CASL Compliance: The Complete Guide for Canadian Email Marketing (2026)

Published December 31, 2025

TL;DR - CASL Essentials

Canada's Anti-Spam Legislation is the world's strictest email law. If you email anyone in Canada:

  1. Get express or implied consent before sending
  2. Clearly identify your business in every email
  3. Provide an unsubscribe link
  4. Honor unsubscribes within 10 days
  5. Keep consent records for 3 years after the relationship ends

Penalties: Up to $10 million CAD for businesses. CASL applies even to B2B emails. Compliance is mandatory, not optional.

Why CASL Is the Strictest Email Law

Canada's Anti-Spam Legislation went into effect in July 2014 and immediately changed the game for email marketers.

Unlike CAN-SPAM (US), which is opt-out, CASL requires opt-in consent for virtually all commercial electronic messages. Canada handed out a $1.1 million penalty to a company that sent emails without proper consent.

“CASL doesn't care if you're a big corporation or a solo entrepreneur. The rules apply equally.”

CASL applies to:

  • Commercial Electronic Messages (CEMs) sent to Canadian recipients
  • Messages sent from Canada
  • Messages sent by Canadian businesses

Being located outside Canada doesn't exempt you. If your recipient is in Canada, CASL applies.

Understanding CASL

What CASL Covers

Commercial Electronic Message (CEM): Any electronic message that encourages participation in commercial activity.

This includes:

  • Marketing emails
  • Sales outreach
  • Newsletter promotions
  • Event invitations (commercial)
  • Affiliate marketing

This does NOT include:

  • Transactional emails (receipts, shipping confirmations)
  • Warranty information
  • Safety/security notifications
  • Messages to family/friends (personal)
  • Responses to inquiries (limited time)

The Two Types of Consent

CASL recognizes two forms of consent:

Express Consent:

  • Someone actively opts in
  • Clear, voluntary action (checking a box, signing up)
  • Doesn't expire (but you should refresh it periodically)
  • The gold standard: always try to get this

Implied Consent:

  • Based on an existing relationship
  • Expires after 6-24 months depending on type
  • Riskier: consent can expire without you realizing
  • Should be converted to express consent ASAP

Express Consent Requirements

To obtain valid express consent, you must:

1. Get Active Opt-In

The person must take a clear, affirmative action:

  • Checking an unchecked box
  • Clicking a "Subscribe" button
  • Verbally agreeing (if documented)
  • Filling out a form

Compliant:

  • ☐ Yes, I want to receive marketing emails from Acme Corp

Non-compliant:

  • ☑ Send me emails (pre-checked box)
  • "By creating an account, you'll receive emails"
  • Assumed consent from any other action

2. Clearly Identify Yourself

At the time of consent, you must clearly identify:

  • Who is seeking consent (your business name)
  • Contact information (email, phone, mailing address)
  • The person seeking consent on behalf of another (if applicable)

3. State the Purpose

You must clearly explain:

  • That they're consenting to receive commercial emails
  • What types of emails they'll receive
  • How often (approximately)

4. Provide Unsubscribe Information

Even at signup, explain how they can unsubscribe:

  • That they can withdraw consent anytime
  • How to do it (unsubscribe link, email, etc.)

Example of Compliant Express Consent:

☐ I consent to receive commercial electronic messages from Acme
  Corporation (123 Main St, Toronto, ON, support@acme.ca) about
  products, promotions, and company updates. I understand I can
  unsubscribe at any time by clicking the unsubscribe link in any
  email or emailing unsubscribe@acme.ca.

Implied Consent: Handle With Care

Implied consent is temporary and comes from existing relationships. It's risky because it expires.

Existing Business Relationship (EBR)

You have implied consent for 24 months after:

  • A purchase or lease
  • A written contract
  • An accepted quote or estimate

You have implied consent for 6 months after:

  • An inquiry about products/services
  • An application submitted

The clock starts from the last purchase/inquiry, so it can extend if there's ongoing activity.

Existing Non-Business Relationship

You have implied consent for 6 months after:

  • Receiving a business card (with permission to contact)
  • Direct personal contact (conference, meeting, etc.)

Conspicuous Publication

You have implied consent if:

  • The person conspicuously published their email (website, directory)
  • The email relates to their business/role
  • They haven't stated "do not contact"

This is narrow and risky. Don't abuse it.

Record-Keeping Requirements

CASL requires you to keep records proving consent for 3 years after the business relationship ends.

Document:

  • Who consented (name, email, identifier)
  • When they consented (date, time)
  • How they consented (web form, in person, phone, etc.)
  • What they consented to (exact language, form screenshot)
  • Where, if applicable (IP address, form location, event name)

For implied consent, also document:

  • The business relationship that created consent
  • When it was established
  • When it expires

Use email marketing platforms that automatically track and store this data.

Content Requirements for Every Email

Every CEM must include:

1. Sender Identification

Clearly identify:

  • Your business name
  • The person/business on whose behalf the message is sent (if different)

In the email itself, not just in headers.

2. Contact Information

Provide a valid way to contact you:

  • Mailing address
  • Telephone number
  • Email address
  • Web address

Must be valid for at least 60 days after sending.

3. Unsubscribe Mechanism

Every CEM must include a clear, easy way to unsubscribe that:

  • Is clearly and prominently stated
  • Can be performed without cost
  • Doesn't require login or navigation beyond one page
  • Processes immediately or within 10 business days

The unsubscribe mechanism must remain functional for at least 60 days after sending.

Penalties and Enforcement

CASL has significant penalties:

Administrative Monetary Penalties (AMPs):

  • Up to $1 million CAD per violation for individuals
  • Up to $10 million CAD per violation for businesses

Who Enforces CASL:

  • Canadian Radio-television and Telecommunications Commission (CRTC)
  • Competition Bureau
  • Office of the Privacy Commissioner

What Triggers Enforcement:

  • Consumer complaints
  • Spam reports
  • Systematic non-compliance
  • Deceptive practices

CASL also created a private right of action (individuals can sue), though this was suspended and hasn't been reinstated. Enforcement agencies, however, actively pursue violations.

Special Cases and Common Questions

Q: Does CASL apply to B2B emails?

Yes. CASL applies to all commercial electronic messages, including B2B.

You can use implied consent from business cards or existing relationships, but you still need consent. Work emails are not exempt.

Q: Can I email someone who gave me their business card?

Yes, for 6 months after receiving it. This creates implied consent if:

  • The card was given during in-person contact
  • Your email relates to their business/role
  • They didn't say "don't email me"

After 6 months, you need express consent to continue.

Q: What if someone fills out a "Contact Us" form?

You can respond to their inquiry (the response is not a CEM). But you can't add them to a marketing list without express consent.

The inquiry gives you implied consent for 6 months to send relevant commercial messages related to what they asked about.

Q: Can I send "one more email" after someone unsubscribes?

You can send a confirmation that they've been unsubscribed. Don't use it for:

  • Marketing
  • Convincing them to stay
  • Offering alternatives

Keep it simple: "You've been unsubscribed from our mailing list."

Q: What about purchased email lists?

No. You cannot use purchased email lists under CASL because:

  • You don't have express consent from the recipients
  • You can't prove any existing relationship
  • You can't document how consent was obtained

Purchased lists are a CASL violation waiting to happen.

Q: How do I handle unsubscribes?

Process them immediately. You have up to 10 business days, but do it faster if possible.

You must:

  • Stop sending CEMs to that address
  • Not transfer the address to other lists
  • Keep a record of the unsubscribe (suppression list)

Q: Can I require login to unsubscribe?

No. Unsubscribing must not require:

  • Login
  • Visiting more than a single page
  • Providing additional information (except the email address)
  • Solving CAPTCHAs
  • Calling or emailing separately

One-click unsubscribe is best practice.

Q: What if I send from outside Canada?

Doesn't matter. If your recipient is in Canada, CASL applies to you.

Location of sender is irrelevant. The law follows the recipient.

Converting Implied to Express Consent

Implied consent expires. To convert it to express consent:

1. Add an opt-in opportunity in every email:

Want to keep receiving emails after [expiry date]?
☐ Yes, I consent to continue receiving marketing emails from Acme Corp
[Learn more about our email practices]

2. Send a re-consent campaign before expiry:

Send an email explaining:

  • Their implied consent is expiring
  • You want to keep in touch
  • Please confirm they want to continue receiving emails
  • Make it one-click easy to confirm

3. Offer value for confirming:

Don't just ask for consent. Give them a reason:

  • Exclusive content
  • Special discounts
  • Early access
  • Helpful resources

CASL vs. Other Email Laws

If you're marketing globally, you may need to comply with multiple laws:

CAN-SPAM (United States):

  • No consent required (opt-out)
  • Less strict overall
  • Lower penalties

GDPR (European Union):

  • Requires explicit consent
  • Similar strictness to CASL
  • Different data protection focus

When laws conflict, follow the strictest requirement. If you have recipients in Canada, the US, and EU, you need to comply with CASL, GDPR, and CAN-SPAM.

The Email Compliance Checklist (CASL)

Before Collecting Emails:

  • ✅ Signup form clearly identifies your business
  • ✅ Contact information is provided
  • ✅ Purpose and types of emails are explained
  • ✅ Unsubscribe process is described
  • ✅ Opt-in box is unchecked by default
  • ✅ Consent tracking is configured

For Every Email:

  • ✅ You have valid express or implied consent (not expired)
  • ✅ Sender is clearly identified
  • ✅ Contact information is included
  • ✅ Unsubscribe link is clear and functional

Ongoing:

  • ✅ Consent records are backed up (3-year retention)
  • ✅ Expiry dates are tracked for implied consent
  • ✅ Unsubscribes are processed within 10 days
  • ✅ Re-consent campaigns are planned
  • ✅ Team is trained on CASL requirements

Best Practices Beyond Compliance

1. Always Get Express Consent

Don't rely on implied consent. It expires and creates compliance risk. Always try to obtain express consent through clear opt-in.

2. Double Opt-In

Use confirmed opt-in, where subscribers:

  1. Submit their email
  2. Click a confirmation link

This proves consent and reduces fake signups.

3. Be Transparent

Tell people:

  • Exactly what they'll receive
  • Approximately how often
  • That you won't sell their data
  • How to unsubscribe

Transparency builds trust and reduces unsubscribes.

4. Make Unsubscribing Easy

The easier you make it to leave, the less likely people are to report you as spam. Spam complaints hurt your sender reputation more than unsubscribes.

5. Segment and Personalize

Send relevant emails based on:

  • Purchase history
  • Stated interests
  • Engagement level

Irrelevant emails drive unsubscribes.

6. Re-Consent Regularly

Even with express consent (which doesn't expire), periodically ask subscribers to reconfirm. This:

  • Cleans your list
  • Refreshes consent records
  • Improves engagement

Do this every 1-2 years.

7. Monitor Compliance

Quarterly, audit:

  • Signup forms
  • Email templates
  • Consent records
  • Expiry tracking
  • Unsubscribe processes

Catch problems before they become violations.

The Bottom Line on CASL

CASL compliance requires discipline:

  • Get express consent whenever possible
  • Track consent meticulously
  • Monitor implied consent expiry
  • Make unsubscribing easy
  • Keep detailed records

Companies that see CASL as a burden miss the opportunity. Subscribers who actively consent to your emails are more engaged, convert better, and help you build a sustainable business.

CASL forces you to build a quality list. That's good for your business and respectful of your audience.

