FAQs
CASL FAQs
Overview
Commercial Electronic Messages (CEM)
Consent Requirements for CEMs
Content Requirements for CEMs
Model Language for CEMs
Additional Options for Obtaining Express Consent
Exceptions and Partial Exceptions to CASL
Additional Prohibitions
Additional Information
a) What is CASL?
Canada’s Anti-spam Legislation1, known as CASL, is a federal law passed in December 2010.
b) What does CASL do or prohibit?
CASL prescribes consent and content requirements for the transmission of commercial electronic messages (CEM) to organizations and individuals.
The legislation generally prohibits the sending of CEMs without the recipient’s prior consent. Consent must be obtained as outlined in the legislation. In addition to the consent requirements, the content of a CEM must identify the sender of the message and provide a unsubscribe mechanism by which the recipient can opt-out from receiving future CEMs.
CASL also regulates:
- The installation of computer programs without consent
- The unauthorized altering of transmission data
- The provision of false or misleading information in a message
- The harvesting of addresses
- The unauthorized collection of personal information
This FAQ is focused on the transmission of CEMs. For information regarding CASL's other requirements, see 8. below or contact the Data Privacy and Compliance Office.
c) When did CASL enter into force?
The majority of CASL, including the provisions regarding CEMs, entered into force July 1, 2014.
d) Does CASL apply to UWinnipeg?
Yes. Educational institutions are not exempt from CASL. However, most of the messages that UWinnipeg sends are not commercial in nature and therefore CASL does not apply to those messages (see 2.b below).
e) Does CASL apply to messages sent to UWinnipeg employees?2
No. CASL does not apply to electronic messages sent by UWinnipeg to its employees at @uwinnipeg.ca email addresses.
f) Does CASL apply to messages sent to UWinnipeg students?
Yes. CASL applies to CEMs sent to students at @uwinnipeg.ca or personal email addresses.
However, as above, many of the messages that UWinnipeg sends to students are not commercial in nature and therefore CASL does not apply to those messages (see 2.b below).
g) Does CASL apply to messages sent to UWinnipeg alumni?
Yes. CASL applies to CEMs sent to UWinnipeg alumni.
Again, however, many of the messages that UWinnipeg sends to alumni are not commercial in nature and therefore CASL does not apply to those messages.
In addition, alumni have an “existing non-business relationship” (see 3.c below) with UWinnipeg as they are members of the Alumni Association. This relationship assumes we have implied consent (see 3.c below) to send them CEMs related to being a UWinnipeg alumnus in addition to other email communications. The University must still comply with the content requirements (see 5. below) when sending CEMs to alumni.
h) What are the penalties for non-compliance with CASL?
CASL imposes penalties of up to $10,000,000.00 per violation. After July 1, 2017, individuals will also have a private right of action against organizations who they allege have violated the law.
i) Does CASL apply to third-party messaging services?
Yes. CASL applies to CEMs sent by UWinnipeg and also CEMs UWinnipeg “causes or permits to be sent.” As such, email marketing software and other third-party direct mail services utilized by UWinnipeg must comply with CASL.
2. COMMERCIAL ELECTRONIC MESSAGES (CEM)
a) What is a CEM?
A commercial electronic message (CEM) is any electronic message sent to an electronic address that, as one of its purposes, encourages participation in a commercial activity. The commercial aspect can be secondary to the main purpose of the message.
b) What is a commercial activity?
A commercial activity is defined as any transaction, act, or conduct that is of a commercial character whether or not it is done with the expectation of profit.
The core activities of UWinnipeg are not commercial. While UWinnipeg may charge fees for services, it is not, for the most part, engaged in commerce. It provides a public service and is largely dependent on taxpayer funding. As such, UWinnipeg's core activities - those central to its mandate and responsibilities - are not commercial.
As set out in the University of Winnipeg Act, the purposes and objects of UWinnipeg are:
- To establish and maintain such colleges, faculties, schools, institutes, departments, chairs and courses of instruction as the Board of Regents considers appropriate
- To give instruction and training in all branches of learning
- To grant degrees, including honorary degrees, diplomas and certificates of proficiency
- To provide facilities for original research in every branch of learning, and to conduct or facilitate the conducting of such research
- Generally to promote and carry on the work of a university
Accordingly, messages that relate to the above purposes and objects - UWinnipeg's core activities - are generally not commercial in nature and, therefore, CASL does not apply to their transmission. For example, these may include but are not limited to messages that:
- Recruit students and promote UWinnipeg's program and course offerings
- Communicate information about UWinnipeg students and their achievements
- Promote research, teaching, lectures, exhibitions, and performances related to faculty or student work
However, activities undertaken by UWinnipeg that are outside of its core educational / research function are likely to be considered commercial. For example, these may include but are not limited to:
- Selling goods not related to core UWinnipeg activities (such as branded apparel, memorabilia, credit cards, discount cards, other merchandise, etc.)
- Selling tickets for professional arts productions, conferences, concerts, or other events that are not primarily educational / research in nature or that are co-sponsored by third parties
- Offering non-student hospitality, facility rental, housing, and parking services
- Certain fundraising activities
- The licensing and commercialization of research
- Promoting third-party organizations, via logos or links to third party websites, or through direct promotion of third party goods or services
Messages that relate to these activities are likely to be considered commercial and, therefore, CASL is likely to apply.
Additional examples of CASL's applicability to common UWinnipeg activities.
c) What makes an electronic message commercial?
An electronic message may be commercial if any of its content – including any hyperlinks or logos – has, in any way, a commercial character.
Consider if any of the content encourages the recipient to:
- Purchase goods from UWinnipeg or other suppliers
- Patronize specific retailers, service providers, or other organizations or sponsors
- Visit third-party websites that may advertise goods or services
- Attend sponsored events
- View newsletters, blogs, or social media pages that may contain advertisements or otherwise promote commercial activities
It's important to review the entire CEM and watch for "mixed-purpose" messages. This is where the primary purpose of the message is not commercial but some commercial content is also included, such as an advertisement or link for a commercial product or service in an otherwise non-commercial message. This is now a "mixed-purpose" message and CASL may apply.
Note that an electronic message requesting consent to send additional CEMs is itself considered a CEM.
d) What is an electronic address?
Electronic addresses include but are not limited to:
- Email accounts;
- SMS (text) message accounts; and
- Direct instant message accounts.
- Blackberry Messenger (BBM)
- Facebook Messenger
- LinkedIn messages and InMail
- Twitter direct messages
e) How does CASL affect the use of Facebook, Twitter and similar services?
Only direct messages (Facebook Messenger, Twitter direct messages, LinkedIn Messenger and InMail, etc.) are likely to fall within the scope of CASL. Furthermore, direct messages sent to Facebook friends, LinkedIn connections, Twitter subscribers and others who have consented to be friends, followers, contacts or otherwise to receive communications are likely to be exempt from CASL's consent requirements. For this reason public Facebook posts, broadcast tweets, etc. are low risk.
Of possible concern, however, is hybrid activity such as a public post or tweet that includes a tag to an individual's Facebook profile or Twitter handle. Although such messages are public, they also may send a message to an individual's social media address, which may trigger CASL's consent and content requirements. It is therefore prudent to limit the sending of hybrid messages until CASL's regulators provide guidance on this issue.
3. CONSENT REQUIREMENTS FOR CEMs
a) What kind of consent is required to send CEMs?
Before sending a CEM, UWinnipeg must have the consent of the recipient. There are two types of consent under CASL: express and implied. Express consent is the “gold standard” and should be obtained whenever possible.
b) How does UWinnipeg obtain express consent?
Express consent to send CEMs, also known as “opt-in” consent, can be obtained in writing – including by electronic means – or orally.
An electronic message requesting consent to send additional CEMs is itself considered a CEM. Do not send a CEM requesting express consent unless you already have the implied consent of the individual.
The individual must provide explicit, unbundled permission to receive CEMs. To obtain express consent, UWinnipeg must inform individuals of:
- The purpose, or purposes, for which consent is sought
- The business name of the person seeking consent
- The mailing address of the person or business, together with one of:
- A telephone number; or
- An email address or web address of the person seeking consent
- A statement stipulating the recipient can withdraw their consent.
The individual must then perform one of the following actions:
- Check a box on a web form (the box must not be pre-checked)
- Click a link on an email or e-newsletter
- Fill out a consent form
- Send an email to a dedicated opt-in email account
- Provide verbal consent during a telephone call using a standardized “script” to demonstrate, if challenged, the script for a call seeking express consent
Regardless of methodology UWinnipeg must be able to prove, if challenged, that it met the consent requirements.
PRIVACY REQUIREMENT
If this is the first time that the individual has been asked to provide their personal information (name, contact information, email address, etc.) (FIPPA) also requires that UWinnipeg provide the individual a notice of collection statement detailing:
- the purpose for which the information is collected
- the legal authority for the collection; and
- the title, business address and telephone number of an officer or employee of the public body who can answer the individual's questions about the collection.
*More information and a sample notice of collection statement*
c) How does UWinnipeg obtain implied consent?
Implied consent arises from existing business or non-business relationships and should be relied on only if express consent cannot be readily obtained. Implied consents normally expire after 6-24 months. Express consents are valid indefinitely unless revoked.
Existing business relationships arise from:
- The purchase, lease, or bartering of a product, goods, or service within the two-year period immediately before the day on which the CEM was sent
- The acceptance by the recipient of a business, investment or gaming opportunity
- A written contract, if the contract is currently in existence or expired within two years
- An inquiry or application, within the six-month period immediately before the day on which the CEM was sent, in respect of a product, goods, or service
Existing non-business relationships arise from:
- A donation or gift made by the recipient within the two-year period immediately before the day on which the message was sent, where the sender is a registered charity
- Volunteer work performed by the recipient, or attendance at a meeting organized by the sender, within the two-year period immediately before the day on which the message was sent, where the sender is a registered charity
- Membership by the recipient within the two-year period immediately before the day on which the message was sent, where the sender is a club, association or voluntary organization
Implied consent may also apply if:
- The recipient conspicuously publishes their electronic address without stating that they do not wish to received unsolicited CEMs and the CEM relates to the individuals role, functions, or duties in a business or official capacity
- The recipient discloses their electronic address without stating that they do not wish to receive unsolicited CEMs and the CEM relates to the individuals role, functions, or duties in a business or official capacity
Implied consents should be upgraded to express consents whenever possible.
d) What's the transitional period for implied consents?
CASL contains a transitional period beginning July 1, 2014 and expiring June 30, 2017. During this period, the limitation period for existing business and existing non-business relationships is removed. This means that, provided the business or non-business relationship was established before July 1, 2014, and the relationship included the sending of CEMs, the implied consent arising from the relationship may be relied on until June 30, 2017 to send further CEMs. Use the transitional period to convert these implied consents to express consents.
e) Can consent be revoked?
Yes. Even where an existing business or non-business relationship exists, individuals may revoke their consent to receive CEMs at any time.
f) Is it required to keep a record of consents?
Yes, absolutely. It's very important to create and/or maintain a record of all express or implied consents. You must also not dispose of the record while the consent remains valid. Poor recordkeeping can invalidate an entire contact list, so it's crucial to keep good records.
g) How can implied consents be upgraded to express consents?
To upgrade an implied consent to an express consent, simply follow the standard instructions provided in 3.b above.
4. CONTENT REQUIREMENTS FOR CEMs
a) What are the identification requirements?
The content of the CEM must identify the sender. Specifically it must:
- Provide the sender’s name
- If sent by a third party, provide both the name of the sender and the third-party provider
- Provide the sender’s contact information including a mailing address and any one of
- A telephone number
- An email address
- A website address
b) What are the unsubscribe requirements?
The CEM must enable the recipient to readily unsubscribe by electronic means, at no cost to them, from receiving future CEMs.
In emails, this can be achieved by specifying an electronic address or a website to which the unsubscribe request can be sent. Unsubscribe requests must be processed within 10 business days, and the address or website where the unsubscribe request can be sent must be valid for at least 60 days after the CEM is sent.
If sending a CEM by text message, the CEM must offer both unsubscribe options:
- Replying to the message with the word STOP
- Clicking on a link to a website where the individual can unsubscribe
If asking an individual to provide express consent on a form, over the telephone, or by other non-electronic means, the message must meet the identification requirements, state the purpose for which consent is being sought, and provide notice that consent may be withdrawn at any time. For example:
“The (insert business unit) would like (to continue) to contact you with timely news, information and promotions regarding our programs, activities and special events. To ensure we are able (to continue) to keep you informed with relevant content, please provide your consent to receive communications from (insert business unit) by (clicking here/replying to this email/checking this box). You may unsubscribe at any time.”
If sending a CEM, the implied or express consent of the recipient is required. The message must also include the identification and unsubscribe requirements. For example:
“We hope you are enjoying the latest newsletter from (insert business unit). If you wish to unsubscribe from future newsletters, please reply with ‘unsubscribe’ to (insert email address). You may also (click here/check this box). For further information please contact us at (insert mailing address and phone number/email address/web address).”
6. ADDITIONAL OPTIONS FOR OBTAINING EXPRESS CONSENT
The simplest way to obtain express consent is at the time an individual signs up for a service, program or activity. In addition to notice of the party to which consent is being given, the individual must be provided with the purpose for which consent is being sought and informed that they may withdraw consent at any time.
After July 1, 2014, when CASL prohibits the sending of CEMs requesting express consent, consent may be obtained by having an individual fill out a printed form. Express consent may also be obtained verbally, though it is recommended that a standardized “script” be used and a record of the consent created in case UWinnipeg is challenged.
Regardless of how consent is sought, the message must meet the identification requirements, state the purpose for which consent is being sought, and provide notice that consent may be withdrawn at any time.
7. EXCEPTIONS AND PARTIAL EXCEPTIONS TO CASL
a) CEMs exempted from CASL
Certain CEMs are not subject to CASL, even though they may have a commercial character. If a CEM is exempt from CASL, there are no consent or content requirements.
At UWinnipeg, exempt CEMs include:
- CEMs sent between UWinnipeg employees[2] which concern UWinnipeg activities
- CEMs sent from UWinnipeg employees to other businesses or third-party business partners that have an ongoing business relationship with UWinnipeg. CEMs must be relevant to the business, role, function or duties of the recipient
- CEMs sent to a recipient who is engaged in a commercial activity, and relate solely to the recipient’s commercial activities
- CEMs sent to individuals in response to a request, inquiry or complaint
- CEMs sent by a registered charity (such as the Foundation) and the primary purpose of the CEM is to raise funds for the charity
- CEMs sent outside of Canada and the message conforms to the anti-spam laws of the foreign state
- CEMs sent to satisfy various legal obligations
- CEMs sent to an individual with whom the sender has a personal or family relationship.
- A personal relationship means the individuals involved have had direct, voluntary, two-way communications and it would be reasonable to conclude that they have a personal relationship taking into consideration relevant factors such as the sharing of interests, experiences, opinions and information, the frequency of communication, the length of time since the parties communicated or whether the parties have met in person
- A family relationship means the individuals involved are married, in a common-law partnership, or in any legal parent-child relationship and have had direct, voluntary, two-way communication
b) CEMs exempted from consent requirements
Certain CEMs are exempt from the consent requirements of CASL. However, the content requirements (see above) regarding notice of sender and unsubscribe mechanism remain in effect.
CEMs exempt from the consent requirements of CASL include:
- CEMs that provide a quote or estimate for the supply of a product or service if the quote or estimate was requested
- CEMs that facilitate, complete or confirm a previously agreed-upon commercial transaction, including providing products or product upgrades
- CEMs that provide warranty information, product recall information or safety or security information about a product, goods or a service that the recipient uses, has used or has purchased
- CEMs that deliver information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, is currently participating or is currently enrolled
- CEMs that provide factual information about:
- The ongoing use or purchase by the recipient of a product, goods or a service offered under a subscription, membership, account, loan or similar relationship or
- The ongoing subscription, membership, account, loan or similar relationship of the recipient
The first CEM sent to an individual following a referral by an individual who has an existing business, non-business, family or personal relationship with the sender and the CEM discloses the full name of the individual who made the referral and that the CEM is being sent as a result of the referral.
a) Installation of computer programs
Beginning January 15, 2015, CASL prohibits UWinnipeg from installing computer software/programs on individuals' computers, tablets, and mobile devices without their express consent. Express consent will also be required to update existing software/programs or install executable code.
For certain types of software/programs, however, consent may be implied. These include:
- cookies
- HTML code
- Javascript
- operating systems
- software/programs where consent has already been provided
- software/programs that are necessary to correct failures in the operation of a computer system or program
b) Alteration of transmission data
In the course of a commercial activity, CASL prohibits the alteration of transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender unless the alternation is made with the express consent of the sender or in accordance with a court order.
c) False or misleading information
CASL amends the Competition Act to prohibit any person from sending false or misleading information in the sender information or the subject matter of a CEM.
d) Harvesting of personal information
CASL amends the Personal Information Protection and Electronic Documents Act (PIPEDA) to prohibit the collection of electronic addresses by the use of computer programs, or the use of such addresses without permission, known as "address harvesting."
e) Collection of personal information
CASL prohibits the use of computer programs to collect personal information without authority.
For additional information about CASL, please contact the Data Privacy and Compliance Office.