Frequently Asked Questions

For Consumers

Canada's Anti-Spam Legislation


For Consumers

What has changed as a result of the legislation?

The new anti-spam legislation will protect consumers against spam, electronic threats and the misuse of digital technology while ensuring businesses remain competitive in a global digital marketplace.

What is considered spam under the new legislation and how can I recognize it?

Canada's anti-spam legislation covers commercial electronic messages that are sent without consent and damaging and deceptive actions linked to spam, such as:

  • identity theft
  • phishing
  • spread of spyware and malware

To identify a spammer, look for these five things:

  1. Asks for sensitive information
  2. Impersonates companies or people you know
  3. Uses scare tactics
  4. Asks for money in advance
  5. Seems too good to be true

Will CASL eliminate all spam from my inbox?

No, the law will not eliminate all spam, but it will help deter the most damaging and deceptive actions linked to spam, such as identity theft, phishing and the spread of spyware and malware. Additionally, it allows Canadian enforcement to take action against spammers operating in Canada.

How do I report spam?

Spam and related violations can be reported to the enforcement agencies through the Spam Reporting Centre at fightspam.gc.ca.

Does CASL apply to social media?

For more information, please consult the CRTC's FAQs and the Competition Bureau's FAQs

Am I in violation of CASL if I forward an email to a friend or family member?

No, promotional messages sent among friends and family are not covered by CASL. How do you determine whether the relationship is personal? Consider the following:

  • frequency of communications
  • nature of past communications (did you share interests, experiences, opinions or information?)

More information is available on the CRTC website.

Should I be concerned about protecting my personal contact information online?

If you publish your business address, CASL allows people to send you promotional messages related to your work. If you do not want marketers to use that address to send you promotional messages, you can publish a statement to that effect along with your address. If you include such a statement, CASL prohibits anyone from relying on that publication of your address to send you promotional messages.

As we connect online more and more, it is also possible that we may be the target of malicious individuals and software. Unfortunately with spam, there is no way to know for sure whether a message is safe. If it looks suspicious, it may be malicious spam.

To reduce your risk:

  • Use a primary email address only for your trusted personal and business contacts.
  • Create a secondary email address to use for online activities such as filling out forms or joining communities. This address may be changed if you start getting too much spam.
  • If posting your email address to a website, do not use the @ symbol. Instead use a format such as "jane at myDomain dot com". This can help prevent spambot software, which is often used to extract email addresses, from recognizing it.

I haven't received any confirmation emails from my favourite retailers. How do I make sure I keep getting the emails I want to receive?

Leading up to July 1, many Canadian businesses contacted their clients inviting them to opt in to receive future electronic communications. If you did not receive any such message and are no longer receiving any new communications, you will likely need to sign up again to your favourite mailing lists.

How will I know if I have given consent to a business?

Canada's anti-spam legislation requires businesses to obtain your consent to continue contacting you after July 1. This means that you need to give clear consent that you wish to continue receiving further communications.

I accidentally clicked a link / opened an attachment that was part of a spam email. What do I do now?

Unfortunately, opening links or attachments in spam email can have malicious effects on your computer system—even if there is no obvious change in how your computer functions. If you think that your computer may be infected, the first step should be to update your anti-virus and anti-spyware software and run a scan of your system.

Maintaining updated software is the best way to protect yourself against these kinds of threats. Anti-spam software can scan an email before it is received and automatically get rid of known spam. Anti-virus programs protect against malicious software such as malware, adware, spyware, viruses and trojans.

Recently, I was asked to confirm the use of cookies on many of my favourite websites. Is this related to CASL?

Cookies are small, temporary files created by a website and stored on your computer. These files are often used to remember your past activity on the site and tailor your experience, for example, storing items saved in a shopping cart. Many notable websites around the world have been seeking confirmation from users to use cookies following the May 2012 decision by the EU requiring user confirmation to better protect privacy.

Under CASL, individuals are considered to have provided consent to accept or install certain files based on their online conduct. Such files are typically temporary information files, including cookies, HTML and JavaScript.


Canada's Anti-Spam Legislation

What has changed as a result of Canada's anti-spam legislation coming into force?

Canada's anti-spam legislation protects consumers online against spam, electronic threats and misuse of digital technology while ensuring businesses remain competitive in a global digital marketplace.

What is Phase 2 of Canada's anti-spam legislation intended to address?

Phase 2 of Canada's anti-spam legislation protects Canadians against the installation of unwanted software or software updates on their electronic devices.

These provisions on software installation allow Canadians to avoid unwanted and often damaging software and software updates such as malware and spyware.

Why is the Canadian government tackling spam and malware?

Unsolicited commercial electronic messages, known as spam, have become a significant social and economic issue and a drain on the business and personal productivity of Canadians. It is estimated that spam costs the Canadian economy more than $3 billion per year.

Malware and related electronic threats such as botnets and identity theft have become more sophisticated and widespread, giving rise to concerns over data breaches and impeding the growth and acceptance of legitimate e-commerce.

When does CASL apply to the installation of software or computer programs?

CASL applies when a person installs software on another person's device.

One example is when a website automatically installs software on a computer visiting the site without the knowledge of the computer owner. Another example may be when someone clicks on a link in an email message that causes a program to be installed on the computer. Yet another example is when an update to a previously installed computer program is "pushed" to a device, updating the program automatically.

In all of these cases, CASL applies, and the person installing the program, or causing the program to be installed, must first obtain the consent of the device's owner.

CASL does not apply in situations where a person or business installs software on their own computers.

For example, if you go to an app store to purchase and download an app and you install that app onto your own personal device, CASL does not apply. Similarly, CASL does not apply when the IT department of a small business installs new software on company computers or mobile phones. 

If CASL applies, what action must be taken by software vendors and providers?

If CASL applies, and a software provider is installing a program on another person's computer, the software provider must first obtain the consent of the owner, or authorized user.

By requiring software providers to get permission to install programs and updates, CASL helps protect consumers and businesses from hackers and other cyber criminals who steal sensitive information by installing "spyware", "malware" or other computer programs. It also gives them control over their devices, so that programs aren't automatically updated without their knowledge and consent.

Are there any other ways that CASL is helping Canadians better control what is happening on their electronic devices?

CASL will enable Canadians to make more informed decisions about what they allow to be installed on their computers, tablets, etc. If a computer program performs one or more of the following functions, then the installer must make that clear when seeking consent:

  1. collects personal information (such as accessing a mobile phone's GPS to track the location of the phone);
  2. interferes with the user's control of the device (for example, preventing someone from using the Wi-Fi on his or her mobile phone);
  3. changes or interferes with the user's settings, preferences or commands without his or her knowledge (for example, changing the default web browser on a computer);
  4. changes or interferes with the data stored on the device in a way that obstructs, interrupts or interferes with the user's access to the data (for example, encrypting data on a computer so that the owner can't access it);
  5. causes the computer system to connect to or send messages to other computer systems without the user's authorization (for example, causing a computer to automatically send out email messages to an individual's list of contacts); or
  6. installs a program that may be activated by a third party without the user's knowledge.

See subsection 10(5) of CASL for more detailed information.

Does CASL take into consideration the concern companies have over large-scale security/emergency patches used to keep software up to date?

The Government recognizes that companies need to be able to update computer systems in certain instances, such as security patches or bug fixes. These types of installations are permitted to ensure Canadians' computing devices continue to function properly.

For example, CASL would allow a company to push an update to the operating system of a GPS device—for example, to fix a problem that is causing the device to crash every time a user leaves a parking garage—without first asking for the consent of each user. Similarly, CASL would allow a telecommunications service provider to push a critical security update to computers on a network to protect users from cyberattack.

What is malware?

Malware is short for "malicious software" and describes software that is used, predominantly by hackers or cybercriminals, to disrupt the operation of computers, gain access to private computers or computer networks, and gather sensitive information.

Does CASL mean an end to all spam and malware?

The law will not eliminate all spam, but it does help deter the most damaging and deceptive actions linked to spam and malware, such as identity theft, phishing and the spread of spyware. Additionally, it allows Canadian enforcement agencies to take action against spammers and cyber criminals operating in Canada, and to work with international partners to fight spammers operating abroad.

How is spam and malware reported?

Spam and malware related violations can be reported to the enforcement agencies through the Spam Reporting Centre at Fightspam.gc.ca.

What happens if a company violates the law?

Complaints about violations can be submitted through Fightspam.gc.ca and are accessed by the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada. Complaints about unsolicited emails or malware may be turned over to the CRTC, which may investigate to determine if the message violates CASL. If the company is in violation, the CRTC has a range of enforcement tools available.

The CRTC will assess each case based on a series of factors, including the nature of the violation, the company's history with CASL, whether the company benefited financially from the violation, and the company's ability to pay a penalty.

Penalties for the most serious violations of CASL include a maximum penalty of up to $1 million for individuals and $10 million for businesses.

How can businesses ensure they are in full compliance with CASL?

Businesses should ensure they obtain a consumer's consent prior to sending commercial electronic messages. They must properly identify themselves in the message and provide a functional way for the recipient to unsubscribe from receiving future commercial messages.

If a business is installing software or computer programs on another person's computer or device, it must ensure that it seeks consent before doing so. When seeking consent for the installation, the business must ensure that it clearly and simply sets out the information as required under CASL.

Will compliance with CASL be expensive for smaller businesses?

Businesses that already comply with privacy laws and use common best practices for email marketing or software installation should require little effort to comply with CASL.

Does CASL also apply to business practices outside of Canada?

If a foreign company is sending commercial electronic messages to Canada or installing software in Canada, CASL applies.

If a Canadian company is marketing in other countries, it needs to comply with the laws of that country. CASL includes a list of countries that have their own spam laws and, as long as the company is compliant with the spam laws of the country in question, it is exempt from CASL.

If a Canadian company is installing software in other countries, CASL still applies.

CASL sets a new standard for spam laws around the world. Complying with CASL will help businesses comply with other laws.

What tools are in place to enforce CASL when malware is being sent into Canada from another country?

Malware being sent into Canada is still subject to CASL despite its international origin. CASL gives enforcement agencies the authority to share, at an international level, any information that may be relevant to an investigation or proceeding with respect to contraventions under the law. This information sharing will allow enforcement agencies to work in conjunction with their international counterparts to track and prevent the creation and distribution of malware.

Can one person provide consent on behalf of his or her whole organization and all of its members/employees?

Yes, an individual with the authority to do so may give consent on behalf of an entire organization for the organization's email or devices. It is the responsibility of the organization to determine who has authority. If an organization is operating under a "bring your own device" (BYOD) system, then the employer cannot unilaterally provide consent to the installation of software.

How many complaints have been received since CASL came into force in July 2014?

As of January 6, 2015 there have been 4,948 submissions made using the online form at Fightspam.gc.ca and 205,227 reports made using the email address spam@fightspam.gc.ca.