If you send marketing emails to anyone in Canada, Canada’s Anti-Spam Legislation (CASL) applies to you — even if your business sits in New York, London, or Sydney. CASL is widely regarded as the strictest email law in the world, and the penalties prove it: up to $10 million CAD per violation for businesses, and $1 million CAD for individuals.

This guide walks you through exactly what CASL requires, how to obtain valid consent, what every email must contain, and how to operationalise compliance without slowing down your marketing program.

TL;DR — The CASL Essentials

If you only remember five things, remember these:

  1. Get express or implied consent before sending any commercial electronic message (CEM).
  2. Clearly identify your business in every email — including a valid mailing address.
  3. Provide a clear, one-click unsubscribe in every send.
  4. Honour unsubscribe requests within 10 business days.
  5. Keep consent records for 3 years after the business relationship ends.

CASL is enforced by the CRTC. In widely cited cases, Porter Airlines was fined $150,000 and Compu-Finder received a $1.1 million penalty for sending emails without proper consent. Compliance is not optional.

Who CASL Applies To

CASL applies to any Commercial Electronic Message (CEM) sent to a recipient in Canada. The location of the sender doesn’t matter — the law follows the recipient.

CASL covers messages sent via:

  • Email
  • SMS and MMS
  • Instant messaging
  • Push notifications
  • Any other electronic channel used for commercial purposes

What counts as a CEM

A CEM is any electronic message that encourages participation in a commercial activity — marketing emails, sales outreach, newsletter promotions, event invitations, and affiliate offers all qualify.

What’s exempt from CASL

The following message types are exempt, but they must still meet CASL’s identification and unsubscribe requirements:

  • Transactional confirmations (receipts, shipping updates, order status)
  • Warranty information, product recalls, and safety notices
  • Factual information about an existing account, subscription, or membership
  • Responses to inquiries, complaints, or quote requests
  • Personal messages to family or friends

Important: directors, officers, and agents of a corporation can be held personally liable if they directed, authorised, or participated in a CASL violation.

Express vs. Implied Consent

CASL recognises two forms of consent. Knowing the difference is the foundation of compliance.

| | Express Consent | Implied Consent |
|---|---|---|
| How obtained | Active opt-in (form, checkbox, signature) | Existing relationship or published contact info |
| Expiry | Does not expire | 6–24 months depending on type |
| Risk level | Low | High — expires silently |
| Best for | All long-term marketing | Short-term follow-up only |

Express consent: the gold standard

To collect valid express consent, you need a sign-up flow that meets specific requirements. Email subscription forms with proper consent capture are the foundation — every consent shortcut is a future fine waiting to happen. The four requirements:

  • Get an active opt-in — an unchecked box the user must tick, or a “Subscribe” button they actively click.
  • Clearly identify who is requesting consent (your business name and contact details).
  • State the purpose — what kinds of emails the subscriber will receive and roughly how often.
  • Disclose how to unsubscribe at the point of opt-in.

Compliant opt-in example:

☐ Yes, I consent to receive commercial electronic messages from Acme Corporation (123 Main St, Toronto, ON; support@acme.ca) about products, promotions, and company updates. I can unsubscribe at any time using the link in any email.

Non-compliant patterns to avoid:

  • ☑ Pre-checked subscription boxes
  • “By creating an account, you agree to receive marketing emails”
  • Bundling email consent with terms of service acceptance

Sender’s sign-up forms support GDPR consent checkboxes out of the box, and the same mechanism works for CASL, since both laws require unchecked-by-default opt-ins.

Implied consent: the four scenarios

Implied consent is temporary and risky because it expires without notice. CASL recognises four scenarios:

  • Existing Business Relationship (EBR) — 24 months: A purchase, lease, written contract, or accepted quote.
  • Inquiry or application — 6 months: Someone asked about your product or applied for something.
  • Non-business relationship — 6 months: A business card exchanged in person, or direct contact at a conference or meeting (provided the email relates to their role and they didn’t say “don’t contact me”).
  • Conspicuous publication: The recipient publicly published their email (e.g. on a company website), the email is relevant to their role, and they haven’t stated “do not contact.” Use this rule narrowly — it’s the easiest to misapply.

The clock resets with each new qualifying interaction (e.g. a repeat purchase extends the 24-month window).

Email Content Requirements for Every CEM

Every commercial email you send must include three elements — and they must appear in the body of the email itself, not just in headers.

1. Sender identification. Clearly name the business sending the message, plus any business it’s being sent on behalf of.

2. Valid contact information. Include at least one of: mailing address, telephone number, email address, or website. The contact details must remain valid for at least 60 days after the message is sent.

3. A working unsubscribe mechanism. It must be:

  • Clearly and prominently displayed
  • Free to use
  • Completable in one page or fewer, without requiring login
  • Processed within 10 business days
  • Functional for at least 60 days after the email is sent

One-click unsubscribe is the safest standard.

Record-Keeping: The 3-Year Rule

CASL requires you to keep consent records for 3 years after the business relationship ends. Email list management without compliance gaps is half engineering, half discipline — both halves matter when a regulator audits you.

Use the 5W model to document every consent event:

  • Who consented — name, email, customer ID
  • When — exact date and time
  • How — web form, in-person event, phone call, double opt-in confirmation
  • What — the exact consent language shown to the subscriber, plus a screenshot if possible
  • Where — IP address, page URL, or event/location

For implied consent, also log the relationship type (purchase, inquiry, business card) and the trigger date so you can track expiry.

A modern email platform should capture most of this automatically, including consent timestamp, source, and IP. If yours doesn’t, switch.

Penalties and Enforcement

CASL is enforced by three bodies:

  • CRTC — the lead enforcement agency
  • Competition Bureau — handles deceptive marketing aspects
  • Office of the Privacy Commissioner — handles privacy violations

Administrative Monetary Penalties:

  • Up to $1 million CAD per violation for individuals
  • Up to $10 million CAD per violation for businesses
  • Personal liability for directors and officers who directed or authorised the violation

Real enforcement cases include:

  • Compu-Finder — fined $1.1 million for sending emails without proper consent and using non-functional unsubscribe links.
  • Porter Airlines — paid $150,000 for inadequate consent records and identification issues.
  • Kellogg Canada — paid $60,000 over CEMs sent without proof of consent.

The most common enforcement triggers are subscriber complaints, high spam complaint rates, non-functional unsubscribe links, and missing consent records.

Converting Implied Consent to Express Consent

Implied consent expires silently — and on the day it expires, every email you send becomes a violation. Build a re-consent program before that happens.

A practical re-consent timeline:

  • 90 days before expiry — first re-permission email asking subscribers to confirm they want to keep hearing from you.
  • 60 days before expiry — second touch, ideally with an incentive (exclusive content, discount, early access).
  • 30 days before expiry — final reminder, framed urgently and clearly.
  • At expiry — move non-responders to a suppression list. Stop sending.

Sample re-consent email structure:

Subject: Confirm you want to keep hearing from us

Hi [Name], we want to keep sending you the [content type] you signed up for. To stay subscribed under Canada’s anti-spam rules, please confirm below.

[Yes, keep me subscribed]

If you don’t confirm by [date], we’ll stop emailing you — no hard feelings.

A good re-consent campaign cleans your list, refreshes legal cover, and almost always lifts engagement metrics on the surviving subscribers.

CASL vs. CAN-SPAM vs. GDPR

If you market across borders, you’ll usually be subject to multiple email laws at once. CASL is the strictest of the three.

| | CASL (Canada) | CAN-SPAM (US) | GDPR (EU/UK) |
|---|---|---|---|
| Consent model | Opt-in (express or implied) | Opt-out | Opt-in (explicit) |
| B2B included | Yes | Yes | Yes |
| Max penalty | $10M CAD per violation | $50,120 USD per email | €20M or 4% of revenue |
| Unsubscribe window | 10 business days | 10 business days | “Without undue delay” |
| Record retention | 3 years | Not specified | While processing |

Rule of thumb: when laws conflict, follow the strictest. If you build your program around CASL and GDPR, you’ll satisfy CAN-SPAM by default.

CASL FAQ

Does CASL apply to B2B email? Yes. CASL applies to all commercial electronic messages, including B2B. Business cards and existing relationships create implied consent, but you still need a basis for every send.

Can I email someone who gave me their business card? Yes — for 6 months — provided the card was given during in-person contact, your email relates to their role, and they didn’t say “don’t email me.”

Are purchased email lists ever CASL-compliant? No. You can’t prove express consent and you can’t document an existing relationship. Purchased lists are a violation waiting to happen.

Can I send “one last email” after someone unsubscribes? Only a confirmation that they’ve been unsubscribed. Don’t use it to market, retain, or upsell.

Can I require login to unsubscribe? No. Unsubscribe must be possible in one page or fewer, without login, CAPTCHA, or extra info beyond the email address.

What about Contact Us form inquiries? An inquiry creates implied consent for 6 months to send relevant follow-ups. It does not give you permission to add the person to a marketing newsletter.

What if I send from outside Canada? CASL still applies. The law follows the recipient.

CASL Compliance Checklist

Before collecting emails:

  • [ ] Sign-up form clearly identifies your business
  • [ ] Contact details (mailing address, email) are visible
  • [ ] Purpose, content type, and frequency are stated
  • [ ] Opt-in checkbox is unchecked by default
  • [ ] Consent capture (timestamp, IP, source) is configured

For every email you send:

  • [ ] Valid express or implied consent exists and is unexpired
  • [ ] Sender is clearly named in the email body
  • [ ] Mailing address and contact information are included
  • [ ] Unsubscribe link is visible, one-click, and functional

Ongoing operations:

  • [ ] Consent records backed up with 3-year retention
  • [ ] Implied consent expiry dates are tracked
  • [ ] Unsubscribes processed within 10 business days
  • [ ] Re-consent campaigns scheduled before expiries
  • [ ] Quarterly audits of forms, templates, and suppression lists
  • [ ] Marketing and dev teams trained on CASL

Best Practices Beyond Compliance

CASL compliance and high-performing email programs are the same discipline. Both reward best practices for email marketing — sending fewer, better, more wanted messages.

  • Default to express consent. Don’t build a list on implied consent — it expires and you’ll lose subscribers you never had a real relationship with.
  • Use double opt-in. It proves consent, blocks fake signups, and protects sender reputation.
  • Be transparent up front. Tell subscribers what they’ll get, how often, and that they can leave anytime. Setting accurate expectations reduces unsubscribes and spam complaints.
  • Make leaving easy. A frictionless unsubscribe protects your sender reputation. Spam complaints damage deliverability far more than a clean unsubscribe ever will.
  • Segment by engagement. Stop emailing subscribers who haven’t opened in 6+ months. They hurt your metrics and increase compliance exposure.
  • Run a re-permission cycle every 12–24 months. Even with valid express consent, periodic confirmation keeps the list engaged and the records fresh.

How Sender Helps You Stay CASL-Compliant

Sender’s email and SMS platform is built so compliance happens by default, not as an afterthought:

  • Sign-up forms with built-in consent capture — unchecked-by-default opt-ins and customizable disclosure copy
  • Automatic consent tracking — timestamp, IP, source, and form version captured for every subscriber
  • Double opt-in available with one toggle
  • Pre-built footer compliance with sender name, address, and one-click unsubscribe
  • Suppression management that processes unsubscribes immediately and prevents accidental re-sends
  • Audit-ready exports so you can produce consent records on demand

The Bottom Line

CASL forces email marketers to do what good marketers should already be doing: build a list of people who genuinely want to hear from you, prove it, and respect their inbox. The cost of getting it wrong is real — multi-million-dollar fines, personal liability for executives, and lasting damage to sender reputation.

Get express consent wherever possible. Track it meticulously. Make unsubscribing effortless. Run your re-consent program before implied consent expires. Do those four things, and CASL compliance becomes the foundation of a higher-converting, more durable email program — not a tax on it.