Canada's Anti-Spam Legislation (CASL) has been in effect since 2014, but most small business owners we talk to either don't know it exists or have a vague sense that they "probably should worry about it."
You should. CASL carries penalties up to $10 million per violation for businesses. And unlike some regulations that only target big companies, CASL applies to every business in Canada that sends commercial electronic messages — including that newsletter you blast out from Mailchimp.
Here's what you actually need to know.
What CASL Covers
CASL applies to any commercial electronic message (CEM) sent to or from a Canadian computer. That includes:
- Marketing emails
- Newsletters with promotional content
- Text messages with commercial offers
- Social media direct messages with business content
If the primary purpose is to encourage commercial activity — buying, selling, promoting — CASL applies.
What it doesn't cover: Purely transactional messages (order confirmations, shipping updates, password resets), messages to existing customers about their account, or responses to inquiries.
The Three Requirements
Every commercial message under CASL must meet three requirements:
1. Consent
You need permission before sending. CASL recognizes two types:
Express consent: The person explicitly opted in. They checked a box, filled out a signup form, or verbally agreed. This is the gold standard and it doesn't expire.
Implied consent: You can email someone without express consent in limited situations:
- Existing business relationship: They purchased from you or had a contract within the last 2 years
- Existing inquiry: They asked about your services within the last 6 months
- Published address: Their email is publicly listed AND the message is relevant to their professional role
Important: Pre-checked opt-in boxes don't count as express consent. Buying something only gives implied consent, which expires after 2 years.
2. Identification
Every commercial email must clearly identify:
- Who is sending the message (your business name)
- Your physical mailing address
- A way to contact you (phone, email, or web address)
This information must be accurate and current.
3. Unsubscribe Mechanism
Every commercial email must include a working unsubscribe option that:
- Is clearly visible and easy to use
- Works for at least 60 days after sending
- Processes the request within 10 business days
No hoops, no "call us to unsubscribe," no requiring a login. One click and done.
Common Mistakes Small Businesses Make
Buying email lists
This is the most clear-cut CASL violation. If you didn't collect the consent yourself, you don't have consent. Period. Purchased lists, scraped emails, business cards grabbed at a trade show — none of these constitute proper consent under CASL.
Confusing "implied" with "forever"
Implied consent has expiration dates. That customer who bought from you 3 years ago? Your implied consent expired a year ago. You need express consent to keep emailing them.
No records
If someone complains and the CRTC investigates, the burden of proof is on you. You need to show when and how each person consented. If you can't prove consent, you don't have it.
Screenshot signups, timestamp opt-ins, and maintain a consent log. Your email platform should track this automatically — but verify that it actually does.
Forgetting about old contacts
When CASL took effect, businesses needed to re-confirm consent from existing contact lists. If you've been emailing the same list since 2013 without ever confirming opt-in, you're likely out of compliance.
What To Do Right Now
- Audit your email list. Can you document consent for every contact? Remove anyone you can't verify.
- Check your signup forms. Make sure opt-ins are explicit (unchecked boxes), not pre-selected.
- Review your email templates. Every message needs your business name, physical address, and a clear unsubscribe link.
- Set up consent tracking. Use your email platform's built-in tools. Record the date, method, and source of each opt-in.
- Train your team. Everyone who touches email marketing needs to understand the basics.
The Upside
CASL compliance isn't just about avoiding fines. Businesses with clean, consent-based email lists consistently see higher open rates, better click-through rates, and fewer spam complaints. You're sending to people who actually want to hear from you — and that makes your marketing more effective.
If you're unsure about your compliance or need help setting up proper consent systems, get in touch. We help local businesses get their digital marketing on solid legal ground.