Compliance · Canadian email law

CASL Explained: What Canada’s Anti-Spam Law Is and How It Works

CASL, Canada’s Anti-Spam Legislation, is the federal law that governs commercial electronic messages sent to people in Canada. In force since July 2014 and enforced by the CRTC, it prohibits three things: sending a commercial message without consent, altering transmission data to misroute messages, and installing software on someone’s device without permission. For email it is an opt-in law — you need consent, express or implied, before the first message — which makes it stricter than the US CAN-SPAM Act. It applies whenever the recipient is in Canada, regardless of where the sender is, and the burden of proving consent always rests on the sender.

Key takeaways

  • It governs commercial electronic messages. Email, SMS, and social messages whose purpose is to encourage commercial activity.
  • Three prohibitions. Unconsented commercial messages, altering transmission data, and installing software without consent.
  • Opt-in for email. Consent must come before the first message, unlike the opt-out US model.
  • It reaches across borders. If the recipient is in Canada, CASL applies wherever the sender is based.
  • Two consent types. Express consent is durable; implied consent comes from defined relationships and expires.

CASL is often described as the world’s toughest anti-spam law, which makes it sound more mysterious than it is. At its core it is a simple idea applied strictly: don’t send people commercial messages they didn’t agree to receive, and be honest about who you are. This explainer walks through what the law actually is, what it covers, and how its pieces fit together, so the rules make sense before you try to follow them. For the step-by-step of complying, see our CASL compliance guide; this is not legal advice.

What is CASL?

CASL stands for Canada’s Anti-Spam Legislation, a federal law that came into force on the first of July 2014 and is enforced by the Canadian Radio-television and Telecommunications Commission — the CRTC, the same regulator that oversees Canadian broadcasting and telecom. Its stated aim is to deter the most damaging forms of electronic threat: not only spam, but also software installed without permission and the malicious rerouting of internet traffic. Email is the part most marketers meet, but the law is broader than email alone.

What makes CASL distinctive is its starting assumption. Many marketing laws begin from the premise that you may contact people until they object; CASL begins from the opposite premise that you may not contact them until they agree. That inversion is the source of both its reputation for strictness and its underlying logic — the law treats a person’s inbox as something you are invited into, not something you may enter by default. Everything else in CASL follows from that one principle.

What counts as a commercial electronic message?

The unit CASL regulates is the commercial electronic message, or CEM, and getting this definition right matters because it decides whether the law applies at all. A CEM is any electronic message — email, text, or social message — where one of its purposes is to encourage participation in a commercial activity, whether that’s a sale, a promotion, an offer, or even content on a commercial website. The CRTC points to indicators like offers to buy or sell, promotion of a person or business, and links to commercial content as signals that a message qualifies.

The reach is wide, and subtlety doesn’t exempt you. A message that looks informational but carries a promotional tagline or a discount link can still be a CEM, because the test is purpose, not packaging. This breadth is why senders cannot rely on calling a message a “newsletter” or an “update” to escape the rules; if any real purpose of the message is commercial, CASL treats it as a CEM and its requirements attach. The flip side is that genuinely non-commercial messages fall outside the law entirely, which we return to below.

is-it-a-cem
# CASL applies only to commercial electronic messages (CEMs)
Promotional newsletter, sale offer, product launch  -> CEM (needs consent)
Branded “update” with a discount link               -> CEM (purpose is commercial)
 
# Outside CASL or exempt from consent (ID + unsubscribe may still apply):
Order receipt / shipping confirmation               -> transactional (exempt)
Message to a friend or family member                -> personal (not a CEM)
Email between two employees of one company           -> internal (not a CEM)
# Test = the PURPOSE of the message, not what you call it.

What CASL actually prohibits

Although email dominates the conversation, CASL is built around three distinct prohibitions. The first and most familiar is sending a commercial electronic message without the recipient’s consent and without the required content — the identification and unsubscribe details every CEM must carry. This is the rule that governs email marketing. The second prohibits altering the transmission data in a message so it is delivered somewhere other than where the sender intended, without consent — aimed at the malicious rerouting of traffic.

The third prohibits installing a computer program on someone else’s device in the course of commercial activity without their express consent, with extra requirements when the software does something invasive. Together these three target the spam, the unsolicited redirection, and the unwanted software that the law was written to curb. For a legitimate email sender only the first prohibition usually applies day to day, but understanding all three explains why CASL is framed as broad anti-threat legislation rather than a narrow email-marketing rule.

Because CASL is opt-in, consent is the concept everything turns on, and the law recognises two kinds. Express consent is a deliberate, positive agreement: the person actively opts in, in writing or orally, with full knowledge of who you are and what they’re agreeing to. Conceptually it is the strong form — it does not expire, lasting until the person chooses to withdraw it, because they made a clear affirmative choice. The law asks for that clarity precisely because express consent is the foundation a sender can most reliably stand on.

Implied consent is the weaker, conditional form, and it exists only in situations the law specifically defines — chiefly an existing business relationship, such as a recent purchase or inquiry, where the law infers a reasonable expectation of contact for a limited time. It expires precisely because it was never an explicit choice, only a reasonable inference that fades as the relationship ages. The conceptual point is that CASL would rather you have a real yes than a presumed one, and it builds in an expiry on presumption to push senders toward genuine consent. The mechanics of capturing and tracking each type live in the compliance guide.

Does CASL apply to your message?Purpose commercial?(the CEM test)No -> outside CASLpersonal / internal / infoYes -> it’s a CEMrequirements attachTransactional only?exempt from consent,still needs ID + unsubOtherwise:consent + ID + unsubscribe
The CEM test decides whether CASL applies; the transactional question decides whether you also need consent.

What’s exempt or excluded from CASL

Not every message you send falls under CASL, and the exclusions follow naturally from the commercial-purpose test. Purely personal messages between friends or family, internal messages between employees of the same organisation, and messages sent solely to satisfy a legal or contractual obligation are not commercial electronic messages at all, so the law simply doesn’t reach them. A message whose only purpose is to inform, with no commercial angle, sits outside as well.

A separate category is exempt from the consent requirement but not from everything: transactional and relationship messages — receipts, shipping confirmations, warranty notices, account updates — can be sent without prior consent, but they must still carry identification and a working unsubscribe. There is also a narrow business-to-business exemption: a message between representatives of two organisations that already have a relationship, concerning the recipient organisation’s activities, is exempt. That exemption is real but limited, and it does not turn general cold outreach to businesses into fair game.

How does CASL compare to CAN-SPAM and GDPR?

Placing CASL beside its peers is the fastest way to feel its character. The US CAN-SPAM Act is its mirror image: opt-out, permitting commercial email until the recipient unsubscribes, with no consent required up front. CASL inverts that into opt-in, which is the single biggest practical difference a sender encounters when expanding from the US into Canada. What was legal by default in one country becomes prohibited by default in the other.

The EU’s GDPR, covered in our GDPR for email guide, is stricter again but along a different axis: it governs the personal data behind the message rather than the message itself, demanding a lawful basis to process an address and granting individuals broad rights over their data, with fines reaching tens of millions of euros. CASL sits between the two in scope — message-focused like CAN-SPAM, consent-based like GDPR — and the practical lesson for any cross-border sender is to design to the strictest law their audience touches rather than the most permissive.

How CASL and PIPEDA work together

CASL rarely operates alone, because the act of emailing involves both sending a message and handling personal data, and Canada regulates those separately. CASL governs the sending: whether you may transmit a commercial message to a given recipient. Canada’s privacy law, PIPEDA, governs the data: how you may collect, use, store, and protect the email address in the first place, including rules against harvesting addresses. A single email-marketing program typically has to satisfy both at once.

The two laws are connected at the seam of consent. Express consent obtained in a way that meets PIPEDA’s standard can satisfy CASL, but weaker forms of PIPEDA consent do not automatically clear the CASL bar, so the safe approach is to obtain consent that satisfies the stricter of the two. Our PIPEDA explainer covers the data side in depth; the takeaway here is that CASL compliance is necessary but not sufficient on its own.

Why is CASL considered so strict?

Several features compound to earn CASL its reputation. The opt-in default is the foundation, but three further design choices sharpen it. First, the burden of proof sits on the sender: you must be able to demonstrate you had valid consent, so a missing record is effectively a missing consent. Second, the penalties are severe — up to ten million dollars per violation for a business, with directors and officers personally exposed — which raises the stakes well above a routine cost of doing business.

Third, the law reaches across borders: it applies whenever the recipient is in Canada, so a sender in another country gets no shelter from distance. Add the fact that Quebec’s Law 25 layers additional privacy obligations on top within that province, and the Canadian picture becomes one of the most demanding in the world. The strictness is deliberate; the law was written to make consent the path of least resistance rather than an obstacle senders route around.

What CASL means for senders today

For a practitioner, the honest summary is that CASL rewards the habits good senders already want. Because it forces genuine consent, the lists it produces are smaller but markedly more engaged, and engagement is exactly what drives inbox placement — so the law that looks like pure friction quietly improves deliverability. The senders who struggle with CASL are usually the ones whose model depended on emailing people who never asked to hear from them, and that model was fragile regardless of the law.

The work itself is contained: understand what makes a message a CEM, get real consent before you send, identify yourself, and make leaving easy. From there the compliance guide turns the concepts here into a working routine, and owning your sending infrastructure gives you the control over consent records and suppression that compliance depends on. Understood properly, CASL is less a barrier to Canadian email than a description of how to do it well.

Frequently asked questions

What does CASL stand for?
CASL is Canada’s Anti-Spam Legislation, a federal law in force since July 2014 and enforced by the CRTC. It governs commercial electronic messages sent to recipients in Canada and also prohibits installing software without consent and altering transmission data to misroute messages. For email, its defining feature is that it requires consent before sending.
What is a commercial electronic message under CASL?
A CEM is any electronic message — email, SMS, or social — where one of its purposes is to encourage participation in a commercial activity, such as a sale, promotion, or link to commercial content. The test is the message’s purpose, not what you label it, so a “newsletter” with promotional content still counts as a CEM.
Is CASL stricter than CAN-SPAM?
Yes, considerably. CAN-SPAM is opt-out, allowing US commercial email until the recipient unsubscribes, while CASL is opt-in, requiring consent before the first message. CASL also puts the burden of proof on the sender and carries much higher penalties, up to $10 million per violation, making it one of the strictest anti-spam laws in the world.
Does CASL apply to messages I send from outside Canada?
Yes. CASL applies based on where the recipient is, not the sender. If a commercial electronic message is sent to someone in Canada, the law applies even if your business is in the US, UK, or elsewhere. There is a narrow foreign-message exception, but the practical assumption should be that mailing Canadians means complying with CASL.
What’s the difference between CASL and PIPEDA?
CASL governs the sending of commercial messages — whether you may email a given recipient. PIPEDA governs the personal data: how you collect, use, store, and protect the email address itself. Most email programs must comply with both, and express consent meeting PIPEDA’s standard can also satisfy CASL.