Key takeaways
- CASL has three core rules: get consent, identify yourself clearly, and offer an easy unsubscribe.
- Express consent is a real opt-in and never expires. Implied consent is time-limited: two years after a purchase, six months after an inquiry.
- Every commercial message needs your name, a mailing address, a live contact path, and an unsubscribe honoured within 10 business days.
- The onus to prove consent is on you, so keep records of every opt-in.
- Penalties run up to ten million dollars per violation for a business, so compliance is worth getting right.
On this page
What is CASL, and does it apply to my business?
CASL is Canada’s Anti-Spam Legislation. If you send a commercial electronic message, like a marketing email or promotional text, to an electronic address, it almost certainly applies to you. It is not just for big senders. A local shop emailing a newsletter is covered the same way a national brand is.
A commercial electronic message, or CEM, is any message that encourages someone to take part in a commercial activity: a sale, a booking, a promotion, an offer, or a newsletter that markets what you do. The law focuses on consent and honesty, not on stopping you from emailing customers who want to hear from you.
This guide is general information, not legal advice. The rules below are accurate as of June 2026, but you should confirm the current details on the official sources listed and, where the stakes are high, talk to a Canadian lawyer.
CASL is not anti-email. It is anti-surprise. Permission and plain identification are the whole game.
What are the three core CASL requirements?
CASL boils down to three things you must do before and inside every commercial message: get consent, identify yourself clearly, and provide a working unsubscribe. Miss any one of them and the message is non-compliant, even if the other two are perfect. Get all three right and the rest is detail.
- Consent: you need express or valid implied consent before you send a commercial electronic message.
- Identification: every message must clearly say who you are and how to reach you, with a mailing address.
- Unsubscribe: every message needs a working unsubscribe that you action within 10 business days at no cost.
Everything else in this guide is really just these three rules explained in more depth. Consent is the part people get wrong most often, so we start there.
What is the difference between express and implied consent?
Express consent is when someone clearly opts in, in writing or orally, through a proactive action like ticking an unchecked box or filling in a signup form. It never expires. Implied consent comes from an existing relationship, like a recent purchase or inquiry, and is time-limited, so it eventually runs out.
| Express consent | Implied consent | |
|---|---|---|
| How you get it | A deliberate opt-in, written or oral | A recent purchase, contract, inquiry, or relationship |
| Expiry | Does not expire until withdrawn | Time-limited: two years or six months |
| Best for | Newsletters and ongoing marketing | Following up after a transaction or inquiry |
| Pre-checked boxes | Not allowed, the person must opt in | Not relevant, it comes from the relationship |
| Proof needed | Date, source, and wording of the opt-in | Records of the transaction or inquiry and its date |
| Safest foundation | Yes, build your list on this | Use carefully and track the expiry window |
The practical takeaway: build your real list on express consent. Implied consent is a useful bridge for following up after a sale or inquiry, but it is a clock that is always running down. The onus to prove either kind of consent is on you, not the recipient.
How long does implied consent last under CASL?
Implied consent is valid for a set window, then it expires. The two main windows are two years after a purchase, lease, or written contract, and six months after an inquiry or application. Existing non-business relationships, like memberships and volunteering, can also create implied consent.
- Recent purchase or contract
- A purchase, lease, or written contract in the two years before you send creates implied consent. The two-year clock runs from the transaction, not the sign-up.
- Recent inquiry
- If someone asked about your product or service, you have implied consent for six months from the inquiry. Shorter window, so act on it.
- Membership or volunteer ties
- Existing non-business relationships, such as club members or volunteers with a charity, can also create implied consent under the rules.
- Published or given address
- If a business publishes an address without a "no marketing" notice, or hands it to you, narrow implied consent can apply when your message relates to their role.
Because these windows close, treat implied consent as a chance to earn express consent. When you follow up after a sale or inquiry, invite the person to opt in to your newsletter so the relationship does not quietly expire. Track the dates so you can re-permission or remove contacts before their window runs out.
What has to be in every marketing email?
No matter what kind of consent you rely on, every commercial message needs clear identification and an unsubscribe. You must say who you are, give a mailing address and at least one live contact path, and include an obvious unsubscribe that you action within 10 business days at no cost.
- 01
Who is sending
Your business or organization name. If you are sending on behalf of someone else, name them too.
- 02
A mailing address
A current physical or postal mailing address where you can be reached.
- 03
One live contact path
At least one of: a phone number, an email address, or a web address that actually works.
- 04
A clear unsubscribe
A simple, obvious way to opt out, set out plainly in the message and honoured within 10 business days.
Most decent email tools, like Mailchimp or similar Canadian-friendly platforms, add the mailing address and unsubscribe footer for you. That is helpful, but it is still your responsibility to make sure the details are accurate, the unsubscribe works, and requests are honoured on time. The 10-business-day rule is firm, so process opt-outs promptly.
Before
A blast to a bought list of 4,000 addresses, no real opt-in, a vague 'from' name, no mailing address, and an unsubscribe link that loops back to the homepage. High complaint rate, low trust, and squarely offside CASL.
After
A smaller list of people who opted in on a clear form, each email signed by the business with a mailing address and contact info, a one-click unsubscribe honoured within days, and consent records on file. Smaller, but legal and far more effective.
Composite example for illustration. The point is the shape of compliant sending, not specific numbers.
What are the real penalties for breaking CASL?
The CRTC enforces CASL and can issue administrative monetary penalties. The maximum is one million dollars per violation for an individual and ten million dollars per violation for a business. Real-world penalties depend on the severity, the number of violations, financial benefit, and ability to pay, but the ceiling is high enough to take seriously.
You usually will not jump straight to a maximum fine. The CRTC weighs factors and a recipient of a notice of violation typically has 30 days to pay or make representations. The bigger everyday risk for a small business is reputational: spam complaints, blocked sending, and lost trust hurt long before a regulator ever calls.
The honest framing is this. Compliance is not expensive or hard. It is mostly a clean signup form, accurate footers, and honouring unsubscribes. The downside of getting it wrong, on the other hand, is genuinely large. That asymmetry is why doing it right is simply good business.
How do I build an email list that grows without breaking CASL?
The best CASL strategy and the best marketing strategy are the same thing: build a list of people who actually want to hear from you. Clean, honest opt-ins outperform bought lists on every metric that matters, and they keep you on the right side of the law without effort.
- Single opt-in forms with honest, specific copy beat bought lists and scraped addresses every time.
- Never assume consent from a business card, a quote request, or a one-time purchase without checking the rules.
- Keep proof of consent for every subscriber, because the onus to prove consent is on you, not the recipient.
- Re-permission or remove implied-consent contacts before their window expires.
- Make unsubscribing easy. A clean, willing list outperforms a big, annoyed one.
This is where compliant and effective stop being a trade-off. A willing list opens more, clicks more, and complains less. If you want this set up properly, tell me what you send today and I will build the opt-in forms, consent records, and sending setup so you grow a list you own. If you are still deciding whether email is the right next move, our free audit can point you to the highest-leverage step first, and you can see how this fits the wider picture in the difference between a website and a growth system.
What does a compliant, effective welcome flow look like?
A welcome flow is the sequence a new subscriber gets right after they opt in. Done well, it confirms consent, identifies your business, delivers value fast, and starts the relationship on a compliant footing. It is the single highest-return email you can set up.
- 1Use a clear opt-in form that says exactly what people will receive and who is sending it.
- 2Record the consent: date, time, source, and the wording the person agreed to.
- 3Send a welcome email that confirms what they signed up for and identifies your business.
- 4Put your name, mailing address, contact info, and unsubscribe link in every send.
- 5Process every unsubscribe within 10 business days and keep your list clean.
Notice that every step is both a compliance step and a conversion step. Confirming what people signed up for reduces complaints and builds trust. Identifying your business meets CASL and looks professional. An easy unsubscribe keeps your list clean and your sender reputation strong. Good email marketing and CASL compliance are not in tension. They are the same craft.
If you would rather not assemble all of this yourself, send me the messy version and I will set up the forms, the flow, and the footers so your email grows the business and stays well inside the rules.
Sources and further reading
- Government of Canada: Canada’s Anti-Spam Legislation (fightspam.gc.ca)
The official plain-language overview of CASL: who it applies to, the three core requirements, and how the rules work.
- CRTC: FAQ about Canada’s Anti-Spam Legislation
The regulator’s answers on consent, identification, unsubscribe, the 10-business-day rule, and penalties.
- CRTC: Guidance on implied consent
How existing business relationships, the two-year and six-month windows, and record-keeping work in practice.
- ISED: Getting consent to send email
Express versus implied consent explained, including why the proof of consent rests with the sender.
Frequently asked questions
What is CASL in simple terms?
CASL is Canada’s Anti-Spam Legislation. If you send a commercial electronic message, like a marketing email or text, you generally need consent, you must identify yourself with contact details and a mailing address, and you must include a working unsubscribe that you action within 10 business days.
What is the difference between express and implied consent?
Express consent is when someone clearly opts in, in writing or orally, through a proactive action like ticking an unchecked box or signing up. It does not expire. Implied consent comes from a recent purchase, contract, inquiry, or relationship and is time-limited, so it eventually runs out.
How long does implied consent last under CASL?
Implied consent generally lasts up to two years after a purchase, lease, or written contract, and six months after an inquiry or application. Existing non-business relationships, like memberships or volunteering, can also apply. Express opt-in consent does not expire.
What has to be in every marketing email?
Your business or organization name, a current mailing address, at least one live contact path (phone, email, or web address), and a clear unsubscribe mechanism. If you send on behalf of someone else, you must identify them too.
How fast do I have to honour an unsubscribe?
You must give effect to an unsubscribe request within 10 business days, at no cost to the person. The unsubscribe path must be easy to find and easy to use in the message itself.
What are the penalties for breaking CASL?
The CRTC can issue administrative monetary penalties up to one million dollars per violation for an individual and up to ten million dollars per violation for a business. Actual penalties depend on the violation, history, and other factors, but the ceiling is high enough to take seriously.
Do I need to keep records of consent?
Yes. The onus of proving consent, express or implied, is on you, not the recipient. Keep the date, source, and wording of every opt-in, and track when implied-consent windows expire so you can re-permission or remove those contacts.
Is this legal advice?
No. This is general information to help you understand CASL and ask better questions. For your specific situation, confirm the current rules on the official sources listed and, where the stakes are high, talk to a Canadian lawyer.
Kootenay Made Digital
We build websites, local presence, and calm AI setups for Kootenay small businesses. No jargon, no agency fog, no surprise fees.
