CASL Compliance Guide: Canada's Anti-Spam Law Explained

Exempt Messages:

• Messages to family members (reasonable relationship)
• Messages in response to inquiries
• Quotes or estimates previously requested
• Warranty or recall information
• Messages required by law
• Court-ordered messages
• Messages sent to addresses published without restrictions (with conditions)

The Consent Foundation

Unlike CAN-SPAM's opt-out approach, CASL is built on consent:

Express Consent: Explicit permission before sending. The gold standard.

Implied Consent: Permission inferred from business relationships or other circumstances. Has limitations and expiration dates.

No Consent = No Sending: You cannot send commercial messages to Canadian recipients without one of these consent types.

Express Consent Under CASL

Express consent is explicit, affirmative permission to receive commercial electronic messages. It's the most robust and preferred form of consent.

Requirements for Valid Express Consent

Express Consent Must Be:

Clear and Positive: Active agreement, not passive acceptance. No pre-checked boxes.

Informed: The person must understand what they're consenting to.

Specific: Who will be sending and what type of messages.

Recorded: You must be able to prove consent was obtained.

What You Must Disclose When Seeking Consent

Before obtaining consent, you must clearly provide:

1. Purpose of Consent: Describe what messages will be sent and how often.

Example: "We'll send you weekly email marketing tips, product updates, and occasional promotional offers."

2. Identity of Sender: Name of the organization seeking consent.

Example: "BillionVerify will send you these emails."

3. Contact Information: Mailing address plus one of:

• Telephone number
• Email address
• Web address

4. Statement of Withdrawal: How they can unsubscribe and that they may do so at any time.

Example: "You can unsubscribe at any time by clicking the unsubscribe link in any email."

5. Third-Party Disclosure (if applicable): If consent is sought on behalf of others, name them.

Express Consent Form Examples

Compliant Consent Form:

Email: [________________]

□ Yes, I want to receive email communications from
  BillionVerify, including weekly marketing tips,
  product updates, and promotional offers.

  You can unsubscribe at any time using the link
  in any email.

  BillionVerify Inc.
  123 Main Street
  Toronto, ON M5V 1A1
  info@billionverify.com

[Subscribe]

Non-Compliant Consent Form:

Email: [________________]

☑ I agree to receive emails  (pre-checked)

[Submit]

Double Opt-In for Express Consent

While not required by CASL, double opt-in provides stronger evidence of consent:

Process:

1. User submits email and checks consent box
2. Confirmation email sent (this message is exempt under CASL)
3. User clicks confirmation link
4. Subscription activated

Benefits:

• Stronger proof of consent
• Reduces typos and fake signups
• Better list quality
• Supports defense if challenged

Express Consent Duration

Express Consent Does Not Expire: Once obtained, express consent remains valid until withdrawn.

However, Consider:

• Subscribers who never engage may have changed email addresses
• Very old consent may be harder to prove
• Regular re-engagement helps maintain list quality

Best Practice: Maintain active consent records and periodically confirm interest from long-inactive subscribers.

Implied Consent Under CASL

Implied consent allows sending without explicit permission in specific circumstances, but comes with important limitations.

Types of Implied Consent

1. Existing Business Relationship: You may send to someone you have a business relationship with.

Qualifying Relationships:

• Purchase of goods, services, or business opportunity in past 24 months
• Written contract in effect or expired within past 24 months
• Bartering arrangement within past 24 months

Duration: 24 months from most recent transaction or contract expiration.

2. Existing Non-Business Relationship: For clubs, charities, political parties, and similar organizations.

Qualifying Relationships:

• Membership in club, association, or organization within past 24 months
• Volunteer work within past 24 months
• Donation or gift within past 24 months

Duration: 24 months from most recent interaction.

3. Inquiry Relationship: Someone who inquired about your goods, services, or business.

What Counts:

• Requested quote or proposal
• Asked about products/services
• Made application or inquiry

Duration: 6 months from inquiry.

4. Conspicuously Published Address: Email addresses publicly published without restrictions.

Requirements:

• Address must be "conspicuously published"
• No statement that unsolicited messages aren't welcome
• Message must be relevant to recipient's business role/function
• Identity of sender clearly stated in message

Example: Contacting a business development manager whose email appears on company website, regarding a B2B partnership opportunity.

Limitations: This doesn't authorize bulk emailing everyone whose address appears online. Messages must be relevant to their published role.

Implied Consent Expiration

Critical Difference from Express Consent: Implied consent expires.

Before Expiration: Convert implied consent to express consent by:

• Including opt-in opportunity in messages
• Running re-permission campaigns
• Clearly requesting ongoing consent

Managing Implied Consent

Documentation Requirements: For each contact with implied consent, record:

• Type of relationship
• Date relationship was established
• When consent expires
• Source documentation

Database Setup:

subscriber_records:
  - email: contact@company.com
  - consent_type: implied_business
  - relationship_date: 2024-12-01
  - consent_expires: 2026-12-01
  - relationship_source: "Invoice #12345"
  - converted_to_express: false

Automated Reminders: Set up alerts for consent expiration:

• 60 days before: Run re-permission campaign
• 30 days before: Final opt-in request
• On expiration: Move to suppression list unless express consent obtained

CEM Content Requirements

Every commercial electronic message must include specific content elements.

Required Message Elements

1. Sender Identification: Clearly identify who is sending the message.

Required Information:

• Name of sending organization
• If sending on behalf of another, identify both parties
• Must be truthful and not misleading

Header Requirements:

• Accurate "From" field
• Honest "Reply-To" routing
• No spoofing or impersonation

2. Contact Information: Include valid contact information.

Required:

• Mailing address, AND
• One of: telephone number, email address, or website URL

Contact Information Must:

• Be valid for at least 60 days after message sent
• Enable direct contact with sender
• Be readily accessible (not hidden)

3. Unsubscribe Mechanism: Every CEM must include a working way to unsubscribe.

Requirements:

• Clear and conspicuous
• Easy to use
• Must work for at least 60 days after sending
• Unsubscribe address/link must be valid
• Cannot charge a fee
• Cannot require more than sender's name and address to unsubscribe

4. Unsubscribe Processing: Honor opt-out requests within 10 business days.

After Receiving Request:

• Stop sending within 10 business days
• Add to suppression list
• Cannot sell or transfer the address
• Cannot have others send on your behalf

Email Footer Example

You're receiving this email from BillionVerify because
you previously made a purchase from us.

To unsubscribe from future marketing emails, click here:
[Unsubscribe]

Or reply to this email with "Unsubscribe" in the subject line.

BillionVerify Inc.
123 Main Street
Toronto, ON M5V 1A1
Canada
Phone: 1-800-555-0123
Email: support@billionverify.com

CASL Penalties and Enforcement

CASL carries significant penalties, making compliance essential.

Administrative Monetary Penalties (AMPs)

Maximum Penalties:

• Individuals: Up to $1 million CAD per violation
• Organizations: Up to $10 million CAD per violation

Penalty Calculation Factors:

• Nature and scope of violation
• History of prior violations
• Financial benefit from violation
• Ability to pay
• Voluntary compliance efforts
• Deferred compliance agreements

Personal Liability

Directors and Officers: Can be personally liable if they:

• Directed, authorized, or acquiesced to violations
• Were in a position to prevent violations and didn't

This means executives can face personal fines up to $1 million.

Private Right of Action

Individuals and Organizations Can Sue: CASL includes a private right of action allowing:

• Lawsuits by individuals affected by violations
• Actual damages plus statutory damages up to $1 million per day
• Class action lawsuits for widespread violations

Note: The private right of action provisions have been delayed but may be activated in the future.

Enforcement Agencies

Three Agencies Enforce CASL:

CRTC (Canadian Radio-television and Telecommunications Commission): Primary enforcement for spam and related violations.

Competition Bureau: Handles false or misleading marketing claims.

Office of the Privacy Commissioner: Addresses personal information collection without consent.

Notable Enforcement Actions

CompuFinder ($1.1 million): Sending CEMs without consent, improper unsubscribe.

Porter Airlines ($150,000): Sending promotional emails without proper consent.

Blackstone Learning ($640,000): Misleading email marketing practices.

Compu-Finder: First major CASL penalty, demonstrating enforcement is real.

These cases show regulators actively enforce CASL with significant penalties.

CASL Compliance Checklist

Use this comprehensive checklist to audit your email marketing program.

Consent Management

• [ ] Express consent form includes all required disclosures
• [ ] Consent boxes are unchecked by default
• [ ] Consent records include date, source, and text shown
• [ ] Implied consent types are documented
• [ ] Implied consent expiration dates are tracked
• [ ] Re-permission process exists for expiring consent
• [ ] Double opt-in is implemented (recommended)

Message Content

• [ ] Sender clearly identified in all messages
• [ ] Mailing address included in every CEM
• [ ] Additional contact method included (phone, email, or website)
• [ ] Contact information valid for 60+ days
• [ ] Unsubscribe mechanism in every message
• [ ] Unsubscribe is easy and free to use
• [ ] Unsubscribe works for 60+ days after sending

Unsubscribe Processing

• [ ] Opt-outs processed within 10 business days
• [ ] Suppression list permanently maintained
• [ ] Addresses not sold or transferred after opt-out
• [ ] Staff trained on unsubscribe handling

List Management

• [ ] All addresses have documented consent (express or implied)
• [ ] Consent type and expiration tracked for each address
• [ ] Regular email verification maintains list quality
• [ ] Bounces removed promptly
• [ ] No purchased lists without verified consent
• [ ] List hygiene practiced regularly

Documentation

• [ ] Consent records stored securely
• [ ] Relationship dates documented for implied consent
• [ ] Third-party agreements include CASL compliance requirements
• [ ] Staff training documented
• [ ] Compliance audits performed regularly

CASL vs. Other Regulations

Understanding how CASL compares to other laws helps navigate international compliance.

CASL vs. CAN-SPAM

Key Difference: CASL is fundamentally stricter because it requires consent before sending. CAN-SPAM allows sending until someone opts out.

CASL vs. GDPR

Both require consent for marketing, but GDPR has broader data protection requirements.

For GDPR guidance, see our GDPR email marketing guide.

Complying with Multiple Regulations

For International Senders:

• Segment lists by recipient jurisdiction
• Apply strictest relevant standard to each segment
• Document consent appropriately for each regulation
• Consider unified approach meeting all requirements

Practical Approach: Build consent processes that satisfy CASL (the strictest for consent) and GDPR (the strictest for data protection), and you'll generally comply with CAN-SPAM and most other regulations.

Best Practices for CASL Compliance

Beyond minimum requirements, these practices support robust compliance.

Building Consent-Based Lists

Organic List Building:

• Website signup forms with proper disclosures
• In-person signups at events (document consent)
• Referral programs (new contacts must consent directly)
• Content upgrades with consent capture

Avoid:

• Purchased lists (can't verify consent)
• Scraped addresses (harvesting violates CASL)
• Assumed consent from business cards
• Adding addresses found online without proper conditions

Converting Implied to Express Consent

Before implied consent expires, convert to express:

Conversion Campaign Example:

Subject: Confirm your subscription to BillionVerify

Hi [Name],

We've loved having you as a customer, and we'd like to
keep sending you helpful email marketing tips and updates.

To continue receiving our emails, please confirm your
subscription by clicking below:

[Yes, Keep Me Subscribed]

If you don't confirm, we'll stop sending marketing emails
when your subscription lapses next month. You'll still
receive important transactional emails about your account.

Thank you for being part of our community!

Timing:

• Start conversion campaigns 60-90 days before expiration
• Send 2-3 reminder emails
• Move non-responders to suppression list on expiration date

Email Verification and List Quality

Maintaining clean email lists supports CASL compliance:

Why Verification Matters:

• Invalid addresses suggest poor consent practices
• Bounces indicate outdated consent records
• Clean lists demonstrate data quality efforts

Using BillionVerify: BillionVerify's email verification helps maintain compliance:

• Verify at signup to catch typos and fake addresses
• Regular bulk verification removes degraded addresses
• Identify disposable emails that may be low-quality signups

Staff Training

Train Team Members On:

• CASL basics and why compliance matters
• Consent types and requirements
• Message content requirements
• Unsubscribe processing
• Documentation requirements
• Escalation for questions

Create Reference Materials:

• Quick reference cards for consent requirements
• Approved consent language templates
• Escalation contacts for compliance questions
• Regular compliance reminders

Common CASL Mistakes and How to Avoid Them

Learn from these frequent compliance failures.

Mistake 1: Sending Without Consent

The Problem: Emailing Canadian addresses without express or valid implied consent.

Common Causes:

• Purchasing lists
• Adding contacts from business cards without consent
• Assuming prior relationship equals consent
• Not tracking consent expiration

The Fix:

• Only email addresses with documented consent
• Verify consent type and validity before adding to marketing lists
• Implement consent tracking in your database

Mistake 2: Incomplete Consent Records

The Problem: Unable to prove consent was properly obtained.

Common Causes:

• Not recording consent at time of collection
• Losing records during system migrations
• Insufficient detail in records

The Fix:

• Capture and store consent details immediately
• Include timestamp, source, consent text, and relationship
• Back up consent records securely
• Test record retrieval regularly

Mistake 3: Missing Message Elements

The Problem: CEMs lacking required sender identification, contact info, or unsubscribe.

Common Causes:

• Template errors
• New employee creating emails without training
• Automated sequences missing elements

The Fix:

• Use approved templates with all required elements
• Train all email creators on requirements
• Audit templates and sequences regularly
• Implement pre-send checklist

Mistake 4: Slow Unsubscribe Processing

The Problem: Taking more than 10 business days to process opt-outs.

Common Causes:

• Manual processing delays
• Technical issues
• Suppression list not synced across systems

The Fix:

• Automate unsubscribe processing
• Sync suppression lists in real-time
• Test unsubscribe flow regularly
• Set up monitoring for processing delays

Mistake 5: Ignoring Implied Consent Expiration

The Problem: Continuing to send after implied consent has expired.

Common Causes:

• Not tracking expiration dates
• No conversion campaigns
• System doesn't flag expired consent

The Fix:

• Track consent type and expiration for each address
• Set up automated expiration alerts
• Run conversion campaigns before expiration
• Move expired addresses to suppression

Mistake 6: Improper B2B Prospecting

The Problem: Cold emailing Canadian business contacts thinking CASL doesn't apply to B2B.

The Reality: CASL applies to both B2B and B2C messages.

The Fix:

• Use conspicuously published address exception carefully
• Ensure messages relate to recipient's role
• Consider partnership/referral approaches for initial contact
• When in doubt, find another way to establish relationship first

CASL Compliance for International Senders

If you're based outside Canada but have Canadian subscribers, CASL still applies.

When CASL Applies to International Senders

CASL Applies If:

• Message is sent to a Canadian address
• Message is accessed in Canada
• Computer system in Canada is used to send message

Practical Meaning: If you have Canadian email addresses on your list, you must comply with CASL for those addresses.

Segmenting Canadian Contacts

Options:

1. Apply CASL Standards to Entire List: If CASL is your strictest requirement, apply it universally. Benefits:

• Simpler compliance
• Better engagement (consent-based lists perform better)
• Prepared for stricter regulations elsewhere

2. Segment by Geography: Apply different standards to different regions:

• CASL requirements for Canadian addresses
• CAN-SPAM requirements for US addresses
• GDPR requirements for EU addresses

Implementation:

• Collect country/region at signup
• Use IP geolocation as backup
• Flag addresses by applicable regulation
• Apply appropriate consent requirements

Cross-Border Consent Collection

When Collecting from Canadian Visitors:

• Include all CASL-required disclosures
• Use proper consent form format
• Store consent records appropriately
• Track as express consent

When Collecting from Mixed Audiences: Design forms that satisfy the strictest applicable requirements (usually CASL or GDPR).

Conclusion

CASL sets a high standard for email marketing consent in Canada. Its opt-in requirement, consent expiration rules, and significant penalties make compliance essential for anyone emailing Canadian recipients.

Key Takeaways:

1. Consent Is Mandatory: You cannot send commercial emails to Canadians without express or valid implied consent.

2. Implied Consent Expires: Track expiration dates and convert to express consent before implied consent lapses.

3. Document Everything: Maintain detailed records of when, how, and what consent was obtained.

4. Include Required Elements: Every CEM needs sender identification, contact information, and working unsubscribe.

5. Process Opt-Outs Promptly: Honor unsubscribe requests within 10 business days.

6. Maintain List Quality: Regular email verification supports clean lists and demonstrates data quality practices.

7. Penalties Are Serious: Up to $10 million per violation for organizations makes compliance a business imperative.

CASL's strict requirements actually align with email marketing best practices. Consent-based lists outperform unsolicited email in engagement and deliverability. By building proper consent processes and maintaining quality lists, you'll not only comply with CASL but build more effective email marketing programs.

For comprehensive guidance on email regulations worldwide, see our complete email compliance guide. Ensure your Canadian subscriber lists contain only valid, deliverable addresses with BillionVerify's email verification service.