Compliance · Canadian email law
CASL Compliance Guide: How to Send Legal Commercial Email in Canada
CASL — Canada’s Anti-Spam Legislation — requires consent before you send a single commercial message to a Canadian recipient, making it an opt-in law unlike the US CAN-SPAM. Every message must contain three things: valid consent, clear identification with contact details, and an unsubscribe mechanism that works for at least 60 days and is honoured within 10 business days. Consent is either express (a positive opt-in that never expires until withdrawn) or implied (from an existing relationship, which does expire). The sender always bears the burden of proving consent, and penalties reach 10 million dollars per violation for a business.
Key takeaways
- It’s opt-in. You need consent before the first message — you cannot email a Canadian recipient and hope they don’t object.
- Three elements, every message. Consent, identification with contact info, and a working unsubscribe valid for at least 60 days.
- Express beats implied. Express consent never expires; implied consent runs out — 24 months after a purchase, 6 months after an inquiry.
- You must prove consent. The burden is on the sender, so consent records are not optional bookkeeping — they are your legal defence.
- Penalties are real. Up to $10M per violation for a business, with directors personally liable.
CASL has a reputation as one of the strictest anti-spam laws in the world, and for senders used to the permissive US model it can feel daunting. It needn’t. The law reduces to a short list of obligations that, once built into your sending process, run quietly in the background. This guide is the practical version: not a tour of the statute, but a working playbook for capturing consent, sending compliant messages, and keeping the records that protect you. None of it is legal advice — for your specific situation, consult a lawyer familiar with CASL.
What is CASL, and how is it different from CAN-SPAM?
CASL is Canada’s federal anti-spam law, in force since July 2014 and enforced by the Canadian Radio-television and Telecommunications Commission, the CRTC. It governs commercial electronic messages — CEMs — which include email, SMS, and social messages whose purpose is to encourage participation in a commercial activity. If your recipient is in Canada, CASL applies to you regardless of where your business sits, so a US or European sender mailing Canadians is fully on the hook.
The defining difference from the American CAN-SPAM Act is consent. CAN-SPAM is opt-out: you may email until someone unsubscribes. CASL is opt-in: you must have consent before you send the first message. That single inversion changes everything downstream — it means a purchased list is unusable under CASL, that a scraped address is not a lead but a liability, and that your compliance work happens at the moment of collection rather than at the moment of complaint. Build for consent first, and the rest of CASL follows naturally.
The three things every message must contain
Whatever else you do, every CEM you send must carry three elements, and missing any one makes the message non-compliant even if your consent is perfect. The first is valid consent, which we cover in detail below. The second is identification: the message must clearly say who is sending it, on whose behalf if relevant, and include contact information — a mailing address plus at least one of a phone number, email address, or web address — that stays valid for 60 days after sending.
The third is a working unsubscribe mechanism. It must be clear and easy to use, it must let the recipient opt out at no cost and with minimal effort, and it must remain functional for at least 60 days after the message goes out. When someone unsubscribes, you have 10 business days to stop sending. These three together — consent, identification, unsubscribe — are the non-negotiable spine of every compliant Canadian message, transactional exemptions aside.
Express versus implied consent: which do you have?
Consent under CASL comes in two forms, and knowing which one you hold for each contact is the heart of compliance. Express consent is a positive, deliberate opt-in: the recipient actively agrees to receive your messages, in writing or orally, through an unchecked box or an equivalent affirmative step. It does not expire — once given, it lasts until the recipient withdraws it — but the request must disclose your identity, the purpose, the mailing address, and the right to withdraw. One trap worth flagging: an email asking for express consent is itself a CEM, so you cannot cold-email someone to request permission you don’t yet have.
Implied consent is narrower and temporary. It exists only in specific situations the law defines: an existing business relationship such as a recent purchase, which carries implied consent for 24 months, or an inquiry, which carries it for 6 months; an existing non-business relationship; a conspicuously published address with no statement against receiving messages; or an address the person disclosed to you directly. Because implied consent expires, relying on it is a clock you have to watch. The safe default, always, is to convert implied consent to express consent before it runs out.
How do you capture and prove consent?
Under CASL the burden of proof sits entirely on the sender: if the CRTC investigates a complaint, you must be able to demonstrate that you had valid consent at the moment you sent. That makes consent records the centre of gravity for compliance, not an afterthought. For every express consent, log when it was obtained, how it was obtained, exactly what the recipient was told at the time, the specific address it covers, and any limits on it. For implied consent, record the date of the triggering event — the purchase or the inquiry — because that date is what determines when the consent expires.
In practice this means wiring consent capture into your systems rather than trusting memory. A CRM that timestamps and stores each opt-in, paired with tamper-evident logs, gives you the evidential trail the CRTC expects and supports a due-diligence defence if something slips through. The law sets no fixed retention period, but keeping records for around three years after a relationship ends is a sensible floor. The discipline that protects you is simple to state and easy to neglect: if you cannot prove the consent, for CASL purposes you do not have it.
# Express consent: an UNCHECKED opt-in with full disclosure [ ] Yes, I agree to receive commercial emails from Acme Inc. (4711 Yonge Street, Toronto ON · support@acme.ca). I can withdraw consent anytime via the unsubscribe link. # What you log for every opt-in (proof rests on YOU): consent_type: express date: 2026-06-16T14:22Z method: web_form address: user@example.ca disclosed: identity+purpose+address+withdrawal # Every CEM footer: identification + 60-day unsubscribe Acme Inc., 4711 Yonge Street, Toronto ON · [ Unsubscribe ]
Building a compliant unsubscribe process
The unsubscribe mechanism is where CASL enforcement most often bites, so treat it as a system rather than a link. It has to be clear and prominent, cost the recipient nothing, and work for at least 60 days after the message was sent — a link that dies when a campaign ends is a violation waiting to happen. Once a request comes in, the law gives you 10 business days to act, though honouring it faster protects both your compliance posture and your sender reputation.
The detail that catches senders is scope. An unsubscribe must actually stop the mail across every list and every system, not just the one campaign it arrived from. The Compu-Finder case — which drew a 1.1 million dollar penalty — turned in part on recipients who unsubscribed yet kept receiving messages. Synchronise opt-outs across your CRM, your sending platform, and any partner lists so that one withdrawal removes the address everywhere, and verify periodically that your platform is genuinely processing requests within the window.
Tracking implied consent and re-consent
If any part of your list runs on implied consent, you are managing a set of expiry dates, and ignoring them is how compliant senders quietly drift out of compliance. An address acquired through a purchase is good for 24 months from that purchase; one from an inquiry, 6 months. When the clock runs out and you have not obtained express consent, you must stop sending to that contact. That means your system needs to know, per contact, both the consent type and the date it started.
The remedy is a re-consent campaign run before expiry, while you still have the right to email. A well-timed message that explains the value of staying subscribed and offers a simple express opt-in converts your most engaged implied contacts into durable express consent and lets the rest lapse cleanly. Done early, it is a routine list-hygiene task; done late, it is impossible, because the very email asking to re-consent would itself be a non-compliant CEM. Our consent management guide covers building this into your lifecycle.
Does CASL apply to B2B and cold email?
Mostly yes, with one narrow exception that is easy to overstate. Unlike CAN-SPAM, which has no business-to-business carve-out at all, CASL does exempt one specific case: a message sent between employees or representatives of two organisations that already have a relationship, where the message concerns the activities of the recipient organisation. That is a genuine exemption, but it is narrow — it does not cover general B2B cold outreach to companies you have no relationship with, and work email addresses are not categorically exempt.
For cold email the bottom line is blunt: without consent or a qualifying relationship, you cannot send a commercial message to a Canadian recipient, full stop. You especially cannot mail a purchased or scraped list, since by definition you have neither express nor implied consent for those addresses — and purchased-list sending is one of the most common triggers for CRTC enforcement. If your outreach model depends on emailing strangers, CASL is a wall, not a hurdle, and the compliant path is to build consent before the first message rather than after the complaint.
Penalties, enforcement, and the due-diligence defence
The numbers are what make CASL impossible to ignore: administrative monetary penalties run up to 10 million dollars per violation for a business and 1 million for an individual, and directors or officers who authorised or participated in a violation can be held personally liable. The CRTC enforces actively — its 2025 actions included penalties from a few thousand to a few hundred thousand dollars — and the landmark Compu-Finder case showed it will reach the millions for flagrant, unrepentant non-compliance.
There is genuine room to breathe, though, for senders acting in good faith. CASL provides a due-diligence defence: if you took reasonable steps to prevent a violation and can prove those steps with tangible evidence, that defence is available to you — which is, again, why your consent records matter so much. The CRTC also frequently resolves minor first-time issues through compliance undertakings rather than penalties when the sender demonstrates good faith. A note on private lawsuits: CASL contains a private right of action, but its coming-into-force was suspended and has not been reinstated, so for now enforcement runs through the regulator rather than the courts — a latent risk worth tracking, not a current one.
A practical CASL compliance checklist
Pulling it together, compliant Canadian sending is a short, repeatable routine. Default to express consent with an unchecked opt-in that discloses your identity, purpose, mailing address, and the right to withdraw. Log every consent with its type, date, and method, and store those records where you can produce them on demand. Put identification and a working 60-day unsubscribe in every message, process opt-outs within 10 business days, and synchronise them across all your lists. Track implied-consent expiry and re-consent before the clock runs out. Never mail a purchased list, and train anyone who sends commercial messages on these rules.
The reframe worth keeping is that CASL is not only a constraint — it is a forcing function for a clean, consented, engaged list, which is exactly what earns inbox placement in the first place. For the neighbouring obligations, the PIPEDA compliance guide covers how you may collect and handle the addresses behind your consent, the GDPR email guide covers your European recipients, and the data residency guide covers where that data is allowed to live. Owning your sending infrastructure gives you the control over suppression and record-keeping that turns all of this from a burden into an advantage.