CASL Compliance: Email Marketing Rules for Canada (2026 Guide)
Canada's Anti-Spam Legislation — universally known as CASL — is among the strictest email marketing laws in the world. While US businesses operate under CAN-SPAM, which requires only that recipients can opt out after the fact, CASL requires explicit consent before the first commercial email is sent. The enforcement regime backs that up with fines of up to $1 million CAD per violation for individuals and $10 million CAD per violation for businesses.
If your business emails anyone in Canada — even if you are a US-based company — CASL applies to you. The law has extraterritorial reach: it governs the recipient's location, not the sender's. A US retailer with Canadian customers is subject to CASL for every commercial email sent to those customers.
This guide covers everything you need to know about CASL compliance in 2026: the two types of consent, what qualifies as an exemption, what your commercial emails must contain, how long implied consent lasts, record-keeping requirements, and the specific practices that trigger enforcement attention.
What Is CASL?
Canada's Anti-Spam Legislation (CASL) came into force on July 1, 2014. It regulates Commercial Electronic Messages (CEMs) — any electronic message that encourages participation in a commercial activity, whether or not the message has a commercial purpose as its primary aim.
CASL is enforced by three Canadian government bodies:
- CRTC (Canadian Radio-television and Telecommunications Commission) — primary enforcement body for commercial email
- Competition Bureau — handles deceptive marketing claims in commercial messages
- Office of the Privacy Commissioner — addresses personal information collection issues related to CEMs
The fundamental difference from CAN-SPAM: CAN-SPAM is an opt-out law — you can email anyone until they tell you to stop. CASL is an opt-in law — you cannot email anyone until they have given consent, with limited exemptions. This distinction changes the entire approach to list building and contact management for businesses with Canadian subscribers.
Who Does CASL Apply To?
CASL applies to any Commercial Electronic Message sent to or from a computer system in Canada. This means:
US businesses with Canadian subscribers: If you are a US company and your email list includes people with Canadian email addresses, CASL governs those contacts. You cannot apply US CAN-SPAM standards to Canadian subscribers and remain CASL compliant.
B2B senders: CASL applies to business-to-business email as well as consumer email. Cold outreach to Canadian business contacts requires consent under CASL — the narrow "business-to-business relationship" exemption has specific requirements.
What counts as a CEM: The threshold is broad. Any message that encourages participation in a commercial activity qualifies — this includes promotional emails, newsletters that mention products, cold outreach proposing a business relationship, and marketing emails for free products or services. The message does not need to involve a direct sale to qualify as a CEM.
What does NOT qualify as a CEM:
- Purely transactional messages (order confirmations, shipping notifications, account alerts) that do not contain any promotional content
- Messages sent to a closed group such as employees of the same company communicating internally
- Messages sent on behalf of a registered charity soliciting donations
- One-to-one personal communications that are not sent on behalf of a business
The Two Types of CASL Consent
The cornerstone of CASL compliance is consent. CASL recognises two types — express and implied — with very different requirements, evidence standards, and expiry timelines.
Express Consent
Express consent is the gold standard under CASL. It is explicit, documented, and does not expire as long as the sender continues to send relevant commercial messages and the recipient does not unsubscribe.
How to obtain express consent:
The request for consent must:
- Clearly describe what the recipient is consenting to receive
- Identify the person or organisation seeking consent
- Include contact information for the person seeking consent
- State that the recipient may unsubscribe at any time
What express consent does NOT require:
- A written signature (oral consent is valid but harder to prove)
- A checkbox on a form (though this is the most common implementation)
- Double opt-in (though this is strongly recommended for evidence purposes)
What express consent explicitly prohibits:
- Pre-checked opt-in boxes — these do not constitute express consent under CASL
- Bundling consent with terms of service acceptance — "by creating an account you agree to receive marketing emails" is not valid express consent
- Implied consent presented as express consent — the request must be unambiguous
Best practice for express consent collection:
"I agree to receive commercial electronic messages from [Company Name]
at the email address I have provided. I understand I can unsubscribe
at any time by clicking the unsubscribe link in any email."This language, paired with an unchecked opt-in checkbox, constitutes valid express consent under CASL. The key elements: specific identification of the sender, description of what will be received, and clear statement of the right to unsubscribe.
Implied Consent
Implied consent exists when there is a pre-existing business or non-business relationship between sender and recipient that would reasonably lead the recipient to expect commercial messages. Implied consent is time-limited and carries a higher evidentiary burden if challenged.
Circumstances that create implied consent:
| Relationship Type | Implied Consent Duration |
|---|---|
| Existing business relationship — purchase of goods/services | 2 years from last purchase |
| Existing business relationship — contract | Duration of contract + 2 years |
| Existing business relationship — inquiry or application | 6 months from the date of inquiry |
| Non-business relationship — volunteer/club/membership | 2 years from last interaction |
| Publicly published contact information — business context | No fixed expiry, but narrow scope |
The 2-year rule in practice: If a Canadian customer purchased from you on January 15, 2024, your implied consent to send them commercial emails expires on January 15, 2026 — unless they make another purchase (which resets the clock) or give express consent (which removes the expiry entirely). After that date, you cannot legally email them without fresh consent.
The 6-month inquiry window: If a Canadian prospect submits a contact form asking about your services on March 1, 2026, you have until September 1, 2026 to convert that inquiry into an express consent sign-up or a purchase. After 6 months with no further action, the implied consent expires.
Publicly available contact information: CASL allows sending to email addresses that have been voluntarily published in an online directory or on a website — but only if the message is relevant to the person's business role or function. This is a narrow exemption used primarily for B2B outreach and requires that the individual has not included an opt-out statement alongside their published address.
Key CASL Exemptions
Several categories of messages are exempt from CASL's consent requirement. These exemptions are specific and narrow — do not assume a message is exempt without confirming it qualifies.
Transactional or relationship messages: Messages that solely facilitate, complete, or confirm a commercial transaction that the recipient has already agreed to are exempt. Order confirmations, shipping notifications, and account alerts qualify — as long as the message contains no promotional content. The moment you add "while you wait, check out our other products" to an order confirmation, the exemption is at risk.
Warranty, product recall, and safety information: Messages providing information about a warranty, recall, or product safety issue for a product the recipient has purchased are exempt.
Responses to requests, inquiries, or complaints: Messages sent in direct response to a request, inquiry, or complaint from the recipient are exempt for a reasonable period following that interaction.
Registered charities and political parties: Messages sent by registered charities soliciting donations, or messages sent by political parties or candidates soliciting contributions, are exempt from CASL consent requirements.
B2B exemption — personal, family, and business relationships: CASL includes a narrow exemption for messages sent between individuals who have a "personal relationship" or "family relationship." For business contexts, a sender and recipient who have previously communicated directly (not through a company-wide newsletter) and who would both reasonably consider their relationship to qualify as an "existing non-business relationship" may exchange commercial messages without consent — but this is a fact-specific determination, not a blanket B2B exemption.
What Every CASL-Compliant Commercial Email Must Contain
Even with valid consent, every CEM sent to Canadian subscribers must meet specific content requirements. Missing any of these elements — regardless of consent status — is a CASL violation.
Required Elements in Every CEM
1. Sender identification: The message must clearly identify the person or organisation sending it. This means a legal business name or the individual's name — not just a brand name if the brand name is not the legal entity sending the email. If the message is sent on behalf of a third party, both the sender and the third party must be identified.
2. Contact information: The message must include a mailing address and at least one of: a phone number, email address, or web address. The mailing address must be valid for a minimum of 60 days after the message is sent.
3. Unsubscribe mechanism: Every CEM must include a clear, functional unsubscribe mechanism that:
- Is easy to identify — typically an unsubscribe link or clear instructions
- Does not require the recipient to pay any fees or provide personal information beyond their email address to unsubscribe
- Can be processed within 10 business days of the request
- Remains functional for 60 days after the message is sent
The 10-business-day rule is strict: Processing an unsubscribe request after 10 business days is a CASL violation — even if the delay is a technical error. Your unsubscribe mechanism must be automated or checked daily to ensure compliance.
What CASL does not require: Unlike GDPR, CASL does not require a privacy policy link in every CEM. Unlike CAN-SPAM, CASL does not require a physical mailing address specifically — any valid mailing address (which can be a PO Box) qualifies.
Record-Keeping: The Most Overlooked CASL Requirement
CASL places the burden of proof on the sender. If the CRTC investigates a complaint, you must be able to demonstrate that you had valid consent for every recipient. "I think they signed up on our website" is not sufficient evidence. You need documented proof.
What to record for every subscriber:
| Record | What to Capture |
|---|---|
| Consent date | Exact timestamp of when consent was given |
| Consent method | Form submission, verbal consent, checkbox, in-person sign-up |
| Consent language | The exact wording of the opt-in request shown to the subscriber |
| IP address | For web-based sign-ups — the IP address of the submission |
| Source | Which page, campaign, or channel drove the sign-up |
| Implied consent basis | If implied, the specific transaction or relationship that created consent |
| Implied consent expiry | The calculated expiry date based on the relationship type |
How long to retain records: CASL does not specify a minimum retention period for consent records, but best practice and general legal guidance recommend retaining records for a minimum of 3 years — the standard limitation period for CASL enforcement actions.
What happens without records: If a recipient files a complaint and you cannot produce a consent record, the CRTC will proceed on the assumption that consent did not exist. The burden is entirely on the sender to prove consent was obtained.
Practical implementation: Every email marketing platform used to collect sign-ups should capture and export timestamp, IP address, and source for each subscriber. For imported lists, retain the original source documentation — the sign-up form, the event registration export, the POS system receipt — that demonstrates the consent basis.
CASL vs CAN-SPAM: Key Differences for US Businesses
US businesses with Canadian subscribers need to understand that CASL and CAN-SPAM are fundamentally different laws — applying US compliance standards to Canadian contacts leaves you exposed.
| Requirement | CASL (Canada) | CAN-SPAM (USA) |
|---|---|---|
| Consent required before sending | ✅ Yes — express or implied | ❌ No — opt-out model |
| Pre-checked opt-in boxes permitted | ❌ No | ✅ Yes |
| Physical mailing address required | ✅ Any valid address | ✅ Physical postal address specifically |
| Unsubscribe processing time | 10 business days | 10 business days |
| Unsubscribe validity period | 60 days | 30 days |
| Maximum fines | $10M CAD per violation | $51,744 USD per email |
| Private right of action | ✅ Yes (suspended pending review) | ❌ No |
| Applies to B2B email | ✅ Yes | ✅ Yes |
| Extraterritorial reach | ✅ Based on recipient location | ✅ Based on sender location |
The consent difference is the critical one. Under CAN-SPAM, you can add a Canadian business contact to your email list after meeting them at a trade show and send commercial emails until they opt out. Under CASL, that same action — without prior consent — is a violation.
Practical approach for US businesses: Segment your list by subscriber location. Apply CASL standards to Canadian contacts (express consent required, 2-year implied consent windows tracked, records maintained) and CAN-SPAM standards to US contacts. Do not apply the lower standard universally — if a Canadian subscriber complains, the fact that you were CAN-SPAM compliant provides no CASL defence.
Managing Implied Consent Expiry
Implied consent expiry is the most operationally complex aspect of CASL for businesses with established Canadian customer lists. Unlike express consent — which is indefinite as long as the subscriber does not unsubscribe — implied consent has a hard expiry date that must be tracked and acted upon.
The implied consent clock:
| Event | Resets Clock | Notes |
|---|---|---|
| New purchase | ✅ Yes — 2 years from purchase | Every transaction resets the clock |
| New contract | ✅ Yes — duration + 2 years | B2B contracts especially |
| New inquiry | ✅ Yes — 6 months from inquiry | Inquiry must be genuine business contact |
| Express consent obtained | ✅ Indefinitely | Eliminates expiry concern entirely |
| Unsubscribe request | ❌ Terminates consent | Cannot re-add after unsubscribe |
The best strategy for managing implied consent: Convert implied consent to express consent before it expires. Before a Canadian customer's 2-year window closes, send a re-permission email asking them to explicitly confirm they want to continue receiving your emails. This converts a time-limited relationship into indefinite express consent and eliminates the need to track expiry dates for that subscriber.
Re-permission email template approach:
- Send 60–90 days before the implied consent expiry date
- Subject line: "Do you still want to hear from us?" or "[Name], a quick question about your inbox"
- Body: Acknowledge the relationship, explain that you want to make sure your communications are welcome, and ask them to confirm with a single click
- Include an unsubscribe option alongside the confirm option
- If no response, suppress the contact before the expiry date
Automating expiry tracking: Your email platform should allow you to store and act on a custom date field (consent expiry date) for each Canadian subscriber. Migomail's segmentation allows you to create a dynamic segment of Canadian subscribers whose implied consent expires within 90 days — enabling automated re-permission workflows before expiry.
CASL Penalties and Enforcement
CASL enforcement is real and has resulted in significant fines for both Canadian and international businesses.
Penalty structure:
- Individuals: up to $1 million CAD per violation
- Businesses: up to $10 million CAD per violation
- Each non-compliant commercial message can constitute a separate violation
Notable enforcement actions: CASL enforcement has targeted businesses across sectors — from software companies installing code without consent to marketing firms sending commercial messages without proper unsubscribe mechanisms. The CRTC has issued fines ranging from $50,000 to $1.1 million CAD for individual enforcement actions, with some cases resulting in consent agreements and compliance programs rather than purely financial penalties.
What triggers enforcement attention:
- Volume of complaints filed with the CRTC's Spam Reporting Centre
- Complaints from competitors or industry associations
- Messages sent to purchased or harvested lists
- Missing unsubscribe mechanisms or delays in processing unsubscribe requests beyond 10 business days
- False or misleading sender identification or subject lines
Private right of action: CASL originally included a private right of action — allowing individuals and businesses to sue senders directly for CASL violations without government involvement. This provision was suspended before it came into force and as of 2026 remains suspended pending government review. However, government enforcement through the CRTC remains active.
Building a CASL-Compliant Email Programme: Practical Checklist
List building
- Express consent captured for all Canadian subscribers via unchecked opt-in checkbox
- Opt-in language is specific — identifies sender, describes content, states right to unsubscribe
- No pre-checked boxes anywhere in sign-up flows
- No bundled consent with account creation or terms acceptance
- Double opt-in enabled for Canadian subscriber sign-ups (not required, but strongly recommended for evidence)
Consent records
- Timestamp, IP address, source URL, and opt-in language stored for every Canadian subscriber
- Implied consent basis and expiry date stored for every subscriber on implied consent
- Re-permission workflow triggered 60–90 days before implied consent expiry
- Records retained for minimum 3 years
Email content
- Legal sender name or business name included in every CEM
- Valid mailing address included — must remain valid for 60 days post-send
- At least one contact method (phone, email, or website) included
- Clear unsubscribe mechanism in every CEM
- Unsubscribe link functional for 60 days post-send
Unsubscribe processing
- Unsubscribe requests processed within 10 business days — no exceptions
- Unsubscribed contacts permanently suppressed — never re-added to any marketing list
- Migomail's bounce management handles automated suppression in real time
Ongoing management
- Canadian subscribers segmented and managed separately from US subscribers
- CASL-specific compliance review conducted at least annually
- New sign-up sources and import processes reviewed for CASL compliance before any Canadian contacts are added
Frequently Asked Questions
Does CASL apply to US companies emailing Canadian recipients?
Yes. CASL applies based on where the recipient is located, not where the sender is based. A US company sending commercial emails to subscribers with Canadian addresses — whether they are Canadian citizens or US expats living in Canada — must comply with CASL for those contacts. The fact that the sending company is based in the US and fully CAN-SPAM compliant provides no defence against a CASL enforcement action. US businesses with Canadian customers need to segment those contacts and apply CASL consent and content standards to them specifically.
What is the difference between express and implied consent under CASL?
Express consent is an explicit, documented agreement by the recipient to receive commercial emails from a specific sender. It does not expire and is the gold standard for CASL compliance. Implied consent arises from a pre-existing business or non-business relationship — for example, a recent purchase or a signed contract. Implied consent is time-limited: 2 years from the last purchase or end of contract, and 6 months from an inquiry. The key practical difference: with express consent, you can email a Canadian subscriber indefinitely until they unsubscribe. With implied consent only, you must stop emailing them when the time window closes — unless they make another purchase or give express consent.
Can I add Canadian business contacts from LinkedIn or trade shows to my email list?
Generally no — not without additional consent steps. Under CASL, a business card exchanged at a trade show or a LinkedIn connection does not constitute consent to receive commercial emails. If the person's email address is publicly listed on their company website specifically for business contact purposes, you may have a basis for one initial outreach under the "publicly available contact information" exemption — but this requires that the message is relevant to their business role and that they have not included an opt-out statement. The safest approach: at trade shows, use a sign-up form or tablet where contacts actively opt in to your list, with the opt-in language and their name recorded.
What happens if I send a commercial email to a Canadian subscriber without consent?
Each non-compliant commercial message can constitute a separate CASL violation subject to fines of up to $10 million CAD per violation for businesses. In practice, enforcement is complaint-driven — the CRTC investigates based on complaints filed through its Spam Reporting Centre. Single inadvertent violations are unlikely to result in maximum penalties, but a systematic programme of sending to Canadian contacts without consent — for example, using a purchased list or failing to obtain express consent through an opt-in process — creates material regulatory risk. Beyond enforcement risk, non-consented Canadian recipients generate high complaint rates that damage your email deliverability and inbox placement for your entire list.
How do I handle existing Canadian subscribers whose consent status is unclear? For any Canadian subscriber where you cannot produce a consent record showing when and how consent was obtained, treat them as having no consent. Send a re-permission email asking them to explicitly opt in — one email is permitted under CASL to request consent where an existing relationship may have existed, even if documented consent is absent. If they do not respond to the re-permission request, suppress them from all future commercial sends. Do not continue to email contacts whose consent status you cannot verify — the enforcement risk is not worth the incremental list size.
Summary
CASL is one of the world's strictest email marketing laws — but compliance is straightforward when you understand its three core requirements:
1. Get consent first. Express consent before the first commercial email to any Canadian recipient. Implied consent only for contacts with a demonstrable recent business relationship — and only within the defined time windows.
2. Include required content in every CEM. Sender identification, a valid mailing address, contact information, and a functional unsubscribe mechanism that processes within 10 business days.
3. Keep records. Timestamp, IP address, source, and opt-in language for every Canadian subscriber. Track implied consent expiry dates and run re-permission campaigns before they lapse.
For US businesses, the practical approach is clean segmentation: separate your Canadian subscribers, apply CASL standards to them, and build a re-permission workflow that converts implied consent to express consent before time windows close.
Migomail's bounce management handles automated suppression of unsubscribes and bounces in real time — one of the core CASL operational requirements. Our segmentation tools allow you to create CASL-specific subscriber groups with custom consent date fields and expiry-triggered workflows.
Start your free trial to access Migomail's compliance-ready email infrastructure and build your CASL-compliant Canadian subscriber management programme from day one.
Note: This guide provides general informational content about CASL and should not be construed as legal advice. Email marketing law is jurisdiction-specific and fact-sensitive. Consult a qualified Canadian legal professional for advice specific to your business situation.