This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our cookie notice for more information on the cookies we use and how to delete or block them.

Bookmark Email Print this page

Canada’s Anti-Spam Law: Key exemptions

Canada’s Anti-Spam Legislation: Key exemptions

A Commercial Electronic Message (CEM) is any electronic message that encourages participation in a commercial activity, such as an email that contains a coupon or tells customers about a promotion or sale. If your organization sends CEMs, you’ll need “express consent” from recipients before sending them – although certain exemptions exist.

The revised regulations introduce key exemptions for B2B, legal and referral business practices, for telecommunications services (TSPs) and for personal relationships.

Here we summarize these exemptions for you:

Business practices

  • Business-to-business (B2B) communications. CASL applies broadly to all CEMs. However, the new regulations include exemptions for CEMs sent within a business, and CEMs sent between businesses that are in an ongoing business relationship. The messages must be sent by an employee, representative, contractor or franchisee, and be relevant to the business, role, function or duties of the recipients. Similarly exempt are communications sent to third-party business partners, such as marketing agencies, recruiting firms and insurance carriers.

  • Messages sent to consumers in response to a request for information. The new regulations address this unintended consequence by exempting messages sent in response to requests, inquiries or complaints.

  • Messages sent to enforce a legal right. Examples include messages sent for debt collection, licensing and enforcing contractual obligations.

  • Messages sent from outside Canada. These include messages sent by foreign businesses (provided the sender could not reasonably know the message would be received in Canada) and internationally-based Canadian organizations.

  • Third-party referrals. To qualify for the exemption:

    • The individual who sends the message must disclose in the message the ordinary or full name of the person who made the referral.

    • The individual who made the referral must have an existing personal or family or business relationship with both the sender and the person who receives the message.

Telecommunications service providers (TSPs)

The new regulations also include two exemptions for TSPs to permit the installation of computer programs without consent:

  • For the purpose of preventing illegal activities that pose a risk to network security.

  • For network update/upgrading purposes.

Personal relationships

While CASL was never meant to apply to communications sent to family or friends, some stakeholders considered the definitions of personal and family relationships to be too narrow. The revised regulations have now broadened these definitions.

Now a “personal relationship” is defined as one where individuals have had voluntary, two-way communications at any point in the past—whether or not they have met in person. Based on factors such as the sharing of interests and experiences, the relationship is considered personal, unless the recipient has clearly asked not to receive any CEMs from the sender.

The definition of “family relationship” has also been expanded so that CEMs can be sent without consent to family members descending from a common grandparent, including aunts, uncles, first cousins, nieces and nephews.

For a closer look at the requirements set out by CASL, read Managing the message: Canada’s new anti-spam law sets a high bar. Detailed information about the new regulations is also outlined in this FAQ.

We monitor all CASL news as it’s released, so we’ll update you on the developments that matter most. In the meantime, if you have any questions, please don’t hesitate to contact us or to post a comment below.


Miyo Yamashita is the leader of our national Privacy & compliance risk practice. With over 15 years of experience, Miyo has worked with a number of clients, across multiple industries, helping them navigate their privacy and compliance management initiatives.

Sylvia Kingsmill is a senior manager with our Enterprise risk practice. With over 10 years of experience in compliance risk management, privacy and regulatory risk reporting, Sylvia helps clients across many industries navigate their regulatory environments and understand their audit and reporting obligations. Her specialty is implementing consumer protection laws and liaising with regulators on behalf of clients.


Miyo Yamashita
Miyo Yamashita
Partner, Enterprise risk services
Miyo leads the national Privacy and compliance risk practice.

Sylvia Kingsmill
Sylvia Kingsmill
Sr. Manager, Enterprise risk services
Sylvia specializes in consumer protection laws, and liaises with regulators on behalf of clients.

Go social

iDeas blog  iDeas blog

Deloitte LinkedInd  LinkedIn

Twitter  Twitter

deloitte facebook  Facebook

deloitte youtube  YouTube