
What is CASL? Canadian anti-spam law explained


Summary

CASL is Canada's anti-spam law requiring express consent before sending commercial emails to Canadian recipients. It's stricter than CAN-SPAM, with penalties up to $10 million per violation. If you email Canadians, you need to understand CASL.

A US-based software company learned about CASL the hard way. They'd been emailing their entire list—including Canadian subscribers—using the same opt-out approach that worked under CAN-SPAM. Then they received a notice from the Canadian Radio-television and Telecommunications Commission. The investigation took months, cost significant legal fees, and resulted in a compliance undertaking that required overhauling their entire email program.

CASL (Canada's Anti-Spam Legislation) is one of the strictest anti-spam laws in the world. Unlike CAN-SPAM's opt-out model, CASL requires opt-in consent before you send commercial electronic messages. If you have Canadian subscribers, CASL applies to you regardless of where your business is located.

What CASL covers

CASL regulates commercial electronic messages (CEMs) sent to or from Canada. This includes email, SMS, and some social media messages.

A message is "commercial" if one of its purposes is to encourage participation in a commercial activity. Marketing emails obviously qualify. But so do emails that promote your business even indirectly—newsletters that mention products, transactional emails with promotional content, even some relationship-building messages.

The geographic scope is broad. CASL applies if the message is sent to a Canadian address, sent from Canada, or accessed in Canada. If you have Canadian subscribers, CASL applies even if you're based elsewhere.

CASL also covers the installation of computer programs and the alteration of transmission data, but for most email marketers, the CEM provisions are what matter.

The consent requirement

CASL's core requirement is consent before sending commercial messages. This is fundamentally different from CAN-SPAM's opt-out approach.

Express consent is the gold standard. The recipient explicitly agreed to receive messages from you. They checked a box, clicked a button, or otherwise affirmatively indicated consent. You have a record of when and how they consented.

Implied consent exists in limited circumstances: you have an existing business relationship (they purchased from you within the last two years, or inquired within the last six months), they conspicuously published their email address without indicating they don't want commercial messages, or they gave you their business card.

Implied consent is temporary and limited. Business relationship consent expires after two years of no transactions. Inquiry consent expires after six months. Published address consent only covers messages relevant to their business role.

Express consent doesn't expire (unless withdrawn), which is why building an express consent list is the sustainable approach.

Obtaining valid consent

CASL has specific requirements for how consent must be obtained.

Consent must be opt-in, not opt-out. Pre-checked boxes don't count. Buried terms in lengthy agreements don't count. The recipient must take an affirmative action to consent.

You must clearly identify yourself. The consent request must include your name (or the name of the person on whose behalf you're seeking consent) and contact information.

You must describe the purpose. What types of messages will you send? "Marketing emails" is too vague. "Weekly newsletter about software development" is better.

You must explain how to withdraw consent. Even at the consent stage, recipients need to know they can unsubscribe later.

You must keep records. Document when consent was obtained, how it was obtained, and what the person consented to. If challenged, you need to prove you had valid consent.

Message requirements

Even with valid consent, CASL requires specific elements in every commercial message.

Identification: The message must clearly identify who is sending it. Your name or business name must be included, along with contact information (mailing address, and either phone number, email, or web address).

Unsubscribe mechanism: Every message must include a working unsubscribe mechanism. It must be free to use, easy to access, and valid for at least 60 days after sending.

Processing unsubscribes: You must honor unsubscribe requests within 10 business days. Once someone unsubscribes, you cannot send them commercial messages (though you can still send purely transactional messages).

These requirements apply to every commercial message, regardless of consent type.

Penalties and enforcement

CASL penalties are severe, which is why compliance matters.

Administrative monetary penalties can reach $1 million per violation for individuals and $10 million per violation for businesses. "Per violation" can mean per message, so a campaign to thousands of recipients could theoretically result in massive liability.

The CRTC (Canadian Radio-television and Telecommunications Commission) enforces CASL. They've pursued cases against both Canadian and foreign companies, resulting in penalties ranging from thousands to millions of dollars.

Directors and officers can be personally liable if they directed, authorized, or participated in violations. This isn't just a corporate risk.

Private right of action was planned but has been suspended indefinitely. Currently, only the CRTC can pursue violations, but this could change.

Compliance undertakings are common resolutions. Companies agree to specific compliance measures, often including third-party audits, in exchange for reduced penalties. These are public and can be reputationally damaging.

CASL vs CAN-SPAM

Understanding the differences helps if you're used to US rules.

Consent model: CAN-SPAM allows opt-out (send until they unsubscribe). CASL requires opt-in (don't send until they consent). This is the fundamental difference.

Penalties: CAN-SPAM penalties max at $46,517 per violation. CASL penalties can reach $10 million. The stakes are higher under CASL.

Unsubscribe timing: CAN-SPAM requires honoring unsubscribes within 10 business days. CASL also requires 10 business days. Similar here.

Transactional exemptions: Both laws exempt purely transactional messages, but CASL's exemptions are narrower. Adding promotional content to transactional emails is riskier under CASL.

If you comply with CASL, you'll generally comply with CAN-SPAM. The reverse isn't true.

Practical compliance steps

Building CASL compliance into your email program requires specific actions.

Segment your list by geography. Identify Canadian subscribers so you can apply CASL requirements to them specifically. If you can't identify geography, apply CASL standards to everyone.

Audit your consent records. For Canadian subscribers, do you have documented express consent? If relying on implied consent, is it still valid (within time limits)? Remove subscribers without valid consent.

Update your signup process. Ensure consent is opt-in, clearly identifies you, describes what you'll send, and explains how to unsubscribe. Keep records of consent.

Review your email content. Does every message identify you with required contact information? Does every message have a working unsubscribe mechanism?

Train your team. Anyone involved in email marketing needs to understand CASL requirements. Mistakes often come from people who don't know the rules.

Consider re-permission campaigns. If your consent records are unclear, asking subscribers to re-confirm consent creates clean records. You'll lose some subscribers, but you'll have defensible consent for those who remain.

Common CASL mistakes

Several errors frequently cause CASL problems.

Assuming CAN-SPAM compliance is enough. It's not. CASL's opt-in requirement is fundamentally different.

Pre-checked consent boxes. These don't create valid consent under CASL. Consent must be affirmative.

Vague consent language. "We may contact you" isn't specific enough. Describe what you'll actually send.

Not tracking consent. If you can't prove when and how someone consented, you effectively don't have consent.

Ignoring implied consent expiration. Business relationship consent expires. If you haven't transacted with someone in two years, implied consent is gone.

Adding promotional content to transactional emails. This can convert an exempt transactional message into a regulated commercial message requiring consent.

Frequently asked questions

Does CASL apply if I'm not in Canada?

Yes, if you send commercial messages to Canadian recipients. CASL applies based on where recipients are, not where you're located.

Can I email someone who gave me their business card?

Yes, this creates implied consent for messages relevant to their business role. But implied consent is limited—express consent is better for ongoing marketing.

What if I can't tell if a subscriber is Canadian?

If you can't determine geography, the safest approach is to apply CASL standards to everyone. This also simplifies compliance.

Do transactional emails require consent under CASL?

Purely transactional messages (order confirmations, shipping notifications, account alerts) are generally exempt. But adding promotional content can remove the exemption.


Written by the emailr team
