fbpx Skip to main content Skip to search

Archives for October 2021

CRA ramps up security in wake of hacks

Canada Revenue Agency ramps up security in wake of hacks

The Canada Revenue Agency is ramping up its security measures for online taxpayer accounts as it deals with continued intrusions by hackers and identity thieves. The security of the CRA’s own systems hasn’t been at issue. Rather, hackers have been using user name and password combinations obtained on other websites to try to access the online accounts of taxpayers, which can be used to apply for income support benefits and contain banking information. If an individual has used the same combination for the compromised site and for their CRA login, their account is vulnerable to being exploited by identity thieves. The CRA says it’s moved to lock down hundreds of thousands of accounts in recent months. Even so, thousands of taxpayers have fallen victim to identity theft related to fraudulently claimed Canada Emergency Response Benefit payments, as I wrote last week. The agency will move to tighten log-in procedures in coming months by eventually requiring all taxpayers accessing their online accounts to use what is called two-step verification. After entering the correct user name and password, taxpayers will be sent a one-use numerical code either by text or by voice that is then used to complete the log-in process. Cybersecurity experts have said two-step verification would reduce the ability of identity thieves to access vulnerable CRA accounts.

Right now, two-step verification is available, but not mandatory (although once you sign up, you have to continue using the process). The CRA says it’s working to enroll users of its My Account service over the next few months, a process it expects will be completed by the end of the summer. Taxing questions If the government makes me pay it money, isn’t that a tax? That’s the question a reader asked on Twitter in the wake of Thursday’s ruling from the Supreme Court that upheld the constitutionality of Ottawa’s legislation to reduce greenhouse gases. In that ruling, the court also held that the system of carbon pricing is not a tax, despite it often being referred to as a carbon tax. The key legal issue isn’t whether a fee is obligatory, but whether it’s aimed at changing behaviour (versus simply raising revenue). Not all fees charged by the government are taxes, according to the strict legal definition. Some are regulatory charges, connected to a “regulatory scheme,” and “designed to proscribe, prohibit, or lend preference to a behaviour.” The court found that the extra costs added to fossil fuel meet that definition of a measure that aims to change behaviour, as opposed to a tax that is intended to raise revenue.

Patrick Brethour – The Globe and Mail 

Read more
Turner Moore: Canada Anti-Spam

Do You Have a Spare Million? What You Need to Know About Canada’s Anti-Spam Laws

Do You Have a Spare Million? What You Need to Know About Canada’s Anti-Spam Laws

Almost every business sends electronic messages. If yours is one of them, you must be familiar with Canada’s anti-spam legislation (CASL). Though the legislation has been fully in effect since July 1, 2014, there remains a lot of confusion around it. CASL affects every type of business from private enterprises to not-for-profit groups and charities.

Who does CASL affect?

CASL’s anti-spam provisions affect everyone who sends commercial electronic messages (CEMs) to, from or within Canada. A CEM is any electronic message that encourages participation in a commercial activity, regardless of any expectation of profit. The term is “tech-neutral;” in other words, it applies to emails, text messages, social media and other similar forms of communication. The general rule is, unless exempt under the legislation, a sender must have the consent (either express or implied) of the recipient before sending a CEM.

Why should you care?

There is a reputational risk if your business or not-for-profit group breaks the law, but CASL also allows for the imposition of rather significant fines. The maximum penalty for a breach by an individual is $1 million and for an organization is $10 million.
In addition to the potential risk posed to your business or not-for-profit group, the legislation also imposes what is called “vicarious liability”. This means that not only is the organization that violates the law held accountable but so are its officers and directors, and employers are responsible for the actions of their employees. This means that any of these individuals may also be fined.

Does the general public care?

The Canadian Radio-television and Telecommunications Commission (CRTC) is responsible for the enforcement of CASL. Between April and September 2018, the CRTC received 137,000 complaints. That’s more than 5,000 complaints each week, which represents a lot of very annoyed consumers.

While not every complaint will result in an investigation and the imposition of a fine, you don’t want to be on the receiving end of either. Significant fines have already been imposed. The first instance occurred in 2014, when a Quebec business was fined $1.1 million for sending emails in violation of the legislation. Very few businesses can survive paying a penalty of that size.


As noted above, unless you fit within one of the exceptions set out in CASL, you must have the recipient’s consent before sending a CEM. There are two categories of exceptions:

• exceptions where neither consent nor mandatory content rules apply
• exceptions where mandatory content rules apply but consent is not required

You can’t request consent if you don’t have consent

Unless you fit within one of the exceptions, you must have the recipient’s express or implied consent in order to send a CEM. It should be noted that a CEM asking for consent is still a CEM. In other words, you need consent in order to send such a request.

Express consent means that you expressly agree to receive CEMs. That consent can be oral but only if it is verified by a third party or recorded. Consent must not be bundled with terms and conditions. This means that, for example, it is insufficient to include the consent in the terms and conditions accepted to buy goods or use a service.

Further, opting-out isn’t enough. People have to opt-in to receive CEMs. In other words, people must take an active step to signify their consent. This could include checking a box or typing in a word or email address.

Implied consent

Examples of implied consent include the following:

  • existing business relationship if you either:
    • purchased services within the past two years
    • made an enquiry within the past six months
  • existing non-business relationship if in the past two years, you either:
    • made a donation or gift to, or performed volunteer work for, a charity registered under the Income Tax Act or a political party
    • were a member in a “club,” “association” or “voluntary organization”

It should be noted that clubs, associations and voluntary organizations are non-profit entities organized and operated exclusively for the social welfare, civic improvement, pleasure, or recreation or for any purpose other than personal profit if no part of their income is payable to any owner, member or shareholder.

Mandatory content of CEMs

Subject to certain exceptions, each CEM must contain the following information:

  • the sender’s name, telephone number and email / web address, as well as their affiliates and beneficiaries
  • a physical mailing address, which remains accurate for at least 60 days after the message is sent
  • an unsubscribe mechanism

The unsubscribe mechanism must be “readily performed.” This means that it must be quickly accessible, simple and easy to use. It is very important to keep the communication distribution lists up to date. If someone has unsubscribed, you must remove them from your distribution list. Any opt-out or unsubscribe request must be honoured “without delay” and, at a maximum, no later than 10 business days after it is received.

Exceptions to consent and mandatory content rules

The exceptions to the requirements for mandatory content and consent are few and narrowly defined. A few such exceptions include the sending of CEMs:

  • solely as an inquiry or application regarding recipient’s existing commercial activities
  • between employees, representatives, consultants or franchisees of an organization regarding the organization’s activities
  • to enforce a right
  • by a charity that is registered under the Income Tax Act and has fund raising as its primary purpose

Exceptions where mandatory content does apply but consent is not required

You are exempt from the consent requirements but must comply with the mandatory content requirements if you are sending a CEM to:

  • provide a requested quotation
  • facilitate, complete or confirm a commercial transaction that the recipient previously agreed to enter
  • provide warranty, recall or safety info about a purchase
  • provide info about an existing employment relationship or related benefits


CASL is complicated legislation. This overview is intended to highlight the most important provisions in a simple way. It does not cover all the details. In order to ensure that you are in compliance with CASL, you must review the legislation and its regulations in their entirety and seek counsel.

BUSINESS MATTERS deals with a number of complex issues in a concise manner; it is recommended that accounting, legal or other appropriate professional advice should be sought before acting upon any of the information contained therein. Although every reasonable effort has been made to ensure the accuracy of the information contained in this letter, no individual or organization involved in either the preparation or distribution of this letter accepts any contractual, tortious, or any other form of liability for its contents or for any consequences arising from its use. BUSINESS MATTERS is prepared bimonthly by the Chartered Professional Accountants of Canada for the clients of its members.
Read more