CASL Compliance Guide for Email Marketing
Understand and comply with Canada's Anti-Spam Legislation, one of the world's strictest anti-spam laws, when sending commercial emails to Canadian recipients.
What is CASL?
Canada's Anti-Spam Legislation (CASL) is a comprehensive anti-spam law that came into effect on July 1, 2014. It is widely considered one of the strictest anti-spam laws in the world, with significant penalties for non-compliance.
CASL regulates commercial electronic messages (CEMs), which include:
- Email messages that encourage commercial activity
- Text messages (SMS) with commercial content
- Social media messages with commercial intent
- Any electronic message sent to an electronic address
Unlike CAN-SPAM, CASL requires express or implied consent before sending commercial messages, making it an opt-in law rather than an opt-out law.
Who Does CASL Apply To?
CASL has broad international reach and applies if:
Message Sent from Canada
Your commercial electronic message originates from a computer system in Canada
Message Accessed in Canada
The recipient accesses the message on a computer system located in Canada
Canadian Recipients
The message is sent to a Canadian email address or phone number
This means businesses anywhere in the world must comply with CASL when sending commercial messages to Canadian recipients.
Express vs Implied Consent
CASL distinguishes between two types of consent, each with different requirements and validity periods:
Express Consent (Recommended)
The recipient has explicitly agreed to receive commercial messages from you. This is the strongest form of consent.
- Validity: No expiration - lasts until consent is withdrawn
- How obtained: Opt-in checkbox, online form, verbal consent (with proof), written consent
- Best for: Long-term email marketing relationships
- Required: Must clearly identify who is seeking consent and the purpose of the messages
Implied Consent (Use Carefully)
Consent is implied from an existing business relationship or conspicuous publication of an email address. More limited than express consent.
- Existing Business Relationship: Valid for 2 years after last transaction or inquiry
- Conspicuous Publication: Email published without restriction on use (valid for 2 years)
- Limitation: Messages must be relevant to the business relationship or published context
- Risk: Shorter validity period and more restricted use cases
Best Practice: Always seek express consent when possible. It provides the strongest legal protection and allows for unlimited commercial messaging relevant to what the recipient consented to.
Consent Requirements
When obtaining express consent under CASL, your consent mechanism must meet these strict requirements:
Clear and Prominent
The consent request must be clearly visible and not hidden in terms of service or privacy policies. Use clear language and appropriate font sizes.
Easy to Understand
Use plain language that clearly explains what the recipient is consenting to. Avoid legal jargon or confusing terminology.
Identify the Requester
Clearly state who is seeking consent (your business name) and on whose behalf (if applicable). Include contact information.
State the Purpose
Explain what types of messages they will receive. Be specific about the purpose and nature of communications.
Provide Unsubscribe Information
Inform users that they can unsubscribe at any time. Make it clear how to withdraw consent.
Important: Pre-checked boxes are not valid under CASL. Recipients must take a positive action (checking a box, clicking a button) to provide consent.
Message Requirements
Every commercial electronic message you send must include the following information:
Sender Identification
Clearly identify your business name and the person or business on whose behalf the message is sent (if different)
Contact Information
Provide valid contact information, including a physical mailing address and one of: phone number, email address, or web address
Unsubscribe Mechanism
Include a clear and prominent unsubscribe link or mechanism that is free, easy to use, and accessible
This information must be clear, prominent, and valid for at least 60 days after the message is sent.
Unsubscribe Requirements
CASL has strict requirements for unsubscribe mechanisms. Non-compliance can result in significant penalties.
10 Business Days Maximum
You must honor unsubscribe requests within 10 business days. Best practice is to process immediately.
Free of Charge
Unsubscribing must be completely free. You cannot charge fees, require purchases, or demand payment.
Easy to Use
The mechanism must be simple and must not require technical skills. Ideally, it is a one-click unsubscribe. It cannot require login or multiple steps.
Valid for 60 Days
The unsubscribe mechanism must remain functional for at least 60 days after the message is sent (longer than CAN-SPAM's 30 days).
Clear and Prominent
The unsubscribe option must be easy to find. Don't hide it in small print or use the same color as the background.
Record Keeping Requirements
CASL requires businesses to maintain detailed records of consent. You must be able to demonstrate that you had valid consent to send messages.
Minimum 3 Years
Keep records for at least 3 years from the date consent was obtained or the last message was sent.
What to Document
- When and how consent was obtained
- The exact language used in the consent request
- What the recipient consented to receive
- IP address and timestamp of consent (for online forms)
- Who provided consent (if obtained verbally or in writing)
Audit Trail
Maintain a complete audit trail of all communications, unsubscribe requests, and consent withdrawals. This protects you in case of complaints or investigations.
Important: The burden of proof is on the sender. If someone claims they didn't consent, you must be able to prove they did.
Penalties for Non-Compliance
CASL violations can result in severe financial penalties, among the highest in the world for anti-spam legislation:
Individuals
Up to $1 million CAD per violation for individuals
Businesses
Up to $10 million CAD per violation for businesses and organizations
Multiple Violations
Each non-compliant message can be considered a separate violation, potentially resulting in cumulative penalties
Who Can Be Held Liable
Both the company and individuals (directors, officers, employees) can be held personally liable for violations
The Canadian Radio-television and Telecommunications Commission (CRTC) enforces CASL, along with the Competition Bureau and the Office of the Privacy Commissioner.
Key Differences from CAN-SPAM
CASL is significantly stricter than the US CAN-SPAM Act. Understanding these differences is critical for compliance:
Opt-In vs Opt-Out
CASL: Opt-in (requires consent before sending)
CAN-SPAM: Opt-out (can send until recipient unsubscribes)
Consent Requirements
CASL: Express or implied consent required before sending
CAN-SPAM: No prior consent required
Unsubscribe Validity Period
CASL: Must remain functional for 60 days
CAN-SPAM: Must remain functional for 30 days
Record Keeping
CASL: Must maintain detailed consent records for 3 years
CAN-SPAM: No specific record-keeping requirement
Maximum Penalties
CASL: Up to $10 million CAD per violation
CAN-SPAM: Up to $51,744 USD per email
Pro Tip: If you comply with CASL, you'll automatically meet CAN-SPAM requirements. Consider adopting CASL standards for all your email marketing.
Best Practices for CASL Compliance
1. Always Use Double Opt-In
Require subscribers to confirm their email address by clicking a link. This creates a clear audit trail and proves consent was obtained.
2. Use Clear, Specific Consent Language
Be explicit about what subscribers are signing up for. Example: "I consent to receive promotional emails and product updates from [Company Name]. I can unsubscribe at any time."
3. Separate Consent Checkboxes
Don't bundle email consent with terms of service acceptance. Use separate, unchecked checkboxes that users must actively check.
4. Implement Robust Record Keeping
Use email marketing platforms that automatically log consent details including timestamp, IP address, consent text, and source. Keep these records for at least 3 years.
5. Make Unsubscribe Obvious and Easy
Include a prominent unsubscribe link in every email. Implement one-click unsubscribe and process requests immediately. Never make users log in to unsubscribe.
6. Include Complete Sender Information
Every message must clearly identify your business and include valid contact information. Use your company's physical address, not a PO box.
7. Regularly Audit Your Lists
Review your email lists periodically to ensure all contacts have valid consent. Remove contacts whose implied consent has expired (2 years) unless you have express consent.
8. Train Your Team on CASL
Ensure everyone involved in email marketing understands CASL requirements. This includes marketers, sales teams, and anyone with access to your email platform.
9. Never Buy Email Lists
Purchased lists are a CASL violation waiting to happen. You cannot prove consent for purchased contacts, and you'll face penalties if caught.
10. Stay Updated on CASL Changes
CASL enforcement and interpretations can evolve. Monitor CRTC announcements and consult with legal counsel when needed to ensure ongoing compliance.