
CASL: Email Marketing Rules for Canadian Businesses

Matthew Kirkland

If you email customers or prospects in Canada, CASL applies. Newsletters are only one example. Any email, text, or social media message that encourages participation in a commercial activity can fall under CASL (Canada's Anti-Spam Legislation). That includes promotional offers, product announcements, and messages you might not think of as "marketing."

The rules are manageable, but the penalties are serious: up to $10 million per violation for businesses. Here's what you need to know to stay compliant with CASL email marketing rules in Canada.

What CASL Covers

CASL regulates commercial electronic messages (CEMs). A CEM is any electronic message where it would be reasonable to conclude that one of its purposes is to encourage participation in a commercial activity. That definition comes from section 1(2) of the Act and it's deliberately broad.

CEMs include:

  • Email (the most common case for businesses)
  • Text messages (SMS)
  • Social media direct messages with commercial content

The key test isn't what you call the message. It's whether it encourages someone to buy, subscribe, donate, or participate in a commercial activity.

What's exempt

Not every message your business sends is a CEM. CASL exempts several transactional message types in sections 6(5) and 6(6). Common exemptions include messages that:

  • Help complete or confirm a transaction, like order confirmations and shipping updates
  • Provide warranty, recall, or safety information for products already purchased
  • Provide factual updates about an account, subscription, or membership
  • Respond to inquiries or applications the recipient initiated
  • Are sent between people with a personal or family relationship

The catch: if your order confirmation email includes a "You might also like..." product section, the entire message is treated as a CEM. Keep transactional emails purely transactional if you want the exemption.

CASL's consent system has two tiers, and the distinction matters for every email list your business maintains.

|                   | Express Consent                       | Implied Consent                          |
| How obtained      | Active opt-in (checkbox, signup form) | Automatic from relationship              |
| Duration          | Until unsubscribe                     | 2 years (purchase) or 6 months (inquiry) |
| Expires           | No                                    | Yes                                      |
| Pre-checked boxes | Not valid                             | N/A                                      |
| Example           | Newsletter signup form                | Customer who bought last year            |

Express consent means the person actively opted in to receive your messages. They checked a box, filled out a signup form, or explicitly told you "yes, send me emails."

Under section 10 of CASL, a valid express consent request must include:

  • The purpose for which consent is being requested
  • The name and contact information of the person seeking consent
  • A statement that the person can withdraw consent at any time

Express consent does not expire. It lasts until the person unsubscribes. This is the strongest form of consent and the one you should aim for.

One critical rule: no pre-checked boxes. Consent must be an active choice. A checkbox that's already ticked when the page loads doesn't count as express consent. The recipient has to do something affirmative.

Implied consent exists automatically in certain situations, but it comes with time limits.

You have implied consent to email someone if:

  • They purchased from you within the last 2 years. An existing business relationship based on a purchase, contract, or similar transaction gives you implied consent for 24 months from the date of the last transaction.
  • They made an inquiry within the last 6 months. If someone submitted a contact form, requested a quote, or asked about your services, you have implied consent for 6 months from that inquiry.
  • Their contact information is publicly available. If an email address is published online (like a business directory listing), and the message is relevant to the person's role or business, you can contact them. But only if the publication doesn't include a statement saying they don't want unsolicited messages.

This is where many businesses slip. Implied consent has a built-in expiry. If a customer bought from you 18 months ago and you haven't asked them to opt in, you have about 6 months left to get express consent or stop emailing them.

How to upgrade implied to express consent before it expires:

Send a re-engagement email before the implied consent window closes. Keep it direct: "We'd like to keep sending you updates. Click here to stay on our list." If they don't opt in, remove them when the implied consent period ends.

Track your consent dates. Know when each contact's implied consent expires, and plan your re-engagement emails with enough lead time.

What Every Marketing Email Needs

Every CEM you send must include three elements. These aren't optional, and missing any one of them is a violation.

1. Sender identification

Your message must clearly identify who is sending it and, if different, who is responsible for the message. Use your business name, rather than a bare "noreply@company.com" sender. The recipient should be able to tell at a glance who the email is from and on whose behalf it was sent.

2. Contact information

Every CEM must include a physical mailing address for your business, plus at least one of: a phone number, an email address, or a website URL. This contact information must remain valid for at least 60 days after the message is sent.

3. A working unsubscribe mechanism

Every commercial message needs a clear, visible way for the recipient to unsubscribe. This is one of the most common violations the CRTC finds, and it's one of the easiest to fix.

Unsubscribe Rules

CASL's section 11 sets specific rules for how unsubscribe mechanisms must work. These aren't suggestions.

You must process unsubscribe requests within 10 business days. That's the maximum. Faster is better.

No barriers. The recipient shouldn't need to log in, create an account, or explain why they're unsubscribing. A single click should be enough.

No fees. Unsubscribing must be free. You cannot charge for removal from your list.

The mechanism must keep working. Your unsubscribe link must remain functional for at least 60 days after the message is sent. If someone opens a month-old email and clicks unsubscribe, it needs to work.

Most modern email platforms (Mailchimp, Constant Contact, Campaign Monitor) handle unsubscribe compliance automatically. If you're using a custom-built system, make sure these rules are built in.

Penalties and Enforcement

CASL has real teeth. Under section 20 of the Act, maximum penalties reach $10 million per violation for businesses and $1 million per violation for individuals.

In practice, the CRTC uses a range of enforcement tools: warning letters, negotiated undertakings (settlements), and formal notices of violation with administrative monetary penalties.

Example enforcement actions

Plenty of Fish (2015). The online dating service paid $48,000 through a CRTC undertaking after the regulator found its unsubscribe mechanism wasn't clearly set out or readily performable. Plenty of Fish also agreed to set up an employee training and compliance program.

Kellogg Canada (2023). The CRTC issued an undertaking against Kellogg Canada Inc. for sending commercial emails without valid consent and failing to include a compliant unsubscribe mechanism. This shows enforcement is ongoing and applies to well-known brands.

Enforcement isn't limited to obvious spam campaigns. Legitimate businesses with weak consent records or broken unsubscribe flows can still face action.

CASL and PIPEDA: How They Work Together

CASL and PIPEDA (Personal Information Protection and Electronic Documents Act) are separate laws, but they overlap when it comes to email marketing.

CASL governs whether you can send the message — did the recipient agree to receive your emails? PIPEDA governs how you handle the personal data — how you collect, store, use, and disclose email addresses.

Both apply at the same time. When someone signs up for your email list, CASL requires that you have valid consent to send them commercial messages. PIPEDA requires that you explain how you'll use their personal information, store it securely, and give them access to it on request.

The Office of the Privacy Commissioner shares enforcement responsibility for CASL with the CRTC and the Competition Bureau. The OPC's role focuses on the personal information aspects: how email addresses are collected and used.

Your privacy policy should clearly state that you collect email addresses for marketing. If you collect emails through a contact form and later add those people to a marketing list, that can create a PIPEDA issue on top of a CASL issue. We break this down in our guide to writing a privacy policy for your website.

For a broader look at how PIPEDA applies to your website, see our post on privacy law in Canada for business owners.

Diagram showing how CASL and PIPEDA apply together to email marketing, with CASL covering consent to send and PIPEDA covering data handling

Record Keeping

If the CRTC investigates your business, you need to prove you had consent to send each message. Under section 13 of CASL, the burden of proof is on the sender. If you claim you had consent, you must be able to show it.

The CRTC published an enforcement advisory on consent records in 2016 that outlines what to keep.

What to record

For express consent, keep:

  • How consent was obtained (signup form, checkbox, verbal)
  • When consent was obtained (date and time)
  • What the person agreed to (the specific consent language they saw)
  • The form or page where they opted in (a screenshot or archived version)

For implied consent, keep:

  • The basis for implied consent (purchase date, inquiry date, public listing)
  • The date the relationship started
  • The date implied consent expires
  • Records of any purchases, contracts, or inquiries that establish the relationship

How long to keep records

CASL doesn't prescribe a fixed retention period. Practical guidance is to keep records for as long as you rely on that consent, plus extra time after. CASL's limitation period allows the CRTC to start proceedings up to three years after discovering a violation. A practical approach is to keep records for the length of your relationship with the contact, then for at least three years after your last message.

Your email platform should track opt-in dates and methods. If it doesn't, start recording this information manually. Consent records you can't produce are consent records that don't exist, as far as the CRTC is concerned.

Practical Steps for Your Business

If you're not sure where your email marketing stands, here's what to check.

1. Audit your email list

For each contact, can you identify whether you have express or implied consent? If you can't, that's a problem. Contacts without a clear consent basis should either be re-engaged (asked to opt in) or removed.

2. Check your signup forms

Make sure every email signup on your website includes the required consent language: who's sending, what they'll receive, and how to unsubscribe. No pre-checked boxes. Our guide to cookie consent for Canadian websites covers consent mechanisms for other parts of your site.

3. Review your email templates

Every commercial message needs your business name, a physical address, and a working unsubscribe link. Check that the unsubscribe link actually works and that requests are processed within 10 business days.

Record when and how each contact opted in. Most email platforms do this automatically, but verify that yours keeps adequate records.

5. Secure your email delivery

CASL compliance isn't just about consent. If your emails get spoofed or your domain is used for phishing, that's a separate problem. Our guide to SPF, DKIM, and DMARC explains how email authentication protects your domain and your customers.

What We See in Practice

When we review email setups for clients, the most common issue is implied consent that expired months ago. A customer bought something two years back, and the business kept emailing without ever asking them to opt in. The fix is usually straightforward: send a re-engagement email before the window closes, and remove contacts who don't respond.

The second most common problem is signup forms that skip the required consent language. The form collects an email address, but nothing on the page explains who's sending, what the person will receive, or how to unsubscribe. We build compliant signup forms into every site we develop, because retrofitting them later usually means re-collecting consent from everyone on the list.

The Bottom Line

CASL compliance comes down to three principles: get consent before you send, identify yourself clearly in every message, and make it easy to unsubscribe.

The law applies to every commercial electronic message your business sends to people in Canada. Express consent (active opt-in) is always the safest approach. Implied consent exists for existing business relationships and recent inquiries, but it expires.

The CRTC actively enforces CASL, and the penalties can be significant. Compliance is straightforward if you treat it as part of how your business communicates.

This post is educational information, not legal advice. CASL compliance depends on your specific business activities, the types of messages you send, and how you obtained consent. For legal interpretation of your obligations, consult a qualified lawyer.

Need Help With Email Compliance?

If you're not sure whether your website's email signup forms and consent mechanisms are set up correctly, we can take a look. We'll review your current forms, privacy disclosures, and email setup, and explain what we find in plain terms.

Get a free email compliance review: Contact us at info@ylx.ca


Analysis FAQ.

Does CASL apply to my business?

If your business sends commercial electronic messages to people in Canada, including marketing emails, promotional texts, or commercial social media DMs, CASL applies. It doesn't matter where your business is located. What matters is that the recipient is in Canada.

What's the difference between express and implied consent?

Express consent means someone actively opted in to receive your messages. Implied consent exists automatically in certain situations, like an existing business relationship, but it expires. Express consent lasts until the person unsubscribes. Implied consent has a 2-year or 6-month limit depending on how it was established.

Can I email someone who bought from me?

Yes, for up to 2 years after their last purchase. This falls under implied consent from an existing business relationship. After 2 years, you need express consent to keep emailing them. Use that window to ask them to opt in.

What are the penalties for violating CASL?

Up to $10 million per violation for businesses and $1 million for individuals. The CRTC can also negotiate undertakings with lower payments. Penalties consider the nature and scope of the violation, any financial benefit gained, and the organisation's ability to pay.