Canada: Key Differences Between US And Canadian Anti-Spam Laws

Canada's Anti-Spam Law (or "CASL") will come into effect in July 2014, about ten years after the U.S. enacted its anti-spam law. As a matter of fact, the U.S. enacted anti-spam legislation, entitled Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (the "CAN-SPAM" Act) on December 16, 2003.1

While the U.S. has enacted an anti-spam law promoting an opt-out model, Canada has adopted an opt-in model. The main difference between these systems is the fact that under an opt-out model, businesses can send promotional email messages unless the recipient informs the sender that it no longer wishes to receive such emails, or "opts out" of receiving them. Business groups, for the most part, tend to prefer the opt-out approach because it is easier to imply consent and thus create mailing lists. Under an opt-in model, the recipient of the promotional email must affirmatively give the organization permission to send information about new products or sales. Generally, a consumer must click on web site boxes or send an email request to the organization in order to authorize consumer email.

How will CASL impact U.S. businesses that want to send promotional emails throughout North America?

The U.S. CAN-SPAM Act does not expressly address messages sent from out of jurisdiction. However, in Canada, under section 12 (1) of CASL, a person contravenes section 6 (pertaining to the sending of promotional messages) if a computer system located in Canada is used to send or access the electronic message. Therefore, electronic messages sent to persons in Canada have to comply with CASL. The exceptions to this are if the message is accessed here but the sender had reasonable cause to think that it would be opened in another country that has legislation that is substantially similar to CASL,2 or if the electronic message is routed through Canada on its way to a recipient in another country.3

As this provision imposes the stringent CASL opt-in requirements on U.S. businesses when sending promotional emails to Canadians, we have summarized the key differences between CASL and CAN-SPAM as follows:

1. CEMs versus CEMMs: CAN-SPAM applies to commercial electronic mail messages (or "CEMMs") which are defined as any commercial email with a "primary purpose" of commercial advertisement or promotion of a product or service, which is not an email relating to a business transaction or relationship.4 Unlike CASL which applies to "commercial electronic messages" (or "CEMs"), which are defined as "any means of telecommunication, including a text, sound, voice or image message," CAN-SPAM applies to "commercial electronic mail messages," i.e., email only. CASL also applies to computer programs in that it prevents a sender from installing or "caus[ing] to be installed" a computer program that causes CEMs to be sent from that computer system, without either consent or a court order.5 CAN-SPAM on the other hand, does not expressly apply to the installation of computer programs.

2. Opt-In versus Opt-Out Consent: The main difference between these two pieces of legislation lies in the model of consent each adopts. CAN-SPAM is based on an opt-out consent model, whereby consent to receive email is considered implicit unless the recipient "opts out," thereby indicating an unwillingness to receive such emails.6 CASL allows CEMs only if: i) the sender has the express consent of the recipient, or ii) consent is not required (because it is implied or because the message falls under the listed exemptions). Therefore, U.S. businesses, unless they have express consent, an "existing" business relationship with Canadians or their messages are exempt (for instance if the CEM is sent by an employee to another employee of the organization and that concerns the affairs of the organization),7 will have to use caution before contacting Canadian email or electronic addresses for promotional purposes.

3. Existing Business Relationship: One of the exceptions to compliance with the consent requirements of CASL8 is if there is an existing business relationship between the parties, which is defined as a business relationship between the recipient and the sender of the message — arising from any of the following activities taking place within the two-year period immediately before the day on which the message was sent:

  (a) the purchase or lease of a product, goods, a service, land or an interest or right in land, by the person to whom the message is sent from the sender;9
  (b) the acceptance by the person to whom the message is sent, of a business, investment or gaming opportunity offered by sender;10
  (c) the bartering of anything mentioned in paragraph (a) between the person to whom the message is sent and sender;11
  (d) a written contract entered into between the person to whom the message is sent and sender in respect of a matter not referred to in any of paragraphs (a) to (c), if the contract is currently in existence or expired within the two-year period; or12
  (e) an inquiry or application, within the six-month period immediately before the day on which the message was sent, made by the person to whom the message is sent to sender, in respect of anything mentioned in any of paragraphs (a) to (c) above.13

Therefore, if any of these relationships can be made out, then there is deemed to be implied consent and the sender does not have to comply with the opt-in consent requirements. However, the obligation to include all the mandatory content still remains.

4. Unsubscribe Mechanism: The CAN-SPAM Act requires that every CEMM contain an unsubscribe mechanism for the recipient to use to opt-out of receiving further emails. The unsubscribe mechanism can be in the form of a "functioning return electronic mail address or other Internet based mechanism" contained within the CEMM or a "list or menu" from which the recipient may choose not to receive further messages from the sender, and must remain active for the recipient to use for at least 30 days after the original CEMM was sent.14 Under CASL, the unsubscribe mechanism "must be able to be readily performed" such that it "should be accessed without difficulty or delay, and should be simple, quick, and easy for the consumer to use,"15 and the unsubscribe mechanism must remain active for at least 60 days.16 Under the CAN-SPAM Act, the sender of the communication or "any person acting on behalf of the sender" must act on the request to unsubscribe within 10 business days of receiving it,17 which requirement is identical under CASL, s. 11(3).

5. Content Requirements: Apart from the unsubscribe mechanism described above, which both CASL and the U.S. CAN-SPAM Act require, they also both require that the sender provide certain contact information. CAN-SPAM requires that a CEMM include "clear and conspicuous" identification that the message is an advertisement or solicitation18 while CASL prohibits unsolicited CEMs, unless the recipient has consented to receiving it (by express or implied consent).19 CAN-SPAM requires that a CEMM include a valid physical postal address of the sender20 while CASL requires that the CEM "clearly and prominently" disclose the mailing address, and either a telephone number with active response voicemail or an email address or a web address.21

6. Liability: CASL includes potential vicarious liability for directors and officers of corporations and employers of employees acting within the scope of their employment, and CAN-SPAM is silent on the issue of a director's, officer's or employer's liability. CASL also provides a private right of action to individuals affected by a violation, while CAN-SPAM provides no such right to ordinary individuals. Apart from a state attorney general, only ISPs who have been "adversely affected by a violation" can bring an action under CAN-SPAM.

7. Penalties: If there is a breach of CAN-SPAM, there are administrative, civil and criminal penalties available, depending on which provisions are violated.

  • Administrative actions are initiated by the Federal Trade Commission. This includes the ability to issue administrative orders, including injunctions, or to prosecute certain cases before the courts.22
  • Civil actions may be brought in the courts either by a state attorney general, or by an Internet Service Provider (or "ISP") under certain conditions.23 Criminal prosecutions are dealt with by the federal Department of Justice. Statutory damages of up to either $1,000,000 or $2,000,000 may be awarded, depending on whether the action is brought by an ISP or a state attorney,24 plus aggravated damages where warranted.25
  • Criminal violations of CAN-SPAM, including various fraudulent acts such as falsifying email header information and gaining unauthorized access to computers to use them for spamming, are punishable by fines under the criminal provisions of Title 18 of the United States Code and/or a prison term of up to five years, three years or one year, depending on the nature of the offence.26 It is also possible to seek forfeiture of a spammer's assets in criminal cases.27

Higher monetary penalties appear to be in place for violations of CASL, which provides for a maximum penalty of $1,000,000 per violation in the case of an individual, and $10,000,000 per violation "in the case of any other person."28

These differences between the U.S. and Canadian legislation in the area of anti-spam highlight the fact that U.S. businesses should be careful when sending out mass emails or other forms of electronic communication for a commercial purpose. The laws in Canada are more stringent, and the penalties for a breach are potentially severe.


1 Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, 15 USC 7701 ["CAN-SPAM"].

2 Electronic Commerce Protection Regulations 81000-2-175 (SOR/DORS) ("Electronic Commerce Protection Regulations"), section 3(f).

3 See Industry Canada Regulatory Impact Analysis Statement published January 5, 2013.

4 CAN-SPAM, section 3(2)(A).

5 CASL, section 8(1).

6 CAN-SPAM, section 5(a)(5)(A)(ii).

7 Electronic Commerce Protection Regulations, SOR/2013-221, section 3(a).

8 Compliance with the content requirements of CASL is still required.

9 CASL, section 10(10)(a).

10 CASL, section 10(10)(b).

11 CASL, section 10(10)(c).

12 CASL, section 10(10)(d).

13 CASL, section 10(10)(e).

14 CAN-SPAM, section 5(a)(3)(A)(ii).

15 Electronic Commerce Protection Regulations (CRTC), SOR/2012-36, section 23.

16 CASL, section 11(2).

17 CAN-SPAM, section 5(a)(4)(A)(i).

18 CAN-SPAM, section 5(a)(5)(A)(i).

19 CASL, section 6(1)(a).

20 CAN-SPAM, section 5(a)(5)(A)(iii).

21 Electronic Commerce Protection Regulations (CRTC), SOR/2012-36, section 3(2).

22 CAN-SPAM, section 7(f)(2).

23 CAN-SPAM, sections 7(f) and (g).

24 CAN-SPAM, sections 7(f) and (g).

25 CAN-SPAM, section 7(3)(c).

26 CAN-SPAM, section 4(b).

27 CAN-SPAM, section 4(c).

28 CASL, section 20(4).

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2014

Sharon E. Groom