version, homepage version) notes that the concern over the new anti-spam law, which mirrors similar worries from 2004 when private sector privacy legislation arrived, suggests that many may not have complied with their existing obligations. As Canadians receive a flood of requests for consent from long-forgotten organizations they never realized had collected and used their personal information in the first place, the controversy over the rollout of the new anti-spam law says more about poor compliance rates with current privacy laws than it does about the new regulations.

PIPEDA already requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so. Compliance with the new anti-spam law (CASL) involves much the same obligations, since the three primary requirements involve obtaining user consent, providing an unsubscribe mechanism, and maintaining accessible contact information.

So why has the new anti-spam law caused such an uproar? Three reasons: a shift in approach on consents, the confusion that comes from trying to fit into the myriad of exceptions contained in the law, and fear of tough new penalties.

The biggest substantive change in the law comes from the requirement for express consent. Express consent requires disclosing the purposes for why consent is being requested and identifying who is seeking consent. This represents a significant change from current practice, where businesses have frequently relied upon “implied” consent for their use of personal information.

The reality is that users were often unaware that their information was being collected, used, and even disclosed for commercial purposes. The terms were often buried in legal agreements that few bothered to read or presented alongside confusing negative option check boxes that left many bewildered as to whether they needed to check or uncheck the box in order to avoid more email marketing.

Yet businesses relied upon these approaches to claim they had obtained the necessary implied consent. The shift to express consent represents an important change that has forced many businesses to directly request consent from their users for the first time (if a business already has express consent there is no need to ask again). Those arguing that the new law will have little impact on spam miss the point: the law is shifting privacy expectations in how our information is collected and used.

Given the fears associated with seeking express consent, many businesses are seeking to rely upon exceptions contained in the law. There are many exceptions in CASL, with everything from most business-to-business emails to Twitter direct messages excluded. Yet reliance on exceptions creates an assortment of complications that many businesses are finding difficult and has become another source of concern. The exceptions require a close reading and some interpretation, but it should be remembered that businesses can always seek express consent and avoid the issue altogether.

The third major concern involves the consequences for failing to comply with the law. Failure to comply with the current privacy law results in little more than a non-binding finding from the Privacy Commissioner of Canada with practically no likelihood of financial penalties. On the other hand, CASL’s penalties are significant with the maximum penalty set at $1 million per violation for an individual and $10 million per violation for a business (despite fears of massive penalties for a single slip-up, warnings are far more likely than penalties).

The law also includes a three-year transition period that ensures that as long as an organization already has implied consent, it has until 2017 to upgrade to an express consent. Email marketing will not stop on Canada Day, but the arrival of the anti-spam law after a decade of debate does mean that Canadians are being meaningfully asked for the first time if they give consent to the collection, use and disclosure of their personal information, a change in approach that seems well worth celebrating.



  1. Devil's Advocate says:

    Oh, well…
    “…sparking panic among many businesses, who fear that sending commercial electronic messages may grind to a halt on July 1st.”

    If only!

  2. pat donovan says:

    and roving IP addresses still live; spam may be illegal, but it isn’t stopped.

    betcha it becomes part of the IP licensing.

    like MS updates, eh?

    happy canada day anyway.

  3. Stu Ducklow says:

    Lazy ignoramus
    What if I want to send an unsolicited email to a company that I think could use my services? Can I do that? Do I have to phone first?

  4. Bill Wittur says:

    Anti-spam or anti-social?
    These efforts will do nothing to stop spam. Hackers sitting in some far off location could care less about Canadian rules and will continue to spam Canadians or find some alternative to mess with our inbox.

    The CASL situation has created an unacceptable situation in Canada because the threat of any fine (especially being as excessive as they are) will push any small business into hiding when it comes to outbound communications. As you clearly indicate, PIPEDA rules (and basic common sense) have encouraged organizations to ensure they clearly include a functional ‘unsubscribe’ option with any messages.

  5. Perhaps I am over-reading your detail when you say “the biggest substantive change in the law comes from the requirement for express consent”. I thought it was one of your own columns ( ) which laid out the difference between express and implied consent. If an organization is prepared to (a) only send to those people who have provided the electronic address as part of being a customer and (b) maintain records that prevent ever sending to someone who was last a customer more than two years ago, that (as I understood you at the time) would make that organization compliant. Did I mis-read you then, or now?

    I have become quite annoyed over the last few days with organizations that feel like they are misleading in their request for express consent. From what I have read, they do not need consent for transactional messages (“here is your receipt”), and if I am a regular customer, they have implied consent. Instead, I am asked to hand over what amounts to a free hand to flood my inbox, because they leave you with the impression that they won’t even send you a receipt without consent.

    The only upside appears to be that every message must have an unsubscribe mechanism, which means that any mis-judgements on my part can be rectified.