Home > Learning Hub > Data Intelligence > CASL: Protecting the ‘Right to Privacy’ Around the Globe

CASL: Protecting the ‘Right to Privacy’ Around the Globe


“Privacy is not an option and it shouldn’t be the price we accept for just getting on the internet. Our voices matter and our actions matter even more,” stated by Gary Kovacs in his speech ‘Tracking our online trackers’ at the TED 2012 event highlights the importance of privacy as our fundamental right.

Not many were much aware of this fundamental right until Edward Snowden, a former National Security Agency subcontractor made headlines in 2013 when he leaked top-secret information about NSA surveillance activities.

Privacy is not only the right but it is also the freedom for any individual. In other words, “Privacy is the freedom to be ourselves,” says author Maritza Pick.

The 2018 Facebook–Cambridge Analytica data scandal revealed that Cambridge Analytica had harvested the personal data of millions of people's Facebook profiles without their consent and used it for political purposes.

On account of this, stringent privacy laws like CAN-SPAM, GDPR, PECR, has come into effect. While Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and ePrivacy Regulation (ePR) are almost outdated, these laws have been replaced by GDPR and CASL. These information privacy laws or data protection laws prohibit the disclosure or misuse of information about private individuals. Information collected from an individual cannot be disclosed to other organizations or individuals unless specifically authorized by law or by consent of the individual. And if these laws are violated, organizations are subjected to hefty fines.

In the first major example, the French data protection authority had fined Google about $57 million, for not properly disclosing to users how data is collected across its services — including its search engine, Google Maps, and YouTube — to present personalized advertisements. The penalty is the largest to date under the European Union privacy law General Data Protection Regulation.

The EU General Data Protection Regulation (GDPR) is the most significant change in data privacy regulation since 1995. This new regulation was designed to harmonize data privacy laws across Europe and to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. This directly impacts businesses involved with EU personal data, regardless of where the business is conducted. Those not compliant with the new regulation can be subjected to up to 20 million EUR in fines.

Although many such ‘data protection and privacy laws’ have been implemented by different countries around the world, Canada's Anti-Spam Law (CASL) remains to be one of the toughest laws of its kind making its application and interpretation particularly problematic and with so many rules, it’s hard to be sure, if you’re compliant. Canada's anti-spam legislation (CASL) protects consumers and businesses from the misuse of digital technology, including spam and other electronic threats. It also aims to help businesses stay competitive in a global, digital marketplace.

Let’s dive-in to learn more about this law.

Canada’s Anti-Spam Legislation (CASL) is created to reinforce best practices in email marketing and combat spam and related issues. These issues include identity theft, phishing and the spread of malicious software, such as viruses, worms, and trojans (malware).

Frequently Asked Questions (FAQs) about Canada’s Anti-Spam Legislation:

1. What is CASL?

CASL is Canada’s Anti-Spam Legislation also known as ‘Fighting Internet and Wireless Spam Act’, which took effect on July 1, 2014. Spam is an unsolicited or undesired electronic message like email spam, instant messaging spam, web search-engine spam, online ads spam, etc. The purpose of CASL is to prevent spam, hacking and malware (malicious software).

2. Who does the CASL affect?

This law will have a sizeable impact on marketers all-round the globe who wish to target the individuals of Canada through Commercial Electronic Messages (CEMs) and other electronic mediums.

3. What is CASL consent?

All senders must obtain either express or implied consent before sending Commercial Electronic Messages (CEMs) such as emails promoting a product or service to individuals. Each organization must comply with CASL's requirements to: obtain consent, provide identification information and include an unsubscribe mechanism in each message.

4. When is the CASL pertinent?

Commercial electronic messages (CEM) sent to recipients in Canada from the country and other countries must comply with CASL, however, CEMs sent from CANADA to the recipients outside the country are not required to comply with CASL but may require to follow the data protection laws of the respective country.

5. What is the opt-out duration?

Any unsubscribe requests must be honored immediately or within 10 days. The unsubscribe must be valid for a minimum of 60 days after the message has been sent.

6. What are the Penalties for non-compliance?

Hefty penalties up to $10 million per violation. Directors, officers, agents and mandataries of a corporation may face individual liability under CASL and be subject to an Administrative Monetary Penalty (AMP) up to $1 million per violation.

7. Who Enforces CASL?

CASL is enforced by three organizations: The Competition Bureau, the Canadian Radio-television and Telecommunications Commission (CRTC) and the Office of the Privacy. In their role as an enforcement agency, the CRTC has broad investigatory powers and the ability to impose administrative monetary penalties (AMPs).

8. What are the age restrictions?

No age restriction requirements are part of CASL.

9. How does CASL affect marketing strategies?

Data plays a critical part in both digital and direct marketing strategies and therefore marketers must ensure they have demonstrated clear compliance and consent. CMOs and marketers are required to obtain consent, provide identification information and maintain records like

  • commercial electronic message policies and procedures
  • all contemporaneous unsubscribe requests and resulting actions
  • all evidence of express consent (e.g. audio recordings or completed forms) from consumers who agree to receive CEMs
  • commercial electronic message recipient consent logs
  • commercial electronic message scripts
  • CEM campaign records

10. What are the guidelines for businesses on the Act and Regulations?

  • Canadian Radio-television and Telecommunications Commission (CRTC) has provided with certain guidelines as Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC), Compliance and Enforcement Information Bulletin CRTC 2012-548;
  • Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation, Compliance and Enforcement Information Bulletin CRTC 2012-549;
  • Guidelines to help businesses develop corporate compliance programs, Compliance, and Enforcement Bulletin CRTC 2014-326; and,
  • Guidelines on the Commission’s approach to section 9 of Canada’s anti-spam legislation, Compliance and Enforcement Information Bulletin CRTC 2018-415.


CASL is well compliant with the necessary guidelines on the Act and Regulations. The American Bar Association (ABA) has called CASL "the toughest anti-spam law in the world." On the contrary, CASL legislation doesn’t prohibit marketers from sending marketing messages rather it just sets out some requirements for sending commercial electronic messages (CEMs), to an electronic address. It ensures that these data append services are intact. Hence, it is requisite for all the marketers around the globe to abide by the guidelines in order to protect these laws and the individuals also have a moral responsibility to defend these laws.