Canada's Anti-Spam Legislation (CASL) is among the strictest email marketing laws in the world. Unlike the US CAN-SPAM Act, which allows commercial email unless recipients opt out, CASL requires consent before you can send commercial electronic messages to Canadians. This guide covers CASL compliance, from consent requirements and content rules to enforcement penalties and practical implementation strategies.
Understanding CASL
Before diving into compliance requirements, let's understand what CASL is, who it applies to, and what messages it covers.
What Is CASL?
Canada's Anti-Spam Legislation, in force since July 1, 2014, is one of the world's toughest anti-spam laws.
CASL's Scope Includes:
- Commercial Electronic Messages (CEMs)
- Software installation and updates
- Alteration of transmission data
- Collection of electronic addresses (harvesting)
Key CASL Principles:
- Consent Required: No sending without permission (express or implied)
- Identification: Clear sender identification in every message
- Unsubscribe: Easy, functional opt-out mechanism
- Accountability: Record-keeping and compliance demonstration
Who Must Comply with CASL?
CASL Applies To:
- Messages sent from Canada
- Messages sent to Canadian recipients
- Messages accessed in Canada
- Any organization with Canadian customers
This Means:
- Canadian businesses must comply for all recipients
- International businesses must comply for Canadian recipients
- Messages routed through Canada may trigger CASL
- Virtual presence in Canada can establish jurisdiction
Practical Implication: If you have any Canadian contacts on your email list, CASL requirements apply to those contacts.
What Messages Does CASL Cover?
Commercial Electronic Messages (CEMs): CASL applies to any electronic message that has a commercial purpose, including:
Covered Messages:
- Marketing emails
- Promotional newsletters
- Sales offers
- Product announcements
- Most B2B prospecting emails
- Text messages (SMS/MMS)
- Social media messages with commercial purpose
Determining Commercial Purpose: Consider whether a reasonable recipient would conclude the message:
- Encourages participation in commercial activity
- Promotes a product, service, or business
- Promotes a person who engages in commercial activity
Exempt Messages:
- Messages to family members (reasonable relationship)
- Messages in response to inquiries
- Quotes or estimates previously requested
- Warranty or recall information
- Messages required by law
- Court-ordered messages
- Messages sent to addresses published without restrictions (with conditions)
The Consent Foundation
Unlike CAN-SPAM's opt-out approach, CASL is built on consent:
Express Consent: Explicit permission before sending. The gold standard.
Implied Consent: Permission inferred from business relationships or other circumstances. Has limitations and expiration dates.
No Consent = No Sending: You cannot send commercial messages to Canadian recipients without one of these consent types.
Express Consent Under CASL
Express consent is explicit, affirmative permission to receive commercial electronic messages. It's the most robust and preferred form of consent.
Requirements for Valid Express Consent
Express Consent Must Be:
Clear and Positive: Active agreement, not passive acceptance. No pre-checked boxes.
Informed: The person must understand what they're consenting to.
Specific: Who will be sending and what type of messages.
Recorded: You must be able to prove consent was obtained.
What You Must Disclose When Seeking Consent
Before obtaining consent, you must clearly provide:
1. Purpose of Consent: Describe what messages will be sent and how often.
Example: "We'll send you weekly email marketing tips, product updates, and occasional promotional offers."
2. Identity of Sender: Name of the organization seeking consent.
Example: "EmailVerify will send you these emails."
3. Contact Information: Mailing address plus one of:
- Telephone number
- Email address
- Web address
4. Statement of Withdrawal: How they can unsubscribe and that they may do so at any time.
Example: "You can unsubscribe at any time by clicking the unsubscribe link in any email."
5. Third-Party Disclosure (if applicable): If consent is sought on behalf of others, name them.
Express Consent Form Examples
Compliant Consent Form:
```
Email: [________________]

□ Yes, I want to receive email communications from EmailVerify,
  including weekly marketing tips, product updates, and
  promotional offers.

You can unsubscribe at any time using the link in any email.

EmailVerify Inc.
123 Main Street
Toronto, ON M5V 1A1
info@emailverify.ai

[Subscribe]
```
Non-Compliant Consent Form:
```
Email: [________________]

☑ I agree to receive emails (pre-checked)

[Submit]
```
Double Opt-In for Express Consent
While not required by CASL, double opt-in provides stronger evidence of consent:
Process:
- User submits email and checks consent box
- Confirmation email sent (this message is exempt under CASL)
- User clicks confirmation link
- Subscription activated
Benefits:
- Stronger proof of consent
- Reduces typos and fake signups
- Better list quality
- Supports defense if challenged
Express Consent Duration
Express Consent Does Not Expire: Once obtained, express consent remains valid until withdrawn.
However, Consider:
- Subscribers who never engage may have changed email addresses
- Very old consent may be harder to prove
- Regular re-engagement helps maintain list quality
Best Practice: Maintain active consent records and periodically confirm interest from long-inactive subscribers.
Implied Consent Under CASL
Implied consent allows sending without explicit permission in specific circumstances, but comes with important limitations.
Types of Implied Consent
1. Existing Business Relationship: You may send to someone you have a business relationship with.
Qualifying Relationships:
- Purchase of goods, services, or business opportunity in past 24 months
- Written contract in effect or expired within past 24 months
- Bartering arrangement within past 24 months
Duration: 24 months from most recent transaction or contract expiration.
2. Existing Non-Business Relationship: For clubs, charities, political parties, and similar organizations.
Qualifying Relationships:
- Membership in club, association, or organization within past 24 months
- Volunteer work within past 24 months
- Donation or gift within past 24 months
Duration: 24 months from most recent interaction.
3. Inquiry Relationship: Someone who inquired about your goods, services, or business.
What Counts:
- Requested quote or proposal
- Asked about products/services
- Made application or inquiry
Duration: 6 months from inquiry.
4. Conspicuously Published Address: Email addresses publicly published without restrictions.
Requirements:
- Address must be "conspicuously published"
- No statement that unsolicited messages aren't welcome
- Message must be relevant to recipient's business role/function
- Identity of sender clearly stated in message
Example: Contacting a business development manager whose email appears on company website, regarding a B2B partnership opportunity.
Limitations: This doesn't authorize bulk emailing everyone whose address appears online. Messages must be relevant to their published role.
Implied Consent Expiration
Critical Difference from Express Consent: Implied consent expires.
| Consent Type | Duration |
|---|---|
| Business Relationship | 24 months from transaction |
| Contract | 24 months after contract ends |
| Inquiry | 6 months from inquiry |
| Membership/Volunteer/Donation | 24 months from activity |
Before Expiration: Convert implied consent to express consent by:
- Including opt-in opportunity in messages
- Running re-permission campaigns
- Clearly requesting ongoing consent
Managing Implied Consent
Documentation Requirements: For each contact with implied consent, record:
- Type of relationship
- Date relationship was established
- When consent expires
- Source documentation
Database Setup:
```
subscriber_records:
  - email: contact@company.com
    consent_type: implied_business
    relationship_date: 2024-12-01
    consent_expires: 2026-12-01
    relationship_source: "Invoice #12345"
    converted_to_express: false
```
Automated Reminders: Set up alerts for consent expiration:
- 60 days before: Run re-permission campaign
- 30 days before: Final opt-in request
- On expiration: Move to suppression list unless express consent obtained
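The expiry windows and reminder schedule above can be evaluated per record as follows. This is an added example, not code from the original guide: field names follow the sample record, while the consent-type labels other than `implied_business`, the function names, and the sample dates are assumptions.

```python
import calendar
from datetime import date

# Validity windows in months, from the expiration table above. Only
# "implied_business" appears on the page; the other labels are assumed.
WINDOW_MONTHS = {
    "implied_business": 24,
    "implied_contract": 24,
    "implied_non_business": 24,
    "implied_inquiry": 6,
}


def add_months(start: date, months: int) -> date:
    """Calendar-month addition, clamped to the last day of short months."""
    index = start.year * 12 + (start.month - 1) + months
    year, month = divmod(index, 12)
    month += 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def consent_expiry(record: dict):
    """Return the expiry date, or None for express consent (no expiry)."""
    if record.get("converted_to_express") or record["consent_type"] == "express":
        return None
    months = WINDOW_MONTHS[record["consent_type"]]
    computed = add_months(record["relationship_date"], months)
    stored = record.get("consent_expires")
    # Never trust a stored date that is later than the window allows.
    return min(computed, stored) if stored else computed


def next_action(record: dict, today: date) -> str:
    """Map a record to send / re_permission / final_opt_in / suppress."""
    try:
        expires = consent_expiry(record)
    except KeyError:
        return "suppress"  # undocumented type or missing date: fail closed
    if expires is None:
        return "send"
    days_left = (expires - today).days
    if days_left <= 0:
        return "suppress"       # on expiration: move to suppression list
    if days_left <= 30:
        return "final_opt_in"   # 30 days before: final opt-in request
    if days_left <= 60:
        return "re_permission"  # 60 days before: re-permission campaign
    return "send"


# The page's sample record, with dates as date objects.
PAGE_RECORD = {
    "email": "contact@company.com",
    "consent_type": "implied_business",
    "relationship_date": date(2024, 12, 1),
    "consent_expires": date(2026, 12, 1),
    "relationship_source": "Invoice #12345",
    "converted_to_express": False,
}

if __name__ == "__main__":
    # Constructed evaluation dates around the expiry of the sample record.
    for day in (date(2026, 9, 1), date(2026, 10, 15),
                date(2026, 11, 10), date(2026, 12, 1)):
        print(day, next_action(PAGE_RECORD, day))
```

Records with an unknown consent type or a missing relationship date are suppressed rather than sent, which matches the guide's rule that every address needs documented consent.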
CEM Content Requirements
Every commercial electronic message must include specific content elements.
Required Message Elements
1. Sender Identification: Clearly identify who is sending the message.
Required Information:
- Name of sending organization
- If sending on behalf of another, identify both parties
- Must be truthful and not misleading
Header Requirements:
- Accurate "From" field
- Honest "Reply-To" routing
- No spoofing or impersonation
2. Contact Information: Include valid contact information.
Required:
- Mailing address, AND
- One of: telephone number, email address, or website URL
Contact Information Must:
- Be valid for at least 60 days after message sent
- Enable direct contact with sender
- Be readily accessible (not hidden)
3. Unsubscribe Mechanism: Every CEM must include a working way to unsubscribe.
Requirements:
- Clear and conspicuous
- Easy to use
- Must work for at least 60 days after sending
- Unsubscribe address/link must be valid
- Cannot charge a fee
- Cannot require more than sender's name and address to unsubscribe
4. Unsubscribe Processing: Honor opt-out requests within 10 business days.
After Receiving Request:
- Stop sending within 10 business days
- Add to suppression list
- Cannot sell or transfer the address
- Cannot have others send on your behalf
Email Footer Example
```
You're receiving this email from EmailVerify because you
previously made a purchase from us.

To unsubscribe from future marketing emails, click here: [Unsubscribe]
Or reply to this email with "Unsubscribe" in the subject line.

EmailVerify Inc.
123 Main Street
Toronto, ON M5V 1A1
Canada

Phone: 1-800-555-0123
Email: support@emailverify.ai
```
CASL Penalties and Enforcement
CASL carries significant penalties, making compliance essential.
Administrative Monetary Penalties (AMPs)
Maximum Penalties:
- Individuals: Up to $1 million CAD per violation
- Organizations: Up to $10 million CAD per violation
Penalty Calculation Factors:
- Nature and scope of violation
- History of prior violations
- Financial benefit from violation
- Ability to pay
- Voluntary compliance efforts
- Deferred compliance agreements
Personal Liability
Directors and Officers: Can be personally liable if they:
- Directed, authorized, or acquiesced to violations
- Were in a position to prevent violations and didn't
This means executives can face personal fines up to $1 million.
Private Right of Action
Individuals and Organizations Can Sue: CASL includes a private right of action allowing:
- Lawsuits by individuals affected by violations
- Actual damages plus statutory damages up to $1 million per day
- Class action lawsuits for widespread violations
Note: The private right of action provisions have been delayed but may be activated in the future.
Enforcement Agencies
Three Agencies Enforce CASL:
CRTC (Canadian Radio-television and Telecommunications Commission): Primary enforcement for spam and related violations.
Competition Bureau: Handles false or misleading marketing claims.
Office of the Privacy Commissioner: Addresses personal information collection without consent.
Notable Enforcement Actions
CompuFinder ($1.1 million): Sending CEMs without consent, improper unsubscribe.
Porter Airlines ($150,000): Sending promotional emails without proper consent.
Blackstone Learning ($640,000): Misleading email marketing practices.
Compu-Finder: First major CASL penalty, demonstrating enforcement is real.
These cases show regulators actively enforce CASL with significant penalties.
CASL Compliance Checklist
Use this comprehensive checklist to audit your email marketing program.
Consent Management
- [ ] Express consent form includes all required disclosures
- [ ] Consent boxes are unchecked by default
- [ ] Consent records include date, source, and text shown
- [ ] Implied consent types are documented
- [ ] Implied consent expiration dates are tracked
- [ ] Re-permission process exists for expiring consent
- [ ] Double opt-in is implemented (recommended)
Message Content
- [ ] Sender clearly identified in all messages
- [ ] Mailing address included in every CEM
- [ ] Additional contact method included (phone, email, or website)
- [ ] Contact information valid for 60+ days
- [ ] Unsubscribe mechanism in every message
- [ ] Unsubscribe is easy and free to use
- [ ] Unsubscribe works for 60+ days after sending
Unsubscribe Processing
- [ ] Opt-outs processed within 10 business days
- [ ] Suppression list permanently maintained
- [ ] Addresses not sold or transferred after opt-out
- [ ] Staff trained on unsubscribe handling
List Management
- [ ] All addresses have documented consent (express or implied)
- [ ] Consent type and expiration tracked for each address
- [ ] Regular email verification maintains list quality
- [ ] Bounces removed promptly
- [ ] No purchased lists without verified consent
- [ ] List hygiene practiced regularly
Documentation
- [ ] Consent records stored securely
- [ ] Relationship dates documented for implied consent
- [ ] Third-party agreements include CASL compliance requirements
- [ ] Staff training documented
- [ ] Compliance audits performed regularly
CASL vs. Other Regulations
Understanding how CASL compares to other laws helps navigate international compliance.
CASL vs. CAN-SPAM
| Aspect | CASL | CAN-SPAM |
|---|---|---|
| Consent Model | Opt-in (consent required) | Opt-out (consent not required) |
| Consent Types | Express and Implied | N/A |
| Implied Consent Expiration | Yes (6-24 months) | N/A |
| Physical Address Required | Yes | Yes |
| Unsubscribe Required | Yes (60 days valid) | Yes (30 days valid) |
| Unsubscribe Processing | 10 business days | 10 business days |
| Maximum Penalty | $10 million CAD | $51,744 USD/violation |
| Private Right of Action | Yes (delayed) | Limited |
Key Difference: CASL is fundamentally stricter because it requires consent before sending. CAN-SPAM allows sending until someone opts out.
CASL vs. GDPR
| Aspect | CASL | GDPR |
|---|---|---|
| Geographic Scope | Canada | EU |
| Consent Required | Yes | Yes (for marketing) |
| Consent Types | Express/Implied | Consent/Legitimate Interest |
| Data Subject Rights | Limited | Extensive |
| Maximum Penalty | $10 million CAD | €20 million or 4% revenue |
| Documentation | Consent records | Extensive data records |
Both require consent for marketing, but GDPR has broader data protection requirements.
For GDPR guidance, see our GDPR email marketing guide.
Complying with Multiple Regulations
For International Senders:
- Segment lists by recipient jurisdiction
- Apply strictest relevant standard to each segment
- Document consent appropriately for each regulation
- Consider unified approach meeting all requirements
Practical Approach: Build consent processes that satisfy CASL (the strictest for consent) and GDPR (the strictest for data protection), and you'll generally comply with CAN-SPAM and most other regulations.
Best Practices for CASL Compliance
Beyond minimum requirements, these practices support robust compliance.
Building Consent-Based Lists
Organic List Building:
- Website signup forms with proper disclosures
- In-person signups at events (document consent)
- Referral programs (new contacts must consent directly)
- Content upgrades with consent capture
Avoid:
- Purchased lists (can't verify consent)
- Scraped addresses (harvesting violates CASL)
- Assumed consent from business cards
- Adding addresses found online without proper conditions
Converting Implied to Express Consent
Before implied consent expires, convert to express:
Conversion Campaign Example:
```
Subject: Confirm your subscription to EmailVerify

Hi [Name],

We've loved having you as a customer, and we'd like to keep
sending you helpful email marketing tips and updates.

To continue receiving our emails, please confirm your
subscription by clicking below:

[Yes, Keep Me Subscribed]

If you don't confirm, we'll stop sending marketing emails when
your subscription lapses next month. You'll still receive
important transactional emails about your account.

Thank you for being part of our community!
```
Timing:
- Start conversion campaigns 60-90 days before expiration
- Send 2-3 reminder emails
- Move non-responders to suppression list on expiration date
Email Verification and List Quality
Maintaining clean email lists supports CASL compliance:
Why Verification Matters:
- Invalid addresses suggest poor consent practices
- Bounces indicate outdated consent records
- Clean lists demonstrate data quality efforts
Using EmailVerify: EmailVerify's email verification helps maintain compliance:
- Verify at signup to catch typos and fake addresses
- Regular bulk verification removes degraded addresses
- Identify disposable emails that may be low-quality signups
Staff Training
Train Team Members On:
- CASL basics and why compliance matters
- Consent types and requirements
- Message content requirements
- Unsubscribe processing
- Documentation requirements
- Escalation for questions
Create Reference Materials:
- Quick reference cards for consent requirements
- Approved consent language templates
- Escalation contacts for compliance questions
- Regular compliance reminders
Common CASL Mistakes and How to Avoid Them
Learn from these frequent compliance failures.
Mistake 1: Sending Without Consent
The Problem: Emailing Canadian addresses without express or valid implied consent.
Common Causes:
- Purchasing lists
- Adding contacts from business cards without consent
- Assuming prior relationship equals consent
- Not tracking consent expiration
The Fix:
- Only email addresses with documented consent
- Verify consent type and validity before adding to marketing lists
- Implement consent tracking in your database
Mistake 2: Incomplete Consent Records
The Problem: Unable to prove consent was properly obtained.
Common Causes:
- Not recording consent at time of collection
- Losing records during system migrations
- Insufficient detail in records
The Fix:
- Capture and store consent details immediately
- Include timestamp, source, consent text, and relationship
- Back up consent records securely
- Test record retrieval regularly
Mistake 3: Missing Message Elements
The Problem: CEMs lacking required sender identification, contact info, or unsubscribe.
Common Causes:
- Template errors
- New employee creating emails without training
- Automated sequences missing elements
The Fix:
- Use approved templates with all required elements
- Train all email creators on requirements
- Audit templates and sequences regularly
- Implement pre-send checklist
Mistake 4: Slow Unsubscribe Processing
The Problem: Taking more than 10 business days to process opt-outs.
Common Causes:
- Manual processing delays
- Technical issues
- Suppression list not synced across systems
The Fix:
- Automate unsubscribe processing
- Sync suppression lists in real-time
- Test unsubscribe flow regularly
- Set up monitoring for processing delays
Mistake 5: Ignoring Implied Consent Expiration
The Problem: Continuing to send after implied consent has expired.
Common Causes:
- Not tracking expiration dates
- No conversion campaigns
- System doesn't flag expired consent
The Fix:
- Track consent type and expiration for each address
- Set up automated expiration alerts
- Run conversion campaigns before expiration
- Move expired addresses to suppression
Mistake 6: Improper B2B Prospecting
The Problem: Cold emailing Canadian business contacts thinking CASL doesn't apply to B2B.
The Reality: CASL applies to both B2B and B2C messages.
The Fix:
- Use conspicuously published address exception carefully
- Ensure messages relate to recipient's role
- Consider partnership/referral approaches for initial contact
- When in doubt, find another way to establish relationship first
CASL Compliance for International Senders
If you're based outside Canada but have Canadian subscribers, CASL still applies.
When CASL Applies to International Senders
CASL Applies If:
- Message is sent to a Canadian address
- Message is accessed in Canada
- Computer system in Canada is used to send message
Practical Meaning: If you have Canadian email addresses on your list, you must comply with CASL for those addresses.
Segmenting Canadian Contacts
Options:
1. Apply CASL Standards to Entire List: If CASL is your strictest requirement, apply it universally. Benefits:
- Simpler compliance
- Better engagement (consent-based lists perform better)
- Prepared for stricter regulations elsewhere
2. Segment by Geography: Apply different standards to different regions:
- CASL requirements for Canadian addresses
- CAN-SPAM requirements for US addresses
- GDPR requirements for EU addresses
Implementation:
- Collect country/region at signup
- Use IP geolocation as backup
- Flag addresses by applicable regulation
- Apply appropriate consent requirements
Cross-Border Consent Collection
When Collecting from Canadian Visitors:
- Include all CASL-required disclosures
- Use proper consent form format
- Store consent records appropriately
- Track as express consent
When Collecting from Mixed Audiences: Design forms that satisfy the strictest applicable requirements (usually CASL or GDPR).
Conclusion
CASL sets a high standard for email marketing consent in Canada. Its opt-in requirement, consent expiration rules, and significant penalties make compliance essential for anyone emailing Canadian recipients.
Key Takeaways:
Consent Is Mandatory: You cannot send commercial emails to Canadians without express or valid implied consent.
Implied Consent Expires: Track expiration dates and convert to express consent before implied consent lapses.
Document Everything: Maintain detailed records of when, how, and what consent was obtained.
Include Required Elements: Every CEM needs sender identification, contact information, and working unsubscribe.
Process Opt-Outs Promptly: Honor unsubscribe requests within 10 business days.
Maintain List Quality: Regular email verification supports clean lists and demonstrates data quality practices.
Penalties Are Serious: Up to $10 million per violation for organizations makes compliance a business imperative.
CASL's strict requirements actually align with email marketing best practices. Consent-based lists outperform unsolicited email in engagement and deliverability. By building proper consent processes and maintaining quality lists, you'll not only comply with CASL but build more effective email marketing programs.
For comprehensive guidance on email regulations worldwide, see our complete email compliance guide. Ensure your Canadian subscriber lists contain only valid, deliverable addresses with EmailVerify's email verification service.