CASL (Canada's Anti-Spam Legislation)

What Is CASL?

CASL — Canada's Anti-Spam Legislation — is one of the strictest anti-spam laws in the world. It governs the sending of Commercial Electronic Messages (CEMs) to recipients in Canada. Enacted in 2014, CASL applies to any organization that sends commercial email, text messages, or other electronic messages to Canadian recipients — regardless of where that organization is headquartered. If your audience includes Canadians, CASL applies to you.

The Consent Requirement

CASL's defining feature is its consent-first approach. Unlike CAN-SPAM (which allows opt-out marketing), CASL requires express or implied consent before sending a CEM. Express consent is explicit permission — a person checked a box, clicked a button, or signed a form specifically agreeing to receive commercial messages from you. Implied consent arises from an existing business relationship: a recent purchase, an inquiry, an existing contract. Implied consent has time limits — typically 2 years from the last business transaction.

What Must Be in a CASL-Compliant Message

Every CEM sent to Canadians must clearly identify the sender (and any third party on whose behalf the message is sent). Include accurate sender contact information (mailing address and either a phone number, email address, or web address). Provide a functioning unsubscribe mechanism. Honor unsubscribe requests within 10 business days. Failure to include any of these elements is a violation, even if you have consent.

CASL Penalties

CASL penalties are severe. Individuals can be fined up to CAD $1 million per violation. Businesses can be fined up to CAD $10 million per violation. A "violation" is each individual non-compliant message — so a single send to a list of 50,000 Canadians without proper consent could theoretically be treated as 50,000 separate violations. The CRTC (Canadian Radio-television and Telecommunications Commission) is the primary enforcer, and it has levied multi-million dollar fines against Canadian and international companies.

CASL vs. GDPR vs. CAN-SPAM

CASL is stricter than CAN-SPAM but has some similarities with GDPR's consent requirements. GDPR applies to personal data of EU residents; CASL applies to electronic messages to Canadian recipients. GDPR consent must be freely given, specific, informed, and unambiguous. CASL allows implied consent from business relationships, which GDPR generally does not. If you're sending internationally, you need to understand which law applies to which segment of your audience.

How Email Verification Supports CASL Compliance

CASL compliance starts with knowing who you're sending to. Sending to invalid addresses, role-based addresses submitted without individual consent, or addresses from scraped lists all increase compliance risk. EmailVerify.io helps you identify and flag these address types before you send. A cleaner, more deliberately curated list of contacts who actually gave consent is the foundation of a CASL-compliant email program. Verify your Canadian contact lists at emailverify.io.