Anti-Spam Law Regulations

I just listened to an IT.Can teleconference with Barry Sookman commenting on the final anti-spam regulations. This post summarizes a few key issues that arose.

As you probably know, the CASL regulations are now final. The anti-spam portions of the act come into force on July 1 2014. This is a shorter grace period than many had expected.

Many business were waiting for these regs before figuring out how it affected them. Unfortunately the regs did not remove most of the compliance burden. Businesses need to start working towards compliance very soon.

The provisions that deal with permissions required for software do not apply to January 2015.

Private rights of action, including class actions, are not available until Jan 1 2017. That is welcome, as the thought of class actions with severe potential penalties is a scary one in light of all the uncertainty over CASL’s interpretation.

A RIAS (Regulatory Impact Analysis Statement) was published to try to help with understanding CASL. Other FAQ type stuff has been and will be published. These will be helpful, but don’t have the force of law, and in some cases seem to be more restrictive than what CASL and the regs actually say. Abiding by the RIAS won’t save you if a court or regulator decides to interpret the act differently, but may be helpful to show diligence.

The RIAS tries to help with the definition of CEM, for example. There had been comments by the CRTC that said even a link in an email was enough to make it a CEM. The RIAS tries to soften that, but doesn’t help much as while a mere link doesn’t make it a CEM, anything in it encouraging commercial activity will.

Grandfathering of existing consents under PIPEDA are only partially accepted, depending on the nature of the consent.

The exception in the regs re family and personal relationships will be important particularly for small enterprises. The final regs actually narrowed the definition of family relationships, even though government said they were going to expand it. Those provisions must be read carefully as the definitions are narrower than most people would think would be caught by the family and personal concepts.

Given the broad definition of CEM and the ban all approach, exceptions are crucial.

The regs include some helpful exceptions, such as those that apply to:

  • B to B communications for existing business relationships.
  • Exclusion of certain messaging systems
  • Messages over certain ecommerce portals
  • Some situations where recipients are in foreign states

The software permission parts don’t come into effect for a year, but the concern is that the CASL effect on software is wide ranging and applies not only to typical computer software, but also to any software that is on any device – ranging from thermostats to appliances to cars. There will be huge problems complying with those for many reasons. And they are far beyond anything required in any other country.


  1. David Collier-Brown

    Could you expand on the thermostats comments a bit? I’m a nerd, and am clearly missing something!

  2. CASL has provisions that require disclosure and explicit permission for software to be installed that does certain things. It is intended to stop malicious software and software that unknowingly sends info back to a mothership. It applies to software of any kind, on any device – hence the thermostat comment. Practically everything that runs on electricity has software of some kind in it. These provisions will be a nuisance in practice for software vendors to comply with.

  3. Presumably a device that contains software once and for all at the time of manufacture, that is not subject to upgrades (especially online upgrades), is not going to create a lot of CASL issues. I would think that’s the average thermostat.

    Once the devices are connected to others in a communications or control network (so my electrnoic blanket tells the thermostat ‘I’m on the job now, you can let the rest of the house cool down’), then I suppose they are bound to need upgrades at some point, which is where CASL could come in. Yet another legal issue with the Internet of Things.