Canada’s Anti-Spam Legislation, known universally as CASL, has been in force since 2014. More than a decade later, it remains one of the most stringent email marketing laws in the world, and one of the most misunderstood by Canadian businesses.
In the period between April and September 2025 alone, the CRTC’s Spam Reporting Centre received over 150,000 complaints from Canadians about unsolicited commercial messages. Enforcement activity has not slowed. The penalties for non-compliance, which can reach up to $10 million per violation for organisations, are not theoretical.
If you’re sending commercial emails in Canada, or to people in Canada, CASL applies to you. This guide explains what it requires, where businesses commonly go wrong, and how using a properly sourced opt-in list protects your business.
What CASL Covers
CASL applies to commercial electronic messages (CEMs) sent to or from Canada. A CEM is any electronic message, including email, text message, or social media direct message, that has as one of its purposes encouraging participation in a commercial activity.
You don’t need to be selling something directly in the message for CASL to apply. Promotional content, event invitations, newsletters that include product mentions, and even some business communications that encourage a recipient to take a commercial action can all qualify as CEMs.
The three core requirements for every CASL-compliant CEM are:
- Consent. You must have either express or implied consent from the recipient before sending.
- Identification. The message must clearly identify the sender, including contact information.
- Unsubscribe mechanism. Every message must include a clear, functional way for the recipient to opt out of future messages, and that opt-out must be honoured within 10 business days.
The first requirement, consent, is where most compliance failures happen.
Express Consent vs. Implied Consent
Understanding the difference between express and implied consent is the most important thing a Canadian marketer needs to know about CASL.
Express consent means the recipient has explicitly agreed to receive commercial messages from you. This could be through a sign-up form, a checkbox (which must not be pre-checked) at the time of purchase, or any other mechanism where the person actively indicates they want to receive your messages. Express consent doesn’t expire unless the person withdraws it.
Implied consent applies in specific, narrowly defined circumstances. The most common are:
- There is an existing business relationship. This includes situations where the recipient has purchased a product or service from you, or made an inquiry or application, within the past two years.
- There is an existing non-business relationship, such as a donation, volunteer membership, or club membership, within the past two years.
- The recipient’s contact information has been conspicuously published (such as on a company website) and the message is relevant to their business role. This applies to business email addresses, not personal ones.
Implied consent is time-limited. It expires when the qualifying relationship ends, or after two years in the case of a purchase or inquiry. Once it expires, you need express consent to continue sending.
The transition period from implied to express consent that existed when CASL was first introduced expired in 2017. There is no grandfathering. Every contact on your list who doesn’t have an active basis for consent, either express or current implied, is a compliance risk.
Where Canadian Businesses Commonly Go Wrong
Assuming a business card or trade show contact equals consent. Collecting someone’s business card at a conference or adding a LinkedIn connection to your contact list does not constitute consent under CASL. It might establish an implied business relationship that allows limited communication, but sending commercial emails to a trade show list without a clearer consent basis is a common and costly mistake.
Pre-checked opt-in boxes. A checkbox that is pre-selected and requires the user to actively uncheck it does not constitute valid express consent under CASL. The consent action must be affirmative.
Using a purchased list without understanding its provenance. This is a significant risk area. If you purchase a list of email addresses and use it for commercial email campaigns, you are responsible for ensuring you have a valid consent basis for every contact on that list. “I bought the list” is not a defence.
Failing to honour unsubscribe requests within 10 business days. CASL requires a functional unsubscribe mechanism in every message, and requires that opt-out requests be processed within 10 business days. Continuing to send to someone who has unsubscribed is a violation.
Misidentifying the sender. Every CASL-compliant message must clearly identify who is sending it. Messages sent on behalf of another organisation must identify both the sender and the organisation on whose behalf the message is sent.
What Opt-In Lists Mean for CASL Compliance
One of the safest starting points for a compliant email campaign is a list where the contacts have expressly opted in to receive commercial communications. This is what an opt-in email list means in practice.
An opt-in list consists of contacts who have, at some point, actively agreed to receive marketing messages from organisations in a particular category or channel. When you use an opt-in list, the consent basis for the contacts already exists. Your obligation is to ensure your own messages meet the identification and unsubscribe requirements, and to honour any future opt-out requests promptly.
This is a fundamentally different starting point from a generic business database, where the consent status of individual contacts is unknown, or from a scraped list, where there is no consent basis at all.
It’s worth noting that using an opt-in list doesn’t transfer full compliance responsibility to the list provider. You are still responsible for your messages meeting CASL’s identification and unsubscribe requirements. But starting with a properly sourced opt-in list removes the single biggest compliance risk in most email campaigns.
Our opt-in email lists are built from contacts who have consented to receive commercial messages. If you’re planning an email campaign and want to discuss what a compliant list looks like for your target audience, get in touch with us.
Managing Your Own List for CASL Compliance
If you’re building your own email list, whether through a website sign-up, in-store opt-in, or another mechanism, a few practices will keep you on the right side of CASL.
Document every consent. Keep a record of when, how, and from whom you obtained consent. In the event of a complaint or investigation, you need to be able to demonstrate that consent was properly obtained. This means storing records that include the date of consent, the mechanism (sign-up form, checkbox, verbal agreement), and what the person agreed to receive.
Use double opt-in for email lists. A double opt-in process, where a subscriber confirms their sign-up via a link sent to their email address, produces the clearest evidence of consent and the cleanest, most engaged lists.
Review implied consent relationships regularly. If your consent basis for a contact is an implied business relationship, track the date that relationship is based on (the last purchase or inquiry) and remove or re-engage contacts before the two-year window expires.
Make unsubscribing easy. A functional unsubscribe link in every email, leading to a simple opt-out confirmation, reduces friction and protects you legally. Complicated or broken unsubscribe processes are a common source of complaints.
The Cost of Getting It Wrong
CASL penalties are among the highest in the world for email marketing law. The CRTC has the authority to impose administrative monetary penalties of up to $1 million per violation for individuals and $10 million per violation for organisations.
Enforcement has targeted a range of organisations, from large corporations to small businesses, and the CRTC has shown willingness to pursue cases based on complaints from individual recipients. The 150,000+ complaints logged in just six months of 2025 indicate that Canadians are aware of their rights and willing to report non-compliant senders.
For most businesses, the combination of reputational risk, enforcement risk, and the practical deliverability consequences of high complaint rates makes CASL compliance worth taking seriously, not as a bureaucratic obligation, but as a genuine business interest.
Getting Help With a Compliant Campaign
If you’re planning an email campaign to Canadian recipients and want to discuss compliant list options, get in touch with us. We can discuss what opt-in lists are available for your target audience and geography, and help you think through the list requirements for a CASL-compliant campaign.
Note: This article provides general information about CASL requirements and should not be taken as legal advice. If you have specific compliance questions, consult a qualified legal professional.