Notice and Privacy Policy

As noted above, under statutes specific to electronic marketing and telemarketing, consent is generally required to send CEMs, or unsolicited telecommunications to consumers registered on the NDNCL, and to make “robocalls” for the purpose of solicitation.  Consent is also generally required under private sector privacy laws for any collection, use or disclosure of personal information.  Each of these laws has separate requirements for the form of consent required.

Unsolicited Telecommunications Rules

Under the Unsolicited Telecommunications Rules, express consent is required in order to make telemarketing telecommunications to consumers on the NDNCL (subject to certain exceptions, outlined above) and robocalls to anyone for the purpose of solicitation.  Acceptable forms of express consent are:

  • written consent;
  • oral consent, including
    • when the consent is verified by an independent third party; or
    • where an audio recording of the consent is retained by the telemarketer or client of the telemarketer;
  • electronic consent using a toll-free number or via the Internet; or
  • other methods where a documented record of consumer consent is created by the consumer or by an independent third party.

In all cases, the onus is on the telemarketer and, where applicable, the client of the telemarketer to demonstrate that valid express consent was given by the consumer.  The wording used to obtain the consent must clearly specify the type of marketing communication, including the technology (i.e., voice telephony, fax, robocall) through which it might be received. 

A consumer may withdraw his or her express consent at any time.


Canada’s Anti-Spam Legislation (CASL)

Under CASL, express consent is generally required for the sending of CEMs (i.e., messages that encourage participation in a commercial activity, including messages that generally promote a product, service, person or brand), subject to certain limited exceptions, outlined above.

Express consent can be obtained in writing (including through electronic means) or orally, but may not be based on a failure to uncheck a pre-checked box; rather, a positive affirmation from the individual providing consent is required. In all cases, the onus is on the person on whose behalf the message is sent to prove s/he has obtained consent to send the message.  The wording used to obtain the consent must clearly specify the type of marketing communication in question, including the technology (i.e., email, text message, direct social media message) through which it might be received. 

Any request for consent must include:

  • The name of the person sending the message, and the name of the person on whose behalf the message is sent, if different (identifying which is the sender and which is the party on whose behalf the message is sent);
  • Contact information (mailing addressing and one of a phone number, a web address or an email address) of the person on whose behalf consent is sought; and
  • A statement indicating that consent can be withdrawn.

Unless some other exception or exemption is available, an organization may not send an electronic communication, in order to request consent, since the law deems such a message to itself be a CEM.

The CRTC has issued information bulletins to provide guidance and examples of recommended or best practices, including requirements for collection of consent through mobile devices, including Compliance and Enforcement Information Bulletin CRTC 2012-548, Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC) and Compliance and Enforcement Information Bulletin CRTC 2012-549, Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation.

Please visit:


Privacy Law

PIPEDA (the federal private sector privacy law) is much less prescriptive than the foregoing direct marketing laws with respect to form requirements, but does generally require disclosure of all of the purposes for which personal information will be collected, used and disclosed.

Where consent is obtained, the wording used to obtain the consent must clearly indicate the intended purposes for processing the individual’s personal information , along with other required information described below, such as contact details for the individual accountable for compliance, an outline of how individuals may access their personal information, a description of the uses of information with respect to which an individual may opt-out and whether personal information will be stored or processed outside of Canada.

Typically, a comprehensive privacy policy describes how organizations will comply with their legal disclosure obligations under privacy laws.  For express consent, a consent statement should provide a high-level outline of the purposes for consent, with a reference to the full privacy policy.  For implied consent, such as where the use of a website is deemed to signify consent to the terms of the privacy policy, reasonable efforts must be made to bring the policy to the attention of the individual, including, as applicable, clearly posting the policy on the organization’s website, making the policy available at point of sale, and mailing a copy to known customers.

Recent guidance by the Office of the Privacy Commissioner of Canada indicates that, in order to satisfy PIPEDA’s requirement that the purposes for and consequences of obtaining personal information  be understood by the individuals, organizations are expected to present their privacy policies and related disclosures in ways that emphasize key elements, provide clear options to individuals, and allow readers to readily focus on the matters of greatest interest to them.

Please visit:

Early in 2019, the Canadian Marketing Association issued its Guide to Transparency for Consumers to help companies respond to new Guidelines for Meaningful Consent issued by the Office of the Privacy Commissioner of Canada.

Please visit: