Canada's Anti-Spam Legislation (CASL) is the strictest email marketing law in North America. Unlike CAN-SPAM's opt-out model, CASL requires express or implied consent before sending commercial electronic messages to Canadian recipients. Express consent has no expiration. Implied consent expires after 2 years (existing business relationship) or 6 months (inquiry). Every email must include sender identification, physical address, and a working unsubscribe. Penalties reach $10 million per violation for businesses.
CASL Compliance Guide: Canadian Anti-Spam Law for Email
Why CASL Matters
CASL is the strictest email consent law in the developed world. Where CAN-SPAM says "you can email anyone until they say stop," CASL says "you can't email anyone until they say go." This fundamental difference catches many US-based marketers off guard when they discover Canadian contacts on their list.
Penalties are severe: up to $10 million per violation for businesses, $1 million for individuals. The Canadian Radio-television and Telecommunications Commission (CRTC) has issued fines ranging from $15,000 to $1.1 million for violations.
The Two Types of Consent
Express Consent
The gold standard. The recipient explicitly agreed to receive your messages. Express consent:
- Never expires (unless withdrawn)
- Must be documented (you need proof)
- Must be specific — consent to email from Company A doesn't mean consent to email from Company B
- Cannot be bundled — consent must be separate from terms of service acceptance
To get express consent, you need:
- A clear request (checkbox, signup form)
- Description of what messages they'll receive
- Sender identification (your name and contact info)
- Statement that they can unsubscribe anytime
Practitioner note: Double opt-in is the safest way to obtain and document express consent for CASL. The confirmation email proves the subscriber actively opted in, and the timestamp plus form URL provide the evidence you need if challenged.
Implied Consent
Consent implied by an existing relationship. Implied consent has time limits:
Existing Business Relationship (EBR) — 2 years:
- Customer purchased from you within the last 2 years
- Customer had a written contract with you within the last 2 years
- After 2 years of no transaction, implied consent expires
Inquiry — 6 months:
- Someone inquired about your business within the last 6 months
- Asked for a quote, requested information, made a sales inquiry
- After 6 months without conversion to customer, implied consent expires
Conspicuously Published — Limited:
- The recipient conspicuously published their email address (on their website, business card)
- Your message relates to their professional role
- They haven't indicated they don't want unsolicited messages
This last category is the one cold email operators rely on for Canadian prospects. It's the narrowest category and the most frequently challenged.
Requirements for Every Message
Every commercial electronic message sent to a Canadian recipient must include:
- Sender identification — your name (or business name)
- Contact information — physical mailing address, phone number or email, website URL
- Unsubscribe mechanism — working, free, and effective within 10 business days
- Consent basis — you should be able to identify which consent type applies to each recipient
The unsubscribe must be functional for at least 60 days after the message is sent.
CASL vs. CAN-SPAM vs. GDPR
| Requirement | CAN-SPAM | CASL | GDPR |
|---|---|---|---|
| Consent model | Opt-out | Opt-in | Opt-in |
| Consent before first send | No | Yes | Yes |
| Consent expiration | N/A | 2 years (EBR), 6 months (inquiry) | No expiration |
| Unsubscribe timeframe | 10 days | 10 business days | Immediately |
| Physical address required | Yes | Yes | No |
| Max penalty per violation | $50,776 | $10 million | 4% revenue / 20M EUR |
| Applies to | Commercial email | All commercial electronic messages | All personal data processing |
Practical Compliance for Email
If You're US-Based Sending to Canada
- Identify Canadian contacts in your list (by geography, phone number prefix, or self-reported location)
- Verify consent type for each Canadian contact — express or implied?
- Track implied consent expiration — set reminders for 2-year (customer) and 6-month (inquiry) expirations
- Convert implied to express — before implied consent expires, ask for express consent via a subscription confirmation
- Include all required elements in every email (sender ID, contact info, unsubscribe)
For Cold Email to Canadian Prospects
Cold email under CASL is significantly more restricted than under CAN-SPAM:
- You need implied consent based on a conspicuously published email address
- The message must relate to the recipient's professional capacity
- You should have no indication the person doesn't want unsolicited messages
- Document your consent basis for every recipient
Practitioner note: Cold email to Canadian businesses isn't impossible under CASL, but it's riskier than US cold email. I advise clients to seek express consent first (LinkedIn connection + permission to email) rather than relying on the conspicuously published exception. The $10 million penalty creates asymmetric risk.
Converting Implied to Express Consent
Before implied consent expires, run a consent campaign:
- Send a clear message: "Your consent to receive our emails will expire on [date]. Click here to continue receiving our updates."
- Make it easy to confirm — single click, no account creation
- Send 2-3 reminders before expiration
- If no express consent is obtained, stop sending when implied consent expires
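An added example (not from the original guide) of the expiration tracking described above: it classifies each contact by consent basis, computes when implied consent lapses using the 2-year and 6-month limits, and flags contacts due for a reconfirmation message. The record fields (`basis`, `last_event`, `proof`, `withdrawn`), the 60-day reminder window, and treating the expiry date itself as a no-send day are assumptions made for illustration.

```python
from calendar import monthrange
from datetime import date

# Durations taken from the guide: EBR implied consent lasts 2 years,
# inquiry implied consent lasts 6 months, express consent does not expire.
IMPLIED_MONTHS = {"ebr": 24, "inquiry": 6}

def add_months(d, months):
    """Calendar-month addition, clamped to month end (Aug 31 + 6 months -> Feb 28/29)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))

def consent_status(contact, today, remind_days=60):
    """Return (may_send, expires_on, action) for one contact record (hypothetical schema)."""
    if contact.get("withdrawn"):
        return (False, None, "suppress")          # a withdrawal overrides any consent basis
    if contact["basis"] == "express":
        if not contact.get("proof"):              # burden of proof is on the sender
            return (False, None, "missing_proof")
        return (True, None, "ok")
    months = IMPLIED_MONTHS.get(contact["basis"])
    if months is None or contact.get("last_event") is None:
        return (False, None, "no_documented_basis")
    expires = add_months(contact["last_event"], months)
    if today >= expires:                          # assumption: expiry day is a no-send day
        return (False, expires, "expired_stop_sending")
    if (expires - today).days <= remind_days:
        return (True, expires, "send_reconfirmation")
    return (True, expires, "ok")

# Constructed sample records (not real contacts).
CONTACTS = [
    {"email": "a@example.ca", "basis": "express", "proof": "form=/signup ts=2023-01-05"},
    {"email": "b@example.ca", "basis": "ebr", "last_event": date(2024, 2, 29)},
    {"email": "c@example.ca", "basis": "inquiry", "last_event": date(2025, 8, 31)},
    {"email": "d@example.ca", "basis": "inquiry", "last_event": date(2025, 10, 15)},
    {"email": "e@example.ca", "basis": "ebr", "last_event": date(2025, 6, 1), "withdrawn": True},
    {"email": "f@example.ca", "basis": "express"},
]

def audit(contacts, today):
    """Map each contact's email to its consent status as of `today`."""
    return {c["email"]: consent_status(c, today) for c in contacts}

if __name__ == "__main__":
    for email, result in audit(CONTACTS, date(2026, 3, 1)).items():
        print(email, result)
```

Running the audit before each send, rather than on a schedule, keeps an expired or undocumented contact from slipping into a campaign between reminder runs.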
Common CASL Mistakes
Assuming CAN-SPAM is sufficient. It's not. CAN-SPAM's opt-out model violates CASL. You need opt-in consent for Canadian recipients.
Not tracking consent expiration. Implied consent has expiration dates. If you don't track when a customer last purchased, you'll keep sending after implied consent expires.
Bundling consent. "By creating an account, you agree to receive marketing emails" fails CASL's requirement for separate, explicit consent.
No consent records. CASL puts the burden of proof on the sender. If you can't prove you had consent, you didn't have it.
Assuming B2B is exempt. CASL applies to B2B and B2C equally. "It's just business email" isn't a defense.
The Bottom Line
CASL is the most demanding email consent law North American marketers face. The key is treating Canadian contacts differently — tracking consent types, monitoring expiration dates, and converting implied consent to express before it lapses. If you already comply with GDPR, CASL is mostly a matter of adding consent expiration tracking.
If your email list includes Canadian contacts and you're unsure about your CASL compliance, schedule a consultation — I'll audit your consent practices and help you close any gaps before the CRTC does.
v1.0 · March 2026
Frequently Asked Questions
What is CASL?
Canada's Anti-Spam Legislation, in effect since July 2014. It requires consent before sending commercial electronic messages (including email, SMS, and social media messages) to Canadian recipients. It's an opt-in law, unlike the US CAN-SPAM, which is opt-out.
How is CASL different from CAN-SPAM?
CASL requires consent BEFORE sending (opt-in). CAN-SPAM allows sending until someone unsubscribes (opt-out). CASL has two consent types with different durations. CASL penalties are higher ($10M vs $50K per violation). CASL applies to all commercial electronic messages, not just email.
Does CASL apply to US businesses?
Yes, if your recipients are in Canada. CASL applies based on where the recipient is located, not where the sender is based. If your email list includes Canadian contacts, CASL governs those messages.