CASL: Canada's anti-spam law for senders
CASL is an express opt-in law with a narrow, time-limited implied-consent exception. Every commercial electronic message must identify you and carry a working unsubscribe honored within 10 business days, and the burden of proving consent is on the sender. Penalties reach CAD $1M for individuals and CAD $10M for businesses per violation.
Last checked: June 21, 2026
Canada’s Anti-Spam Legislation (CASL, S.C. 2010, c. 23, in force since July 1, 2014) is an opt-in regime, and a stricter one than most senders expect. The default is express consent; the “implied consent” exception is real but narrow and on a clock. The Canadian Radio-television and Telecommunications Commission (CRTC) enforces it through Administrative Monetary Penalties, with backstops from ISED and the Office of the Privacy Commissioner.
This is general information, not legal advice. Consult Canadian counsel for your situation. The obligations below come from ISED and CRTC primary guidance.
The 60-second version
- Express opt-in by default. A commercial electronic message (CEM) generally requires consent before you send it.
- Implied consent exists but only in defined cases, and it expires on a statutory timeline.
- A request for consent sent by electronic message is itself a CEM - you cannot email someone to ask for permission to email them.
- Every CEM must identify you (name, mailing address, and a phone/email/URL) and carry a functional unsubscribe.
- Honor unsubscribes within 10 business days; keep the mechanism live for at least 60 days.
- No B2B exemption (registered-charity fundraising is the notable carve-out).
- The sender carries the burden of proof - keep consent records.
- Penalties: up to CAD $1,000,000 (individual) and CAD $10,000,000 (business) per violation.
Express vs implied consent
This is the heart of CASL. The two are not interchangeable, and only one expires.
Express consent
The recipient must take a proactive action - signing up, ticking an (unchecked) box, agreeing verbally. Critically, a message sent to ask for consent is itself a CEM and cannot be sent without an existing basis. Express consent does not expire: it remains valid until the recipient unsubscribes.
Implied consent
Implied consent is allowed only in defined circumstances:
| Basis | Condition | Expiry |
|---|---|---|
| Existing business relationship - purchase | The recipient purchased goods or services from you | 2 years from the purchase/transaction |
| Existing business relationship - inquiry | The recipient made an inquiry or application to you | 6 months from the inquiry |
| Conspicuously published address | The recipient published their address (e.g., on a website) without a “no marketing” statement, and your message is relevant to their role or function | While the conditions hold |
When the clock runs out, implied consent is gone and you need express consent to keep sending.
Sender identification
Every CEM must include:
- Your name, or the name of the person on whose behalf the message is sent.
- A mailing address.
- At least one of: a telephone number, email address, or web address for contact.
- Content that is consistent with the consent you obtained.
Unsubscribe
| Requirement | Detail |
|---|---|
| Mechanism | Every CEM must include a functional unsubscribe that is easy to use and free of charge. |
| Timeframe | Honor an unsubscribe request within 10 business days. |
| Availability | The mechanism must remain functional for at least 60 days after the message is sent. |
Note the contrast with the United States: the 10-business-day honor window is the same, but CASL requires the mechanism to stay available for 60 days rather than 30.
B2B and the charity carve-out
CASL applies to business-to-business email on the same terms as B2C - the same consent and identification obligations. The notable exception is that CEMs sent to a registered charity for the primary purpose of fundraising are exempt (s. 3(g) of the Governor-in-Council Regulations). There is no general “we’re both businesses” exemption.
Record-keeping: the due-diligence defense
CASL puts the burden of proving consent on the sender, which makes records the practical core of compliance. Keep records demonstrating consent for the full duration of your contact with each person (the statute sets no minimum period). The CRTC’s guidance points to:
- CEM policies and procedures
- Unsubscribe request logs
- Evidence of express consent (forms, audio recordings)
- Consent logs and CEM campaign records
- Training documentation
These records support the due-diligence defense in an enforcement proceeding.
Penalties
| Item | Detail |
|---|---|
| Individual | Up to CAD $1,000,000 per violation |
| Business | Up to CAD $10,000,000 per violation |
| Director/officer liability | Directors and officers who directed, authorized, or acquiesced in a violation can be personally liable |
| Mechanism | CRTC issues Administrative Monetary Penalties (AMPs) |
Common confusion
- “Implied consent is a default I can rely on.” Only in the defined cases above, and it expires (2 years / 6 months).
- “I’ll email to ask if they want my emails.” That request is itself a CEM and needs a basis.
- “B2B doesn’t count.” It does - same rules, minus only the charity-fundraising carve-out.
- “The recipient has to prove they didn’t consent.” No - the sender must prove consent. Records are your defense.
What Egressif does, and what stays with you
CASL is won or lost on records and prompt suppression, which is exactly the layer Egressif operates. We provide authenticated, identifiable sending (your name and contact stand behind a domain you control), a functional unsubscribe, suppression on receipt so an opt-out is enforced well inside the 10-business-day window and the mechanism stays live past 60 days, and durable logs of unsubscribe events and sends. Those logs are the raw material of a due-diligence defense. What stays with you is the consent itself - holding valid express or in-window implied consent, and keeping the evidence of it - which is a legal call for you and your counsel, not something infrastructure can manufacture.