Canada's Anti-Spam Legislation - universally known as CASL - came into force on July 1, 2014. It is one of the strictest anti-spam laws in the world, and it applies to any commercial electronic message sent to or from a Canadian computer, regardless of where the sender is located.
More than a decade later, a surprising number of Canadian businesses are still not fully compliant. Some do not know the rules. Some assume it only applies to large companies. Some figure they are too small to attract attention. The law does not make exceptions for size, and the penalties - up to $1 million per violation for individuals and $10 million for businesses - are serious enough to warrant understanding it properly.
What CASL Covers
CASL regulates commercial electronic messages (CEMs) - any electronic message that encourages participation in a commercial activity. This includes:
- Email newsletters and promotional campaigns
- Text message marketing
- Social media messages sent to individuals (not public posts)
- Some automated messages sent by software
It covers messages sent to Canadians, regardless of where you are sending from. A US-based company sending promotional emails to Canadian subscribers must comply with CASL.
CASL does not cover purely transactional messages - a receipt for a purchase, a shipping notification, a password reset email. If the message has no commercial purpose, CASL does not apply.
Express vs Implied Consent
This is the core of CASL, and where most compliance problems originate.
Express consent is a clear, explicit opt-in. The person actively indicated they wanted to receive your commercial messages. Examples:
- Checking a box on a web form that says "Subscribe to our newsletter" (the checkbox must be unchecked by default - pre-checked boxes do not constitute express consent)
- Verbally asking to receive your emails and you recording that request with a timestamp
- Signing a physical form with a clearly worded consent statement
Express consent does not expire as long as the person has not unsubscribed.
Implied consent applies in specific, time-limited circumstances:
- A person made a purchase from you within the past two years - you can send commercial messages related to the purchased product or service
- A person made an inquiry to your business within the past six months
- The person has prominently published their contact information (on a business website, for example) and has not indicated they do not want commercial messages, and your message is relevant to their professional capacity
Implied consent is a ticking clock. When the two-year or six-month window closes, you cannot send commercial messages to that person without express consent.
Required Elements of a Compliant Email
Every commercial electronic message you send must contain four things:
1. Sender identification. The message must clearly identify who is sending it - your business name and any other name on whose behalf you are sending.
2. Contact information. A current mailing address and either a phone number, email address, or web address where the recipient can contact you. A PO Box is acceptable. This information must remain valid for at least 60 days after sending.
3. An unsubscribe mechanism. Every message must include a way for the recipient to unsubscribe from future messages - a clearly visible link, a reply address, or similar. The unsubscribe request must be honored within 10 business days.
4. The mechanism must be free. You cannot charge a fee or require the person to log in to unsubscribe. The process must be simple.
The Penalties Are Real
The CRTC (Canadian Radio-television and Telecommunications Commission) enforces CASL and has issued significant fines. Compu-Finder, a Quebec training company, was fined $1.1 million. Porter Airlines faced a $150,000 fine. Rogers Media paid $200,000. These were not massive corporations - these were penalties issued to demonstrate that CASL enforcement is genuine.
CASL also includes a private right of action - individuals who receive non-compliant messages can sue. This provision was suspended pending a parliamentary review and has not yet been brought into force, but it remains on the books.
Making Your Existing List Compliant
If you have been building an email list without formal CASL compliance, here is how to assess where you stand.
Audit your list. For each subscriber, can you identify the basis for consent? If someone purchased from you within the last two years, you likely have implied consent. If someone opted in through a web form, do you have a record of when and what they agreed to?
Identify the gaps. Anyone you cannot document consent for is a risk.
Run a re-permission campaign. Send a clear email to your undocumented contacts explaining that you want to keep in touch, and asking them to click a link to confirm they want to continue receiving emails. Keep a record of who responds. Remove those who do not - the silence is effectively a non-consent.
Fix your opt-in forms going forward. Your newsletter signup form needs unchecked checkboxes, a clear description of what the person is subscribing to, and logging that captures the timestamp and form version at the point of signup. Most reputable email marketing platforms (Mailchimp, Klaviyo, ActiveCampaign, Constant Contact) handle this logging automatically for new subscribers.
CASL compliance is not a one-time project. It is an ongoing practice: maintain consent records, honor unsubscribes promptly, keep your contact information current in every message, and audit your list periodically. The administrative overhead is modest, and the alternative is a potential enforcement action that nobody wants to deal with.
