Business Checklist for CASL Compliance: Canada’s Anti-Spam Legislation

How to prepare for Canada’s New Anti-Spam Legislation:

1.      Business Awareness

Identify a key individual or individuals in your business and form a committee of one or a committee representative of each department affected to address CASL going forward.


Responsibility of

Identify a key individual or CASL Team in your business.



Training on CASL Compliance.



Develop and document a CASL compliance plan




2.     CEM (Commercial Electronic Message)  Inventory and Review

Identifying what kinds of CEMs are currently being sent, what form these CEMs take, to whom they are sent, and why are they sent?


Responsibility of

Take inventory of all databases: CRM (customer), email marketing lists and databases.



Review all online forms that capture data (e.g. newsletter signup form)



Review all offline forms for data capture (e.g. trade shows, phone leads, received business cards, etc.)



Review all email marketing campaigns, manual email marketing campaigns and automated email notifications.



Review all social media notifications and messages.



3.     Know Your Exemptions

Identifying Exemptions – categorizing (with appropriate supporting information) CEM recipients who fall under one or more of the exceptions to CASL; such as,  where the sender (a) has a family or personal relationship with the recipient, (b) is responding to the recipient’s request, inquiry or complaint, (c) is enforcing a legal right, (d) is sending a business-to-business CEM (within and between firms) in the context of an ongoing business relationship, or (e) is a foreign business sending a CEM to a foreign recipient who accesses the CEM while roaming in Canada.


Responsibility of

 Identify all of your exemptions.




4.      Consent Reconfirm and Tracking

Once CASL comes into force (July 1st , 2014), you can’t send an electronic message requesting consent because it will be considered a CEM.

Should there be any question about compliance with CASL, you need to be able to say when, where and how you received permission. The easiest way to track permission is to have people electronically grant permission – then the database shows a date, time and method of permission. The onus is on you to clearly prove permission.


Responsibility of

Review all your current contacts for express or implied consent.



Consent check – Send out email re-confirmations to achieve opt-in express consent.  So, email to your implied contacts to supersize them to express consent. E.g. Language like “We want to make sure our subscribers receive the right information. Please verify your address here.”



If you are recording signup manually, maintain those records.



5.     Database Review and setup for CASL.

Some changes should be made to the technology you use for the purpose of tracking  CASL consents and related information.


Responsibility of

Create a database/tracking system to track express and implied consent. CRM solution, email marketing solution, Excel etc. Maintain records for three years.



Segment all databases by their consent level: express and implied consent.



If implied consent you will need to tract the two year rule. What is their “stop send” date?



Make certain your email marketing system has captured the date/time of the new signup, along with the subscriber’s IP address.




6.     Process Review

Under CASL there will be requirements for your business to change certain business message processes.


Responsibility of

Prescribed Information – make certain that all outgoing CEM’s comply with the prescribed information. The message: identifies the sender, includes the required contact information.



Unsubscribe mechanism – making sure you have a working unsubscribe mechanisms and notices are in place and meet all existing CASL requirements. The mechanism is functional for at least 60 days.



No pre-checked opt-in boxes on any web forms.



Consider a double opt-in for email marketing subscribers.