All articles Email Compliance

CASL Compliance: What Canada's Anti-Spam Law Means for Email Senders

SSam wallness07 Jul 2026
CASL Compliance: What Canada's Anti-Spam Law Means for Email Senders

Canada's Anti-Spam Legislation — universally abbreviated as CASL — has been in force since 2014 and remains one of the strictest commercial email laws anywhere in the world. If you send email to recipients in Canada, it applies to you regardless of where your business is headquartered. Many senders who are careful about CAN-SPAM and GDPR underestimate CASL. That's a mistake: the consent standard is meaningfully higher, enforcement has real teeth, and the fines are substantial.

What CASL Covers

CASL applies to commercial electronic messages — any electronic message that encourages participation in a commercial activity. In practice, this means email, text messages, and some social media messages. The definition is intentionally broad.

A message doesn't need to be overtly promotional to qualify as a CEM. If it contains a commercial element — a link to your website, a mention of your products or services, even a standard email signature with your company name — it's likely a CEM. Transactional emails like order confirmations and password resets have some exemptions, but the safest approach is to assume CASL applies unless your legal counsel says otherwise for a specific message type.

The Central Requirement: Consent Before You Send

The fundamental principle of CASL is that you need consent before sending a commercial electronic message to a Canadian recipient. This is an opt-in regime, not opt-out — and it's the most important distinction between CASL and CAN-SPAM.

CASL recognizes two forms of consent:

Express Consent

The gold standard. The recipient actively agreed to receive commercial messages from you — via a clearly labeled checkbox (never pre-ticked), a written signature, or another unambiguous affirmative action. The burden of proof is entirely on the sender, which means you need to log:

  • When consent was obtained
  • What the person consented to receive (be specific — "marketing emails about our products" is better than "communications")
  • The mechanism through which consent was collected

Express consent doesn't expire unless the recipient withdraws it. This makes it more durable than implied consent but also means your consent records need to be maintained carefully and indefinitely for active subscribers.

Implied Consent

Implied consent is available in narrower situations than most senders assume:

  • An existing business relationship — the recipient purchased from you, signed a contract with you, or submitted an inquiry within the last 2 years
  • The recipient publicly listed their email address in a context where receiving commercial messages would be expected, and your message is directly relevant to that context
  • The recipient gave you their address directly in a context that implied they were open to commercial messages

The 2-year window is critical. For most business relationships, implied consent lapses two years from the last relevant transaction or inquiry. After that, you need either a new transaction or express consent to continue sending legally.

How CASL Differs From CAN-SPAM

If you're accustomed to operating under US CAN-SPAM rules, CASL requires a fundamental shift in thinking:

  • CAN-SPAM: Opt-out regime. You can email anyone as long as you provide an unsubscribe mechanism and honor opt-outs promptly. No prior consent required.
  • CASL: Opt-in regime. Consent must exist before the first message is sent. Sending without consent is a violation regardless of how easy you make it to unsubscribe afterward.

This is not a subtle difference. CAN-SPAM permits cold email to any address; CASL prohibits it unless implied consent exists (e.g., the recipient listed their address publicly in a relevant business context).

What Every CASL-Compliant Email Must Contain

Beyond consent, each commercial electronic message sent to Canadians must include:

  • Clear sender identification: Your name and, if you're sending on behalf of someone else, their name as well
  • Contact information: At minimum a mailing address that remains valid for 60 days after the message is sent; a phone number, email address, or web address is also acceptable
  • A working unsubscribe mechanism: Easy to use, functional for at least 60 days, and must process opt-out requests within 10 business days

The unsubscribe requirement is firm. You cannot charge a fee to unsubscribe. You cannot require the recipient to create an account, log in, or complete a form that involves more than a single action. No re-confirmation prompts. No "are you sure?" friction. Just a functional link and prompt processing.

Penalties Under CASL

CASL's enforcement is administered by the Canadian Radio-television and Telecommunications Commission (CRTC). Administrative monetary penalties can reach up to $1 million CAD per violation for individuals and $10 million CAD per violation for businesses. The CRTC has issued significant penalties to both Canadian and international senders, and the extraterritorial reach of the law has been tested and upheld.

CASL also includes a private right of action, allowing individual recipients to sue for statutory damages — a provision that almost no other anti-spam law includes. This provision has been subject to legal challenges but remains on the books and creates additional legal exposure for non-compliant senders.

Practical Steps to Build CASL Compliance

  1. Audit your list for Canadian recipients. Identify contacts with Canadian addresses or that your business has marketed to in Canada. Segment them and verify consent status for each.
  2. Document your consent records. For every Canadian subscriber, maintain a record of when and how consent was obtained. This is your primary defense in any enforcement action.
  3. Fix your opt-in forms. No pre-ticked boxes. A clear description of what the subscriber is signing up for. Consider double opt-in — it's not legally required under CASL, but it generates cleaner consent records and reduces the risk of disputed consent claims.
  4. Track your implied consent windows. Configure your CRM or email platform to flag contacts when their 2-year implied consent window is approaching expiry. Have a plan for re-engaging them before it lapses.
  5. Automate unsubscribe processing. CASL's 10-business-day window is strict. Manual processing is too slow and error-prone at any meaningful list size. Ensure your sending platform handles unsubscribes automatically and updates your suppression list immediately.

CASL compliance is achievable without significant overhead — it mainly requires disciplined list management and solid documentation. If your email infrastructure already handles suppression lists and tracks subscriber source data, most of the compliance mechanics are already in place. Learn more about MailDog's email sending infrastructure at maildog.io/smtp, or explore pricing options that scale with your list.

Related articles