Canada's anti-spam law — commonly called CASL (Canada's Anti-Spam Legislation) — is one of the strictest email-marketing laws in the world. Ontario businesses that send commercial electronic messages without following its rules face significant penalties. The good news: compliance is straightforward once you understand the three core requirements. This guide walks you through them.
What Is a Commercial Electronic Message?
CASL applies to commercial electronic messages (CEMs). A CEM is any electronic message (email, text, social media direct message) that encourages participation in a commercial activity — which is a broad standard. If the primary purpose or even one purpose of your message is commercial, CASL applies.
Examples of CEMs:
- A promotional email announcing a sale
- A newsletter that contains product recommendations or links to your store
- A text message reminding a customer about an appointment at a fee-for-service business
- An email following up on a quote you provided
Not CEMs (generally exempt):
- Quotes or estimates requested by the recipient
- Messages completing a previously agreed transaction
- Messages between employees of the same organization about internal matters
- Messages to registered charities soliciting donations
The Three Requirements Every CEM Must Meet
1. Consent
Before sending a CEM, you must have the recipient's consent. CASL recognizes two types:
Express consent is the gold standard. The person explicitly agreed to receive your messages — by checking a box, completing a sign-up form, or verbally agreeing in a recorded call. Critically, the consent request must be clearly worded; a pre-ticked checkbox does not count.
Implied consent exists in certain defined circumstances:
- The recipient purchased a product or service from you within the past two years
- The recipient made an inquiry about your business within the past six months
- The recipient has conspicuously published their email address (e.g., on a business website) without a "no solicitation" notice, and your message is relevant to their business role
- You have an existing non-business relationship (member of an organization, subscriber to a publication)
Implied consent has expiry windows (two years or six months, as described above — verify current rules). Once expired, you need express consent to keep emailing.
2. Identification
Every CEM must clearly identify:
- The sender's name (your business name)
- Contact information that is valid for at least 60 days after the message is sent (as of writing — verify)
If you are sending on behalf of another organization, both your name and the organization's name must appear.
3. An Unsubscribe Mechanism
Every CEM must include a working, cost-free mechanism for the recipient to unsubscribe. Requirements include:
- The mechanism must be clearly and prominently set out
- It must be easy to use
- Unsubscribe requests must be honoured within 10 business days (as of writing — verify current deadline)
- You cannot charge a fee or require the recipient to do anything beyond sending a reply or clicking a link to unsubscribe
Building a CASL-Compliant List from Scratch
If you are starting an email list today:
- Use double opt-in. Send a confirmation email after signup. It creates an audit trail of express consent.
- Record consent. Log the date, time, method of consent, and the specific wording shown to the user at sign-up. If CRTC (the Canadian Radio-television and Telecommunications Commission, which enforces CASL) investigates, you must prove consent. Your email platform should store this.
- Timestamp your existing relationships. If you are migrating a legacy list, document when you last had a transaction or inquiry with each contact to establish implied consent windows.
- Purge lapsed contacts. When a contact's implied consent is about to expire and you have no express consent on file, remove the contact before the window closes, or send a re-consent campaign before it does.
Common Mistakes Ontario Businesses Make
Assuming a business card = consent. Receiving someone's card at a networking event is not CASL consent to add them to your marketing list. A polite follow-up about the conversation you had that day may be fine; adding them to your newsletter automatically is not.
Forgetting to suppress unsubscribes promptly. Ten business days is the legal maximum, but your email platform can typically do this in seconds. Sending one more message to someone who unsubscribed is a violation.
Relying on stale implied consent. A customer who bought from you three years ago is outside the two-year window. Unless they have done something since that refreshes consent, you need to have obtained express consent before continuing to email them.
Combining unrelated messages. If you obtained consent for one type of content (e.g., service reminders) and start sending promotional offers, that is outside the scope of the consent given.
Penalties for CASL Violations
CASL penalties can reach $1 million per violation for individuals and $10 million per violation for organizations (as of writing — verify current maximums). The CRTC has issued multi-million-dollar fines against Canadian businesses. CASL also contains a private right of action provision (not yet in force as of writing) that could allow individuals to sue — check whether this has changed.
These are not theoretical risks. Invest in compliance now.
Frequently asked questions
Does CASL apply if I email people in the US or EU?
CASL applies to CEMs sent from Canada or accessed by a computer in Canada, regardless of where the recipient is. If your servers are in Canada, CASL likely applies. US and EU contacts may also trigger CAN-SPAM and GDPR obligations separately — get advice if you market internationally.
I run a B2B company. Do I still need consent?
Yes. CASL applies to business-to-business messages. The implied consent rules for published email addresses and existing business relationships may help, but you still need to track consent and include an unsubscribe mechanism.
Can I text message customers without CASL compliance?
Text messages are electronic messages and CEMs if they have a commercial purpose. All three CASL requirements apply to commercial texts.
What records should I keep?
Keep records of how, when, and what you communicated at the point of consent for at least three years beyond the last use of the consent (as of writing — verify). Your email platform's export function is your friend.