A Refresher On Canada’s Antispam Legislation (CASL)

Blog / A Refresher On Canada’s Antispam Legislation (CASL)

Understanding CASL rules can save you plenty of headaches.

As regular readers know by now, compliance is a huge part of the cybersecurity domain or job scope. Yes, there’s plenty of patching and updating firewalls for ransom/malware protection, but pretty much every business today offers some kind of online payment program or collects private information, even if just for staff and internal uses. As a result, payment processors and government watchdogs, as well as hackers, are very interested in how secure your IT infrastructure is; that’s to say compliance is a much larger part of the cybersecurity job than many people expect.

Now, it’s not uncommon for us to talk about rules and regulations like Alberta’s Personal Information Protection Act (PIPA) and the Payment Card Industry Data Security Standards (PCI DSS). However, there’s other legislation worth talking about that we don’t hear about (much) anymore, and that’s Canada’s Anti-Spam Legislation (CASL). It made headlines back in 2014 when it was first coming into effect, but has since been mostly forgotten about by the general populace despite multiple updates since then (not that they were particularly newsworthy changes).

To be clear, CASL is about protecting Canadians from spam, making it an expensive offense to distribute commercial electronic messages (texts and emails) to someone without their express permission; it’s not particularly focused on how secure businesses’ marketing email engines are, but rather if they have permission to market to said people. So even though it doesn’t affect them, most hackers and other bad actors know all the rules, backwards and forwards and inside out (that’s one way they find loopholes to exploit). That’s just more reason why anyone concerned about their cybersecurity profile should understand at least the most important aspects of the legislation.

First, just because someone’s email address is openly available to anyone on the internet doesn’t mean you have permission to market to that address. To quote CASL: “It cannot be assumed that people whose electronic addresses are posted online are necessarily interested in receiving commercial offers.” This is just one line from the entire piece of legislation of course, but essentially it means just because you found a publicly-published doesn’t mean you can market to it. The simplest example is basic business information inboxes; they’re meant for potential clients to make inquiries of the business, not for your B2B company to email brochures to.

CASL also explicitly recognizes email addresses as personal information, making them subject to both PIPA and PIPEDA (PIPA’s national big brother). It’s not a substantial complication (at least, it shouldn’t be if you’re set up properly) but it’s enough of a wrinkle that you could be left exposed to legal liability if your marketing program isn’t properly handled and secured.

The last thing to understand about CASL (as we’re talking about it today at least) is that reporting is easy and findings of culpability expensive. Remember, a person (or business or any other legal entity) isn’t giving blanket permission to be marketed to by publicly publishing an email address. So when can you market to an inbox? When (and only when) the owner has given you explicit permission. What’s more, the onus is on the businesses to prove they’ve been authorized to market to an email address, so make sure to precisely document exactly when, where, and how you got their permission. This is because it’s very easy for someone to report a bit of spam is by filling out a form on a government website, then providing a copy of the email.

When it comes to advertising and soliciting through email, compliance is key. You can design a beautiful email campaign with exceptionally effective calls to action, but sending it to even just one email address without permission can potentially cost your company up to $10 million CAD as a penalty. And that’s just in Canada. The European Union’s GDPR (General Data Protection Regulation) is similar to CASL, but also allows victims to prosecute across borders, so a French citizen can sue a German business that’s inappropriately emailing them. In fact the GDPR technically gives EU citizen victims the right to pursue remedies against unauthorized marketing emails from anywhere in the world, though whether non-EU states cooperate is still up to them. Regardless, the point is that protecting people’s privacy isn’t just about keeping information out of the hands of the bad guys; it’s also about making sure the data businesses do have is used properly and with the appropriate permissions.

This week’s newsletter was inspired by this quote from Shakespeare’s Titus Andronicus; “Come, and take choice of all my library, And so beguile thy sorrow.”

If you’d like help ensuring your email marketing program is both secure and compliant with the latest legislation, contact a TRINUS cybersecurity professional and we’ll be happy to help out.


Be kind, courtesy your friendly neighbourhood cyber-man.

/Partners /Systems /Certifications

TRINUS is proud to partner with industry leaders for both hardware and software who reflect our values of reliability, professionalism and client-focused service.