CASL Guide: What every marketer needs to know about Canada’s Anti-Spam law

Laws and regulations
Apr 12
8 min read
This Guide was written as an easy way to understand what changes (if any) you need to implement to comply with this new legislation.
Sending electronic communications

If you are confused by Canada’s Anti-Spam law – you are not alone. This Guide was written as an easy way to understand what changes (if any) you need to implement to comply with this new legislation. It was written concisely, in plain English, while still giving you everything you need to make sure you remain compliant.

CASL has taken close to a decade to come to where it is today. It was never meant to stifle business in Canada.

This legislation touches on all aspects of digital communication, including social media, cellphone and email in a “technologically neutral” approach. At its core, CASL is simply a way for Canadians (and those marketing to Canada) to promote e-commerce while reducing the amount of spam, spyware/malware, phishing and identity theft.

Does CASL apply to me?

This is the first question you must answer yourself and the short answer is:
CASL will be enforced on anyone in Canada and anyone that is sending commercial electronic messages (CEMs) to Canadians.

If you own or operate a business in Canada, or if you have emails on your list ending in “.ca” – chances are pretty good that CASL applies to you. If you own or operate a business outside of Canada and the recipient(s) on your list are NOT in Canada, CASL does not apply. However, you must still adhere to the rules and regulations of the foreign state in which you live.

If you are not certain the recipients on your list reside in Canada, it is up to you to find out.

The country of origin of your recipients is valuable information, and now it could help you make sure you comply with this new law. If you don’t have it, make sure you send a campaign to get it. IP address Geolocation is another useful tool, but don’t rely on this alone, it may not always be reliable as people may be travelling to Canada.

Does CASL apply to my business [infographic]
Easily validate if CASL applies to your business with this infographic.

What is a “CEM”?

As defined by the CRTC*, a CEM is any electronic message that “encourages participation in a commercial activity” regardless of whether there is an expectation of profit.

What are the requirements of CASL?


If you are sending commercial electronic messages CEMs to anyone in Canada, you need to make sure you have consent to do so (either “Express” or “Implied”).


The sender must be clearly identified and include a valid Postal Address, which must be valid for aminimum of 60 days after the message has been sent.


You must include a working unsubscribe mechanism which will enable the recipient (at no cost) to remove themselves from the list, and this mechanism must stay valid for a minimum of 60 days after the message has been sent. The unsubscribe request must be processed without delay and must be processed within 10 business days. The recipient must not be asked to provide any information other than his email address.

*Canadian Radio-television and Telecommunications Commission


What is “Express” consent?

In order for it to be deemed “Express” consent, the individual must take affirmative action to “opt-in” to your list willingly.

You must ask yourself: Did the recipient say “Yes” to receive my CEM?


What is “Implied” consent?

“Implied” consent is when a relationship exists, but the recipient is added to your list without any affirmative action.

Note : A message sent seeking consent (such as a Confirmation email) is also considered a CEM and must therefore comply with all the requirements of CASL. Most senders will need to acquire “Implied” consent (for example by making a purchase, at a trade show) prior to sending the confirmation email.

How can I prove consent?

Example 1 – Express consent

Someone fills out a form on your website with the intent of being placed on your list. A confirmation email is sent which requires the recipient to click a link in order to confirm that he wishes to be placed on the list. When they click the link, the date/time and IP stamp would be recorded as follows:

Name : Kevin Huxham
Email :
SignupDateTime : 2013-04-21 21:16:58.090 EST
IP :
Host :

Note : The information above in bold is recorded by default for every confirmed opt-in list with Cakemail and can be provided on request.

The form could also be setup to ask for:

Address: 4020, St. Ambroise, #301
City: Montreal
Prov/State: Quebec
Country: Canada
Postal: H4C 2C7
Phone: 555-555-5555

Example 2 – Express consent

A person gives you their business card at a trade show with the intent of being placed on your list. The problem with this is you need to be able to prove you didn’t pick it up off the floor of the men’s room. Ideally, a confirmation email would be sent at (or shortly after) the event requesting confirmation (where the above information could be recorded). “Express” consent could be proven if you had the recipient provide his consent to be placed on your list on the back of the card. It would then be necessary for you to keep the card as proof.

Example 3 – Express consent

A person gives you their email address over the phone with the intent of being placed on your list. The same process of sending a confirmation email applies, but “Express” consent could be proven IF you recorded the conversation for each recipient.

Example 4 – Express/Implied

The recipient provides their email address to the sender at checkout after making an online purchase. IF this is accompanied by a clear statement that requires affirmative action (such as by having the recipient check an empty box that states “Yes, please sign me up to receive your newsletter”) it would be deemed “Express” consent under CASL. IF NOT, it would fall under the category of “Implied” consent and would give the sender a period of 24 months to send CEMs and/or acquire “Express” consent so long as they keep the record of purchase and can prove a business relationship exists.

Note : “Express” consent never expires, unless recipient requests to be removed.

Example 5 – Implied consent

If someone expresses interest in your business as part of the sales process or enters their email address on your website to download educational material (like this whitepaper), they are to be considered “prospects” and “Implied” consent is given to send CEMs for a period of 6 months only.

Example 6 – Implied consent

The recipient is added automatically or is required to uncheck a box to opt-out during the checkout process. This method is not considered “Express” consent under CASL and will typically generate a large volume of emails flagged as spam which negatively affects your reputation as a sender and, in turn, your delivery.

Example 7 – Unknow 3rd party affiliate

Affiliate lists are the result of one company sharing an email address (or a list of addresses) with another. If a person signs up to receive emails from Company A, they should receive emails from Company A only (unless stipulated separately during the opt-in process). If they also receive email from Company B, C, and D, they will be more likely to complain.

Under CASL, Company A must clearly show to the recipient that they are signing up to these “unknown 3rd party list(s)” and all parties are accountable for managing that consent. If a recipient no longer wishes to receive emails from Company B, it is Company A’s responsibility to inform and withdraw consent from Company C, D within 10 business days.

Express vs Implied consent [infographic]
Express vs Implied: an infographic to easily understand the level of consent

What Should I do to Conform to CASL?


  • Audit of all online communications (Newsletters, Transactional, SMS/MMS, Social Media): are they covered by CASL?
  • Are the emails you send accessed in Canada?


  • Learn everything you need to know about CASL
  • Build education and awareness internally (from intern to CEO)
  • Update required documents (Privacy Policy, Sign-up forms, Terms)
  • Ensure current/future contracts, processes are compliant
  • Create roadmap and start update process


  • Do you have “Express” or “Implied” consent for each contact?
  • Burden of proof: make sure you can prove consent
  • Identify input sources ( Points of Sale, Call Center, Web social, Events, 3rd Party signups…)
  • Use the 3 year transition period to obtain “Express” consent from all contacts


  • Clearly identify yourself with a Valid Postal address
  • Provide an unsubscribe mechanism in every CEM


  • Identify gaps in list data: Consent date, consent level, source IP/host, current status
  • Create a centralized database and keep things clean
  • Be able to process and act on all unsubscribe requests


  • Review 3rd part contracts
  • Work vicarious liability into all employee contracts, adopt compliance policies and sanctions for employees who do not comply
  • Should you get insurance?
  • Obtain legal advice – Choose a lawyer who respects and understands CASL

Penalties and Enforcement

The enforcement of CASL is done primarily by the Canadian Radio-Television and Telecommunications Commission (CRTC) and the penalties involved are as follows :

Penalities for CASL breach

Note : A Private Right of Action came into effect July 1st, 2017 allowing class action lawsuits to be filled by anyone against senders that do not comply with CASL.

Share this

Text Link
This is some text inside of a div block.

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.