The Canada Anti-Spam Legislation (CASL) came into force in 2014 and immediately established itself as one of the most demanding anti-spam frameworks in the world. Unlike the US CAN-SPAM Act, which allows marketers to send commercial emails until recipients opt out, CASL requires consent before you send. This fundamental difference catches many businesses off guard, particularly those used to operating under US-style opt-out email marketing rules.
Express consent vs implied consent
CASL distinguishes between two forms of consent for sending commercial electronic messages (CEMs) — which includes email, SMS, social media messages, and any other electronic communication sent to an electronic address for commercial purposes.
Express consent is the gold standard. It must be obtained through a clear, positive action — a checkbox that the recipient ticks, a sign-up form they complete, a verbal agreement that is documented. The consent request must clearly describe what the recipient is consenting to receive, identify who is requesting consent, and explain how to withdraw consent. Importantly, the checkbox must be unticked by default.
Implied consent applies in limited, time-bound circumstances:
- An existing business relationship — someone who has purchased from you or donated within the past 2 years
- An existing non-business relationship — a member of your club or association within the past 2 years
- A conspicuously published email address — an address published on a website without a "no commercial messages" notice, but only for messages relevant to the person's business role
- Someone who has provided their business card to you directly
Implied consent from a purchase relationship expires 2 years from the date of the transaction. You cannot send indefinitely on the basis of a years-old purchase — you must convert implied consent to express consent before it expires.
Mandatory requirements for every commercial message
Every commercial electronic message you send to a Canadian recipient must include:
- Identification of the sender — who is sending the message and on whose behalf
- Contact information — mailing address and either telephone number, email address, or web address
- A working unsubscribe mechanism — a link or address to which recipients can opt out
- The unsubscribe must be free of charge and honoured within 10 business days
You must maintain records of your consents. If you cannot demonstrate that a valid consent exists for a recipient and you are challenged, you will be presumed to be in violation. Enforcement actions under CASL have resulted in fines ranging from tens of thousands to millions of CAD — the CRTC (Canadian Radio-television and Telecommunications Commission) has demonstrated willingness to pursue enforcement across borders.
How CASL differs from GDPR and CAN-SPAM
CASL occupies a middle ground between the most permissive (CAN-SPAM, opt-out only) and most restrictive (GDPR, which requires a lawful basis for every processing activity and has stricter consent standards for sensitive data). The key differences: CASL requires prior consent for all commercial messages (like GDPR but specific to electronic messages); GDPR applies to all personal data processing (broader than CASL); CAN-SPAM requires only an opt-out mechanism (much weaker). If you send emails to recipients in all three jurisdictions, your email marketing practices must satisfy CASL as the most demanding specifically email-focused standard.