CASL, GDPR, CEM and Other Letters That Could Spell Trouble

On July 1st, 2017, the Canadian Anti-Spam Law (CASL) is getting an upgrade. Here’s what you need to know come Canada Day as a small business in Canada that uses digital tools as a primary method of marketing or sales.


First, a little history. In 2014, the federal government passed CASL in order to battle the onslaught of spam to Canadians’ inboxes. It set regulations around – and ascribes pretty hefty punishments to – the Commercial Electronic Messages (CEMs) that Canadian organizations can send to consumers, without that consumer’s consent. Basically, if they don’t ask for that email announcing the Spring Flash Sale on open-toed shoes, it is illegal to send it. And CEMs aren’t just emails. Any message with “commercial intentions”, from texts to voice mails, counts. Same with software installed on a device from another computer program, such as those that may include data tracking devices like cookies (but more on that in a minute). Fines from the CRTC can go as high as $1 million for individuals and $10 million for businesses per violation, depending on the nature of the violation and the violator’s history with CASL.

All this was met with an understandable backlash from small Canadian businesses that have found it hard to compete with international brands unconcerned by the threat of fines that can reach into 6-figures. The bewilderment caused by loop holes, broad descriptions of CEMs, and the confusion over ‘implied’ vs ‘express’ consent, have not made navigating CASL any easier.

The last three years have been a transition period for CASL, and it was designed that way to help Canadian businesses adapt. Now, major changes are coming to CASL of which businesses need to be aware to stay out of hot water – and claims court.

Mainly, there will no longer be such a thing as “implied consent”. Previously, certain sales transactions, and email lists grandfathered in from before 2014, could qualify as consent. No more. Organizations will have to remove recipients from their email lists unless the organization has received express consent from a recipient. If express consent came in before 2014, it is still valid, but you better have a record of it. You may have noticed this in your own inbox; while some organizations are hiding the ask behind contests or discount codes, others are simply asking you to allow them to continue to send you their newsletter.

As for cookies, the water gets murky. The rather landmark steps being taken in Europe under the EU’s General Data Protection Regulation (GDPR) effectively ban anyone from installing cookies on another party’s device (in the EU) without—you guessed it—express consent.

Under CASL, it’s not so strict and consent for cookies can be obtained simply by certain online behaviours (like using a website). However, with the GDPR coming into full effect in May 2018, many companies are covering their butts by obtaining express permission to install cookies. This is why you’re seeing so many pop-ups like this one lately:

While Canadian cookies are safe—for now—from CASL, if your organization does business with anyone in the EU, it is important to get started on obtaining that consent from individual consumers. Otherwise, you could be facing fines as high as 20 million euros, or 4% of global revenue. Enough to sink a small company, from just one misstep.

And with the piecemeal way that CASL is unfolding already, and our strong trade ties to the EU, who knows how long before the reins are tightened here in Canada as well.

So it makes sense to have a look at how you communicate with your customers, examine how you collect data from them, and make a clear record of your process and lists. It may seem a mountainous task, so we’ve complied a small list of resources to help you get started.

A quiz to see how up to date you are on CASL

A comprehensive breakdown on 10 key components of CASL

CASL, with pictures!

Cookies, from the horse’s mouth

GDPR in North America

Get help with GDPR

Because of the roll out to CASL and its heretofore lax rules, it has been easy for small businesses to ignore CASL; it was out of sight, for the most part, and over three years out of mind. Time to take a second look.