Compliance Corner: CAN-SPAM, CASL and More

Laws around the world regulate how businesses and employers can interact with individuals through emails. While many marketing teams deal with these regulations every day, they also apply to talent acquisition teams that engage with candidates through email. Different countries have different laws, so this post will cover the laws in the United States, Canada and Australia. If you’re emailing candidates in other countries, you should review any applicable anti-spam legislation.

United States: CAN-SPAM

CAN-SPAM, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, regulates commercial messages in the United States. Commercial messages, including one-off and mass email sends, promote a product or a service. The law does not apply to transactional or relationship content, which is email about an already agreed-upon transaction. Here’s what it requires:

  • You cannot use false or misleading header information. Your “From,” “To,” “Reply-To” and routing information must be accurate and identify the person or business who initiated the message.
  • You cannot use deceptive subject lines.
  • The message must include your valid postal address.
  • You must include an option to opt out of future emails, and you must honor those opt-out requests within 10 days.
  • For every email you send in violation of CAN-SPAM, you can be fined up to $41,484.

Canada: CASL

CASL, the Canadian Anti-Spam Legislation, applies to commercial electronic messages in Canada. Commercial electronic messages are emails that encourage participation in a commercial activity. Here’s how it works:

  • Commercial electronic mail to Canadian individuals is covered by CASL.
  • The recipient of the email must give express consent or implied consent to receive the commercial electronic message.
  • Express consent means the person has agreed to receive the message either in writing or orally. An opt-in option, like a website sign up, is considered express consent. An email requesting consent does not create express written consent.
  • Implied consent can be obtained when the person conspicuously publishes their email. That publication cannot be accompanied by a statement that the person doesn’t want to receive unsolicited commercial electronic messages, and the message must be relevant to the person’s business, role, functions or duties in a business or official capacity.
  • An existing business relationship is an exception, which can arise from a purchase or acceptance of a business, investment or gaming opportunity within the past two years.
  • Organizations that don’t comply risk serious penalties, including criminal charges, civil charges, personal liability for company officers and directors, and penalties up to $10 million.

Australia: SPAM Act

The SPAM Act of 2003 prohibits the sending of unsolicited commercial electronic messages with an Australian link. Commercial electronic messages offer, advertise or promote the supply of goods, services, land or business or investment opportunities. A message has an Australian link if it originates or was commissioned in Australia or was sent to an address accessed in Australia.

  • The recipient of the message must provide express or inferred consent.
  • Examples of express consent include an opt-in box on a form or website, verbal confirmation over the phone or face-to-face, or swapping business cards. An electronic message requesting consent does not qualify.
  • Inferred consent can occur in an existing business or other relationship, or when a person publicly publishes their work-related email address. That posting must not state that the person doesn’t want to receive commercial messages, and the subject of the message must be directly related to the role or function of the recipient.
  • Every email must contain an unsubscribe option that must be honored within five working days.
  • The email must correctly identify the sender or the individual or organization that authorized the email send, and it must include information about how the recipient can contact you.
  • Violations of the Spam Act have a maximum penalty of $2.1 million.

The GDPR, or the EU General Data Protection Regulation, regulates how businesses use and protect the personal data of European Union citizens. Read our previous Compliance Corner post on the GDPR.

Compliance Corner is a feature on the PeopleScout blog. At least once a month, we’ll be featuring a compliance issue that’s in the news or on our minds. Understanding the patchwork of labor laws across the world is complicated, but it’s part of what we do best. If you have questions on the compliance issue discussed in this post, please reach out to your PeopleScout account team or contact us at

Post by Nicole Fuqua