• va@theseo.ca
  • 16 May 2026

If you send commercial emails to Canadian recipients — whether you’re a local consultancy in Calgary, a national e-commerce brand, or a US-based company with customers in Ontario — Canada’s Anti-Spam Legislation applies to you. It has applied since 2014, its enforcement continues to intensify, and the fines are large enough to permanently alter the trajectory of a small business. Understanding CASL is not optional for anyone doing digital marketing in Canada.

This guide is not a legal opinion, and for anything involving your specific situation you should consult a qualified privacy lawyer. It is a clear, practical summary of what CASL requires, where most marketers get it wrong, and how to run a fully compliant email marketing program that also performs well.


What CASL Is — And Why It’s Different From Other Email Laws

The United States’ CAN-SPAM Act is an opt-out law, meaning you can email anyone until they tell you to stop. Canada took the opposite approach. CASL is an opt-in law, meaning you need permission before you send. This is a foundational difference that catches many American and international businesses off guard when they expand into the Canadian market.

CASL applies to any Commercial Electronic Message — defined broadly as any electronic message that encourages participation in commercial activity. That includes promotional emails, newsletters with product links, webinar invitations where you’ll pitch your service, and outbound B2B sales emails. It applies to messages sent to Canadian recipients regardless of where the sender is located. A company headquartered in Phoenix sending a promotional email to a subscriber in Victoria, BC is subject to CASL.

The penalties are structured to get attention: up to $1 million CAD per violation for individuals, and up to $10 million CAD per violation for businesses. In 2016, Porter Airlines was fined $150,000 by the CRTC for sending commercial emails without appropriate consent records. In practice, penalties of this magnitude are typically reserved for systematic, large-scale violations — but the legislation is clear that even a single non-compliant message can technically result in an enforcement action.


The Two Types of Consent

CASL recognizes two forms of consent: express and implied. Understanding the distinction — and which you actually have for each person on your list — is the most important operational skill in CASL compliance.

Express consent is the gold standard. Someone has taken a clear, affirmative action to receive your commercial messages: they checked an unchecked checkbox on your signup form, clicked a “Subscribe” button, or verbally agreed and you documented it. Express consent does not expire. Once someone has given it, you can continue sending them commercial messages until they unsubscribe, provided each message includes your business identification and an easy unsubscribe mechanism.

The critical requirement for obtaining valid express consent is that the opt-in must be active — not pre-checked. A form that says “By creating an account, you agree to receive marketing emails” does not constitute valid CASL consent. Neither does a pre-ticked box. The user must do something positive to indicate they want your messages.

Implied consent is temporary and arises from an existing relationship. There are several scenarios where implied consent exists without an explicit opt-in. If someone purchased from your business, accepted a quote or estimate, or signed a contract with you, you have implied consent for 24 months from the last transaction date. If someone made an inquiry or submitted an application to your business, you have implied consent for 6 months from the date of that inquiry. If someone gave you their business card at a networking event in a context where it was reasonable to assume you might contact them about business matters, you have implied consent for 6 months.

The critical word here is “temporary.” Implied consent has a hard expiry date, and once it expires, you can no longer send commercial messages to that contact without obtaining express consent. Many businesses discover their CASL liability not when setting up their list, but when they continue mailing contacts whose implied consent window closed months or years ago.


Record-Keeping: The Requirement Most Businesses Overlook

CASL requires you to keep proof of consent for three years after the business relationship ends. This is not a suggestion — it is a legal requirement, and it is the first thing regulators ask for when investigating a complaint.

Your consent records should document who consented (name and email address), when they consented (date and time), how they consented (the specific form or action they took, including a screenshot or stored record of the form at that time), and what they consented to (the exact language that was presented to them). For implied consent, you need additional documentation: the nature of the relationship that created consent, when it began, and when it is scheduled to expire.

In practice, the easiest way to maintain compliant records is to use an email marketing platform — Mailchimp, Klaviyo, ActiveCampaign, or similar — that automatically timestamps and logs consent at the point of signup. These platforms store the IP address, form version, timestamp, and email address for every subscriber. If you ever face an enforcement inquiry, this data is your evidence.

Consent records stored only in spreadsheets, without timestamps and form versions, are generally insufficient to demonstrate compliance.


What Every CASL-Compliant Email Must Include

Beyond the consent question, every commercial electronic message you send must include three things: clear identification of your business (your legal business name, not just a display name), valid contact information (at minimum your mailing address, which must remain valid for at least 60 days after sending), and a functional unsubscribe mechanism that allows recipients to opt out without needing to log in, navigate more than one page, or provide any information beyond their email address.

Once someone unsubscribes, you must honour that request within 10 business days. You cannot send them any further commercial messages, you cannot transfer their address to another list, and you must maintain a suppression list to ensure they don’t accidentally re-enter a future campaign.

The unsubscribe confirmation you send after someone opts out (the “you’ve been removed from our list” email) is itself a commercial electronic message only if it includes marketing content. Keep it simple and transactional: confirm the unsubscribe, provide your contact information, and nothing else.


Where Most Canadian Email Programs Go Wrong

The most common CASL violations that Canadian businesses unknowingly commit fall into a few categories.

Purchased or scraped email lists are perhaps the single most dangerous CASL liability a business can carry. A bought list comes with zero consent documentation, which means every email sent to it is a potential violation. The fact that the vendor told you the list was “CASL compliant” is not a defence — consent belongs to the relationship between you and the recipient, not to a data broker.

Neglecting implied consent expiry is the second most common problem. Businesses that built their email list five or more years ago often have a substantial segment of contacts whose implied consent windows closed long before any express consent was obtained. A proper list audit should identify these contacts and either launch a re-consent campaign or suppress them.

Using pre-checked opt-in boxes — particularly on checkout forms or account registration pages — remains widespread in Canadian e-commerce and is not compliant with CASL’s active opt-in requirement.

And finally, inadequate unsubscribe mechanisms — including links that require login, pages that time out, or processes that take longer than the mandated 10 business days — remain common despite being straightforward to fix.


Building Compliance Into Your Marketing Operations

The most sustainable approach to CASL compliance is not thinking about it at the end of a campaign, but building it into the infrastructure of your marketing program from the beginning.

When you design signup forms, the language should explicitly state what the subscriber is consenting to receive, how often, and from which business. Your CRM or email platform should be configured to timestamp and store consent at the point of capture. Your implied consent contacts should have expiry dates flagged, with automated re-consent campaigns scheduled to deploy before the window closes. And your email templates should be reviewed quarterly to confirm they contain all required identification and unsubscribe elements.

Businesses that approach CASL this way don’t experience it as a compliance burden — they experience it as a forcing function for better list hygiene and more engaged subscribers. An email list built on genuine, documented consent performs better in every measurable way: higher open rates, lower spam complaint rates, better deliverability, and stronger conversion numbers. The fines are a reason to comply, but the performance benefits are a reason to want to.


*THESEO.ca works with Canadian businesses to build consent-first digital marketing programs that are both fully compliant and highly effective. Contact us to review your current email and marketing practices.*
