CASL compliance for email marketing: a plain-English guide for Canadian business
Short answer: CASL requires three things for email marketing in Canada: consent before you send, clear identification of your business, and a working unsubscribe. Consent can be express (a clear opt-in that never expires) or implied (from a recent purchase or enquiry, which does expire). Keep records of consent, and never buy or scrape lists. A good automation tool handles most of this for you.
CASL has a fearsome reputation, and the penalties are real: up to CA$10 million for a business. But the rules themselves are not complicated. If you only email people who have agreed to hear from you, identify yourself, and let people opt out, you are most of the way there. This guide makes the rest plain.
It sits alongside our CASL-safe marketing automation guide, which covers the wider setup.
The three core rules
Every commercial email or SMS you send in Canada must meet three conditions.
- Consent. You need permission before you message someone, either express or implied.
- Identification. The message must clearly say who you are, with a way to contact you.
- Unsubscribe. Every message needs a working opt-out, and you must action it promptly, within 10 business days.
On top of that, CASL expects you to keep records of consent, generally for three years after a relationship ends. This is where automation earns its keep, because a good platform logs and timestamps consent automatically.
Express versus implied consent
This is the part owners get wrong, so here it is clearly.
Express consent is a clear, deliberate opt-in. Someone ticks an unticked box, or fills in a form that plainly says they will receive your emails. It does not expire. This is what you want, and you should collect it everywhere you can.
Implied consent comes from an existing business relationship. If someone bought from you, you generally have implied consent for two years from the purchase. If they made an enquiry, it is usually six months. When that window closes, the implied consent is gone, and you need express consent to keep emailing.
The practical move: ask for express consent at every touchpoint, with a clear checkbox and plain wording, so you never depend on a clock that is running out.
How to collect express consent properly
Express consent is only valid if it is genuinely informed and freely given. A pre-ticked box does not count. Buried fine print does not count. Here is what good looks like.
Use a clear, unticked checkbox next to plain wording that says what people are signing up for and who from, something like: “Yes, I’d like to receive marketing emails from [your business].” Name your business, and do not bundle consent with your terms of service, because consent has to be a separate, deliberate choice.
For higher-value lists, consider double opt-in, where someone confirms their email by clicking a link after signing up. You lose a few subscribers who never confirm, but it proves consent beyond doubt and keeps your list clean and engaged.
Record three things every time: that consent was given, when, and where it came from. A good automation tool does this for you, which is the difference between saying you are compliant and being able to show it.
What breaks CASL
Some popular tactics are simply illegal in Canada:
- Buying or renting email lists.
- Scraping addresses from LinkedIn or websites.
- Importing your personal contacts and emailing them as a business.
- Sending “we found your business online” cold blasts at scale.
If a tactic skips consent, it is a liability, not a shortcut. There is no clever workaround.
How automation keeps you compliant
The irony of CASL is that automation makes compliance easier, not harder. A good tool does the bookkeeping you would otherwise forget:
- It records consent, the source and the timestamp when someone signs up.
- It manages unsubscribes and stops messaging anyone who opts out.
- It can track implied-consent windows so you do not email someone after theirs expires.
- It keeps the records CASL expects, ready if you are ever asked.
Set your sign-up forms up with a clear consent checkbox, connect them to your tool, and the system handles the rest. That is a core part of how we build AI automation for Canadian clients, and you can compare tools in our guide to the best marketing automation platforms in Canada.
Not sure you have consent? Run a re-permission campaign
Many businesses inherit a contact list with no clear record of consent: old spreadsheets, a previous owner’s exports, contacts collected before anyone thought about CASL. Emailing that list blind is a risk.
The safe fix is a re-permission campaign. While you still have arguable implied consent, send one message asking people to confirm they want to keep hearing from you, with a clear opt-in. Everyone who confirms moves onto your express-consent list. Everyone who does not comes off. You end up with a smaller list, but a legal one, and smaller engaged lists outperform big stale ones anyway.
Does CASL apply to SMS and social messages?
CASL covers commercial electronic messages, which is broader than email. Marketing SMS is squarely in scope and needs the same consent, identification and unsubscribe. Direct messages on social platforms can also count when they are commercial and sent to an electronic address. Public social posts and ads are generally not caught, because they are not sent to a specific address. When in doubt, treat any direct, commercial message the way you treat email.
CASL vs CAN-SPAM: if you also email Americans
If your list includes US contacts, know that CASL is much stricter than America’s CAN-SPAM Act. CAN-SPAM lets you email people until they opt out, with no consent required up front. CASL requires consent first. The simplest path for a business on both sides of the border is to hold everyone to the CASL standard. Meet it, and you are comfortably compliant with CAN-SPAM too.
A simple compliance checklist
- Every form has a clear, unticked consent box with plain wording.
- Consent, source and date are recorded automatically.
- Every message names your business and how to reach you.
- Every message has a working unsubscribe, actioned within 10 business days.
- You collect express consent wherever possible, rather than relying on implied.
Frequently asked questions
What does CASL require for email marketing?
Consent before you send, clear identification of your business in every message, and a working unsubscribe that you honour promptly. You also need to keep records of consent, generally for three years.
What is the difference between express and implied consent?
Express consent is a clear opt-in, like ticking a box, and it does not expire. Implied consent comes from an existing business relationship and expires, usually after two years for a purchase or six months for an enquiry.
What are the penalties for breaking CASL?
Up to CA$1 million per violation for an individual and up to CA$10 million for a business.
Is buying an email list legal in Canada?
No. Buying or scraping lists and emailing them is a CASL violation because you do not have consent. Build your list through opt-ins instead.
Nexiiom Team
AI-powered marketing for growing businesses. We write about what actually works: automation, ads, websites and AI search.