CASL Compliance Guide for Email Senders
Canada's Anti-Spam Legislation is the world's strictest anti-spam law — an opt-in regime with CAD$10M fines and active enforcement. What you can send, to whom, and what happens when you get it wrong.
CASL vs CAN-SPAM: The Critical Difference
The single most important thing to understand about CASL: it is an opt-in law, not opt-out. Under CAN-SPAM, you can email anyone until they ask you to stop. Under CASL, you cannot send a commercial electronic message (CEM) to anyone without obtaining consent first — unless you can rely on a specific implied consent basis. This distinction applies even to B2B email. There is no "cold email is always fine" exception under CASL the way there is under CAN-SPAM.
CASL jurisdiction follows the recipient, not the sender. If you are a US, EU, or UK company emailing a person in Canada, CASL applies to you. The CRTC has taken enforcement action against non-Canadian companies. Being outside Canada is not a defence.
CASL covers commercial electronic messages broadly: emails, SMS, instant messages, and social media direct messages that encourage participation in a commercial activity. A message is a CEM if even one of its purposes is commercial — a newsletter that mentions a product for sale is a CEM, even if most of its content is editorial.
Express vs Implied Consent — The Foundation of CASL
Every CEM sent to a Canadian recipient requires either express or implied consent. The onus of proving consent rests entirely on the sender. "We didn't know we needed consent" is not a defence — the $1.1 million fine issued to a company that sent emails without proper consent was upheld even though the company claimed ignorance.
✓ Express Consent
The person has clearly and proactively agreed to receive CEMs from you. Must be: specific to your organisation, unchecked by default, accompanied by identification information and notice of purpose.
Never expires. Express consent remains valid until withdrawn.
⏱ Implied Consent — Expiry Rules
- ✓ Existing business relationship (purchase/contract): expires 2 years from last transaction
- ✓ Written inquiry or application: expires 6 months from date of inquiry
- ✓ Conspicuously published email address: no fixed expiry — but message must relate to recipient's business role
- ✓ Business card given at event: expires 6 months
Conspicuous Publication — The B2B Cold Email Basis
The most commonly used implied consent basis for B2B cold email under CASL is "conspicuous publication." This applies when a person's email address is publicly posted (on a company website, LinkedIn, a directory) without a statement refusing unsolicited messages, AND the message relates to the recipient's business role.
The three-part test all conditions must be met: (1) email is publicly posted, (2) no notice refusing unsolicited messages accompanies it, (3) your message is relevant to their business function. Finding a CMO's email on a company About page does not permit you to send them anything — only communications relevant to their actual role as CMO. A pitch for office furniture to a software CMO would not qualify.
Required Elements in Every CEM
Regardless of consent basis, every commercial electronic message sent to a Canadian recipient must include three elements:
The name of the person or organisation sending the message, and on whose behalf it is sent if different. Contact information: a mailing address and either a phone number, email address, or web address where the sender can be reached.
A functioning unsubscribe link or mechanism that allows the recipient to opt out at no cost and with no more information than their email address. The mechanism must remain functional for a minimum of 60 days after the message is sent (stricter than CAN-SPAM's 30 days). Opt-outs must be processed within 10 business days.
You must be able to prove consent at the time of sending. This means maintaining records of: when consent was given, what the person consented to, the consent language shown, and whether implied consent has expired. The burden of proof is on the sender — not the recipient to prove they didn't consent.
CRTC Enforcement — 2024–2025
CASL enforcement is active and escalating. The CRTC's Spam Reporting Centre received 152,603 complaints in just six months of 2025 — a volume that has increased year over year. The CRTC's enforcement activity in 2024–2025 included:
In November 2024, the CRTC specifically targeted approximately 25 companies with notably high complaint volumes — assessing whether their consent practices and unsubscribe mechanisms met CASL requirements. Warning letters were sent, with explicit notice that non-compliance would result in further enforcement action.
The pattern is consistent: the CRTC starts with warning letters and escalates to monetary penalties for repeat or egregious violations. Directors and officers can be held personally liable for CASL violations by their organisations — a provision that distinguishes CASL from most other anti-spam laws globally.
CASL, GDPR, and CAN-SPAM — Managing Multiple Jurisdictions
Many senders have recipients in Canada, the US, and the EU simultaneously. The practical approach: comply with the strictest requirement that applies to each recipient segment. For any given message, the strictest relevant law governs.
| Requirement | CAN-SPAM (US) | CASL (Canada) | GDPR (EU/UK) |
|---|---|---|---|
| Consent model | Opt-out | Opt-in required | Opt-in (B2C) / LI (B2B) |
| Max fine | $51,744/email | CAD$10M/violation | €20M or 4% turnover |
| B2B cold email | Generally permitted | Permitted with basis | Permitted with LIA |
| Unsubscribe deadline | 10 business days | 10 business days | Promptly / immediately |
| Jurisdiction | US recipients | Canadian recipients | EU/UK residents |
Record-Keeping — The CASL Audit Requirement
CASL requires that you maintain records proving consent for three years from the last date you sent a CEM to a recipient on the basis of that consent. The CRTC can demand these records at any time. Companies that cannot produce consent records when investigated — regardless of whether consent was actually obtained — face the same enforcement outcome as companies that never obtained consent.
For each subscriber, your records should capture: the consent type (express or implied), the consent date, the specific consent mechanism used, the consent language shown, the IP address (for web-based signup), and for implied consent, the basis relied upon and its expiry date. For express consent obtained via email confirmation (double opt-in), the confirmation click timestamp is your consent record.
Use double opt-in as the default for all new Canadian subscribers. The confirmation click creates an automatically timestamped record that satisfies CASL's express consent documentation requirement with no additional work. Single opt-in requires manual logging of IP address, timestamp, form URL, and consent text — achievable but more operationally complex to maintain across all acquisition sources.
CASL Compliance Checklist
Use this checklist before launching any email programme targeting Canadian recipients, or when reviewing an existing programme for compliance gaps.