Canada's Anti-Spam Law

Posted July 28, 2011, 3:44 pm by Jason Luke

Image of Jason

Jason Luke

In December, 2010, Canada filling passed federal anti-spam legislation, after being the only G8 country not to have one. It was Bill C-28, formerly know as Fighting Internet and Wireless Spam Act (FISA). That name was dropped and now it has a variety of names, including Canada's Online Protection Legislation (COPL)

This law now gives Canada the strictest such law in the world and will have dramatic effects on businesses operating in Canada. Unlike the US, where CAN-SPAM covers only email, this law covers any electronic message, which is defined as "a message sent by any means of telecommunication, including a text, sound, voice or image message." So this would encompass all unsolicited email, text messages, tweets, instant messages sent to a business person. It does not apply to broadcast messages (presumably such as TV ads), phone calls between individuals, broadcast faxes or telephone recordings sent to a telephone accounts, however there is a framework that would allow this law to expand to telemarketing in the future.

Being an anti-spam act, you would think this applies to only bulk email, but you would be incorrect. Bulk email is not a requirement. If you send a single unsolicited email to someone, this law applies to you.


The restrictions set forth in the law are vast and include:

No unsolicited electronic messages unless you have consent. Consent means the receiver has opted-in to your communications by expressly affirming so.  In practice, this will prevent any marketing email to new clients unless you already have consent. The law takes effect in September 2011, so it is recommended that everyone get consent now before the law takes effect. Why, you ask? Because after September, you cannot get consent by emailing the receiver. So in order to email someone, you would need consent, which you cannot get by emailing them. Good luck sales people!

No alteration of the transmission data or rerouting of the data without consent.

No false or misleading headers, such as a spoofed sender or misleading subject line.

It must be clear who sent the message or on whose behalf it was sent. The sender's contact info must be in the message along with an easy and obvious unsubscribe mechanism.

No address harvesting or sending to harvested addresses.



There are always exceptions. Consent is deemed if there is "an existing business relationship or an existing non-business relationship with the person to whom it is sent," or the recipient has conspicuously published their contact info. Existing business relationship has a long definition that is best viewed in the statute itself (see link). This "implied consent" is good for two years, and there are actual requirements in the statute as to what constitutes enough to renew this implied consent. For example, you need to meet the sender in person at least every two years(sorry, inside sales folks).



Civil penalties can reach up to $1 million dollars for individuals and $10 million for businesses. Officers and directors of a corporation may be liable and recipients have a right of class action.


Link to the statutes


Filed under: Uncategorized
Edited January 12, 2018 by Julie
Listed in Communities: Our Site

You must be logged in to post comments.