Data Privacy

Canada’s Anti-Spam Legislation (CASL)—A brief history.

minute read

Post Image

Shortly after CAN-SPAM passed into law in 2003, the Canadian government organized a group of professionals from several different industries, including marketing, technology, private business, not for profits, and the legal community, to consider the potential structure of what would ultimately become known as Canada’s Anti-Spam Legislation (CASL). Here’s a brief history of CASL.

The group of stakeholders, known as the Federal Anti-Spam Task Force (FAST-F), held several meetings over the course of a year and produced a highly-regarded document entitled Stopping Spam: Creating a Stronger, Safer Internet in 2005. Many of the recommendations from this initial document went on to become the foundation of CASL passed in 2010.

Excerpt from page iii of Stopping Spam: Creating a Stronger, Safer Internet

Passing CASL into law was more challenging than many of us in the Canadian email community imagined. The Canadian government was forced to restart the process several times between 2005 and 2010.

While the legislative process churned on, the early version of the law bore a couple of other names, including C-27 – The Fighting Internet and Spam Act (FISA) and C-28 – The Electronic Commerce Protection Act (ECPA). During the committee review process, the official name of the law — An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act – was dropped, and the industry eventually gave the bill a much shorter and more logical nickname: Canada’s Anti-Spam Legislation (CASL)

After finally becoming law, a couple years passed before the regulations from the various enforcement agencies finalized, leading to a 2014 enforcement date.

The most immediate impact on Canadian recipients was the flurry of subscription confirmation emails sent from businesses before the enforcement date, primarily during the Canadian summer of 2014.

After CASL became law, it triggered three deadlines businesses had to meet:

  1. The first deadline was the kick-off for enforcement, July 1, 2014, targeting CEMs and data collection, unsubscribe management, and the message form requirements.
  2. The January 15, 2015, deadline mandated businesses in the software space update their install software for compliance.
  3. The final deadline was July 1, 2017, when the full enforcement of all provisions of the law activated, and the transition period (Section 66) of the act came to a close. This deadline covered the expiration of implied consents collected pre-CASL. Weeks before this deadline, CASL’s Private Right of Action (PRA) was also scheduled for introduction at this time but was delayed indefinitely.

During the transition period, several cases, mostly led by the Canadian Radio-television and Telecommunications Commission (CRTC), were filed with fines ranging from $10,000 (CAD) for the CEO of on organization responsible for various alleged violations to $1.1 million (CAD) against a Quebec corporation.* We also saw one case where the CRTC used its powers under CASL to help the international community take the Dorkbot virus offline by raiding a data center where one of the command nodes was operating.

CASL has now reached its three-year review period and is under the microscope of the review board to determine if any required changes to the legislation are necessary, and to evaluate the effectiveness of the legislation to accomplish the function outlined within its mandate.

Many businesses that completed a proper CASL-compliance exercise may already be much further ahead in their compliance readiness for the E.U.’s General Data Protection Regulation (GDPR), whose implementation date is May 25, 2018.

For more information on CASL, please review the official site FightSpam.gc.cafor more details on the rules and regulations of the law.

Keep coming back to the 250ok blog for more information about CASL, the GDPR, and compliance with both laws, as I share insights into these laws and how they impact your email marketing program.

* On October 19, 2017, this fine was reduced by Commission to $200,000 (CAD).

Comparison of CASL and CAN-SPAM