CASL (Canada's Anti-Spam Legislation) is an opt-in law requiring express or implied consent before sending commercial electronic messages to anyone in Canada. Unlike under CAN-SPAM, sending unsolicited commercial email without consent is a per-message violation, with penalties of up to $10 million for organizations. Compliance hinges on documenting consent, identifying yourself clearly, and providing a functional unsubscribe mechanism in every message.
If you send commercial email to anyone in Canada, CASL applies to you regardless of where your company is based. The law has been in force since 2014, but enforcement has accelerated meaningfully since 2020, with multiple multi-million-dollar penalties handed down by the CRTC against both Canadian and foreign senders. The rules are stricter than US CAN-SPAM and in some respects stricter than GDPR.
This guide walks through what CASL actually requires, how express and implied consent work, the elements every commercial message must contain, the penalty structure, and a practical compliance checklist for senders with Canadian recipients.
- CASL is opt-in, not opt-out; you must have consent before the first commercial message, with no implied permission for cold outreach to consumers.
- Express consent must be documented with a record of when, how, and what the recipient agreed to.
- Implied consent applies in narrow business circumstances and expires after 24 months.
- Every commercial message must include sender identification, contact information, and a working unsubscribe mechanism that functions for at least 60 days.
- Penalties reach $1 million per violation for individuals and $10 million per violation for organizations, with the CRTC actively enforcing against foreign senders.
What CASL Is and Who It Applies To
CASL governs the sending of "commercial electronic messages" (CEMs) to recipients in Canada. The definition is broad: any message that has as one of its purposes the encouragement of participation in a commercial activity. That includes promotional newsletters, transactional messages bundled with promotion, lead nurture sequences, cold B2B outreach, event invitations from for-profit entities, and almost anything sent by a business to a contact list.
The law applies to messages accessed by a computer in Canada. If your recipient list contains Canadian addresses, you are subject to CASL whether your company is headquartered in Toronto, Tampa, or Tokyo. The CRTC has issued penalties against US-based senders multiple times since 2018.
A few categories are exempt or partially exempt: personal messages, messages between people in a personal or family relationship, messages to recipients who have made an inquiry within the previous six months, and certain messages from registered charities and political parties. Commercial relationships with current customers receive limited carve-outs but do not eliminate the unsubscribe requirement.
Express vs Implied Consent
The cornerstone of CASL is consent. Without it, the message cannot lawfully be sent. CASL recognizes two consent types with very different rules.
Express Consent
Express consent means the recipient affirmatively agreed to receive your messages. The agreement must be unambiguous, separate from other terms, and documented. A pre-checked box does not qualify; the recipient must actively check the box themselves. The consent request must clearly identify your business name, the purpose of the consent, and that the recipient can withdraw at any time.
Express consent does not expire on a schedule. It remains valid until the recipient withdraws it. You bear the burden of proving consent was obtained, which means you need to keep records of when, how, and through what specific opt-in flow each subscriber consented.
Implied Consent
Implied consent applies in narrower circumstances and is time-limited. It exists when:
- You have an existing business relationship: the recipient purchased something from you, leased equipment, entered a written contract, or made an inquiry within the past 24 months. Implied consent expires 24 months after the last triggering event.
- You have an existing non-business relationship: the recipient is a member of a club, charity, or political organization you operate, with the relationship occurring within the past 24 months.
- The recipient conspicuously published their business email address (for example on a company website) without a statement that they do not wish to receive unsolicited commercial messages, AND your message is relevant to their business role.
The conspicuous publication path is what most B2B senders rely on, but it is narrower than commonly understood. The published address must not be paired with an "unsolicited messages not welcome" disclaimer, and your message content must be directly relevant to the recipient's job function. Sending a generic SaaS pitch to a published email address rarely qualifies.
Warning: Purchased lists are effectively useless under CASL. The seller cannot transfer their consent to you, and you cannot rely on consent the recipient gave to a different organization. Sending to a purchased list of Canadian contacts is a per-recipient violation.
What Every CASL-Compliant Message Must Contain
Every commercial electronic message sent to a Canadian recipient must contain three elements:
Sender Identification
The message must clearly identify who is sending it. If multiple parties are involved (an agency sending on behalf of a client), all must be identified. The identification must include the legal name of the sending organization and any name the organization commonly carries on business under.
Contact Information
The message must include a mailing address that is current for at least 60 days after the message is sent and one of: a telephone number with active response or voicemail, an email address, or a web address. The contact information must allow the recipient to readily reach the sender to ask questions or withdraw consent.
Unsubscribe Mechanism
Every commercial message must include a clearly and prominently displayed unsubscribe mechanism that allows the recipient to opt out using the same electronic means by which the message was sent. The unsubscribe must be no-cost to the recipient, must remain functional for at least 60 days after the message was sent, and the sender has 10 business days to action the request. A one-click unsubscribe link is the cleanest implementation and aligns with the 2024 Gmail and Yahoo bulk sender requirements.
Penalty Structure
CASL is enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), which can issue administrative monetary penalties of up to $1 million per violation for individuals and $10 million per violation for organizations. Each non-compliant message is potentially a separate violation, so penalty exposure scales with list size.
The CRTC has used aggressive enforcement against companies sending without consent, with broken or non-functional unsubscribe links, and with inadequate sender identification. Notable settlements have included multi-million-dollar payments by both Canadian and US-based marketing companies. A planned private right of action that would have allowed individuals to sue senders directly remains suspended, but CRTC enforcement alone is more than sufficient to make non-compliance expensive.
CASL vs CAN-SPAM vs GDPR
| Requirement | CASL (Canada) | CAN-SPAM (US) | GDPR (EU) |
|---|---|---|---|
| Consent model | Opt-in (express or implied) | Opt-out | Opt-in (specific, informed) |
| Cold B2B outreach allowed | Only if conspicuously published and relevant | Yes, with opt-out | Legitimate interest assessment required |
| Unsubscribe deadline | 10 business days | 10 business days | Without undue delay |
| Sender identification required | Yes | Yes | Yes |
| Maximum penalty (org) | $10M CAD per violation | $53,088 USD per email | 4% of global revenue or 20M EUR |
| Records of consent required | Yes, sender bears burden | No | Yes, controller bears burden |
Of the three frameworks, CASL is the most prescriptive about consent and the most aggressive about extraterritorial reach. A sender complying with CASL is generally compliant with CAN-SPAM by default, though GDPR and CASL each have unique requirements that do not fully overlap.
Implementation Checklist
If you send mail to Canadian contacts, work through this checklist before your next campaign:
- Audit your list for Canadian recipients. Use IP-derived signup data, billing country, or explicit "country" fields to identify Canadian contacts. Once identified, those contacts need CASL-compliant consent.
- Implement an explicit opt-in flow. Use a standalone consent checkbox on signup forms with clear language about what the recipient is agreeing to receive. Double opt-in exceeds CASL requirements and provides stronger evidence.
- Build a consent record system. Capture the timestamp, source URL, IP address, and exact wording of the consent request for every subscriber. Retain these records as long as the consent remains active.
- Audit your existing list. For Canadian contacts whose consent you cannot prove, send a single re-permission campaign or remove them from Canadian sends. Continuing to mail without documented consent is the highest-risk position.
- Standardize your message footer. Ensure every commercial message includes legal sender name, mailing address, contact method, and a one-click unsubscribe link.
- Verify your unsubscribe pipeline. Test that opt-out requests are honored within 10 business days and that the unsubscribe page does not require login or additional steps. Add the address immediately to your suppression list across all sending platforms.
- Track implied consent expirations. If you rely on the existing-business-relationship path, automate a 24-month expiration trigger that pauses sends to those contacts unless express consent is collected before the deadline.
If your CRM or ESP does not support per-contact consent records with timestamp and source data, that gap is your single biggest CASL exposure. The first thing the CRTC asks for in an investigation is consent evidence, and "we think they signed up at some point" is not a defense.
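The consent-record and expiration items in the checklist can be enforced as a pre-send gate. The sketch below is an added example, not code from this guide or from any ESP; the `ConsentRecord` schema, field names, and sample contacts are hypothetical, and it assumes the expiry date itself is treated as already expired.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

IMPLIED_CONSENT_MONTHS = 24  # implied-consent lifetime given in this guide
EXPRESS_EVIDENCE = ("basis_date", "source_url", "ip_address", "wording")

@dataclass
class ConsentRecord:  # hypothetical schema, not a real ESP/CRM export format
    email: str
    kind: str                          # "express" or "implied"
    basis_date: Optional[date] = None  # opt-in date, or last triggering event
    source_url: str = ""
    ip_address: str = ""
    wording: str = ""                  # exact text of the consent request
    withdrawn_on: Optional[date] = None

def add_months(d: date, months: int) -> date:
    """Same day N months later, clamped to the end of a shorter month."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def send_decision(rec: ConsentRecord, today: date) -> Tuple[bool, str]:
    """Return (may_send, reason) for one Canadian contact."""
    if rec.withdrawn_on is not None:
        return False, "suppressed: consent withdrawn"  # suppress immediately
    if rec.kind == "express":
        missing = [f for f in EXPRESS_EVIDENCE if not getattr(rec, f)]
        if missing:  # consent that cannot be proven is treated as absent
            return False, "re-permission needed: missing " + ", ".join(missing)
        return True, "express consent on record"
    if rec.kind == "implied" and rec.basis_date is not None:
        expires = add_months(rec.basis_date, IMPLIED_CONSENT_MONTHS)
        if today >= expires:  # assumption: the expiry date itself is not mailable
            return False, f"paused: implied consent expired {expires}"
        return True, f"implied consent valid until {expires}"
    return False, "no documented consent basis"

# Constructed sample contacts (example.com addresses, documentation IP range).
SAMPLE = [
    ConsentRecord("a@example.com", "express", date(2022, 5, 1),
                  "https://example.com/signup", "203.0.113.7", "Send me the newsletter"),
    ConsentRecord("b@example.com", "express", date(2021, 1, 9)),  # no evidence kept
    ConsentRecord("c@example.com", "implied", date(2023, 3, 15)),
    ConsentRecord("d@example.com", "express", date(2022, 5, 1), "https://example.com/signup",
                  "203.0.113.8", "Send me the newsletter", withdrawn_on=date(2025, 1, 2)),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.email, send_decision(rec, date(2025, 3, 15)))
```

Running the gate at send time rather than at import time means a contact whose implied consent lapses mid-sequence is paused before the next message goes out.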
Enforcement Trends
CASL enforcement has historically prioritized high-volume senders with broken unsubscribe mechanisms, senders ignoring withdrawal requests, and senders relying on purchased or scraped lists. The CRTC publishes settlement summaries that telegraph current priorities; recent attention has fallen on senders who treat the conspicuous-publication path as a blanket B2B opt-in, which it is not.
Foreign senders should not assume distance from Canadian regulators provides protection. The CRTC has cooperated with US and EU enforcement bodies through international agreements, and several published settlements involve US companies paying Canadian fines.
Frequently Asked Questions
Yes. CASL applies to any commercial electronic message accessed by a computer in Canada, regardless of where the sender is located. The CRTC has assessed penalties against US and other foreign senders, and has cooperation agreements with regulators in other jurisdictions to support enforcement.
Only in narrow circumstances. Implied consent applies if the recipient has conspicuously published their business email address without a "no unsolicited messages" disclaimer, AND your message content is directly relevant to their job function. Generic SaaS pitches to scraped lists do not qualify, even when the addresses appear on company websites.
10 business days. CASL also requires the unsubscribe mechanism itself to remain functional for at least 60 days after the message was sent. Suppression must apply across all sending channels for the same business; you cannot honor an opt-out on one list while continuing to mail the contact from another.
Pure transactional messages (order confirmations, shipping notifications, account warnings) are exempt from most CASL requirements. The exemption disappears if the message also contains commercial content like upsells or promotional banners. The safer practice is to keep transactional and promotional content in separate messages.
At minimum: timestamp of consent, source (URL of the form, name of the offline channel), exact wording the recipient agreed to, and the IP address or other identifier tying the consent to the contact. The sender bears the burden of proof in a CRTC investigation, and gaps in the audit trail are treated as missing consent.