Live Direct Marketing logo
Inbox Placement Test
Compliance10 min read

CASL: Canadian anti-spam law for email senders

Canada's anti-spam law is one of the strictest in the world: opt-in by default, narrow implied-consent windows, mandatory sender identification, and CRTC fines up to ten million dollars per violation for businesses.

CASL (Canada's Anti-Spam Legislation) came into force in 2014 and changed cold-email economics in North America overnight. Where CAN-SPAM in the US permits sending until the recipient opts out, CASL flips the default: you may not send a commercial electronic message (CEM) to a Canadian recipient without consent, and the burden of proving that consent is on the sender.

TL;DR

CASL is opt-in. Express consent is the gold standard. Implied consent exists for existing business or non-business relationships and lasts 2 years (or 6 months for inquiries). Every CEM needs sender identification and a working unsubscribe honored within 10 business days. Penalties: up to CAD $1M for individuals, $10M for businesses per violation.

Who CASL covers

CASL applies to commercial electronic messages sent to or accessed from a computer system in Canada. It is the recipient's location, not the sender's, that matters. A sender in Australia emailing a contact in Toronto is in scope.

A "commercial electronic message" is one that, having regard to its content, is intended to encourage participation in a commercial activity. The bar is broad. Cold sales pitches, newsletters with any commercial content, follow-ups to webinar registrants — all CEMs.

A few narrow exemptions: messages to existing employees or contractors of an organisation about that work; quotes or estimates the recipient requested; messages required to facilitate a transaction the recipient previously consented to; safety, recall or warranty information about a previously purchased product.

Express consent — the gold standard

Express consent is what you obtain when someone affirmatively opts in to receive your CEMs. The request for consent must clearly state:

  • The purpose for which consent is sought.
  • The identity of the person seeking consent — and on whose behalf, if different.
  • Mailing address and one of phone, email or web address of the person seeking consent.
  • A statement that consent can be withdrawn.

Express consent has no expiry. Once obtained and documented, it lasts until withdrawn. This is why building an express-consent list is the single highest-value compliance and deliverability investment a Canadian-targeting sender can make.

Pre-ticked boxes are not valid express consent. Bundled consent for unrelated purposes is not valid. The CRTC has been explicit on both.

Implied consent — where senders trip

Implied consent exists in narrowly defined circumstances and has time limits. The two main forms:

  • Existing business relationship. The recipient purchased a product or service from you in the previous 2 years, or has a written contract with you currently or in the previous 2 years, or made an inquiry about your products or services in the previous 6 months.
  • Existing non-business relationship. The recipient is a member of your registered charity, political party or association in the previous 2 years.

Two narrower forms also exist: conspicuous publication of a business address (e.g. on a company website) where the message is relevant to the recipient's business role and the publication does not state that unsolicited CEMs are not wanted; and disclosure of an address by the recipient to the sender for a relevant business purpose without an explicit refusal of CEMs.

The conspicuous-publication form is the closest CASL gets to permitting cold B2B email — but it's strict. The address must be published by the recipient or with their authority, the message must be directly relevant to the recipient's professional role, and the website must not say "no unsolicited email" (many do).

Implied consent is not silent renewal

The 2-year clock on implied consent does not reset on every email you send. It runs from the qualifying event (purchase, inquiry, etc.). Use the implied window to obtain express consent — otherwise you lose the relationship at the deadline.

Required content in every CEM

Beyond consent, every CEM must include:

  1. Identification of the person sending the message and any person on whose behalf it is sent.
  2. Information enabling the recipient to readily contact one of those persons (current mailing address and one of phone, email or web).
  3. An unsubscribe mechanism that is clearly and prominently set out, can be readily performed and is valid for at least 60 days.

The unsubscribe must allow the recipient to opt out at no cost, through the same electronic means by which the message was sent (or any reasonable alternative). It must be processed within 10 business days, with no need for the recipient to follow up. Like CAN-SPAM's 10 business days, the clock matters — and the contact point for unsubscribes must remain valid for at least 60 days after the message was sent.

Enforcement and the penalty structure

The Canadian Radio-television and Telecommunications Commission (CRTC) is the primary enforcer for CASL's email provisions. Penalties (called Administrative Monetary Penalties) reach up to CAD $1 million per violation for an individual and $10 million for a business. The Competition Bureau has separate jurisdiction over misleading representations in CEMs, with its own penalty structure.

Some real cases:

  • Compu-Finder: $1.1M penalty (later reduced) for sending unsolicited CEMs without valid consent.
  • Porter Airlines: $150,000 settlement for missing unsubscribe mechanisms and unsubscribe-validity issues.
  • nCrowd: $100,000 penalty over unsubscribe failures.

Notably, a long-promised private right of action — letting recipients sue senders directly — has been on hold since 2017. Even without it, the regulator-driven enforcement plus deliverability impact create real cost.

Record-keeping that survives a CRTC audit

Burden of proof for consent is on the sender. Practical requirements:

  • Date, time and source of every express consent.
  • Exact language shown to the recipient at the moment of consent.
  • Confirmation email logs (for double opt-in flows).
  • For implied consent: the qualifying event (purchase, inquiry) and its date.
  • Suppression list with timestamps for every unsubscribe.

ESPs that auto-track signup source and consent text simplify this enormously. Senders running their own forms need to build the audit trail themselves — it's the single most common gap when the CRTC asks questions.

CASL-safe sending in practice

For a Canadian-targeting program, the workable pattern:

  1. Build the express-consent list aggressively. Lead magnets, free trials, content downloads — all with unbundled, explicit checkboxes.
  2. Treat existing-customer implied consent as a 2-year window to convert to express consent, not as ongoing permission.
  3. For cold B2B, rely only on conspicuous-publication implied consent and only when the message is genuinely relevant. Document the source URL.
  4. Set every CEM's footer with mailing address, phone or email contact, and unsubscribe link — generated automatically, not editable per send.
  5. Suppression sync runs daily, not weekly.

Frequently asked questions

Does CASL apply if I'm a US sender with no Canadian operations?

Yes, if the recipient is in Canada or accesses the message from a computer system in Canada. The CRTC has cooperated with the FTC on cross-border cases and can pursue foreign senders through international agreements.

Can I assume implied consent because someone is on a public list?

Only if the address was conspicuously published by the recipient or with their authority, the message is relevant to their professional role, and the publication doesn't say "no unsolicited email". Scraping LinkedIn or directories does not satisfy this.

What about transactional emails — receipts, shipping?

If the primary purpose is to facilitate, complete or confirm a previously consented commercial transaction, they fall under exemptions and are not full CEMs. Mixed-purpose messages take the stricter rule.

How long do I have to honor an unsubscribe under CASL?

10 business days, the same as CAN-SPAM. The unsubscribe mechanism itself must remain functional for at least 60 days from the date the message was sent.
Related reading

Check your deliverability across 20+ providers

Gmail, Outlook, Yahoo, Mail.ru, Yandex, GMX, ProtonMail and more. Real inbox screenshots, SPF/DKIM/DMARC, spam engine verdicts. Free, no signup.

Run Free Test →

Unlimited tests · 20+ seed mailboxes · Live results · No account required