Canada: Industry Canada Issues Revised Anti-Spam Regulations

On Jan. 5, Industry Canada published the long-awaited revised version of its Electronic Commerce Protection Regulations. These Regulations, together with the final Regulations previously published by the Canadian Radio-television and Telecommunications Commission (CRTC), will provide the requirements for complying with Canada's Anti-Spam Legislation (CASL) when it comes into force.

The revised Regulations provide important new exceptions that will be essential for businesses in complying with CASL. Industry Canada notes that these have been introduced in areas where "broad application of the Act would otherwise impede business activities that are not within the intended scope of the legislation."

However, the regulatory impact analysis for the Regulations also directly states that some regulatory concerns raised by interested parties in the consultation process were considered but expressly rejected. In particular, Industry Canada has stated that the existing consent that is valid under the Personal Information Protection and Electronic Documents Act (PIPEDA) will not survive CASL in some cases.

Notable aspects of the new Regulations include:

  • New exceptions for the requirements for consent and prescribed disclosure in messages:
    • Sent between employees, representatives, contractors or franchisees of a business and in relation to its affairs;
    • Sent between employees, representatives, contractors or franchisees of separate businesses with an existing business relationship and in relation to their affairs; or
    • Sent in response to a request, inquiry, complaint or solicitation;
  • A new definition of "personal relationship" that removes the requirement to have met in person and to have had a two-way communication in the previous two years;
  • A new — and limited — exception for referral messages sent by an "individual" following a referral from a second individual who has an existing relationship with both the sender of the message and the individual referred.

PIPEDA consent

The regulatory impact statement for the new draft Regulations confirms that Industry Canada takes the position that organizations will not be able to rely on consent (which presumably includes express consent) that was valid under PIPEDA to continue to send messages under CASL when it comes into force.

CASL creates a higher threshold for consent to use information for the sending of commercial electronic messages by requiring specific disclosure set out in the Act itself and the CRTC regulations. Previously obtained consent that did not meet these requirements may not be valid when CASL comes into force and following the transition period.

Instead of relying on existing consent, organizations will have the option to seek additional consent that is valid under CASL or, in more narrow circumstances, to rely on one of the exceptions under the Act. CASL provides a three-year transition period in cases where an organization has an "existing business relationship" as defined in CASL (but without regard to the time limitations typically applicable to the definition) that includes the sending of commercial electronic messages when the Act comes into force.

Prior to CASL coming into force and during the three-year transition period in cases where there is an "existing business relationship," organizations will have an opportunity to confirm that their consent lists are in compliance with the CASL consent requirements. Unfortunately, non-responses to such attempts can be expected to lead to a loss of the ability to use a significant portion of existing consent lists obtained in compliance with the existing law following the transition period when CASL comes into force.

New exceptions

The new draft Regulations create a series of message categories that will be excluded from both the consent and disclosure requirements under CASL. In particular, internal business communications sent between employees, representatives, contractors or franchisees of an organization where the message relates to the affairs of the organization will not be caught. External communications between employees, representatives, contractors or franchisees of separate businesses that are already in a business relationship will also be excluded, provided the message relates to the affairs of the organization or the recipient's role or duties within it.

The draft Regulations also create a broad exception for messages that are sent in response to a "request, inquiry, complaint" or another "solicitation" from the recipient of the message. Previously, businesses would have had to rely on such inquires or solicitations creating an "existing business relationship" stemming from an "inquiry or application" from the message recipient in order to have "implied consent" to respond. However, that approach was problematic in a number of respects, particularly due to the narrow wording "inquiry or application," as well as the requirement that the inquiry or application be specifically related to the purchase, bartering, or lease of products, goods, services, or land, or the acceptance of a business investment or gaming opportunity.

Implied consent in cases of an "existing business relationship" remains in the legislation itself; however, the broader exception now provided for in the draft Regulations will be helpful for manufacturers and other organizations that would typically distribute their products through third parties such as retailers rather than directly to consumers.

For example, a food manufacturer would typically distribute its products through retail grocery stores, which would in turn sell them to consumers. This exception should ensure that responding to questions or comments on a brand's Facebook wall, for example, will not be caught by CASL. That said, it should be noted that Industry Canada expressly declined to create an exception that would bring manufacturers within CASL's definition of "implied consent" based on an "existing business relationship" more generally — unless the manufacturer is able to establish a direct relationship with the message recipient or an exception to the need for consent in the first place.

An organization outside of Canada that sends electronic messages relating to goods, services or organizations outside of Canada will be exempt from the consent and disclosure requirements if the organization "did not know and could not reasonably be expected to know" that the message would be accessed using a computer system in Canada. This provision will provide an exception to general, broad application of CASL, which captures commercial electronic messages that are sent or accessed using a computer system in Canada.

For example, organizations operating solely in the United States are now clearly excluded from the application of the Act in the case of an American customer who receives a commercial electronic message while travelling in Canada. However, if such an entity knew or could be reasonably expected to know that its messages would be received in Canada, the CASL requirements would apply regardless of the fact that the message is sent from a computer in the United States.

However, Canadian businesses sending commercial electronic messages to recipients known to be outside of Canada will still be required to comply with the CASL requirements, regardless of (or in addition to) any local requirements. While Industry Canada indicates that this is a deliberate choice in drafting the Regulations, it appears to impose a significant burden on legitimate businesses — which may now be required to comply with two or more differing standards when sending messages from Canada to other jurisdictions — while failing to deter illegal spammers who would be likely to ignore the law in any event.

Finally, more narrow exceptions to the consent and disclosure requirements will exist in cases where a commercial electronic message is sent to satisfy a legal obligation, or to enforce or provide notice of a legal right.

Family, friends and a very limited referral exception

The revised Regulations also include definitions for "family relationship" and "personal relationship." Commercial messages sent "by or on behalf of" a person with a family or personal relationship will be exempt from both the consent and disclosure requirements of CASL. The definition of "family" relationship tracks that of the 2011 draft of these Regulations, and will include people who have a "blood relationship" descending from a common grandparent, as well as family relationships arising though marriage, common-law partnership and adoption.

The definition of "personal relationship" has been significantly revised and no longer includes a strict requirement for a face-to-face meeting or a two-way communication within the previous two years. Instead, the new proposed definition will apply only to persons who have had "direct voluntary two-way communications," with the number of "communications" required not specified.

If that criterion is met, the individuals will have a "personal relationship" if it is reasonable to conclude their relationship is personal, considering all relevant factors such as shared interests, experiences, opinions, the frequency of their communications and the length of time since they have communicated.

Notably, this definition in now broad enough to capture people who are "friends" through social media, which was a frequent criticism of the previous proposal, which would have excluded pen pals, social media friends, or other friends who had not met in person. However, businesses should note that this definition also relies wholly on factors outside of their direct knowledge and that the Regulations expressly provide that a person may indicate they no longer wish to receive commercial messages from a person even if they remain "friends" through a personal relationship within the definition in the Regulations.

The draft Regulations rely on these definitions to create a new exception to the requirement for consent to send commercial electronic messages following a referral. However, this exception is worded in a narrow manner that would appear to seriously limit its applicability to many "refer a friend"-type promotions if retained in its current form.

As drafted, this exception would apply only to the first message sent by an "individual" to a recipient who was referred to the individual that sends the message by a referrer that has a relationship — either a business or non-business relationship as defined in CASL, or a personal or family relationship as defined in the Regulations — with both the recipient of the message and its sender. Messages sent under this exception would be required to disclose the full name of the person who made the referral.

This exception appears to be severely limited in its application due to the use of the word "individual," which may be read as referring only to natural persons rather than the broader "person," which is defined in CASL to include both "individuals" and legal persons such as corporations and other organizations.

The regulatory impact analysis does not discuss this limitation nor explain the policy basis for excluding corporate entities from an exception that applies only to the first message sent to a recipient following a referral from a person who has an existing relationship with both the sender of the message and its recipient. It is not clear why the Regulations would not recognize that a consumer could as easily and legitimately refer a friend or family member to a trusted corporation as to an individual business person.

Consent sought on behalf of unknown parties

The draft Regulations also detail the permissible uses of a consent obtained on behalf of unknown third parties, such as a commercial email-list broker. The person who obtains such a consent may authorize another to use it on the condition that any commercial electronic messages sent identify the person who obtained the consent and include an unsubscribe mechanism that allows the recipient to withdraw their consent from: a) the person who sent the message, b) the person who obtained the consent, or c) any other person who is authorized to use it.

This provision would place additional compliance requirements on purchasers of commercial email lists, as it would require them to create an unsubscribe mechanism that not only applies to the sender's messages, but also allows the recipient to inform the third-party list provider who initially obtained the consent that it has been withdrawn. Industry Canada states that it has considered this issue but has decided to favour clear disclosure of how consent obtained in this manner is used, as well as a clear consent-withdrawal mechanism.

Comment period

Industry Canada has provided that interested individuals have a 30-day window during which to comment on the draft Regulations, running from Jan. 5 to Feb. 4, 2013.

Following this period of public consultation, final amendments may be made to the Regulations before they are finalized. No coming-into-force date has been published for CASL; however, it is expected to come into force sometime in 2013.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Events from this Firm
8 Nov 2016, Seminar, Ottawa, Canada

The prospect of an internal investigation raises many thorny issues. This presentation will canvass some of the potential triggering events, and discuss how to structure an investigation, retain forensic assistance and manage the inevitable ethical issues that will arise.

22 Nov 2016, Seminar, Ottawa, Canada

From the boardroom to the shop floor, effective organizations recognize the value of having a diverse workplace. This presentation will explore effective strategies to promote diversity, defeat bias and encourage a broader community outlook.

7 Dec 2016, Seminar, Ottawa, Canada

Staying local but going global presents its challenges. Gowling WLG lawyers offer an international roundtable on doing business in the U.K., France, Germany, China and Russia. This three-hour session will videoconference in lawyers from around the world to discuss business and intellectual property hurdles.

In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.