You send a marketing email to your customer list. Seems normal, right?
In Canada, it might be illegal.
CASL—the Canada Anti-Spam Legislation—is one of the strictest anti-spam laws in the world. Many Canadian businesses don't realize how strict it is until they get a complaint. And the penalties are severe: up to $15 million per violation.
This guide breaks down what CASL actually requires, what counts as a violation, and how to stay compliant. Because you don't need to be scared of CASL—you just need to understand it.
CASL came into effect in Canada in 2014. It applies to all commercial electronic messages (CEMs) sent to or from Canada, regardless of where your business is located.
A CEM is any electronic message (email, SMS, push notification, etc.) sent primarily for a commercial purpose. That includes marketing, but it's broader than you'd think.
Key Point: Even one email violates CASL if you don't have consent. And CASL is interpreted very strictly by Canadian regulators.
CASL has one central requirement: you cannot send commercial electronic messages without prior consent from the recipient. There are two types of consent: express and implied.
Express Consent
The person explicitly agreed to receive messages from you. They checked a box, filled out a form, clicked “subscribe,” or otherwise actively said yes. This is clear and defensible. If you have express consent, you're safe.
Implied Consent
This is where most businesses get tripped up. Implied consent exists if the person has an existing business relationship with you (they bought something, used your service, etc.), you're sending messages related to that relationship, and the person has not previously asked you to stop.
Key limitation: implied consent only lasts for 2 years from the last transaction or interaction. After 2 years, you need express consent to keep emailing.
So if someone bought from you in 2023 but hasn't interacted since, and you email them in 2025, you need express consent. Implied consent expires. Even with implied consent, you still need to identify yourself clearly and include unsubscribe information.
This is broader than most people think. A CEM is any electronic message where the primary purpose is commercial. This includes marketing emails, newsletter signups, promotional offers, product announcements, and event invitations (if the invitation is to buy tickets or products). Transactional emails like receipts and account updates are often exempt, but check.
What's NOT a CEM: transactional emails that are strictly about completing a transaction (receipts, shipping confirmations), email alerts for account activity (if the person asked for them), and compliance-related emails (privacy notices, legal updates).
The “primary purpose” test matters. If an email's main point is to inform (like a notification), it might not be commercial even if it mentions a product. But if the main point is to sell something, market a service, or encourage action for commercial benefit, it's a CEM and requires consent.
CASL violations carry steep penalties: up to $15 million per violation for misleading representations, up to $10 million per violation for failing to include required information, and up to $15 million per violation for sending without consent.
These aren't small fines. The CRTC and other regulators actively enforce CASL, especially for larger violations. For perspective: even 100 unsolicited marketing emails sent without consent could theoretically carry penalties in the millions. That's why compliance matters.
If you're sending a CEM (with or without consent), you must include:
Identification: Clear information about who the message is from. Business name, phone number, mailing address—something that clearly identifies you.
Contact Information: How can the recipient contact you with complaints or questions?
Unsubscribe Mechanism: An easy way to unsubscribe. This can't just be a link to a form—the person should be able to reply to unsubscribe if they want. And the unsubscribe must be processed within 10 business days.
Missing any of these requirements is a violation, even if you have valid consent.
For Your Email List:
Audit your current list. For each contact: Do you have express consent (checkbox, form, signup)? Or implied consent (recent transaction, within 2 years)? Or neither? If neither, don't email them without getting consent first. Segment your list by consent type. Implied consent expires in 2 years—track when and follow up before it expires. For new signups, always get express consent. Use a checkbox (don't pre-check it). Ask explicitly: “I agree to receive marketing emails.”
For Your Website/App:
Make sure signup forms ask for explicit consent to marketing emails. Don't assume people want email just because they're using your product. Include a clear checkbox on checkout if you're capturing emails. Have a clear unsubscribe link in every email. Test it to make sure it works. Document when people consented and how. Keep these records for at least 3 years.
For Your Email Sends:
Include your business name, address, and phone number in the footer. Include contact information for complaints. Make unsubscribe prominent and easy. Process unsubscribe requests within 10 days.
1. Not Tracking Consent Type
You don't know which contacts have express vs. implied consent. Result: you email people after their implied consent expires. Fix: Build this into your email system. Tag contacts with consent type and date.
2. Pre-Checked Consent Boxes
Someone signs up for your product. The “also send marketing emails” box is already checked. They don't notice. That's not valid consent. The person didn't actively agree. Fix: Never pre-check consent boxes.
3. Vague “Implied Consent” Arguments
“They used our app once in 2020, so we can still email them in 2025.” Implied consent expires in 2 years. And “using your app” might not constitute the kind of business relationship that triggers implied consent anyway. Fix: Track transaction dates. After 2 years, get express consent or stop emailing.
4. No Documentation of Consent
You have express consent, but you can't prove it. Someone emails a complaint and the regulator asks for proof. You don't have it. This looks suspicious, even if you did get consent. Fix: Log consent dates and methods. If someone signs up, record the date and what they consented to.
5. Burying Unsubscribe Options
Your unsubscribe link is gray text at the bottom of an unrelated paragraph. CASL requires an easy, clear way to unsubscribe. Burying it creates liability. Fix: Put unsubscribe in a prominent location, ideally in the footer, in clear formatting.
6. Not Processing Unsubscribe Requests Promptly
Someone unsubscribes on Monday. You email them on Tuesday because the list update takes time. That's a violation. Fix: Process unsubscribe requests immediately, or at least remove them before the next send.
Many businesses don't realize this: implied consent has an expiration date. If you have a customer relationship but the customer hasn't interacted with you in 2+ years, implied consent has expired. You can't keep emailing them without getting express consent.
Set a reminder to re-engage old customers before the 2-year mark. Ask them to confirm they want to keep receiving emails. If they don't respond, remove them from your marketing list (but you can still send transactional emails if needed).
SaaS Businesses:
Transactional emails (login alerts, billing notifications) are often exempt from CASL if they're essential to the account. But marketing emails (new features, upgrade invitations) require consent. Separate transactional and marketing sends. Make sure you have consent for marketing emails.
E-Commerce Stores:
Receipt emails are transactional and exempt. But “buy this product you left in your cart” or “here's a new sale” emails are marketing and require consent. Newsletters are marketing and require express consent.
Document everything. If a regulator asks for proof of consent, you need to produce it. Keep records for 3 years.
The core rule is simple: get consent before sending marketing emails. The details matter, but they're manageable.
If you follow these guidelines, you're in good shape. And if you're not sure whether a specific email is a CEM or whether you have valid consent, ask a lawyer. One quick consultation is way cheaper than dealing with a compliance issue later.