What Makes CASL Different from CAN-SPAM
Canada's Anti-Spam Legislation (CASL), which came into force in 2014, is widely considered the strictest email marketing law in North America — and it differs from CAN-SPAM in one fundamental way: it is an opt-in law, not an opt-out law.
Under CAN-SPAM, you can send commercial email to anyone as long as you provide an unsubscribe mechanism and honor opt-outs. Under CASL, you need prior consent before sending commercial electronic messages (CEMs) to Canadian recipients. If you cannot demonstrate that you had consent before sending, you are in violation of CASL — regardless of whether the recipient has complained or tried to unsubscribe.
CASL applies to anyone sending to a Canadian email address, regardless of where the sender is located. A U.S. business emailing Canadian consumers must comply with CASL. A UK business with Canadian customers must comply. The law's jurisdiction is determined by the recipient's location, not the sender's.
The penalties reflect CASL's seriousness: up to $1 million CAD per violation for individuals and $10 million CAD per violation for organizations. The Canadian Radio-television and Telecommunications Commission (CRTC) enforces CASL, and it has levied significant penalties against both domestic and foreign senders.
Express vs. Implied Consent Under CASL
CASL recognizes two types of consent: express and implied. Understanding the difference is essential because they have very different durations and evidentiary requirements.
Express Consent
Express consent means the recipient has explicitly and actively opted in to receive commercial electronic messages from you. Examples include: checking an unchecked opt-in checkbox on a web form, clicking a "Subscribe" button on a subscription page, providing their email address on a physical form specifically to receive marketing email, or responding to a voice or SMS opt-in request with explicit agreement.
Express consent lasts until the subscriber withdraws it by unsubscribing. There is no expiry window for express consent under CASL as long as the business relationship or consent remains current. Express consent is the most stable, legally defensible form of CASL consent and should be the target for all your Canadian subscribers.
Implied Consent
Implied consent arises from an existing relationship — but only in specific circumstances defined by CASL. The most common scenarios:
- Purchase or lease of a product, good, or service within the last 24 months — a customer who bought from you within the past two years has given implied consent to receive marketing email
- Business inquiry or application within the last 6 months — a prospect who submitted a contact form, requested a quote, or applied for a service within the last six months has given implied consent
- Existing written contract — parties with an active written contract have implied consent for the duration of the contract
- Published email address — if a person or business has conspicuously published their email address (e.g., on a website, in a directory) without a statement prohibiting unsolicited commercial messages, you may have limited implied consent to send messages relevant to their business or professional role
Implied consent is not guaranteed
The published email address provision has been interpreted narrowly. It requires that the email address was published by the recipient in a context that signals openness to commercial contact, and that your message is relevant to the published role or business. Cold emailing anyone whose email address you found online does not automatically constitute implied consent under CASL.
Implied Consent Windows and Expiry
Unlike express consent, which lasts until withdrawn, implied consent under CASL has defined expiry windows. Once a window expires, you can no longer legally send commercial email to that contact under CASL — unless you have renewed the implied consent through a new triggering event or have obtained express consent before expiry.
| Implied Consent Basis | Window Duration | Window Starts |
|---|---|---|
| Purchase of product/service | 24 months | Date of transaction |
| Inquiry or application | 6 months | Date of inquiry submission |
| Existing written contract | Duration of contract | Contract effective date |
The windows reset if the triggering event recurs. A customer who purchased from you 23 months ago — whose implied consent is about to expire — resets their 24-month window if they make another purchase. An inquiry from 5 months ago resets if they submit another inquiry.
The practical implication: you need a system that tracks implied consent acquisition dates for your Canadian subscribers and flags contacts whose consent window is approaching expiry. Most ESPs don't provide this natively — it requires either a custom field in your ESP or a CRM-level tracking system.
The Re-Permission Strategy Before Expiry
The best practice is to run a re-permission campaign approximately 90 days before a contact's implied consent expires. Send an email asking them to confirm they want to continue receiving your marketing email — with a clear, single call to action to click "Yes, keep me subscribed." Contacts who click are converted to express consent, resetting their status permanently. Contacts who don't click within 14–30 days are suppressed before their implied consent window closes.
This approach keeps you compliant with CASL while simultaneously improving list quality — you retain only the Canadian contacts who actively want your email.
CASL Message Requirements
Every commercial electronic message sent under CASL must meet three technical requirements, regardless of consent type:
Sender Identification
Every CEM must clearly identify the sender — or, if the message is sent on behalf of another organization, both the sender and the organization on whose behalf the message is sent. The identification must include:
- Full legal name or trade name
- Physical mailing address
- At least one of: telephone number, email address, or web address
This information must be accurate and current. If your business changes address or contact information, you must update your email footer accordingly. A footer that lists outdated contact information violates CASL's identification requirement.
Functioning Unsubscribe Mechanism
Every CEM must include a functioning unsubscribe mechanism that allows the recipient to opt out at no charge. The unsubscribe mechanism must remain functional for at least 60 days after the message is sent. This is more stringent than CAN-SPAM's 30-day requirement. The mechanism can be an unsubscribe link, a reply-to address, or any other method that allows the recipient to opt out without incurring a charge and without requiring them to provide information beyond an email address.
Honor Unsubscribes Within 10 Business Days
Once an unsubscribe request is received, you must honor it within 10 business days. You cannot send any further commercial messages to that address after the 10-day window. You cannot add a suppressed address back to your list without obtaining new express consent. Most major ESPs process unsubscribes instantly, but the 10-business-day window is the legal maximum.
Unsubscribe link validity: 60 days
CASL requires the unsubscribe mechanism to remain functional for 60 days after sending. If you use time-limited unsubscribe tokens in your URLs that expire sooner, you're violating CASL. Check your ESP's unsubscribe link implementation — most use account-level tokens that don't expire, but verify if you're using a custom system.
CASL-Driven List Hygiene Practices
CASL's consent requirements, particularly the implied consent expiry windows, force a disciplined approach to list hygiene that benefits deliverability beyond mere compliance. Here's how to operationalize CASL compliance as a list hygiene system:
Segment by Consent Type
Maintain clear segmentation between express consent subscribers and implied consent subscribers in your list. In your ESP, use custom fields or tags to record: consent type (express/implied), consent acquisition date, and consent source (purchase, inquiry, form, etc.). This segmentation enables you to apply different sending rules and re-permission logic to each group.
Track Implied Consent Acquisition Dates
For every implied consent contact, record the date the triggering event occurred — the purchase date, inquiry submission date, or contract start date. This is the date from which the consent window is calculated. Without this data, you cannot determine when consent expires.
Automate Expiry Alerts
Set up a system that flags implied consent contacts 90 days before their consent window expires. This gives you enough time to run a re-permission campaign, wait for responses, and suppress non-responders before the window closes. The exact implementation depends on your tech stack — a calculated field in your CRM, an automated segment in your ESP based on a subscription date custom field, or a scheduled export and review process.
Run Re-Permission Campaigns
For contacts approaching implied consent expiry, send a re-permission email 60–90 days before expiry. The email should be straightforward: you're confirming they want to continue receiving your emails, here's one click to confirm. Keep it short. Don't use it as a sales opportunity. Contacts who click get tagged as express consent with the new timestamp. Contacts who don't respond within 14–30 days are moved to a suppression segment before their window closes.
Suppress on Window Expiry
Contacts whose implied consent window expires without a re-permission conversion should be automatically moved to a suppression segment. They are not deleted — you retain their email address in your suppression list to prevent re-import — but they are excluded from all commercial email sends. This is a compliance requirement, and it also removes stale, disengaged contacts from your active list.
How CASL Compliance Improves Deliverability
CASL's strict consent requirements create list hygiene discipline that directly improves deliverability metrics. The mechanism is straightforward: CASL compliance requires you to regularly audit, clean, and refresh your list in ways that produce engaged, current subscribers.
Express Consent Subscribers Engage Better
Express consent subscribers have taken an active step to join your list. They remember subscribing, they expected to receive your email, and they're more likely to engage with it. Higher open rates and lower spam complaint rates from your Canadian express consent segment contribute to better overall domain reputation at Gmail and Yahoo.
Implied Consent Expiry Forces Regular List Cleaning
Without CASL, it's common for senders to retain contacts indefinitely — even those who haven't opened an email in three years. CASL's implied consent expiry windows force you to clean these contacts before their engagement declines to the point where they become deliverability liabilities. A 24-month purchase window means a customer who bought from you more than two years ago and hasn't purchased again gets suppressed — at exactly the point where they've likely gone stale.
Re-Permission Campaigns Create Engaged Subsets
The re-permission campaigns required by CASL's implied consent expiry are, in effect, engagement-based list cleaning campaigns. They identify the contacts who still actively want your email (those who click to confirm) and suppress those who don't respond. The resulting express consent list contains only engaged, interested subscribers — which is exactly the list that ISPs want to see you sending to.
Lower Bounce Rates from Better Data Quality
CASL's consent documentation requirements mean you're tracking when consent was obtained and from what source. Contacts whose email addresses were entered incorrectly — or who used disposable addresses — typically fail the consent confirmation step. The resulting list has higher data quality, lower hard bounce rates, and better inbox placement.
Monitor the inbox placement difference between your CASL express consent segment and older implied consent segments using seed list testing. The engagement gap is typically measurable and validates the value of the re-permission investment.
Measure the Deliverability Difference CASL Compliance Makes
InboxEagle monitors inbox placement, complaint rates, and domain reputation — so you can measure how CASL-driven list hygiene improves your deliverability metrics over time.