Be the King of the CASL

Don’t become a pauper by making a $10 million mistake.

July 1st, 2017 marks a very important birthday in Canada – Pamela Anderson will be turning 50 (still got it Pammy!).

Wait, that can’t be it…oh right, it’s Canada’s 150th birthday as well (still got it Canada!). A day where everyone can look forward to watching the red and white fireworks sparkle (cue the “ooo’s” and “ahhh’s”) as the Canadian flag waves proudly in the air and we munch on poutine and sip on caesars.

However, those who run websites that capture personal information may pass on the celebrations as they deal with the updated law surrounding commercial electronic messages (CEMs), where penalties could cost them as much as $10 million (yikes!).

The what and when

That’s right – on July 1st 2017, Canada’s Anti-Spam Legislation (CASL) is sharpening up and cracking down. Three years ago to the day, CASL was put into effect in order to cut down on the high volume of unwanted CEMs. From those annoying chain emails of yesteryear (no, I did not forward it on) to today’s constant promotions which you don’t remember signing up for, whether this is by email, text, IM, automated voicemail or social media, Canada is trying its best to stomp spam out.

The penalty for not complying to CASL? Up to $200 for each non-compliant CEM, on top of any compensation and expenses incurred, to a maximum $1 million per day for individuals and $10 million for businesses!

The why

Why the change? Well this moment was always going to come. When CASL was first implemented, it was done so with a three-year transition plan in place. This gave businesses a grace period to audit and align their emarketing practices and business processes with CASL. However, this has resulted in some companies getting complacent.

As all previously collected email contacts were grandfathered in and companies given 3 years to acquire the recipient’s consent to receive CEMs, some businesses made little effort to get in alignment with CASL since they didn’t feel the immediate pressure to conform. You know, one of those “I’ll do it later” moments which just happened to span 3 years; talk about procrastination.

Furthermore, the enforcement of CASL was in the hands of the Government and they found themselves too busy juggling other matters to really enforce the legislation properly, leading to companies feeling that they could continue with their old habits without getting penalized (source).

The who and where

However, now all Canadian companies must comply with CASL, but it’s not just them who need to sit up straight and listen. This may come as a shock to some, but the truth is any company that emails a person residing in Canada, even if the company itself it outside Canada, must also abide to the updated legislation.

The how

So how can you make sure you abide by the new rules? Well firstly, let’s take a look at what they are. As of July 1st, 2017, the law will:

  • View any contact to those who have not ‘expressed content’ as a violation of CASL. Although there are a few exceptions, companies who have failed to get the expressed consent of the grandfathered in email contacts will not be allowed to use the data for future communication. This will not only lead to a massive loss in marketing opportunities but can result in a negative impact on future revenue.
  • Allow the private right of action to be enforced. The power to commence a lawsuit will now be given to the private person (a.k.a. the public). Between the large number of vocally disgruntled victims of spam and opportunity grabbing lawyers means companies could quickly drown in a tidal wave of legal costs, settlements and fines as a result of CASL violations.

So again, how do you make sure you are adhering to the CASL legislation? Three requirements must be met:

Consent to sign up

The user must express or imply consent to receive CEMs. When asking for personal information, make sure you provide a checkbox that asks the users if they would like to receive information such as newsletters. Don’t think you can use the opt-out or pre-checked boxes method instead as this does not count as explicit consent and is therefore seen as breaching CASL. So make sure all your pre-checked boxes are updated to be unchecked by default and opt-outs are changed to opt-ins.


The business sending the CEMs must be clearly identifiable in the message. It is highly recommended to clearly state the business name and address both on the sign-up page and delivered email. For best practice, during sign-up the user should be given a description of what they are signing up for and how frequently they should expect to receive emails. Many businesses go as far as offering users several options of what they could sign up for and / or how frequently they would like to be contacted which is a nice touch.


Unsurprisingly, one of the main requirements is providing an “unsubscribe” button on any CEMs sent. No doubt all of us have received unwanted emails and immediately looked for that Holy Grail of a button. Once clicked, the business is responsible for ensuring the former subscriber is fully removed from their list. Services like MailChimp are great for this as they usually automatically remove the subscriber.So if you have already gotten express consent from those on your mailing list and are adhering to all three requirements – great! If not, you have 3 months to implement them and get any outstanding consent from those in your grandfathered in mailing list or you risk losing them as contacts, or worse, face hefty penalties.

Here at Drive, we make sure that any websites we build that collects personal information conforms with the CASL requirements. Although we can’t ensure your CEMs comply with the law, personal information is usually captured via a webpage’s call-to-action such as ‘register now’ or ‘apply here’.  With each one we ensure the business is easily identifiable and the user has the option to opt-in, not opt-out, to future communication. If we didn’t, then the information would be stored in violation of CASL. Although Drive wouldn’t be liable for the breach, we look out for all our clients and ensure our sites include the necessary features to ensure compliancy.

So make sure you’re the King of the CASL by the 1st of July or risk being thrown in the spam moat. If you’re needing to redesign your website to ensure it’s compliant with CASL, get in touch with us at Drive and we’ll help make sure that when the 1st rolls around, you’ll be enjoying the Canada Day fireworks too (with poutine and a caesar in hand).