Email Marketing and CASL: What Canadian Senders Need to Know

Plenty of US-based marketers assume Canada works like the United States — opt-out by default, unsubscribe link in the footer, done. That assumption has cost some of them millions. Canada’s Anti-Spam Legislation (CASL) flips the model entirely: you need permission before you send, not an escape hatch after. Penalties run up to $10 million CAD per violation for businesses. The CRTC — Canada’s regulator — has issued multi-million dollar fines against US companies that ignored this distinction.

If you have any subscribers with Canadian addresses, CASL applies to you. Headquarters location is irrelevant.

What CASL Covers

CASL governs “commercial electronic messages” (CEMs) — any electronic message that encourages participation in a commercial activity. Email is the primary concern, but SMS, instant messages, and social media direct messages all qualify. The law does not cover purely transactional messages (password resets, order confirmations, receipts), though those still need to include your identification details.

A message is a CEM if it has a commercial purpose, even partially. A newsletter that mixes editorial content with product promotions qualifies. A “friendly check-in” email from a sales rep that happens to mention your product qualifies. When in doubt, treat it as a CEM and comply accordingly.

The Two Types of Consent

CASL requires consent before you send. There are two kinds, and they behave very differently.

Express Consent

Express consent means the person actively opted in. They checked a box (that was not pre-checked), filled out a form, or verbally agreed to receive your emails. The opt-in request must clearly describe what they’re consenting to — “receive weekly marketing emails from Acme Co about new products” is compliant; “subscribe to updates” is too vague to hold up under scrutiny.

Express consent does not expire. Once someone has given it, it remains valid until they withdraw it (by unsubscribing).

Implied Consent

Implied consent arises from an existing relationship. It applies in two scenarios, each with strict time windows:

• Existing business relationship: The person purchased something, signed a contract, or had a membership with you within the past 2 years. Each new transaction resets the 2-year clock.
• Inquiry or application: The person contacted you, requested a quote, or submitted an inquiry within the past 6 months.

Once those windows close, implied consent expires. You cannot keep sending to people on the basis of a relationship from 3 years ago. This is the rule that trips up most marketers who assumed their house list was fine indefinitely.

What Every CEM Must Contain

Beyond consent, every commercial electronic message you send must include three elements:

1. Sender identification: Your full legal business name (or the name of the organization on whose behalf you’re sending), mailing address, and either a phone number, email address, or website URL. This information must be accurate and accessible for at least 60 days after the message is sent.

2. Unsubscribe mechanism: A clear, easy way to opt out that works for at least 60 days after sending. The unsubscribe must be processed within 10 business days. You cannot charge a fee for unsubscribing.

3. No misleading headers or subject lines: The “From” name, reply-to address, and subject line must accurately represent the sender and content. This one sounds obvious but matters legally.

Most email marketing platforms handle items 1 and 2 automatically — the footer address block satisfies the identification requirement, and the unsubscribe link is standard. What platforms cannot do automatically is ensure your subscriber list actually has valid consent on record.

Step-by-Step: Building a CASL-Compliant Email Program

Step 1: Audit Your Existing List

Before you send another campaign, figure out what consent basis exists for each subscriber. Sort your list into:

• Express consent: Subscribers who actively opted in via a form, with a timestamp and the specific consent language recorded.
• Implied consent (active): Customers or inquirers whose time window is still open.
• Implied consent (expired or unknown): Everyone else — people you imported, leads from trade shows, contacts scraped from directories, or anyone whose consent origin you cannot prove.

The third category is your risk. You cannot send to them under CASL without express consent.

Step 2: Run a Re-Permission Campaign

For anyone in the uncertain category, send a re-permission email asking them to actively opt in. Keep it short and honest. Explain that you want to confirm they still want to hear from you. Give them a clear button to click.

Anyone who does not click within a reasonable window (2–4 weeks) should be suppressed. Yes, this will shrink your list. A smaller, consenting list performs better anyway — lower complaint rates, higher engagement, and no regulatory exposure.

Step 3: Set Up Consent-Capturing Forms

Going forward, every signup form must use an unchecked opt-in checkbox. Pre-ticked boxes do not satisfy CASL’s requirement for express consent.

The consent language next to the checkbox should name the sender and describe what the person is agreeing to receive. Vague language like “sign up for our newsletter” may not survive enforcement scrutiny if it does not make clear who is sending and what kind of content.

Record and store the following for every new subscriber:

• Timestamp of consent
• IP address of the form submission
• Exact wording of the consent statement they agreed to
• Source (which page/form they used)

Step 4: Build Consent Expiry Tracking

Set up a process to track implied consent windows. This requires custom fields in your email tool or CRM to store:

• Date of most recent purchase or transaction
• Date of inquiry (if applicable)
• Consent type (express or implied)

Build automated segments that surface subscribers whose implied consent is within 60 days of expiring. Send them a re-permission campaign before the deadline.

Step 5: Keep Records for 3 Years

CASL requires you to maintain consent records for 3 years after the business relationship ends. This is not just a best practice — it is a legal requirement. In an enforcement action, you must be able to produce proof of consent for any subscriber you claim to have permission to email.

Store this data in a format you can actually retrieve. A spreadsheet buried on an old hard drive does not help when the CRTC comes asking.

CASL vs. CAN-SPAM vs. GDPR

It helps to understand where CASL sits relative to the laws you may already know:

	CAN-SPAM (US)	CASL (Canada)	GDPR (EU)
Model	Opt-out	Opt-in	Opt-in
Consent required before sending?	No	Yes	Yes
Consent expiry	N/A	Yes (implied only)	Depends on basis
Max penalty	$51,744 per email	$10M CAD per violation	€20M or 4% of revenue
Private right of action	Limited	Yes (suspended pending review)	Varies by country

CASL is meaningfully stricter than CAN-SPAM. If you run a compliant GDPR program, CASL compliance is closer — but the implied consent rules are specific to CASL and have no GDPR equivalent. Check your consent records regardless of what other compliance frameworks you follow.

Email Tools That Support CASL Compliance

No email tool makes you CASL-compliant on its own — that requires your policies and processes. But some tools make the work easier than others.

Mailchimp

Mailchimp has dedicated CASL documentation and supports double opt-in, which produces a confirmation email that gives you a second timestamp proving the subscriber actively verified their address. This is not strictly required by CASL but provides a stronger paper trail.

The weakness: Mailchimp’s free plan restricts customization of double opt-in confirmation emails, making it harder to document consent language precisely. Paid plans remove that limitation, but pricing starts around $13–20/month and rises significantly with list size — check Mailchimp’s pricing page for current figures before committing.

MailerLite

MailerLite offers strong double opt-in support and lets you customize the confirmation email fully on all plans, including the free tier. Consent management features are clean and easy to configure. The audit trail — the record of when and how someone confirmed — is less detailed than some compliance-focused tools, which means you may need to export and store consent data separately to meet CASL’s 3-year retention requirement.

ActiveCampaign

ActiveCampaign’s CRM capabilities make it the most practical option for tracking implied consent expiry. Custom fields, date-based automations, and contact scoring let you build workflows that automatically segment expiring implied consent contacts and trigger re-permission sequences. The trade-off is complexity: setting up proper consent tracking in ActiveCampaign takes time and technical familiarity. For a small team without dedicated ops resources, the setup cost is real.

Brevo

Brevo (formerly Sendinblue) supports double opt-in and GDPR compliance features that translate reasonably well to CASL. The CASL-specific documentation is thinner than Mailchimp’s, and Brevo does not call out implied consent window tracking as a built-in feature — you would need to handle that through custom fields and manual processes or integrate with a CRM.

For a head-to-head look at MailerLite and Brevo across features and pricing, see our MailerLite vs Brevo comparison. If you’re just starting to build your list the right way, our email list building guide covers opt-in form best practices that work for both CASL and GDPR. For a broader look at EU compliance rules, see our GDPR compliance guide.

Common CASL Mistakes

Importing contacts without verifying consent. You attended a trade show, collected business cards, and added them to Mailchimp. Unless those people indicated consent to receive commercial emails from you specifically, you have no CASL basis to send. An inquiry made in person generally creates 6 months of implied consent, but that assumes the inquiry was actually commercial in nature.

Assuming a subscription from years ago is still valid. Implied consent from a 2019 purchase expired in 2021. If you cannot document when express consent was given, you may not be able to send.

Using pre-ticked boxes on signup forms. This is an opt-out mechanism, not opt-in. Pre-ticked boxes do not satisfy CASL’s express consent requirement no matter how good your consent language is.

Sending re-permission emails to people you never had consent to email in the first place. This is circular. You cannot use a CASL-prohibited email to obtain consent. If you truly have no basis to contact someone, you cannot email them to ask for consent.

Not processing unsubscribes within 10 business days. Most email platforms handle this automatically. Problems arise when you export contacts to secondary systems (CRMs, ad platforms, event tools) that are not synced to your suppression list.

What CASL Compliance Actually Looks Like

A compliant Canadian email program does not need to be complicated. It needs to be intentional.

Your signup forms ask for clear, specific consent. Your email tool captures timestamps. Your CRM tags customer relationships with dates so implied consent windows are visible. Campaigns targeting implied-consent subscribers include an easy “confirm you want to stay subscribed” CTA before the window closes. Your suppression list is synchronized across every tool in your stack. And somewhere, you have a documented record of consent for every active subscriber.

That combination keeps you on the right side of CASL — and, frankly, produces a healthier list. Subscribers who genuinely want your emails open them, click them, and buy from them. The CASL opt-in requirement is a compliance burden on paper and a list quality filter in practice.

If you are not sure which tool fits your compliance workflow, the email tool quiz can match you based on list size, automation needs, and budget.

Sources

1. CASL — Canadian Radio-television and Telecommunications Commission (CRTC) — accessed 2026-04-30
2. Getting Consent to Send Email — Innovation, Science and Economic Development Canada — accessed 2026-04-30
3. CASL Guidance on Implied Consent — CRTC — accessed 2026-04-30
4. About the Canada Anti-Spam Law — Mailchimp Help Center — accessed 2026-04-30