CASL-Compliant Email Infrastructure
CASL-compliant email infrastructure is a sending stack built to satisfy Canada's Anti-Spam Legislation: consent before sending (express or implied, tracked and provable), clear sender identification and contact information in every message, and a functional unsubscribe honoured within the legal window. CASL is an opt-in regime — unlike the US opt-out model — and it follows the recipient, so it applies to anyone emailing people in Canada regardless of where the sender sits, with penalties up to $10 million per violation. MCSNET runs the infrastructure on Canadian soil from Toronto, with consent records, identification and suppression wired into the stack rather than left to the marketer.
Key takeaways
- CASL is opt-in: you need consent — express or implied — before the first message, unlike the US CAN-SPAM opt-out model.
- Every message needs three elements: sender identification, contact information, and a working unsubscribe that is honoured within 10 business days.
- The burden of proof is on the sender — you must be able to prove consent, so it has to be tracked, dated, and retained.
- CASL follows the recipient: it applies to anyone emailing people in Canada, wherever the sender is, with penalties up to $10 million per violation.
- We build consent tracking, identification and suppression into the infrastructure, on Canadian soil from Toronto, so compliance is structural — not a footer afterthought.
CASL — Canada’s Anti-Spam Legislation — is stricter than most senders expect, and it does not care whether you meant well. It is an opt-in law in a world where many senders are used to opt-out, it follows the recipient rather than the sender, and it puts the burden of proving consent squarely on you. The penalties run to ten million dollars per violation, the regulator enforces actively, and “we didn’t know” has never been a defence. The good news is that almost everything CASL asks for is an infrastructure problem with an infrastructure solution — consent you can prove, identification on every message, and suppression that actually holds — and building those in is far easier than retrofitting them after a complaint.
What does CASL actually require?
At its core, CASL requires three things, and the first is the one that surprises people. Before you send a commercial electronic message to someone in Canada, you need their consent — express or implied — which makes CASL an opt-in regime, unlike the opt-out model of the US CAN-SPAM Act. Then, in every message, you need two more things: clear identification of who is sending (your business name and anyone you send on behalf of) with valid contact information, and a functional unsubscribe mechanism that you honour promptly. That is the whole shape of it — consent first, then identification and an easy way out in every message — but each part has detail that matters, and the burden of proving you have met them falls on you, not on the recipient or the regulator. Compliance is less about the footer text and more about whether you can stand behind every send if asked.
Express versus implied consent
The consent rule has two forms, and knowing which you hold for each contact is the heart of CASL compliance. Express consent is a positive opt-in — an unchecked box someone ticks, a form they complete, an oral agreement — and its great advantage is that it does not expire; it lasts until the person withdraws it. Implied consent comes from a relationship and is time-limited: two years from a purchase, lease, contract or donation, and six months from an inquiry, after which it lapses. A third basis, conspicuous publication, applies when someone has publicly posted their address without saying they don’t want messages, and it is what most B2B outreach to Canada leans on. The practical implication is that implied consent is a depreciating asset — it expires — so a compliant program tracks not just whether consent exists but what kind it is and when it runs out. Express consent is the safer foundation precisely because it does not decay.
| Express consent | Implied consent | |
|---|---|---|
| How obtained | Positive opt-in (box, form, oral) | Existing relationship or publication |
| Expiry | Does not expire | 2 years (purchase) / 6 months (inquiry) |
| Proof burden | On the sender | On the sender |
| Best for | A durable, low-risk list | Time-limited, must be tracked |
Why is the burden of proof on you?
Because CASL is built around the sender’s responsibility, and this single fact shapes how the infrastructure has to work. Under CASL, if you send a commercial electronic message, the onus is on you to prove you had consent — the recipient never has to prove they didn’t give it. That means consent cannot just exist; it has to be recorded in a way you can produce later: the date it was obtained, the method, the source, and for implied consent the expiry. If the regulator asks and you cannot show the record, you are treated as not having had consent, regardless of whether you actually did. This is why consent tracking is not paperwork but a core function of compliant sending — and why a corporate compliance program with proper records also gives you a due-diligence defence if something does go wrong. The law assumes you can prove your basis for every send; the infrastructure has to make that true.
The three elements every message needs
Every commercial electronic message has to carry three things, and they apply even to messages sent under a consent exception. The first is sender identification: your business name, and the name of anyone else on whose behalf the message is sent. The second is contact information: a mailing address plus at least one of a phone number, email address or web address, and that contact route must stay valid for at least 60 days so someone reading the message later can still reach you. The third is a functional unsubscribe that is simple to use, clearly presented, and honoured within 10 business days of the request. In email these usually sit in the footer, but “usually in the footer” understates the requirement — they must be present, accurate and working on every single send, and the unsubscribe has to be wired to actually stop the mail, not just display a confirmation. The identification builds trust as much as it satisfies the law; an anonymous-looking message draws complaints, and complaints draw enforcement.
CASL follows the recipient, not the sender
One feature of CASL trips up more foreign senders than any other: it applies based on where the message is received, not where it is sent. A commercial electronic message accessed in Canada is governed by CASL no matter where the sending business sits, so a company in the US, the UK or anywhere else emailing a person in Canada is fully subject to its consent, identification and unsubscribe rules. This is broader than people assume — a single salesperson emailing a contact in Toronto is sending a CASL-governed message — and being located outside Canada provides no exemption. The combination of this reach and the active enforcement is what makes CASL a real obligation rather than a theoretical one for anyone with Canadian recipients. It is also an argument for running your infrastructure on Canadian soil with compliance built in: if you are going to be subject to Canada’s law anyway, an infrastructure designed around it is a simpler position than one improvising compliance from abroad.
Why isn’t a compliant footer enough?
It is tempting to think CASL compliance is a matter of the right footer text, and that mistake is where violations come from. The footer — identification, contact, unsubscribe link — is the visible surface, but the substance is in the infrastructure behind it. Consent has to be tracked, dated and retained so it can be proven. Unsubscribe requests have to be honoured across every list, segment and automation, not just the campaign that generated them, and they have to be durable so an unsubscribed contact is never re-mailed by some other list later. Implied consent that has expired has to actually stop being used, which means tracking expiry dates and suppressing lapsed contacts automatically. None of that is footer text; it is the same global, durable suppression and record-keeping discipline that reliable bounce handling needs, pointed at a legal requirement. A perfect footer on top of a system that re-mails unsubscribed contacts or cannot prove consent is not compliant — it just looks compliant until it is tested.
CASL alongside PIPEDA, CAN-SPAM and GDPR
CASL rarely operates alone, and how it interacts with other laws matters for anyone sending across borders. CASL governs the act of sending the message; PIPEDA, Canada’s privacy law, governs how you collect, use and protect the email addresses themselves — most senders to Canada need to satisfy both, and notably express consent under PIPEDA can satisfy CASL while other PIPEDA consent forms do not. Across borders, the US CAN-SPAM Act is opt-out where CASL is opt-in, and the EU’s GDPR adds its own consent and data-protection requirements. The workable rule when these overlap is to follow the strictest applicable requirement: a sender with recipients in Canada, the US and the EU who builds to CASL and GDPR consent standards generally satisfies CAN-SPAM in the process. Designing the infrastructure to the strictest standard, rather than the minimum for each jurisdiction, is what keeps a multi-country program compliant without separate machinery for every law.
How we build CASL compliance into your infrastructure
With MCSNET, CASL compliance is structural, wired into the sending stack rather than left to a marketer’s memory. We run the infrastructure on Canadian soil in Toronto, and we build in the functions compliance actually depends on: consent tracking that records type, source, date and expiry so your basis for every send is provable; identification and contact details applied correctly to every message; and unsubscribe handling that feeds global, durable suppression honoured well within the legal window, across every list and automation, so an opt-out is permanent. Expired implied consent is suppressed automatically, and records are retained so a due-diligence position exists if you ever need it. Because the same discipline protects your reputation — clean lists, honoured unsubscribes, low complaints — compliance and deliverability pull in the same direction here. You get infrastructure where doing the compliant thing is the default, not an extra step someone has to remember.
# mcsnet · casl compliance · brand.ca consent express 41,208 · implied 6,330 (tracked, dated) expiry 312 implied lapsing <30d → flagged for re-consent identity sender id + mailing address on every send ok unsubscribe one-click · honoured in 0-1 biz days (limit 10) suppression global · durable · 2,841 opt-outs across all lists residency data in canada (toronto) ok audit consent records retained · due-diligence ready
Why work with us?
Because we treat CASL as an infrastructure requirement, not a legal footnote to paste into a footer. Anyone can format an unsubscribe link; far fewer wire consent tracking, expiry handling and durable global suppression into the stack so compliance holds up under scrutiny, and run it on Canadian soil where data residency and CASL align. We bring that, in Toronto under PIPEDA, with the same suppression and record-keeping that protects deliverability doing double duty for compliance. We are not your lawyers, and we will say so — CASL has detail that warrants legal advice for your specific situation — but the infrastructure that makes compliance provable and reliable is exactly what we build. The result is a sending stack where the compliant path is the built-in one.
Who this is for, and who it is not
It is for senders with recipients in Canada who need compliance to be reliable rather than hopeful — Canadian businesses, and foreign senders who have realized CASL applies to them because they email people in Canada, especially those who want data residency and compliance handled together. It is for teams who would rather have consent tracking and suppression built into the infrastructure than bolt them on per campaign. It is not a substitute for legal advice on your specific obligations, and it is not for a sender who simply wants to blast a purchased list at Canadians, which CASL prohibits outright and no infrastructure can make lawful. CASL-compliant infrastructure pairs with the Canadian hosting and PIPEDA it sits beside, and the suppression and reputation work that serves both compliance and deliverability. Built in from the start, on Canadian soil, CASL compliance stops being a risk you carry and becomes a property of the infrastructure you send on.