CASL Loophole

In looking at the new regulatory framework for CASL, which was just released late on Tuesday of last week by Industry Canada, I noticed this bit:

3. Section 6 of the Act does not apply to a commercial electronic message…

(f) if the person who sends the message or causes or permits it to be sent reasonably believes the message will be accessed in a foreign state that is listed in the schedule and the message conforms to the law of the foreign state that addresses conduct that is substantially similar to conduct prohibited under section 6 of the Act;

I’m sure this bit was created to prevent American professional spam plaintiffs from using CASL to generate revenue, as we saw when CAN-SPAM was first getting off the ground. But it brings up the interesting question of how you form a “reasonable belief.”¹

In other words, it seems most reasonable to assume that addresses ending in .ca are Canadian. But, what about people who use Gmail addresses? These addresses will end in .com.

I expect that the answer will be fairly fact-intensive. An examination of questions like “Do you have a Canadian mailing address on file?” or “Was the address collected in a Canadian bricks-and-mortar store?” will be a determining factor. But what about websites? Should website owners (especially owners of websites in the US) fairly well disregard CASL when it comes to collecting email addresses on their website if they don’t ask for any other information?

Time will give us the answer to this question, but for now, it looks like the Canadians may have opened up a fairly large loophole.

Footnotes

CASL81000-2-175 (SOR/DORS), Industry Canada, Regulations Amending the Electronic Commerce Protection Regulations (CRTC) (Dec. 3, 2013), http://fightspam.gc.ca/eic/site/030.nsf/eng/00273.html. ↩︎

About the Author

Mickey Chandler is a Consultant & Attorney with over 28 years of experience in Email Deliverability & Privacy Law. He has a strong background in email authentication infrastructure (SPF, DKIM, DMARC), ISP and mailbox provider relations, anti-spam policy and compliance, CAN-SPAM and state anti-spam law gained through overseeing the Abuse & Compliance team at Salesforce Marketing Cloud, originating the ISP relations role at Informz (now part of Higher Logic), and working in the fight against spam since 1997. He holds a B.A. in Government, a B.S. in Computer Information Systems, and a J.D. from the University of Houston Law Center. He is a certified CIPP/US professional and a certified CIPM professional.

crime scene investigator holding a transparent bag with evidence

Authenticating Email Evidence Gets Harder to Contest

13 May 2026

Authenticating email evidence often presents a problem that most counsel underestimate if the opposing party refuses to agree to authenticity.

A DMARC Record Is Only a Suggestion

4 May 2026

A question came up recently on a Slack for email professionals: a message spoofing a domain with a DMARC policy

The SECURE Data Act Moves the Needle, Not the Bar

28 April 2026

On April 21, 2026, Representative Joyce of Pennsylvania introduced the Securing and Establishing Consumer Uniform Rights and Enforcement over Data

Basic Operations

These cookies are necessary for the website to function and cannot be switched off. They are usually set in response to actions made by you such as setting your privacy preferences, logging in, or filling in forms.

Always active

7 cookies in this category

Name	Owner	Duration	Purpose
`comment_author_*`	WordPress	347 days	Saves your name, email address, and website URL when you post a comment so you do not have to re-enter them next time.
`wcc_consent`	WP Cookie Consent	30 days	Stores your cookie consent preferences so you are not asked again on every page visit. Contains only a random identifier — no personal information.
`wordpress_*`	WordPress	Session	Used by WordPress to authenticate logged-in visitors, remember authentication details, and to provide other essential security features.
`wordpress_logged_in_*`	WordPress	Session	Tells WordPress whether you are logged in to the site. WordPress uses this to show you the correct version of the site.
`wordpress_test_cookie`	WordPress	Session	Tests whether cookies are enabled in your browser. Deleted immediately after the test.
`wp-settings-*`	WordPress	1 year	Stores your personal WordPress dashboard and administration interface settings.
`wp_lang`	WordPress	1 year	Remembers your preferred language for the WordPress admin interface.

Content Personalization

These cookies allow the website to remember choices you make and provide enhanced, more personal features. They may also be used to provide services you have asked for.

2 cookies in this category

Name	Owner	Duration	Purpose
`aw_*`	AWeber	1 year	Set by AWeber when you sign up for an email list. Records your subscription status and preferences.
`jetpack*`	Jetpack by Automattic	1 year	Used by Jetpack to provide site statistics, security features, and related functionality.

Site Optimization

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. All information these cookies collect is aggregated and therefore anonymous.

6 cookies in this category

Name	Owner	Duration	Purpose
`_ga`	Google Analytics	2 years	The main Google Analytics cookie. Used to distinguish unique visitors by assigning a randomly generated number as a client identifier.
`_ga_*`	Google Analytics	2 years	Used by Google Analytics 4 to persist session state and measure site usage.
`_gac_*`	Google Analytics / Google Ads	90 days	Contains campaign-related information. Shared between Google Analytics and Google Ads.
`_gat`	Google Analytics	1 minute	Used by Google Analytics to throttle request rate. Expires after 1 minute.
`_gid`	Google Analytics	24 hours	Used by Google Analytics to identify a user session. A new value is assigned each day.
`metricool_visit_*`	Metricool	1 year	Used by Metricool to track page visits and measure website traffic statistics.

Ad Personalization

These cookies may be set through our site by our advertising partners. They may be used to build a profile of your interests and show you relevant adverts on other sites.

1 cookie in this category

Name	Owner	Duration	Purpose
`_gcl_*`	Google Ads	90 days	Used by Google Ads to measure the effectiveness of advertising campaigns and to track conversions.

CASL Loophole

Footnotes

About the Author

Authenticating Email Evidence Gets Harder to Contest

A DMARC Record Is Only a Suggestion

Links

Brands

Connect