CASL Penalties: Do you have $10 million to spare?

As you hopefully know by now, Canada has started its new anti-spam law (CASL) effective July 1, 2014. While CASL addresses several forms of communications with customers, such as email, mobile texting and application installations/updates – I’d like to address email marketing specifically. 

Note: TailoredMail automates all of the following for its clients. If you need help implementing a CASL strategy, please contact us.

For many businesses, only a few safeguards are required to comply. But for any business that has one or more of the following, it’s time to take action and formulate a three-year-plan (I’ll explain that aspect later in this article):

  • You potentially have Canadian customers, partners or just interested “followers”.  You can do quick checks to see if this is true by positively confirming any the following:
    1. Do any of your email subscriber addresses end in “.ca”?
    2. Do any subscriber profiles contain a Canadian physical, billing or postal address?
    3. Do any of their phone numbers begin with a Canadian area code?
    4. If you collect a user’s IP address at sign-up or when they open/click elements in your email, are those geographically located in Canada?
  • You have ever purchased or imported a list of email subscribers into your email system for which you CAN’T prove where they are from.
  • You have legitimately collected permission-based names in the past, but you do NOT know where they live/ reside and you also don’t have documentation of how, when and where you obtained such permission.
  • Your ESP (email service provider) is based in Canada.

Again, if any of the above is true, then CASL applies to you. If you are confident (and can document), however, that you do not have any potential for Canadian email subscribers in your lists, then you don’t need to worry about this law. There are some very prudent aspects of the law that you might want to go ahead and comply with, however.

First, let’s address the RISK / THREAT to your organization. CASL is one of the first laws to allow private citizens of Canada to sue you (in addition to the Federal Government). And get ready for a feeding frenzy, as they can sue you for up to $10 million per message sent. That should get everyone’s attention.

But – importantly – private citizens can’t do this until July 1, 2017 – three years from now. In the meantime, however, the Canadian governmentcan sue you tomorrow if they wanted to. The Canadian Radio-Television Commission (CRTC) will likely only be going after chronic spammers, however. In other words, if your company is doing its best to adhere to CASL laws and clean up its permission practices – the likelihood of you running into trouble with CASL is very small, at least until July 1, 2017.

While there are some simple things you can do right now, it’s critical to put together a well-thought-out three-year plan to get all your permissions cleared up and mechanisms in place to audit compliance.

What you should do right now:

  1. Sign-up Forms. It Starts Here:
    • Clean up your sign-up forms that add people to your marketing lists. The following is prudent for ANY company, regardless of whether CASL affects you or not. It’s important to know this; a simple email-sign-up form that is so common on websites today is likely NOT going to be good enough, all by itself, to be compliant with CASL.
    • Any page where a sign-up/ opt-in-form is presented to a user that will then send them marketing or promotional content, you must also:
      • Clear language that asks them for permission, as well as text that explains to them that they will be able to unsubscribe at any time.
      • Clearly identify your business. If your form exists within a normal page within your website (with your logo/name in that page), then this is just fine.
      • Provide the following somewhere in the form:
        1. A valid mailing address they can communicate with, and…
        2. One of the following; telephone number, email or web address
        3. Do not include a pre-checked box that confirms their interest in a subscription. This is prohibited by CASL. The purpose of this aspect of the law is to prevent companies from duping people into subscribing as a part of a cart checkout process (and sneaking in a pre-checked box opting them into further emails). If you are using a simple sign-up-form on your website, for example, just be sure to do “a.” above, and you are good to go. Adding a checkbox to perform this function is simply unnecessary and may actually reduce opt-ins.
        4. When the form is submitted, be sure to store as much information as you can to document this “permission”, including the date/time, IP address of the subscriber, and a description of the vehicle used to obtain the permission. For example:
          • Date: 7/1/14 09:15am Pacific Time
          • IP:
          • Description: Sign-up form on company website
  2. Clean up your Email Templates
    • Much like you have to add specific elements in your footers to support CAN-SPAM, the same is true with CASL. You must:
      • Provide the following:
        1. A valid mailing address they can communicate with, and…
        2. One of the following; telephone number, email or web address
      • Include a working unsubscribe link. This link must continue to be active/ working for at least 60 days after the email is sent, and the unsubscribe action must be taken within 10 days of the opt-out request.
      • Clearly identify who is sending the email. This seems obvious, but there might be scenarios where a third party is sending emails on your behalf (e.g. a rented list, or you are combining your list with others), or you co-opt your list for your own partners. In these instances, both parties need to be disclosed in the email.
  3. CONSENT- Get It Documented
    • Create a process to organize, document, and obtain your subscriber’s consent, which CASL requires. If you are sued, you will be required to document each user’s consent; the next section of this article will explain these “consent” levels and how to manage them.
  4. CONSENT- What it is, according To CASL, and why it’s so important
    • We’ll try our best to keep this simple, but it’s important to fully understand both the TYPES of consent, and HOW and WHEN you obtained it.
    • CASL has two kinds of consent:
      1. Expressed
        • This means that the individual has given you clear permission to email them commercial messages – and this permission lasts forever, unless the person specifically unsubscribes.
        • If, for example, you are following the sign-up-form guidelines we posted earlier in this article, each and every submission to that form has given you “Express Consent”.
      2. Implied
        • This means that the person has done business with you within the last two years, such as purchased a product or entered into a contract with your business. Each time they purchase something new, or renew their contract – the two-year-timeframe is extended.


The rules are slightly different for names you already have in your lists PRIOR to July 1, 2014 versus those you are now obtaining today (after July 1, 2014). Now, the next important consideration is: What do you do with people you have in your list prior to July 1, 2014 versus those obtained afterwards?


Before CASL (July 1, 2014), Canada had an anti-spam law in place called the Personal Information Protection and Electronic Document Act (PIPEDA). This is an important thing to understand because if you obtained names in your list prior to July 1, 2014 that complied with PIPEDA, then they are grandfathered in as being in the “Express” category. Here would be your litmus test as to whether you were complying with PIPEDA:

  1. You can document (date, location, method) how the permission was obtained (e.g. sign-up-form on website, trade show, webinar, phone request for information, checked-box as a part of a cart checkout process)
  2. You did NOT import names from third parties
  3. You allowed and honored users requests to opt-out of each and every commercial email campaign you have sent

If you can’t document the above, then you’ll want to pay close attention to our recommended 3-year-plan to get everything cleaned up ahead of the July 1, 2017 timeframe.

If you have knowingly been using purchased lists, or have knowingly been sending emails without any prior permission from the recipient, then we strongly urge you to turn our 3-year-plan into a 30-day-plan. Seriously. You were not only in a tenuous legal situation prior to CASL, but now you’re swimming with the sharks – and it’s time to clean up your practices. (Contact us to help, if you want).

ImpliedConsent, on the other hand, requires more on-going management and documentation because the consent only lasts for two years. Ah, but there’s an asterisk here; if someone has purchased a product or done business with you (e.g. entered into a contract to do business with you) PRIOR to July 1, 2014, you actually can continue to email them until July 1, 2017. The reason for this is to provide some “relief” to companies who need more time to try and convert Implied consent subscribers to Express. But, anyone you’ve added to your lists that fall under the Implied Consent definition after July 1, 2017 will only last for two years since their last purchase or contract renewal date.

So, the key here is to clean up your forms/templates and create a documented process for tracking Express vs. Implied consent from Canadian subscribers. We have developed a process and checklist for you to address over the next three years (if you don’t use TailoredMail), and if you click below, we’ll send it to you. If you are already a TailoredMail client, then you don’t need to worry – the management of this process will be handled automatically for you – and if you have questions on this, simply contact your Account Manager.

Request our checklist:

 Twitter  FaceBook  LinkedIn  

© 2019 by TailoredMail. All Rights Reserved. Privacy Policy