In effect since July 1, 2014, Canada’s Anti-Spam Legislation (CASL) is the strongest in the world, requiring businesses to obtain advance consent for commercial mailings. Violators of CASL can be fined as much as CAD $10 million, and company officers can be held personally liable if they had a hand in the violation or failed to act reasonably to stop it. CASL applies to all email senders who send email to Canadians, whether or not the sender resides in Canada as well. Starting in 2017, CASL will allow Canadians to directly sue companies for violating its provisions - again, regardless of where the sender resides in the world.
Yet, the most significant and surprising part of CASL is a single phrase which I have included below:
6. (1) It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless
(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and
(b) the message complies with subsection (2).
This phrase is significant and surprising because it means that companies must not only refrain from sending out non-compliant email, they must also not even permit that to happen under their watch. While Canada’s CRTC (the Canadian equivalent of the FCC, and the organisation that polices CASL) does not hold companies responsible for spam that is sent out because of a security compromise, it’s quite possible that CRTC could bring a ruling against a company on account of even a low level employee or - worse - outside consultant violating CASL provisions while acting for the company. Companies therefore have a duty to audit their email practices from top to bottom in order to ensure full compliance at all levels, and to put processes in place to prevent violation even by third parties working on their behalf.
Recent data from Cloudmark indicates that marketing officers are taking a cautious approach in light of CASL’s potential impact. Overall email volume sent to Canada has fallen in the period following the roll-out of CASL vs. the period prior, as evidenced by Cloudmark’s Q1 2015 threat report. A casual glance at the data presented indicates that volume to Canada is off by 25 per cent - a stunning reduction.
While the majority of judgements will never reach true cybercriminals, CASL has impacted how businesses use email and how they protect against misuse of their infrastructure. The first penalties have already started to roll out with companies like PlentyofFish and Compu.finder Inc. accumulating fines totaling more than $900,000. The number of companies impacted is expected to grow rapidly, both in the short term and long term as additional portions of the law start to come into effect.
Don’t expect this law to stop penis enlargement pill scams or offers of millions of dollars from foreign princes; those types of criminals will always live in the shadows. The biggest impact will be on the grey area of email marketers who don't follow best practices, and whose activities are blatant enough to raise the ire of the CASL police. These grey area guys will either reluctantly crawl into the black, be successfully sued, or leave the industry altogether.
I expect more and more companies to adopt better email practices and protection for their email servers to ensure that all email sent is authentic. Although the law is specific to one country, the impact has the potential to touch every corner of the world.
Ken Simpson, co-founder and CEO, MailChannels
Image Credit: Shutterstock/Peshkova