Quick Answer

CASL requires consent before sending commercial electronic messages (email, SMS) to Canadian recipients. Two consent types: express consent (explicit opt-in, never expires if active) and implied consent (existing business relationship — expires 2 years after last purchase or 6 months after inquiry). Every commercial message must include: sender identification, physical address, and a functional unsubscribe mechanism. Penalties: up to $10 million CAD per violation. CASL is stricter than CAN-SPAM but has more exemptions than GDPR.

CASL: Canadian Anti-Spam Law Complete Guide

By Braedon · Mailflow Authority · Email Deliverability · Updated 2026-03-31

CASL Requirements

1. Consent (Before Sending)

Unlike CAN-SPAM, CASL requires consent BEFORE sending. Two types:

Express Consent:

  • Recipient explicitly agreed to receive commercial messages
  • Must be clear what they're consenting to (type and frequency of messages)
  • No pre-checked boxes
  • Document: date, method, and what was consented to
  • Never expires (as long as relationship is active and they don't unsubscribe)

Implied Consent (Time-Limited):

  • Existing business relationship: You can email someone who purchased from you or has an existing contract. Expires 2 years after last transaction.
  • Existing inquiry: Someone who asked about your products/services. Expires 6 months after inquiry.
  • Conspicuously published address: Business email addresses published for business purposes (with conditions — the message must be relevant to their role).

When implied consent expires, you must stop sending unless you've obtained express consent.

2. Sender Identification

Every commercial message must clearly identify:

  • Who is sending the message (your organization name)
  • Contact information (physical address, phone, email, or website)
  • If sent on behalf of another organization, identify both

3. Unsubscribe Mechanism

Every commercial message must include:

  • A functional unsubscribe mechanism
  • Must work for at least 60 days after sending
  • Must be processed within 10 business days
  • Cannot require more than one simple action
  • Cannot require the recipient to provide personal information beyond email address

4. Computer Program Consent

CASL also covers software installation (not just email). If your email asks recipients to install software, additional consent requirements apply.

Practical Implementation

For Email Marketing

  1. Use double opt-in (strongest proof of express consent)
  2. Document consent: timestamp, source, what was consented to
  3. Track implied consent expiry:
    • Tag contacts with "last purchase date" and "inquiry date"
    • Set automated reminders at 18 months (before 2-year expiry)
    • Send re-consent campaign before implied consent expires
  4. Include in every email: sender name, physical address, unsubscribe link
  5. Process unsubscribes within 10 business days (2 days recommended)
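
The expiry tracking in step 3 can run as a check before every send. The sketch below is an added example, not code from this guide or from any email platform; the contact field names (`express_consent_at`, `last_purchase`, `inquiry_date`, `unsubscribed`) are hypothetical, and it models only the purchase and inquiry windows stated above, with the 18-month reminder as a parameter.

```python
import calendar
from datetime import date

def add_months(d, months):
    """Calendar-aware month addition; clamps the day (Feb 29 + 24 months -> Feb 28)."""
    y, m = divmod(d.year * 12 + d.month - 1 + months, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def consent_status(contact, today, remind_months=18):
    """Return (state, basis, expiry); state is ok, reconsent_due, expired or blocked."""
    if contact.get("unsubscribed"):
        return ("blocked", "unsubscribed", None)
    if contact.get("express_consent_at"):
        return ("ok", "express", None)  # express consent has no time limit
    windows = []  # (expiry, basis, reminder date) for each implied basis on record
    if contact.get("last_purchase"):
        p = contact["last_purchase"]
        windows.append((add_months(p, 24), "purchase", add_months(p, remind_months)))
    if contact.get("inquiry_date"):
        windows.append((add_months(contact["inquiry_date"], 6), "inquiry", None))
    if not windows:
        return ("blocked", "no_consent_record", None)
    expiry, basis, remind_at = max(windows, key=lambda w: w[0])  # latest expiry wins
    if today > expiry:
        return ("expired", basis, expiry)
    if remind_at and today >= remind_at:
        return ("reconsent_due", basis, expiry)
    return ("ok", basis, expiry)

# Constructed sample records (hypothetical field names, example.com addresses).
CONTACTS = [
    {"email": "a@example.com", "express_consent_at": date(2020, 1, 1)},
    {"email": "b@example.com", "last_purchase": date(2024, 3, 31)},
    {"email": "c@example.com", "last_purchase": date(2024, 3, 30)},
    {"email": "d@example.com", "inquiry_date": date(2025, 10, 15)},
    {"email": "e@example.com", "express_consent_at": date(2021, 5, 1), "unsubscribed": True},
    {"email": "f@example.com"},
]

def segment(contacts, today):
    """Map each address to its consent state so the send job can filter on it."""
    return {c["email"]: consent_status(c, today)[0] for c in contacts}

if __name__ == "__main__":
    for email, state in segment(CONTACTS, date(2026, 3, 31)).items():
        print(email, state)
```

Only contacts in the `ok` and `reconsent_due` states are safe to mail; `reconsent_due` contacts are the audience for the re-consent campaign.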

For Cold Email (B2B)

CASL has narrow exemptions for B2B:

  • The email address is "conspicuously published" (on a website, business card)
  • The message is relevant to the person's business role
  • There's no statement that the person doesn't want unsolicited messages

In practice: This exemption is narrow and risky. Many Canadian privacy lawyers advise against relying on it for cold email campaigns. If your cold email targets Canadian contacts at scale, obtain express consent first.

For International Senders

If you send to both US and Canadian recipients:

  • Use CASL-compliant practices for all contacts (it's stricter than CAN-SPAM)
  • Or segment by geography: CAN-SPAM for US, CASL for Canada
  • The simpler approach: CASL-compliant for everyone

CASL vs CAN-SPAM vs GDPR

| Requirement | CASL (Canada) | CAN-SPAM (US) | GDPR (EU) |
|---|---|---|---|
| Consent type | Opt-in (express or implied) | Opt-out | Opt-in (explicit) |
| Pre-checked boxes | Not valid | N/A | Not valid |
| Implied consent | Yes (time-limited) | N/A | Limited (legitimate interest) |
| Unsubscribe | Required (10 days) | Required (10 days) | Required (immediate) |
| Physical address | Required | Required | Recommended |
| Penalty | $10M CAD | $51,744 USD per email | 4% global revenue |

Practitioner note: The implied consent expiration catches most businesses off guard. A customer who purchased 2 years and 1 day ago? You no longer have implied consent. Set up automation to re-consent contacts before the 2-year window closes. A simple "Do you still want to hear from us?" email at 20 months saves you from accidentally sending without consent.

Practitioner note: For US-based businesses with Canadian customers: the safest approach is double opt-in for everyone. It satisfies CASL's express consent requirement, GDPR if you also have EU contacts, and provides the cleanest deliverability baseline. The conversion hit from double opt-in is worth the compliance peace of mind.

If you need email compliance reviewed for Canadian sending, schedule a consultation.

v1.0 · March 2026

Frequently Asked Questions

Does CASL apply to me if I'm not in Canada?

Yes, if you send commercial email to recipients in Canada or your messages are accessed from Canada. Like GDPR, CASL applies based on the recipient's location. US companies emailing Canadian contacts must comply.

What's the difference between express and implied consent?

Express consent: the recipient explicitly opted in (clicked a checkbox, submitted a form saying 'send me emails'). Never expires if the relationship is active. Implied consent: exists due to a business relationship (purchased in last 2 years) or inquiry (contacted you in last 6 months). Expires at the time limits.

Can I cold email Canadian businesses?

Very limited. CASL has a narrow exemption for 'conspicuously published' business email addresses where the message is relevant to their role. In practice, this is risky. Cold email to Canadian recipients should have a documented basis for implied or express consent. When in doubt, don't cold email into Canada without consent.

What's the penalty for violating CASL?

Up to $10 million CAD per violation for organizations, $1 million CAD for individuals. The CRTC has issued significant fines. Additionally, CASL includes a private right of action — individuals can sue senders directly.

How does CASL compare to CAN-SPAM and GDPR?

CASL is stricter than CAN-SPAM (requires opt-in, not just opt-out) but more flexible than GDPR (has implied consent for business relationships). CASL sits between the two in strictness. If you comply with GDPR, you likely comply with CASL — but verify the implied consent timelines.
