All articles Email Compliance

CASL Compliance: What Every Email Sender Needs to Know About Canada's Anti-Spam Law

SSam wallness07 Jul 2026
CASL Compliance: What Every Email Sender Needs to Know About Canada's Anti-Spam Law

Canada's Anti-Spam Legislation — universally known as CASL — has been in force since 2014 and remains one of the strictest email marketing laws in the world. If you send commercial email to recipients in Canada, CASL applies to you regardless of where your business is based. Violations carry serious consequences: fines up to CAD $1 million per violation for individuals and up to CAD $10 million per violation for organizations.

This guide covers what CASL compliance requires, how it differs from CAN-SPAM and GDPR, and what you need to do to operate within the law.

Who CASL Covers

CASL applies to any "commercial electronic message" sent to or from a computer system in Canada. A commercial electronic message is broadly defined — it covers any message with a commercial purpose, including promotional emails, newsletters, transactional messages with upsells, and many B2B communications. If you're sending marketing email and any of your recipients are in Canada, assume CASL applies.

The "in Canada" test applies to where the recipient accesses the message, not necessarily where they reside. If a recipient opens your email while in Canada, CASL can apply to that send.

The Consent Requirement: CASL's Core Rule

The most important thing to understand about CASL compliance is that it requires prior consent before you send. This is fundamentally different from CAN-SPAM, which requires only that you provide an opt-out and honor it promptly. Under CAN-SPAM, you can email anyone and let them unsubscribe. Under CASL, you generally cannot email someone without consent first.

CASL recognizes two types of consent:

Express Consent

Express consent is explicit, affirmative agreement from the recipient to receive commercial messages. A pre-ticked checkbox doesn't qualify. Neither does a privacy policy that mentions you "may send marketing emails." Express consent requires the person to take a deliberate action — checking an unchecked box, clicking a clearly labeled subscribe button — specifically to receive your messages.

Express consent has no expiry date under CASL, but it can be withdrawn at any time and must be honored promptly.

Implied Consent

Implied consent exists where there's an existing business relationship — someone purchased from you within the last 24 months, made an inquiry within the last 6 months, or is in an ongoing business relationship that implies they'd expect your communications. Implied consent is time-limited and expires when the underlying relationship ends or the time period lapses.

An important nuance: implied consent from a prior purchase expires 24 months after the purchase date, not from when the person last opened your email.

Unsubscribe Requirements Under CASL

Every commercial message must include a working unsubscribe mechanism that:

  • Is clearly and prominently displayed in every message
  • Allows recipients to unsubscribe at no cost
  • Functions for at least 60 days after the message is sent
  • Is honored within 10 business days of the request

These requirements are stricter than CAN-SPAM's 10-day honor window. Your email platform or SMTP relay should support fast suppression list updates to ensure removed addresses aren't mailed again. For a detailed look at building a compliant unsubscribe process, see our guide to managing unsubscribe requests.

Required Sender Identification

Every commercial message must clearly identify:

  • The sender — your legal name or business name
  • If sending on behalf of another party, both parties must be identified
  • Valid contact information including a mailing address or PO Box

Hidden, misleading, or missing sender information is a violation of CASL regardless of whether the recipient consented to receive messages.

How CASL Compares to GDPR

CASL and GDPR share a consent-first philosophy, but they're not identical. GDPR is broader — it covers all personal data processing, not just email. GDPR also provides multiple lawful bases for processing personal data, of which consent is only one. CASL is specifically about electronic messages and is primarily consent-driven throughout.

If you're already operating under GDPR requirements, your consent practices are likely close to CASL compliance for most scenarios. The specific areas to review are the 10-day unsubscribe window, the 60-day link validity requirement, and the documentation of implied consent periods.

Record Keeping: The Part Many Senders Miss

CASL requires you to be able to prove consent if challenged by the CRTC (Canada's Radio-television and Telecommunications Commission, which enforces CASL). That means keeping records of:

  • When and how consent was obtained
  • What the subscriber was told at the time of consent
  • The specific form or subscription flow they used

"We had their email address" is not a defense. A timestamped form submission showing the subscriber checked the consent box on a specific date is. This record-keeping requirement is one of the most commonly overlooked aspects of CASL compliance, especially for businesses that have been building lists for years.

Practical Steps for CASL Compliance

  1. Audit your list segmentation. Identify which subscribers are in Canada and confirm you have appropriate consent records for them.
  2. Review your subscription forms. Consent checkboxes must be unchecked by default, and the language should be specific about what subscribers are agreeing to receive.
  3. Set expiry reminders for implied consent. If you rely on purchase-based implied consent, flag those contacts at 22 months post-purchase to run a re-permission campaign before consent lapses.
  4. Verify your unsubscribe flow end to end. Confirm suppression takes effect within 10 business days and unsubscribe links remain active for 60 days after each send.
  5. Update sender identification. Every message should display your legal name or business name and valid contact information.

CASL compliance isn't just about avoiding enforcement action — it also signals to Canadian recipients that you respect their inbox, which directly supports engagement and deliverability. If you need help setting up the right sending infrastructure for compliant email campaigns, get in touch with our team.

Related articles