CASL Are you prepared? An overview of Canada’s Anti-Spam Law

CASL: Are you prepared?


DESCRIPTION

Stage one of Canada’s new Anti-Spam Law came into effect on July 1, 2014, creating a new regulatory framework for any organization sending Commercial Electronic Messages (CEMs) to or from Canada. Designed to reduce spam, spyware/malware, email address harvesting and network rerouting, CASL contains some of the toughest measures of its kind in the world, with severe penalties for non-compliance including fines, criminal charges, civil charges and personal liability. It’s a complex framework with strict requirements for all CEMs, myriad rules on consent as well as numerous full and partial exemptions. Are you confident your organization is ready for CASL? Is your technology? What about proving compliance?


Page 1: CASL: Are you prepared?

CASL: Are you prepared?

An overview of Canada’s Anti-Spam Law

Page 2: CASL: Are you prepared?

Spam statistics

90% of global email traffic is spam

Page 3: CASL: Are you prepared?

Spam statistics

Over one trillion spam emails sent globally per day

Page 4: CASL: Are you prepared?

Spam statistics

1 in 24 emails contains malware

Page 5: CASL: Are you prepared?

Spam statistics

1 in 445 emails are phishing emails

Page 6: CASL: Are you prepared?

Spam statistics

One Canadian FSI reported that it deletes around 150,000 spam emails per hour during peak email times

Page 7: CASL: Are you prepared?

Spam statistics

The same Canadian FSI deletes approximately 2 million spam messages in a typical day

Page 8: CASL: Are you prepared?

So, what is CASL?

Canada’s Anti-Spam Law (CASL) is a new regulation designed to reduce spam, spyware/malware, email address harvesting and network rerouting.

Page 9: CASL: Are you prepared?

Which communications does CASL cover?

CASL applies to all commercial electronic messages (CEMs) in Canada.

These include:
• Commercial emails
• Text messages
• Social media messages

Page 10: CASL: Are you prepared?

What constitutes a CEM?

Simply put, for a piece of communication to be considered a CEM, it has to have two components:

1. It must be sent to or from an electronic address
2. Its content, hyperlinks or contact information must be designed to sell, promote or advertise a product or service

CASL also applies to global organizations that send CEMs to Canada.

Page 11: CASL: Are you prepared?

Which organizations does CASL impact?

CASL applies to any organization that sends commercial emails, text messages and social media messages from or to an electronic device in Canada.

These include:
• Businesses
• Non-profits
• Trade associations
• Schools, universities

Page 12: CASL: Are you prepared?

What are the timelines for CASL?

CASL will be rolled out in three stages:
• July 1, 2014 – All CEMs must meet CASL’s anti-spam requirements
• January 15, 2015 – Consent is required to install spyware or software on another person’s computer
• July 1, 2017 – Organizations that violate CASL can be sued for actual or statutory damages under a private right of action

Page 13: CASL: Are you prepared?

Do penalties exist for non-compliance?

Penalties for non-compliance are severe and include:
• Hefty fines
• Criminal charges
• Civil charges
• Personal liability

Page 14: CASL: Are you prepared?

CASL rules, simplified

CASL demands that all CEMs meet three basic requirements. These are:

1. Consent. The sender must have implied or express consent to send a CEM.
2. Identification. CEMs must identify the sender and include contact information.
3. Unsubscribe. Every CEM must include an option to unsubscribe or opt-out.

Unless exempt, all CEMs accessed on a computer system or electronic device must include all of the above.

Page 15: CASL: Are you prepared?

Are there exemptions?

The list of exemptions is long – and it’s always best to read the fine print. There are both full and partial exemptions that exist under CASL.

The following pages detail summaries of both the full and partial exemptions that exist under CASL.

Page 16: CASL: Are you prepared?

Full exemptions

Full exemptions fall into five categories:
• Family or business relationships
• Business inquiries
• Legal
• Closed loop or secure messaging
• Designated groups

Page 17: CASL: Are you prepared?

Family or business relationship exemptions

Full exemptions for:
• CEMs exchanged between family and friends
• CEMs exchanged within or between organizations, provided they have an existing relationship and the CEM concerns the activities of an organization

Page 18: CASL: Are you prepared?

Business inquiry exemption

Full exemptions for:

CEMs providing a response to a request, inquiry or complaint (provided there is no upselling)

Page 19: CASL: Are you prepared?

Legal exemptions

Full exemptions for:
• CEMs sent to satisfy or enforce a legal obligation
• CEMs sent to listed foreign countries, where it is reasonable to believe that the message will be opened in a listed foreign state

Page 20: CASL: Are you prepared?

Closed loop or secure messaging exemptions

Full exemptions for:
• CEMs sent from messaging platforms (e.g. BBM messenger, LinkedIn) where the required identification and unsubscribe mechanisms are clearly published on the user interface
• CEMs sent and received within limited-access secure accounts (e.g. banking portals)

Page 21: CASL: Are you prepared?

Designated group exemptions

Full exemptions for:
• CEMs sent by or on behalf of a registered charity for the primary purpose of fundraising
• CEMs sent by or on behalf of political parties seeking contributions

Page 22: CASL: Are you prepared?

Partial exemptions

Partial exemptions can be classified into three categories:
• Customer-initiated interactions
• Information about an existing business relationship
• Third-party referrals

Page 23: CASL: Are you prepared?

Customer-initiated interactions

Partial exemptions:

You do not need consent for a CEM that is sent to fulfil the request of a recipient, such as:
• Providing a quote
• Facilitating a commercial transaction
• Delivering a product or service

For more information on the electronic commerce protection regulations and its exemptions, read our FAQ

Page 24: CASL: Are you prepared?

Information about an existing business relationship

Partial exemptions:

CEMs can be sent if they provide information about an ongoing business relationship, such as:
• Warranty, product recall or safety alerts
• Factual information about the ongoing use of a product/service
• Information about an existing employment relationship

For more information on the electronic commerce protection regulations and its exemptions, read our FAQ

Page 25: CASL: Are you prepared?

Third-party referrals

Partial exemptions:

A single CEM can be sent to a prospective customer without prior consent on the basis of a third-party referral (e.g. “refer a friend” or “suggest us” emails), so long as:
• The referral is by a person who has an existing personal, business or family relationship with the sender and recipient
• The message discloses the full name of the person who made the referral
• The message clearly identifies the sender and person making the referral, and includes both contact information and an unsubscribe option

Page 26: CASL: Are you prepared?

What is implied consent?

In certain situations, organizations don’t require express consent to send a CEM – implied consent is enough. Consent is implied if:
• There is an existing business or non-business relationship
• The recipient is part of a published directory
• The recipient has voluntarily disclosed their email address, such as by handing out a business card

In all situations, the CEM must be relevant to the recipient’s business or role. If the recipient indicates that they do not want to receive electronic communication, consent is no longer implied.

Page 27: CASL: Are you prepared?

Obtaining express consent

For all non-exempt CEMs, recipients must offer express consent by actively and positively indicating that they want to receive your CEMs. Recipients can express consent in a number of ways, including:
• Checking a box to indicate consent in the form of “opting in”
• Typing an email address into a field
• Providing “unbundled” consent that is separate from the general terms and conditions of use or sale

Please note: while pre-checked consent boxes are no longer permitted as a form of consent, those that existed on email communications before July 1, 2014 will be grandfathered in.

Page 28: CASL: Are you prepared?

Requesting consent

Just as CASL includes rules for sending CEMs, all outgoing requests for consent must include a few basic elements.

These are:
• The name of the sender and the third party seeking consent (if different)
• A physical mailing address
• A telephone, email or web address
• A statement indicating that consent may be withdrawn

Page 29: CASL: Are you prepared?

Preparing for CASL: Immediate steps

1. Designate a CASL working group to review your current CEM processes and identify compliance gaps.
2. Develop an implementation plan.
3. Reach out to contacts in your database in an effort to turn implied consent into express consent.

Page 30: CASL: Are you prepared?

CASL compliance: Questions to note

• How will you manage your unsubscribes if you share content lists?
• How will you prospect if you rely on the B2B exemption?
• Will you rely on a centralized unsubscribe model or federated model to build a CASL-compliant database?
• Will you rely on the transitional period to convert all implied consent to express consent?

Page 31: CASL: Are you prepared?

The technology perspective

Ensuring compliance with CASL – both immediately and over time – requires designing and implementing technology platforms that perform a variety of functions, including:
• Managing and tracking opt-outs and consents
• Recording subscribe and unsubscribe histories
• Producing reports

All of the above information is needed for you to illustrate your due diligence.

Page 32: CASL: Are you prepared?

Customizing technology

Your company’s platform will need to take your specific situation into account. For example, simply building an unsubscribe mechanism requires consideration of factors such as:
• Should the process be manual?
• Will you keep a federated unsubscribe database or a web page that allows unsubscribes from certain services?

Page 33: CASL: Are you prepared?

After July 1

While CASL’s Anti-Spam provisions take effect on July 1, here are a few helpful tips to keep in mind after the deadline:

There is a grace period
Businesses that have existing relationships benefit from a three-year grace period to verify and confirm implied consents.

You can no longer send an email to ask for consent
After July 1, senders can only offer check boxes to acquire a recipient’s express consent.

Page 34: CASL: Are you prepared?

Proving compliance

You must keep strong records of all consents and unsubscribes so that they are:
• Documented
• Amalgamated
• Stored

Remember, if you’re sending CEMs, the proof of consent burden is on you.

Page 35: CASL: Are you prepared?

Learn more at

www.deloitte.ca/CASL

Deloitte, one of Canada’s leading professional services firms, provides audit, tax, consulting, and financial advisory services. Deloitte LLP, an Ontario limited liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

© Deloitte LLP and affiliated entities. Designed and produced by the Deloitte Design Studio, Canada. 14-2191H