Canada Announces Go-Live Date for CASL Anti-Spam Law

In early December 2013 the Canadian government announced that the 2010 Canadian Anti-Spam Law (CASL) will go into effect on July 1, 2014. Although this law covers considerably more ground than just unsolicited bulk email (spam), it is very good news for those who fight spam, and especially good news for those of us who fight spam by otherwise legitimate companies. The reason? CASL requires (with some limited exceptions) that recipients of bulk email give explicit consent to receive the email before it is sent. In other words, CASL requires opt-in. Unlike the U.S. CAN-SPAM law and many other laws in many other countries, CASL actually forbids most spam.

CASL also has teeth. Violations of the CASL opt-in requirement can draw fines as high as $10 million Canadian per infringing email. By all appearances, the Canadian government agencies responsible for enforcement of CASL are prepared to enforce the law vigorously.

CASL applies to “criminal spammers” — the sorts of spammers that use botnets and compromised servers to advertise quack medications, controlled substances, fake luxury goods, or solicit help to move large sums of money out of Africa in return for an up-front fee. I do not expect CASL to be of much assistance reining in criminal spam, however, because I do not expect criminal spam gangs to obey CASL or pay CASL fines. Such spam gangs are often located in countries that offer them safe havens from law enforcement, and the identities of the people that run them are unknown. Other methods than CASL or anti-spam laws (such as blocklists, spam filters, and Interpol) are needed to fight that type of spam.

CASL also applies to what I call mainsleaze spammers — legitimate companies and organizations that use their own IPs or legitimate email service providers (ESPs) to offer legitimate goods and services. Legitimate companies sometimes break the law, but they do not often ignore it entirely. If prosecuted or sued, they and their attorneys normally appear in court to defend themselves. Legitimate companies also send a great deal of solicited bulk email mixed in with the spam, so IP or domain blocks and spam filters cause significant and sometimes-unavoidable false positives. Properly-written and properly-enforced anti-spam laws can target only the spam and be used to punish those who send spam without blocking email that people asked to receive.

A number of people with legal backgrounds have posted blogs detailing the provisions of CASL. I know spam better than I know the law, so I took a look at how this law might apply to a number of actual spams that I have received if either the sender or I were Canadian. Below I discuss three cases where one or more spams was sent either to my spamtraps or to a personal email address of mine. Each of the spams that I discuss was sent by a legitimate U.S.-based or multinational corporation via either their own IPs or a legitimate email service provider (ESP).

  • Telecommunications Giant: Selling Internet & TV Service. In October 2011, a U.S. telecommunications company spammed an email address at a domain of mine that has never had a legitimate email address, advertising its all-in-one TV and Internet package. This email violated CASL. If the company sends a similar email to a Canadian citizen after July 1, 2014 and the citizen reports it, they face a stiff fine.

  • Social Networking Site: Sent Invitations to Non-Members. In early 2012 a large social networking site sent repeated invitations, and reminders, to an email address of mine that did not belong to that social network. After some pressure, the site added an opt-out mechanism, but to this day most social networking sites continue to send invitations to non-members. These emails violate CASL. If the company that spammed me continues to send invitations to Canadian citizen non-members after July 1, 2014 and one reports it, they face a stiff fine.

  • Gourmet Food Company: “Opting-in” customers who previously opted out. I occasionally shop online at an internationally-known gourmet food company. When I first bought from them, I opted out of all offers after the first arrived in my inbox. Since then, I’ve shopped there four times. *Each* time I was opted back in and started to receive offers again, despite repeated opt-outs. As best I can tell, this practice violates CASL. If after July 1, 2014 the company continues to re-opt-in Canadian customers who opted out each time they place an order, they face a stiff fine, in addition to losing at least some customers. (I’ve found somewhere else to buy goodies.)

You would think that companies that obey the laws would also be open to appeals to ethics and simple good manners, but I have found that this assumption is incorrect entirely too often. The companies whose spam I discuss above generally respect the law. Nonetheless, all three of them also demonstrated a fundamental disrespect for the right of individuals to choose whether to receive that company’s email advertisements or not. Unlike many people, I know how to determine who sent me an email. I know who to complain to, and how to complain effectively. I also have a forum where I can complain and be heard: the Mainsleaze Spam Blog. That did not prevent two of these companies from spamming me repeatedly.

These spams illustrate the often-frustrating fact that the threat of losing customers or potential customers is not enough to prevent some companies from spamming. Marketers assume that if they target their advertisements properly, most people that they target will want to receive their offers whether they asked for those offers or not. Many marketers are convinced (rightly or wrongly) that, if they spam, they will sell more goods and services than they will if they do not spam. VPs of marketing and CMOs who think this way often carry the day with company presidents and CEOs, who must answer to their boards of directors when profits or the company’s stock price drop.

Many ESPs have strong antispam policies. Some of these ESPs enforce those policies effectively and consistently. At the end of the day, though, all ESPs depend upon the companies that mail through them to keep them in business. So, when companies are under pressure to spam, their ESPs are under pressure to help them spam or at least to look the other way.

Fortunately good laws can bring their own financial pressures to bear. Legitimate companies do not like to pay substantial fines any more than individuals do. As the saying goes, $10 million here, $10 million there, and pretty soon you’re talking about real money. If companies and ESPs believe that they are likely to be prosecuted and face fines that top out at $10,000,000 Canadian dollars per email, most will stop spamming, even those who are otherwise willing to spam.

CASL also allows non-Canadians to complain about spam that they receive from a Canadian company, although it often defers to the spam laws in the recipient’s country. Canadian prosecutors are expected to act on these complaints, extending the reach of CASL outside of Canada’s borders. As an American who deals with spam, I am most grateful to Canada for helping provide me a level of protection against being spammed by Canadian companies that my own government doesn’t under CAN-SPAM.

CASL isn’t perfect. It has built-in grace periods for many opt-in requirements (see FAQ => About the Law => Regardless of the date set for coming into force, will there be a phase-in period for compliance…), periods that exempt mailers from the full rigor of those requirements for as long as three years in some cases. Given that the law was passed in 2010, I have to wonder whether mailers really need this much time to bring their practices into compliance with CASL. It shows too much respect for the much poorer antispam laws in other countries. It also exempts some political and non-profit organizations that I believe it should cover. As with all laws, its effectiveness also depends on how well it is enforced.

However, it is far and away the best national anti-spam law that I’ve read yet. Kudos to the many legislators, legislative assistants, consulting attorneys, and (not least) antispam activists who made it happen.


[The preceding blog was published as Canada’s Anti Spam Law : Spam isn’t Just Nigerian Princes & Body-part Adjustment on the web site of the Coalition Against Unsolicited Commercial Email (CAUCE).]

3 Responses to Canada Announces Go-Live Date for CASL Anti-Spam Law

  1. Commenting on my own blog, but Mickey Chandler at Spamtacular posted a blog about an interesting and as-yet unanswered CASL legal question. It would be a pity if Canadian regulators and courts allowed the “reasonable belief” to be too widely applied. At the same time, I don’t think we or anybody would benefit from a CASL law that landed people with millions in fines for an innocent mistake.

    Here’s praying for the wisdom of Solomon for Canadian regulators and courts! (And in other countries as well….)

    • We need to have the US law move more to this direction. Sure, we don’t want to punish mistakes. However, our email admins are seeing more and more complaints from our users regarding current mainstream companies with standard anti-spam polices.

      Where there is a problem is the use of lists. For example, in our systems, we are seeing increases in reports of spam that trace back to Marketo customers.

      • From where I sit, the problem covers a lot of ESPs, not just Marketo. I don’t know what to make of this. Despite what appears to be a lot of effort by antispam organizations (Spamhaus, particularly) to push back against ESP spam, it is definitely increasing, not decreasing. It’s gotten to the point where I’ve got ESP outbounds automatically filtered to spam on my personal mail server except for specific whitelistings. Of course, I have a small number of users who all know this and I can watch for signs of legitimate email.

        The problem is use of lists. The problem behind that problem is list sellers, and the fact that many ESPs are owned by companies that also do list sales and email appending. 🙁

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Go back to top