Canada’s Anti-Spam Law

Most online marketers doing business in Canada today are already familiar with PIPEDA. But many are not aware that a new law, known in Parliament as Bill C-28 and later renamed Canada’s Online Protection Legislation (COPL) was given Royal Assent on December 15, 2010. The law imposes onerous opt-in and other responsibilities on marketers doing business online in Canada. It covers items such as the sending of commercial electronic messages (CEM), prohibition of installing computer programs without consent, and sending messages with false or misleading information in the content or header. Enforcement of the law is expected to commence in September 2011, which should give marketers ample time to comply.

COPL is effectively Canada’s first anti-spam law, which removes the distinction of Canada being the only G8 nation without one. The provisions of PIPEDA already covered opt-in, however, enforcement actions were limited. Under the new law, a definitive set of requirements and enforcement actions are laid out and penalties for violation of the law can be severe. Unlike CAN-SPAM, which covers only e-mail, COPL covers CEM, which is defined as any commercial “message sent by any means of telecommunication, including a text, sound, voice or image message.” Effectively, this includes:

  • E-mail
  • SMS
  • Instant messages
  • Social media postings such as tweets
  • Some voice communications

There are a number of requirements set forth in the law regarding CEM, most notably:

  • Express affirmative (opt-in) consent
  • No false or misleading headers, including sender and subject line
  • Cannot alter transmission data
  • Must provide a conspicuous unsubscribe mechanism
  • Must include postal address of sender
  • Cannot perform address harvesting to obtain e-mail addresses or send to harvested addresses
  • Liability for entities who knowingly allow spam to be sent on their behalf, even if the message was not directly initiated by those entities

Exemptions to the opt-in requirement exist under certain circumstances. Consent is deemed if there is an existing business relationship, an existing non-business relationship (such as sending to a family member), conspicuous posting of an electric address such as on a “Contact Us” page (provided there is no statement near the address indicating that it should not be mailed), or where the recipient has provided the electronic address to the sender. In most cases, this implied consent is valid for two years, after which the sender must gain affirmative consent.


Computer systems located in Canada used to send or access an electronic message fall under the COPL umbrella. This means that any CEM that leaves or enters Canada is subject to the regulation. COPL is primarily enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), and imposes fines of up to $1 million per violation for individuals and $10 million per violation for businesses. There is also a provision for private right of action, allowing individuals and businesses to seek actual and statutory damages.

Enforcement does take into account “honest mistakes,” and for that reason, it is important to undertake clearly defined actions to comply with the law. Willful violations are the primary focus of enforcement.

Next Steps

Businesses will need to scrub their lists and remove any covered address for which there is no affirmative opt-in to receive e-mail and other CEM. It is expected that many e-mail lists will be significantly reduced in size as a result. Privacy policies and form collection on websites should be updated to ensure proper consent. In the case of forms, this includes moving from an opt-out (pre-checked) to an opt-in (not pre-checked) methodology.

I recommend that businesses meet with their legal, compliance, and marketing teams to determine the full scope of changes to their business practices in order to comply with the new law, as there are a number of key considerations and requirements not provided in this column which may apply. We also encourage affected parties to read the full text of the law, which can be found here.

(Note that the purpose of this post is to provide general information about Canada’s Online Protection Legislation. It does not constitute legal advice. Please consult your legal counsel for full requirements and implementation recommendations.)

Related reading

Flat business devices communication with cloud services isolated on the light blue background.