CASL vs. CAN-SPAM: Differences in Email Compliance Law

Jessie Sight Blog, Compliance

Canada’s Anti-Spam Law (CASL) went into effect on July 1, 2014, and has since changed how many businesses, like AdStation, are able to support Canadian traffic. CASL applies to all commercial emails that companies send to users in Canada. Read on to understand the differences between CAN-SPAN and CASL compliance.

1. Consent

CAN-SPAM: CAN-SPAM is technically an opt-out law, not an opt-in law. There are no specific legal rules around obtaining consent. However, you agreed in your AdStation Integrated Agreement that all users on your list have provided their express consent to receive commercial emails.

CASL: After July 1, 2014, all users must have provided express consent before they can be mailed to (unless there is a prior business relationship). When you request consent, the publisher must provide users:

  • Their business name.
  • The reason for asking for consent.
  • The name of the company who received the original consent (if the user was acquired from another source).
  • A postal address and one of the following: a phone number, email address, or website where users can find out more information about the product.
  • A free unsubscribe mechanism that allows users to opt-out of not only the publisher’s emails but also any emails sent by a third-party.

2. Email Requirements

CAN-SPAM: Every email must include your business name and a valid, text-based postal address that correspond with your domain registration, along with a valid, text-based opt-out link.

CASL: Every email must include your business name and postal address, an opt-out link, the name of the company who obtained the original consent of the user, and the advertiser name.

3. Opt-Out Requirements

CAN-SPAM: The opt-out must occur within 10 business days. The opt-out link must unsubscribe the user from receiving the publisher’s emails.

  • The opt-out mechanism must remain active for 30 days.

CASL: The opt-out must occur within 10 business days. The opt-out link must unsubscribe the user from receiving the publisher’s emails.

  • If the publisher received the user from a third-party source, they must notify them of the opt-out. The company who obtained the original consent of the user must then notify each third-party who uses the consent of that user.
  • The opt-out mechanism must remain active for 60 days.

4. Penalties

CAN-SPAM: The Federal Trade Commission enforces CAN-SPAM. Each email can be subject to penalties of up to $16,000.

  • The Department of Justice can seek criminal penalties (such as further fines or imprisonment) for accessing someone’s computer to send spam, using fake information to register for domains or email accounts, retransmitting emails to mislead people about the origin of an email, harvesting email addresses, or taking advantage of open relays/proxies.
  • Certain private entities can bring lawsuits if they think someone violated CAN-SPAM, but individuals cannot.

CASL: The Canadian Radio-television and Telecommunications Commission, the Competition Bureau, and the Office of the Privacy Commissioner of Canada will investigate and bring action against companies that don’t follow CASL. This could include fines between $1-$10 million per violation.

  • The individual employees at the companies can be held liable for the messages that are sent.
  • After July 1, 2017, individuals and companies in Canada will be able to sue any company they allege has violated CASL.

As you can see, CASL has much more complex requirements than CAN-SPAM. Because the legislation is still fairly new and has only recently started being enforced, we don’t yet know the full consequences of non-compliance and how to fully ensure compliance. We are continually monitoring the updates on CASL, and will keep you informed if our stance or practices regarding mailing Canadian users changes in the future.

Share this Post

About the Author
Jessie Sight

Jessie Sight

Jessie is the Compliance Lead for AdStation and is responsible for ensuring the channel and its partners remain compliant with industry regulations. She is a Certified International Privacy Professional (CIPP/US) based at the Kansas City headquarters.