Email CASL Compliance — Complete Guide to Canada's Anti-Spam Law
CASL (Canada's Anti-Spam Legislation) is one of the strictest anti-spam laws globally, requiring express or implied consent for sending commercial electronic messages (CEMs) to Canadian recipients. Unlike CAN-SPAM which allows unsolicited email with opt-out, CASL requires consent before sending, with penalties of up to $10 million CAD for organizations and $1 million CAD for individuals. Understanding and complying with CASL is essential for any business emailing Canadian residents.
This comprehensive guide covers CASL's consent requirements, message obligations, compliance strategies, and enforcement considerations.
Understanding CASL
What is CASL?
Canada's Anti-Spam Legislation (S.C. 2010, c. 23):
- Regulates commercial electronic messages (CEMs)
- Requires consent for sending CEMs
- Mandates specific message requirements
- Prohibits false/misleading representations
- Prohibits installation of computer programs without consent
Effective Dates
- July 1, 2014: CEM provisions
- January 15, 2015: Computer program provisions
- July 1, 2017: Private right of action (suspended)
Scope
Applies to:
- SMS/text messages
- Instant messages
- Social media messages (commercial)
If:
- Message is commercial
- Sent to Canadian recipients
- Accessed in Canada
CASL Consent Requirements
Types of Consent
| Express Consent | Implied Consent |
|---|---|
| Clear and documented | Limited circumstances |
| No expiration | Time-limited |
| Revocable | Revocable |
| Best practice | Narrow application |
Express Consent
Requirements:
- Clearly request consent
- State purpose
- Provide contact information
- No pre-checked boxes
- Separate from other terms
Valid Forms:
- Oral (if recorded)
- Written
- Electronic (checkbox)
Documentation Required:
- Date of consent
- Manner of consent
- Purpose
Template:
```
☐ I consent to receive commercial electronic messages from [Company Name] about [specific topics].
Contact: [Name, Address, Phone, Email]
You may withdraw consent at any time.
```
Best Practice - Double Opt-In:
- Checkbox on signup
- Confirmation email
- Click to confirm
- Clear record maintained
Implied Consent
Categories:
1. Existing Business Relationship:
- Purchase within last 2 years
- Inquiry within last 6 months
- Contract currently in effect
2. Existing Non-Business Relationship:
- Club/association membership
- Charitable donation
- Volunteer work
3. Conspicuous Publication:
- Email published publicly
- No statement saying they don't want CEMs
- Relevant to recipient's role
4. Personal Relationship:
- Family relationship
- Personal friendship
Time Limits:
| Type | Duration |
|---|---|
| Purchase | 2 years from transaction |
| Inquiry | 6 months from inquiry |
| Contract | Duration of contract + 2 years |
| Conspicuous publication | While published |
Important: Implied consent expires. Track dates and refresh or remove.
CEM Requirements
Required Elements
Every CEM must include:
1. Sender Identification:
- Name of sender
- Name on whose behalf sent (if different)
- Contact information
2. Contact Information:
- Valid mailing address
- Telephone number (optional but recommended)
- Email address or web address
3. Unsubscribe Mechanism:
- Free to use
- Easy to use
- Readily performed
- Must work for 60 days
- Honor within 10 business days
Implementation
Header:
```
From: Your Company <email@company.com>
```
Footer:
```
Sent by: Your Company
Address: 123 Main Street, Toronto, ON M5V 3A8
Email: contact@company.com
Phone: (416) 555-0123
Unsubscribe: [link] or reply STOP
You are receiving this because [consent basis].
```
Exemptions
Full Exemptions
Not CEMs:
- Personal/family messages
- Internal business communications
- Commercial inquiry response
- Legal obligation
- Safety recall
- Warranty/product safety
Exempt CEMs:
- Closed platform (limited access)
- Limited access account
- Business-to-business (some)
- Political messages (some rules)
- Charitable messages (some rules)
B2B Exemption
Requirements:
- Sent to business address
- Relevant to recipient's role
- Business has presence in Canada
- Message concerns business activities
Limitations:
- Not unlimited exemption
- Must still identify sender
- Unsubscribe required
Compliance Implementation
Consent Tracking
Maintain Records:
- Date of consent
- Type of consent
- How obtained
- What consented to
- Expiration date (implied)
System Requirements:
- Timestamp logging
- Consent type flagging
- Expiration alerts
- Audit trail
List Hygiene
Regular Processes:
- Remove expired implied consent
- Verify express consent records
- Update contact information
- Honor unsubscribes immediately
Quarterly Reviews:
- Check consent expiration
- Validate records
- Clean inactive
- Document actions
Unsubscribe Management
Requirements:
- Must be in every CEM
- Free of charge
- Simple process
- No personal information required
- Honor within 10 business days
- Maintain for 60 days after send
Best Practices:
- One-click unsubscribe
- Immediate processing
- Confirmation message
- Preference center option
Penalties and Enforcement
Administrative Monetary Penalties (AMPs)
Maximum:
- Organizations: $10 million CAD
- Individuals: $1 million CAD
Factors:
- Nature of violation
- Scope of violation
- History of violations
- Financial benefit
- Ability to pay
Criminal Offenses
Applies to:
- False/misleading representations
- Harvesting email addresses
- Use of harvested lists
- Use of spyware
Penalties:
- Fines
- Imprisonment (up to 14 years)
Private Right of Action
Status:
- Originally effective July 1, 2017
- Currently suspended
- May be reinstated
Potential Liability:
- Statutory damages
- Actual damages
- Class actions possible
Notable Cases
- Compu-Finder: $1.1M (lack of consent)
- PlentyOfFish: $48,000 (unsubscribe issues)
- Rogers: $200,000 (consent issues)
CASL Best Practices
1. Prioritize Express Consent
Why:
- No expiration
- Clear documentation
- Stronger legal position
- Better engagement
How:
- Double opt-in
- Clear request
- Record keeping
- Regular confirmation
2. Track Implied Consent Expiration
System Setup:
- Flag implied consent
- Set expiration dates
- Automated alerts
- Renewal campaigns
Renewal Strategy:
- Email before expiration
- Request express consent
- Make it easy
- Document conversion
3. Clear Unsubscribe Process
Implementation:
- Prominent link
- No login required
- Immediate confirmation
- Friendly tone
4. Regular List Cleaning
Schedule:
- Remove expired implied consent
- Verify express consent
- Update contact info
- Remove unsubscribes
5. Documentation
Maintain:
- Consent records
- Unsubscribe logs
- Compliance policies
- Training records
Transition and Grandfathering
Existing Relationships (Pre-July 1, 2014)
Grace Period:
- Existing relationships had implied consent
- Transition period ended July 1, 2017
- Must now have valid consent
Current Status:
- All recipients need valid consent
- Review and refresh older contacts
- Document basis for all
Comparison: CASL vs. CAN-SPAM vs. GDPR
| Aspect | CASL | CAN-SPAM | GDPR |
|---|---|---|---|
| Prior consent required? | Yes | No | Yes (usually) |
| Consent types | Express/Implied | N/A | Consent/Legitimate Interest |
| Maximum penalties | $10M CAD | $43,792/email | €20M or 4% revenue |
| B2B approach | Strict | Lenient | Moderate |
| Unsubscribe | Required | Required | Required |
| Private right of action | Yes (suspended) | Limited (ISPs) | No |
Compliance Checklist
Before Sending:
- ☐ Valid consent obtained
- ☐ Consent documented
- ☐ Consent not expired
- ☐ Sender identified
- ☐ Contact information accurate
- ☐ Unsubscribe mechanism working
- ☐ Content truthful
- ☐ List cleaned recently
Program Setup:
- ☐ Consent tracking system
- ☐ Expiration monitoring
- ☐ Unsubscribe automation
- ☐ Record keeping
- ☐ Staff training
- ☐ Compliance policy
- ☐ Regular audits
- ☐ Legal review
Frequently Asked Questions About CASL
Do I need consent to send emails to Canadians?
Yes. CASL requires express or implied consent before sending commercial electronic messages.
What's the difference between express and implied consent?
Express is explicit permission with no expiration. Implied is limited to specific situations with time limits.
How long does implied consent last?
- Purchase: 2 years
- Inquiry: 6 months
- Contract: Duration + 2 years
- Conspicuous publication: While published
Can I email someone who gave me their business card?
Only if the email is relevant to their role and they didn't indicate they don't want CEMs. This is "conspicuous publication" implied consent.
What if I bought a list before CASL?
It doesn't matter when the list was bought. You need valid consent for each recipient under CASL rules.
Do I need consent for B2B emails?
Generally yes, though some exemptions exist for intra-business communications. Most B2B marketing requires consent.
How do I document consent?
Record who consented, when, how, and to what. Maintain records for as long as you email them, plus 3 years.
What happens if I violate CASL?
Penalties of up to $10 million for organizations. Criminal charges for serious violations. Potential private lawsuits.
Conclusion: Respect Through Compliance
CASL is strict, but its requirements align with email marketing best practices. The consent and transparency that CASL mandates are exactly what build engaged, responsive email lists.
Don't view CASL as a burden — view it as a framework for permission-based marketing that respects recipients and delivers better results. The investment in compliance pays off through higher engagement, better deliverability, and sustainable growth.
For any business emailing Canadians, CASL compliance isn't optional. Make it a priority, implement proper systems, and build your program on genuine consent and respect.