Disclaimer: We are not a solicitors. This is not meant to be legal advice and only reflects our understanding based on the review of public documents. There are these high-level requirements to be compliant with PIPEDA (Canada), CASL (Canada), GDPR (EU), and CAN-SPAM (U.S.A.) legislation.

PIPEDA (Privacy) – Canada

  • Accountability
  • Identifying purposes
  • Consent
  • Limiting collection
  • Limiting use, disclosure, and retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual access

CASL (Anti-Spam/Communications) – Canada

  • Consent to communicate
  • Double opt in
  • Implied consent for specific communications is sufficient
  • Must allow for opt out

GDPR – European Union

  • Everyone in the EU should be allowed to know what data a business is keeping, what it is for, and how long it will be stored.
  • Everyone in the EU has the right to access their own data.
  • Everyone in the EU has the right to “data portability”, the ability to request a copy of their data.
  • Everyone in the EU has the right to be forgotten (request their data be deleted).

CAN-SPAM – United States of America

  • No misleading email header information (no fake email or “spoofing”).
  • No deceptive subject lines (transparency required).
  • Advertisement emails must be clearly identifiable as an ad (transparency required).
  • Must allow for opt out and honour opt out requests.
  • You cannot contract away your responsibility to help prevent spam.


The business guide to PIPEDA that we work against as provided by the Office of the Privacy Commission of Canada here.

CASL is the newest of the large Canadian legislative updates that should be a topic of conversation. It centers on preventing spam in any of the different forms of electronic communications by ensuring consent for communication.

In Canada, we need consent to collect, use, or disclose personal information. Filling in a form on a website is sufficient implied consent to allow a company to contact a person specifically for the requested purpose of the form. We need to be transparent about our goals and intended uses for private information, as well as use a reasonable level of security to prevent the loss of private information. Hosting data on a secure hosting environment, and ensuring sensitive information like credit card details are encrypted before being sent to processors, etc.

If we want to further market to these folks, we need express consent in the form of a checkbox asking for express consent to further contact beyond the initial purpose of the contact form. This double opt in process is built-in as standard with all popular marketing mail tools. (MailChimp, iContact, etc.)

General Data Protection Regulations (GDPR) – EU

This is the new European regulation that enforces the accessibility and protection of private information for those in the EU.

Fortunately, none of these requests needs to be handled instantly, and can be handled on a case by case basis. As such, we feel that a privacy policy that explains that a business understands a person’s data rights, along with contact details as to how that person can have access to or remove their data is sufficient to be compliant.


This is very much parallel to Canadian spam law. Reasonable data use, transparency in advertising, and communications are the end goals of this anti-spam law. Compliance bears the same opt out and consent rules as Canada.


Each business has their own requirements for compliance for these three sets of legislation. Ultimately, in order to remain compliant, the rules we play by are the same across the globe.

  1. Be transparent: no trickery or fraudulent/misleading marketing efforts.
  2. Have consent to communicate (specific or implied, based on use).
  3. Allow for opt out of future marketing efforts.
  4. Protect the information that you handle.
  5. Don’t collect information you do not need.
  6. Allow for the deletion and movement of personal data (upon request).
  7. Honour requests whenever possible.
  8. Alert users to your privacy policies. (Cookie usage, collection, etc.)

How we go about ensuring compliance is different for each business, but often times leveraging a marketing automation platform is the best way to ensure compliance with all laws. These tools are under heavy scrutiny to ensure compliance, and as such, they have driven the industry standard forward.

Contact your team member at CAYK Marketing today at 587-319-0732 to learn more about the steps your business needs to take to achieve compliance of the different legislation that impact your business.