In 2014, the anti-spam provisions of Canada's Anti-Spam Legislation (CASL) came into force, creating a wide array of compliance requirements for businesses. CASL prohibits a person from sending or causing or permitting to be sent to an electronic address a commercial electronic message unless (a) the message is exempt or (b) the message meets the formality requirements and the person receiving the message has consented to receiving it. While the CRTC has only publicly acknowledged one enforcement action under CASL as of February 26, 2015, this series of posts, "Defending Enforcement under CASL," considers the foundations of a compliance defence to liability under CASL.

A person may be liable for failure to meet the formality requirements of CASL. Generally speaking, CASL provides that a CEM must contain:

  • the name of the sender, the name under which the sender carries on business, and the name of the person on whose behalf the message is sent (if applicable);
  • the mailing address and either (i) a telephone number, (ii) an email address or (iii) a web address; and
  • an effective unsubscribe mechanism.
  • Unless an exemption is available for certain types of commercial electronic messages (see our blog post Defending Enforcement Under CASL: Establishing an Exemption is Applicable), compliance with CASL requires both adherence to message formality requirements and the express or implied acquisition of consent (see our blog post Defending Enforcement Under CASL: Establishing Consent). The burden of proof under CASL falls to the infringing party to demonstrate compliance with the act. If required to prove compliance, an enterprise or individual must retain records of sent messages and show that the unsubscribe mechanism is effective and functional for legislated periods (which may require server logs and a record of unsubscribe requests), and that the mechanism was able to be "readily performed." The mechanism should also establish that, where an individual revoked consent to receive any communications from the sender, this consent was also revoked from any other person who was authorized to use such consent. Under CASL, the sender must have given effect to the unsubscribe request within ten (10) business days of the request being made – bringing forth records of this timeline may also be required if an enforcement action occurs.

Given limitation periods under CASL, server logs and unsubscribe mechanism records should be maintained for at least three years.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.