Data Privacy in Canada

Canada’s Consumer Privacy Protection Act (CPPA)

Canada introduced the Digital Charter Implementation Act in November 2020, reinstating a new data privacy law called Consumer Privacy Protection Act (CPPA) as the core protection for data privacy in Canada. It focuses on modernized consent rules, safe and ethical data mobility, responsible data movement, and transparency. CPPA aims to simplify consent, which plays a key role in ethical data procurement, and facilitate greater data sharing between private and public sectors. It also covers social media and empowers individuals to request permanent deletion of their information.

A Work in Progress

The Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA) were two components of Bill C-11 which was part of the Digital Charter Implementation Act 2020. The Bill died before it could be passed when a federal election was called for in September 2021. In 2022, work is being done on a new bill.

Canada’s Anti-spam Legislation (CASL)

Known as one of the toughest email and anti-spam frameworks, Canada’s Anti-spam Legislation (CASL) was created in 2014 to reinforce best practices in email marketing and combat spam and related issues. It applies to the wide spectrum of electronic messages that fall under the category of commercial activity. Commercial activity includes all kinds of commercial electronic messages (CEMs) that contain promotional content. It also includes communications that include coupons or codes. CASL covers all electronic communications sent within, from, or to Canadian residents. It does not apply to CEMs that are simply routed through Canada, communications that include hyperlinks to a website, or ones that contain business-related information. The prime objective of CASL is to discourage spam messages that undermine consumer confidence, make personal data vulnerable, and cost consumers and businesses money.

Key Definitions

Commercial Electronic Messages (CEMs)

Any electronic messages designed to encourage someone to participate in a commercial activity, such as buying something. For example, an email that contains a coupon or tells customers about a promotion or sale.


The legal definition of spam encompasses:

  • Unauthorized alteration of transmission data
  • Installing computer programs without consent
  • False or misleading electronic representations (including websites)
  • Harvesting addresses (collecting and/or using email or other electronic addresses without permission)
  • Collecting personal information by accessing a computer system or electronic device illegally

How has CASL helped?

  • Since the inception of CASL, Canadians receive less spam. One study showed that within a year of the legislation being introduced, there was a 37% decrease in Canadian-based spam and 29% less email (spam or legitimate) in Canadians’ inboxes
  • It has helped make companies more disciplined when it comes to electronic marketing as well as more profitable. Email click-through rates have risen and bounce rates have dropped.
  • Between 2014 and 2017, the proportion of commercial electronic messages reaching their designated recipients rose to 90% from 79% in Canada (compared with 80% worldwide). The proportion of commercial emails opened and read also increased to 32% from 26% (compared with 21% in the United States).

Key Principles of CASL


You must have either Express or Implied consent from a contact. Express consent means you have explicit proof of consent from an individual. Implied consent means it’s assumed (with plausible reason and a high level of certainty) you have the due consent of the individual.


You must identify yourself clearly, including your name, phone number, address, and postal code. .


You must include the option to unsubscribe (be removed from the email list) in every digital message sent directly to an individual. The process must be easy to follow and contacts must be removed from lists within 10 days.

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.

Ready to get started?

Request a demo