Canada’s Anti-Spam Law (CASL): Stay Compliant & Avoid Costly Fines

Canada’s Anti-Spam Legislation (CASL)

On  July 1, 2014, a sweeping piece of legislation called Canada’s Anti-Spam Legislation (CASL) went into effect. After a three-year grace period, it’s now time to comply.

Canadian businesses—or any business that sends electronic messages to Canadian residents—need to understand this law and how it works.

Officer blowing a whistleFines for running afoul of the CASL can range from $1 million to 10 million per instance.

Note: If you’re simply using Apptoto to remind your clients of their appointments, you are perfectly compliant and safe!

We still encourage you to read these guidelines, especially if you do any type of marketing, sales, or other commercial messaging. We’ll go over how to do it safely in this article.

The scope and impact of CASL are far-reaching, restricting businesses from sending commercial messages without specific forms of consent.

And although there’s been a recent suspension on the provision that would have allowed private citizens a right to action against offending businesses, the impacts of the law are no less serious.

We dug into the available information online and called the Canadian governing bodies in order to learn as much as possible about the law and how it will affect business owners.

In the interest of full transparency, we are not lawyers. Nor did we hire a legal professional to write this guide. We simply want to share our research on this subject so you stay informed.

If you have specific questions or concerns about your business and its compliance with CASL, it’s best for you to contact the agencies responsible for the law and its enforcement.

CASL: The Basics

The meat of the legislation is aimed at ending business practices that involve sending unsolicited electronic messages to individuals. The law covers all commercial electronic messages (CEMs), defined as messages promoting commercial activity with a specific product, service, or person.

In other words, any message perceived as promotional or sales-focused message would likely be covered under this law.

CASL regulations apply to any commercial electronic message sent from or to Canadian computers/devices in Canada.

The law establishes four  main requirements regarding CEMs:

  1. Consent – Businesses sending CEMs must obtain express or implied consent in all cases.
  2. Identification – The person or business sending a CEM must be clearly identified. CEMs must include a valid mailing address and a phone number, email address, or web address.
  3. Unsubscribe mechanism – All CEMs must include a mechanism that allows the receiver to opt out of receiving future messages. This mechanism must work for at least 60 days following the receipt of the message.
  4. Truth in advertising – All messages must be demonstrably true and not have misleading information or promotional messages.

Although each of these may seem fairly straightforward, there is actually a bit to unpack for each facet of the law.

What Is a CEM?

To ensure adherence to the rules about sending CEMs, you need to understand how the law defines a CEM.

As the name implies, commercial messages are messages that have commercial intent. That is, they encourage the recipient to take some kind of commercial action with respect to a specific product, service, person, or company.

An example of CEM might be a text message promotion:

Limited-time offer! Book your appointment today and receive 20% off!

In this case, the commercial intent is clear.

There is some gray area for less obvious messages. But in general, it’s best to assume that messages that encourage the recipient to take a commercial action (e.g., make a purchase) would likely be a CEM.

In addition, there is a broad exemption for communications that occur within the scope of a personal relationship. There are many criteria that determine whether a relationship is “personal” in nature. However, this exemption can generally be applied to any sort of casual business communications and non-automated, personal messages sent by individuals.

Express Consent vs. Implied Consent

two intertwined hands with thumbs up symbolizing informed concept, a key component of CASL, to send messages from businesses to customers

Another foundational piece of this law is the definition of consent.

Businesses are allowed to send CEMs to individuals for whom they have received consent. So, it’s important to understand how that is defined.

Per legislative guidelines, your business can receive consent or permission to send messages in two ways.

  1. Express consent – Someone specifically and knowingly agrees to sign up to receive CEMs from you or your company in written or oral form.
  2. Implied consent – Consent is given on the basis of an existing or previous business relationship under certain conditions, as set out in section 10(9) of CASL. Tread lightly with implied consent.

Express consent does not expire. If individuals have a way to withdraw consent (e.g., unsubscribe or opt-out), express consent remains valid indefinitely.

On the other hand, implied consent only lasts for a maximum of two years following a business relationship. This means that businesses are responsible for keeping track of when and how they received implied consent and when it expires.

Keep in mind that in both cases, the businesses are responsible for keeping valid records of how and when consent was established. In the case of an investigation or lawsuit, the business is expected to be able to provide these records.

If you received express consent before CASL was enacted, then that consent is still valid. As long as you adhere to the additional guidelines of the law, you may continue to send CEMs to your existing audience or list.

What CASL Means for Business Owners

There are many ramifications of CASL that will affect business owners, both large and small.

The most obvious thing is that any commercial message sent by your business will be subject to the regulations included in CASL. This means that for most businesses, steps should be taken to ensure clear records of customer interactions and consent.

CASL went into effect on June 30, 2014. Originally, an additional provision would have allowed individual citizens to bring lawsuits against companies that violated the law. As of this article’s publish date, this provision has been suspended.

Even so, there are still repercussions for violating CASL.

Several Canadian government agencies are still charged with investigating complaints regarding CASL violations. And they can bring—and have brought—lawsuits against the companies that violate the legislation.

Furthermore, a revised version of this provision could be enacted in the future to allow private citizens to bring lawsuits directly, following a review by the Canadian parliament.

Appointment Reminders and CASL

Under the current version of CASL, an appointment reminder in and of itself would not qualify as a CEM.

Appointment reminder bell Because of the nature of the existing business relationship, you can continue to send appointment reminders as long as they contain only information related to the appointment and do not include any additional promotional messages. Note that setting an appointment does not qualify as implied consent to send additional CEMs.

If you’d like to send CEMs, there is no problem, granted you follow the rules.

You can ask customers outright if they’d like to receive CEMs, to which they can express consent when they make an appointment. This can be in either written or verbal form. Making it a standard part of your intake process is often a very efficient way to do this.

Given the nature of the law, it’s advisable to have this consent recorded and on file.

If you’d like to use Apptoto to ask for consent, here’s how to do it manually:

  • Create a message that is sent after the initial appointment, asking if they would like to opt into CEMs. Example: “Would you be interested in receiving promotional messages from [insert business name]? “If yes, reply “2.” This would qualify as written consent.
  • Using this method, you have to clearly identify who you are and give them a clear way to unsubscribe. To do the latter, use the “stop” message function, which can be manually chosen when you set up the message.

Or, with a single click, you can now schedule consent messages to be sent to clients automatically before any booking or reminder notifications. Need explicit consent (i.e., the customer must respond “Yes” to receive messages)? Apptoto can do that, too! Learn more about our message consent options in our knowledge base.


If your company has ascribed to best practices regarding privacy and marketing communications, there should be no significant hurdles with CASL.

Rest assured, if you’re simply using Apptoto to remind your clients of their appointments, you are perfectly compliant and safe.

If you have any questions about CASL and using Apptoto, reach out to us!