Privacy Advisor

How to save $10 million

July 1, 2012

By Megan Brister, Marta Rzeszowska-Chavent, Katerina Kouretas and Alain Rocan

Express consent campaigns have been touted as the silver bullet for the consent framework under Canada’s Anti-Spam Law. However, gaining express consent has its own set of challenges. What are the questions organizations need to ask before seeking consent?

Organizations have been waiting nearly two years for regulations that will clarify and put into force Canada’s Anti-Spam Legislation (CASL). For this reason, many organizations are waiting until the fall—when Industry Canada’s regulations are now expected—to evaluate their marketing practices and implement changes. However, given CASL’s broad application and stiff monetary penalties—up to $1 million for individuals and up to $10 million for organizations per violation—smart organizations are launching express consent campaigns before CASL comes into effect.

CASL will apply to any organization that sends a commercial electronic message (CEM) to its customers, prospects or other contacts via e-mail, text or other electronic means such as Twitter, Facebook or LinkedIn—irrespective of size or sector—with the purpose of encouraging participation in a commercial activity. Commercial activities include any transaction, act or conduct that is commercial in nature, whether or not the person who carries it out does so with the expectation of profit; e.g., invitations to events or subscriptions to an industry newsletter. This will include all messages that based on the content, including links and contact information, have as one of the purposes encouraging participation in commercial activity such as selling or advertising a product, promoting an organization or person or gathering market information. In effect, CASL will require recipients to opt in to receiving CEMs—a model that differs from the U.S. CAN-SPAM Act. Organizations will be required to have implied or express consent from recipients in Canada before sending a CEM, unless the relationship or CEM qualifies for an exemption. Organizations will also need to put in place unsubscribe mechanisms or ensure that current unsubscribe practices meet the requirements under CASL.

Not only do Canadian-based organizations need to comply with CASL but also organizations that send messages to Canadian recipients must take note. CASL applies to messages sent from or received in Canada. Practically speaking, if an organization has global presence, its foreign subsidiaries that send electronic messages to Canadian recipients also need to comply with CASL.

Organizations may rely on implied consent under CASL in three main scenarios:

  • With an existing “business relationship” with the recipient; e.g., consumer has purchased a product within the two years prior to the message being sent, entered into an existing written contract with the person or made an inquiry or application within the six months prior to the message;
  • With an existing “non-business relationship;” e.g., charitable, membership and volunteer relationships;
  • The recipient has conspicuously published his or her e-mail contact information or has disclosed it to the sender and has not indicated that he or she does not wish to receive communications and the CEM is relevant to the recipient’s business, role, functions or duties in a business or official capacity.

Currently, prior to sending a CEM, organizations must ensure that consent requirements set out in privacy legislation are met. Privacy legislation requires organizations to inform an individual about the collection, use or disclosure of his or her personal information and obtain the individual’s consent for such collection, use and disclosure. Under federal privacy legislation, organizations rely on implied consent based on “reasonableness” standards. For example, under federal privacy legislation, where a consumer sends a request for information via e-mail, it would be reasonable to conclude that you have that individual’s implied consent to respond to the request using the individual’s e-mail address. Under CASL, this type of inquiry by a consumer would constitute an “existing business relationship;” however, a response would have to be sent within six months from the date of the initial inquiry in order to rely on implied consent under CASL. CASL specifically states that in the event of any conflict between a provision of CASL and a provision of PIPEDA, the federal privacy legislation governing private sector organizations, the provision of CASL would prevail. In other words, an organization cannot necessarily rely on implied consent as currently provided for in federal privacy legislation.

Grandfathering provisions for implied consent

When CASL comes into force, if there is an existing business relationship or an existing non-business relationship, as defined in CASL, there will be an extended period of three years during which implied consent will continue to apply. The transitional period provides an extended timeline for perfecting existing implied consent for an existing business relationship and an existing non-business relationship by seeking express consent in compliance with the legislation.

What makes CASL different from other electronic marketing legislation is that the broad definition of CEM means that CASL will also apply to those electronic communications that may not come from marketing departments well-versed in the rules of consent. For example, a salesperson who contacts a former client, with whom the company has not had a relationship with in more than two years, must have the former client’s express consent or implied consent before sending the CEM. The sales \person’s contact may be something as simple as an e-mail, inbox or text message to touch base, but given CASL’s broad scope, it may still be considered a CEM. This means that organizations will need to track implied consent and ensure everyone in the organization understands the scenarios in which consent is considered to be implied. If the salesperson’s CEM went to 50 people who had not consented to receive the message, regulators could fine the organization $500 million. Additionally, a private right of action is available, which permits individuals to take civil actions against anyone who violates CASL.

When CASL comes into force, CASL may restrict an organization’s ability to use existing express consent that was not obtained in compliance with CASL in some circumstances, leaving senders that thought they had express consent with no consent at all from a CASL perspective.

Implied consent will be necessary, but not easy. Express consent provides some freedom, but not without its own challenges.

Organizations with hundreds or thousands of contacts, in multiple locations, managed by different departments and often with incomplete or duplicative contact information and no knowledge of when a contact may have originated, will have a difficult—if not impossible—job of tracking implied consent. Given the challenges of implied consent, many organizations instead are gaining express consent from recipients. Under CASL, organizations may send CEMs to a recipient who has expressly consented to receive such communications until the recipient opts out. This means that organizations will need to track implied consent and ensure everyone in the organization understands the scenarios in which consent is considered to be implied. Otherwise, an organization could be subject to administrative monetary penalties or even legal action by the recipient of a CEM that is non-compliant.

Seeking express consent

A request for express consent may be obtained orally or in writing. Where consent is being sought on behalf of another person, the request for consent must include a statement indicating which person is seeking consent and which person on whose behalf consent is sought. The request also must identify the name by which the person seeking consent carries on business, if different from their name, otherwise, their name; also, if applicable, the name by which the person on whose behalf it was sent carries on business, if different from their name, otherwise that person’s name. All requests for consent must include prescribed contact information for the person seeking consent or, if applicable, the person on whose behalf consent is sought. Finally, each request must also identify the purpose for which the consent is being sought, as well as a statement indicating that consent may be withdrawn by the recipient.

Express consent campaigns have their own challenges. Before contacting customers, clients or donors, there are a myriad of questions to consider and decisions organizations need to make, which will be helpful within overall CASL preparation. There are generally three ways in which organizations will seek express consent:

  1. Simple consent: Seek express consent to send or to continue sending CEMs.
  2. Consent with updates: Seek express consent and current contact details from recipients. This may involve, for example, sending existing CRM data to the recipient for verification.
  3. Consent with preference management: Seek express consent to send CEMs and capture or confirm recipients’ preferences concerning the type, frequency and format of electronic messages.

Each option raises the following important questions for organizations to consider:

Population: Which programs or groups should the organization contact?  

Accuracy: Which contact lists are most accurate?

     Are updates necessary for all contacts or just certain populations?

Timing: When should the organization contact recipients?  Several organizations will undergo similar exercises and businesses risk “CASL fatigue” as recipients are asked to expressly consent to receive CEMs from several sources.

Technology: Is the technology in place to manage the express consent campaign?

        Can responses be tracked electronically? 

        What is the effort to manage the campaign manually?

Response: How will the organization handle non-responses? 

      How many times will the organization re-send a request? 

Content: Has the organization prepared a standard template for CEMs? CASL requires that each CEM be in a format prescribed by CASL, which includes opt-out information and information regarding the sender.

   What communication preferences does the organization want to offer recipients—timing; e.g. weekly; topic, format; e.g. text message? 

   Are there technical restrictions on how the organization will communicate with recipients that limit preferences?

Management: How will the organization ensure recipients who do not consent, do not receive CEMs through, for example, a “do-not-contact registry?” 

          How will preferences be managed long term?

          If consent is provided, how will the unsubscribe mechanism be monitored and tracked? 

With all three express consent scenarios, the question of timing, target population and technology are important to consider as each organization will have its own set of realities. This means organizations will need to engage frontline business, marketing, legal, privacy and technology teams to implement express consent campaigns effectively.


It is also important to remember that CEMs have their own required content, and one required element of each CEM that is sent is that it must include a readily-performed unsubscribe mechanism, or a link to a website where the unsubscribe mechanism is readily accessible. For the sender, this mechanism will be a tool for keeping track of withdrawals of consent going forward.

Express consent is not a silver bullet for consent management under CASL. However, once express consent is obtained, it provides a less burdensome regime by simplifying the questions that senders need to ask before sending CEMs: Do we still have the recipient’s express consent for this type of communication? If the sender’s organization is tracking consent—and withdrawal of it—via the required unsubscribe mechanism, it should be able to easily move forward with using CEMs as part of its commercial messaging. An express consent campaign also gives organizations the opportunity to renew relationships and update contact information. Most importantly, involving frontline staff who communicate regularly with recipients in the express consent campaign will help educate them on the rules under CASL.

Whether an organization decides to proceed with an express consent campaign or not, evaluating consent management options and making decisions concerning when implied or express consent will be sought will help with overall CASL preparation. It will also clarify current marketing and business practices, which are not always well documented.

Authors’ Note: At the time of publication, final regulations from Industry Canada were not available.


Megan Brister is a senior manager in Deloitte’s National Privacy Practice. Marta Rzeszowska-Chavent the senior manager of Deloitte’s Privacy Office. Katerina Kouretas is an associate with Gowling Lafleur Henderson LLP. Alain Rocan is an associate partner within Deloitte’s Enterprise Risk Management Practice.