What Makes CASL Different from CAN-SPAM
Canada's Anti-Spam Legislation (CASL), which came into force in 2014, is widely considered the strictest email marketing law in North America — and it differs from CAN-SPAM in one fundamental way: it is an opt-in law, not an opt-out law.
Under CAN-SPAM, you can send commercial email to anyone as long as you provide an unsubscribe mechanism and honor opt-outs. Under CASL, you need prior consent before sending commercial electronic messages (CEMs) to Canadian recipients. If you cannot demonstrate that you had consent before sending, you are in violation of CASL — regardless of whether the recipient has complained or tried to unsubscribe.
CASL applies to anyone sending to a Canadian email address, regardless of where the sender is located. A U.S. business emailing Canadian consumers must comply with CASL. A UK business with Canadian customers must comply. The law's jurisdiction is determined by the recipient's location, not the sender's.
The penalties reflect CASL's seriousness: up to $1 million CAD per violation for individuals and $10 million CAD per violation for organizations. The Canadian Radio-television and Telecommunications Commission (CRTC) enforces CASL, and it has levied significant penalties against both domestic and foreign senders.
Express vs. Implied Consent Under CASL
CASL recognizes two types of consent: express and implied. Understanding the difference is essential because they have very different durations and evidentiary requirements.
Express Consent
Express consent means the recipient has explicitly and actively opted in to receive commercial electronic messages from you. Examples include: checking an unchecked opt-in checkbox on a web form, clicking a "Subscribe" button on a subscription page, providing their email address on a physical form specifically to receive marketing email, or responding to a voice or SMS opt-in request with explicit agreement.
Express consent lasts until the subscriber withdraws it by unsubscribing. There is no expiry window for express consent under CASL as long as the business relationship or consent remains current. Express consent is the most stable, legally defensible form of CASL consent and should be the target for all your Canadian subscribers.
Implied Consent
Implied consent arises from an existing relationship — but only in specific circumstances defined by CASL. The most common scenarios:
- Purchase or lease of a product, good, or service within the last 24 months — a customer who bought from you within the past two years has given implied consent to receive marketing email
- Business inquiry or application within the last 6 months — a prospect who submitted a contact form, requested a quote, or applied for a service within the last six months has given implied consent
- Existing written contract — parties with an active written contract have implied consent for the duration of the contract
- Published email address — if a person or business has conspicuously published their email address (e.g., on a website, in a directory) without a statement prohibiting unsolicited commercial messages, you may have limited implied consent to send messages relevant to their business or professional role
Implied consent is not guaranteed
The published email address provision has been interpreted narrowly. It requires that the email address was published by the recipient in a context that signals openness to commercial contact, and that your message is relevant to the published role or business. Cold emailing anyone whose email address you found online does not automatically constitute implied consent under CASL.
Implied Consent Windows and Expiry
Unlike express consent, which lasts until withdrawn, implied consent under CASL has defined expiry windows. Once a window expires, you can no longer legally send commercial email to that contact under CASL — unless you have renewed the implied consent through a new triggering event or have obtained express consent before expiry.
| Implied Consent Basis | Window Duration | Window Starts |
|---|---|---|
| Purchase of product/service | 24 months | Date of transaction |
| Inquiry or application | 6 months | Date of inquiry submission |
| Existing written contract | Duration of contract | Contract effective date |
The windows reset if the triggering event recurs. A customer who purchased from you 23 months ago — whose implied consent is about to expire — resets their 24-month window if they make another purchase. An inquiry from 5 months ago resets if they submit another inquiry.
The practical implication: you need a system that tracks implied consent acquisition dates for your Canadian subscribers and flags contacts whose consent window is approaching expiry. Most ESPs don't provide this natively — it requires either a custom field in your ESP or a CRM-level tracking system.
The Re-Permission Strategy Before Expiry
The best practice is to run a re-permission campaign approximately 90 days before a contact's implied consent expires. Send an email asking them to confirm they want to continue receiving your marketing email — with a clear, single call to action to click "Yes, keep me subscribed." Contacts who click are converted to express consent, resetting their status permanently. Contacts who don't click within 14–30 days are suppressed before their implied consent window closes.
This approach keeps you compliant with CASL while simultaneously improving list quality — you retain only the Canadian contacts who actively want your email.
CASL Message Requirements
Every commercial electronic message sent under CASL must meet three technical requirements, regardless of consent type:
Sender Identification
Every CEM must clearly identify the sender — or, if the message is sent on behalf of another organization, both the sender and the organization on whose behalf the message is sent. The identification must include:
- Full legal name or trade name
- Physical mailing address
- At least one of: telephone number, email address, or web address
This information must be accurate and current. If your business changes address or contact information, you must update your email footer accordingly. A footer that lists outdated contact information violates CASL's identification requirement.
Functioning Unsubscribe Mechanism
Every CEM must include a functioning unsubscribe mechanism that allows the recipient to opt out at no charge. The unsubscribe mechanism must remain functional for at least 60 days after the message is sent. This is more stringent than CAN-SPAM's 30-day requirement. The mechanism can be an unsubscribe link, a reply-to address, or any other method that allows the recipient to opt out without incurring a charge and without requiring them to provide information beyond an email address.
Honor Unsubscribes Within 10 Business Days
Once an unsubscribe request is received, you must honor it within 10 business days. You cannot send any further commercial messages to that address after the 10-day window. You cannot add a suppressed address back to your list without obtaining new express consent. Most major ESPs process unsubscribes instantly, but the 10-business-day window is the legal maximum.
Unsubscribe link validity: 60 days
CASL requires the unsubscribe mechanism to remain functional for 60 days after sending. If you use time-limited unsubscribe tokens in your URLs that expire sooner, you're violating CASL. Check your ESP's unsubscribe link implementation — most use account-level tokens that don't expire, but verify if you're using a custom system.
CASL Scope: What Counts as an Electronic Address
CASL applies to "commercial electronic messages" (CEMs) sent to "electronic addresses." Most senders think of CASL as an email law, but its scope is much broader:
What Counts as an Electronic Address Under CASL
- Email addresses — the primary scope
- SMS/text message numbers — CASL applies equally to text marketing as to email
- Instant messaging handles — Slack, WhatsApp, Telegram addresses all count
- Social media direct messages — marketing via Facebook Messenger, Twitter/X DMs, etc. is subject to CASL
What CASL Does NOT Apply To
- Voice calls — covered by different telecom laws
- Fax messages — separate regulatory framework
- Physical mail — not covered by CASL
The LinkedIn InMail Grey Area
LinkedIn native messages sent directly via LinkedIn's platform typically fall under LinkedIn's own terms of service rather than CASL — LinkedIn's platform consent and messaging controls are the governing framework.
However, if you use a third-party tool to automate bulk LinkedIn messaging (e.g., a LinkedIn outreach bot), that tool may be considered a separate mechanism for sending commercial electronic messages via LinkedIn's infrastructure. The regulatory status is still unclear as of 2026, but CRTC guidance leans toward: if the message is sent via a third-party tool on behalf of a business to a person's LinkedIn account without prior consent, it may qualify as a CEM under CASL.
Practical recommendation: obtain express consent before using third-party tools to send automated LinkedIn messages to Canadian recipients. The risk is not worth the expedience.
CASL for SMS and Text Marketing
Many senders don't realize that SMS marketing to Canadian phone numbers is subject to CASL. You need express consent before sending commercial text messages, just as you would for email. You must include sender identification in every SMS (which is typically the shortcode or brand name). You must provide an unsubscribe mechanism (typically "Reply STOP"). You have 10 business days to honor unsubscribe requests.
SMS carries additional regulatory considerations (CRTC telecom rules, Wireless Code) beyond CASL, but CASL's consent and message requirements apply equally to SMS as to email.
CASL for B2B SaaS and AI-Generated Outreach
B2B SaaS companies and tech vendors are a major enforcement target for CASL violations. CASL applies equally to B2B and B2C email — there is no exemption for business-to-business contact.
Cold Outreach Under CASL
Sending prospecting emails to Canadian business contacts without prior consent violates CASL unless you can demonstrate implied consent. A cold email to someone at a Canadian company whose email address you found online does not automatically create implied consent. The only exception is if the recipient explicitly published their email address in a context that signals openness to commercial contact — such as a published contact form for business inquiries, a "Contact Us" email, or a professional directory entry.
Implied Consent in B2B Contexts
Implied consent for B2B contact arises only if:
- The person gave you their business card at a conference (with timestamp and context documented)
- They submitted a business inquiry form on your website
- They had an existing business relationship with your company within the relevant timeframe
Many SaaS companies send prospecting emails to Canadian business contacts assuming B2B status grants an exemption. It doesn't. The CRTC has accelerated enforcement against B2B SaaS companies since 2023, and non-Canadian companies targeting Canadian prospects are explicitly on the enforcement radar.
Documenting B2B Consent Events
If you have implied consent for a B2B contact, document the event: conference attendance (date, venue), form submission (date, URL, form submission ID), business card exchange (date, context). For implied consent to be valid, you need to show the specific event that created it and the date of that event — which will determine whether their consent window is still active.
AI-Generated Outreach and CASL
AI-powered prospecting tools (e.g., tools that scrape LinkedIn, crawl websites to extract contact lists, or use AI to personalize cold outreach emails) do not create a CASL exemption. AI tools are subject to existing consumer protection and anti-spam laws. Mass AI outreach to Canadian prospects without express consent violates CASL.
The FTC and CRTC have issued guidance in 2024–2025 that AI tools for commercial outreach are subject to existing consent-based laws including CASL. Using an AI tool to automate cold outreach does not bypass CASL's prior consent requirement.
CRTC Enforcement Trend
The CRTC has dramatically escalated B2B and SaaS enforcement since 2023. Violations can result in penalties up to CAD $1 million per message for individuals and CAD $10 million per organization. Several high-profile enforcement actions have targeted B2B SaaS companies using AI or batch-sending tools to prospect Canadian businesses.
The enforcement message is clear: no B2B exemption, no AI exemption, and no interpretation that a Canadian business email address is automatically available for commercial contact. If you're unsure whether you have valid implied consent for a Canadian business contact, obtain express consent before the first send.
CASL-Driven List Hygiene Practices
CASL's consent requirements, particularly the implied consent expiry windows, force a disciplined approach to list hygiene that benefits deliverability beyond mere compliance. Here's how to operationalize CASL compliance as a list hygiene system:
Segment by Consent Type
Maintain clear segmentation between express consent subscribers and implied consent subscribers in your list. In your ESP, use custom fields or tags to record: consent type (express/implied), consent acquisition date, and consent source (purchase, inquiry, form, etc.). This segmentation enables you to apply different sending rules and re-permission logic to each group.
Track Implied Consent Acquisition Dates
For every implied consent contact, record the date the triggering event occurred — the purchase date, inquiry submission date, or contract start date. This is the date from which the consent window is calculated. Without this data, you cannot determine when consent expires.
Automate Expiry Alerts
Set up a system that flags implied consent contacts 90 days before their consent window expires. This gives you enough time to run a re-permission campaign, wait for responses, and suppress non-responders before the window closes. The exact implementation depends on your tech stack — a calculated field in your CRM, an automated segment in your ESP based on a subscription date custom field, or a scheduled export and review process.
Run Re-Permission Campaigns
For contacts approaching implied consent expiry, send a re-permission email 60–90 days before expiry. The email should be straightforward: you're confirming they want to continue receiving your emails, here's one click to confirm. Keep it short. Don't use it as a sales opportunity. Contacts who click get tagged as express consent with the new timestamp. Contacts who don't respond within 14–30 days are moved to a suppression segment before their window closes.
Suppress on Window Expiry
Contacts whose implied consent window expires without a re-permission conversion should be automatically moved to a suppression segment. They are not deleted — you retain their email address in your suppression list to prevent re-import — but they are excluded from all commercial email sends. This is a compliance requirement, and it also removes stale, disengaged contacts from your active list.
How CASL Compliance Improves Deliverability
CASL's strict consent requirements create list hygiene discipline that directly improves deliverability metrics. The mechanism is straightforward: CASL compliance requires you to regularly audit, clean, and refresh your list in ways that produce engaged, current subscribers.
Express Consent Subscribers Engage Better
Express consent subscribers have taken an active step to join your list. They remember subscribing, they expected to receive your email, and they're more likely to engage with it. Higher open rates and lower spam complaint rates from your Canadian express consent segment contribute to better overall domain reputation at Gmail and Yahoo.
Implied Consent Expiry Forces Regular List Cleaning
Without CASL, it's common for senders to retain contacts indefinitely — even those who haven't opened an email in three years. CASL's implied consent expiry windows force you to clean these contacts before their engagement declines to the point where they become deliverability liabilities. A 24-month purchase window means a customer who bought from you more than two years ago and hasn't purchased again gets suppressed — at exactly the point where they've likely gone stale.
Re-Permission Campaigns Create Engaged Subsets
The re-permission campaigns required by CASL's implied consent expiry are, in effect, engagement-based list cleaning campaigns. They identify the contacts who still actively want your email (those who click to confirm) and suppress those who don't respond. The resulting express consent list contains only engaged, interested subscribers — which is exactly the list that ISPs want to see you sending to.
Lower Bounce Rates from Better Data Quality
CASL's consent documentation requirements mean you're tracking when consent was obtained and from what source. Contacts whose email addresses were entered incorrectly — or who used disposable addresses — typically fail the consent confirmation step. The resulting list has higher data quality, lower hard bounce rates, and better inbox placement.
Monitor the inbox placement difference between your CASL express consent segment and older implied consent segments using seed list testing. The engagement gap is typically measurable and validates the value of the re-permission investment.
Measure the Deliverability Difference CASL Compliance Makes
InboxEagle monitors inbox placement, complaint rates, and domain reputation — so you can measure how CASL-driven list hygiene improves your deliverability metrics over time.