Data Privacy & Security

Canada's Anti-Spam Legislation (CASL): A reminder from the regulator regarding record keeping and consent

On July 1, 2014, most of Canada's Anti-Spam Legislation (CASL) came into force.  On July 27, 2016, CASL's primary regulator, the Canadian Radio-television and Telecommunications Commission ("CRTC") issued an Enforcement Advisory titled "Notice for businesses and individuals on how to keep records of consent", which addresses the CRTC's expectations regarding proof of consent and record keeping.

Under Section 13 of CASL, individuals and organizations must be able to demonstrate, by way of cogent evidence, that they have received valid implied or express consent to send commercial electronic messages ("CEMs") to a recipient. 

According to the CRTC, records substantiating consent must be retained and must be produced upon request. 

Enforcement action already taken by the CRTC highlights the importance of compliance with CASL's requirements.[1]  Individuals and organizations should also be aware that the private right of action under CASL comes into force on July 1, 2017.

The CRTC’s recent EnforcementAdvisory suggests retaining records, in either paper or electronic form, to evidence the following issues:

  • receipt of express or implied consent from recipients of CEMs;
  • methods through which consent was collected;
  • policies and procedures regarding CASL compliance; and,
  • all unsubscribe requests and resulting actions.

CASL provides a limitation period of three years from the date of the regulator's discovery of a violation for proceedings to be commenced.  Given that the discovery of a violation can occur at any time, individuals and organizations subject to CASL should retain the required records for aslong as practicable. 

Dynamic compliance programs can assist with CASL compliance. In this regard, the CRTC's June 19, 2014 Compliance and Enforcement Information Bulletin titled "Guidelines to help businesses develop corporate compliance programs" remains informative.

Given that appropriate record keeping and compliance programs can potentially be integral to a due diligence defence, it is highly recommended that individuals and organizations examine their current policies, procedures and practices to ensure that they are in line with the CRTC's expectations. For those subject to CASL who have not yet developed compliance and record keeping best practices. the CRTC’s recent guidance should serve as a call to action.


[1] See, for example, 3510395 Canada Inc. (dba Compu.Finder) (March 5, 2015), where a penalty of $1.1 million was imposed for having sent CEMs without the recipient’s consent as well as for sending some CEMs containing an unsubscribe mechanism that did not function properly.


Contributors - Jesse J. Bellam and J. Andrew Sprague