Email Marketing and CASL: What Canadian Businesses Must Get Right

Keval Chhatbar

Founder, Mitiksha IT Services

Canada's Anti-Spam Legislation has been in force since 2014. The fines are significant — up to $1M per violation for individuals, $10M for businesses. CRTC enforcement actions have targeted both large corporations and small businesses. Most Canadian companies have CASL exposure they are not aware of, and most of the exposure is in email.

This is not a legal opinion. It is a practical overview of how CASL works, where the common gaps are, and what a compliant email programme looks like.

What CASL actually covers

CASL applies to commercial electronic messages (CEMs) sent to Canadian electronic addresses. A CEM is any message whose purpose — even one of several purposes — is commercial. This covers:

  • Marketing emails to subscribers and customers
  • Cold outreach emails to prospects (B2B and B2C)
  • Newsletters with any promotional content
  • Automated follow-up sequences
  • SMS messages with commercial content

It does not cover purely transactional messages (order confirmations, password resets, appointment reminders with no promotional content), messages sent within a personal relationship, or messages from foreign senders to foreign recipients that happen to transit Canadian infrastructure.

The B2B carve-out that many businesses assume exists does not exist. A cold email to a business prospect is a CEM and requires consent.

Express consent versus implied consent

The core of CASL is the consent requirement. There are two kinds, and they work very differently.

Express consent

Express consent is explicit, documented permission to send commercial email. To be valid, the consent request must clearly describe what you will be sending, identify who is asking, and be a positive act by the recipient (an opt-in checkbox that is not pre-checked, a form submission to receive a specific communication, a verbal agreement that is logged).

Express consent does not expire. If someone gave you express consent in 2019 and has not unsubscribed, you can still send to them — provided you have documentation that the consent was given.

Documentation is the operative word. "We asked and they said yes" is not sufficient. You need a timestamped record of how and when consent was obtained, ideally linked to the specific email address and consent mechanism.

Implied consent

Implied consent arises from an existing business relationship. It applies when:

  • A person purchased a product or service from you within the past 2 years
  • A person made an enquiry about your products or services within the past 6 months
  • A person has a conspicuously published business email address (not a generic contact@ or info@) and your message is relevant to their stated professional role

Implied consent has time limits. The 2-year business relationship window closes 2 years after the last transaction. The 6-month enquiry window closes 6 months after the enquiry. After that, you need express consent to continue sending.

The published-business-address provision is frequently misread as a broad B2B cold-email permission. It is not. It applies only to messages relevant to the recipient's business role, and the address must be conspicuously published by the recipient — not scraped from a directory or purchased from a list vendor.

The compliance checklist

A CASL-compliant email programme requires all of the following:

  1. Consent records — for every contact on your list, you must be able to document how and when consent was obtained, what type of consent it was, and whether it is still valid under the applicable time limits.
  2. Sender identification — every CEM must clearly identify who is sending it: business name, mailing address (a PO box is acceptable), and either a phone number, email address, or website URL.
  3. Unsubscribe mechanism — every CEM must include a clear, functional unsubscribe mechanism that works for at least 60 days after the message is sent. Unsubscribe requests must be honoured within 10 business days.
  4. Suppression list management — unsubscribed addresses must be removed and must not be re-added without new express consent. A separate suppression list (not just a tag in your ESP) is the safest approach.
  5. Third-party consent transfer — if you obtained consent through a third party (a list partner, a co-registration form), you must have documentation of the exact consent language used and confirm it meets CASL requirements. Most third-party list purchases do not.

How CASL shapes your outreach strategy

CASL changes the economics and sequencing of outreach. Here is how it applies to the two main categories of commercial email:

Cold outreach (prospecting emails)

Cold email to Canadian prospects requires either express consent (which you would not have for a cold contact) or implied consent via the published-business-address provision. The published-address provision is narrow: the email must be relevant to the person's business role, the address must be publicly available and clearly published by the recipient, and the message must identify who you are and include an unsubscribe option.

What this means practically: scraped email lists and purchased prospect databases are CASL non-compliant by default. The most defensible cold-outreach approach for Canadian B2B is to build prospect lists manually from publicly available sources, confirm that each address meets the published-address criteria, and ensure every message includes compliant identification and unsubscribe instructions.

Volume cold email at the scale that many US-centric outreach tools assume is a different compliance posture in Canada. CASL is not a reason to abandon prospecting — it is a reason to be precise about who you contact and why you have the right to contact them.

Marketing email to existing lists

For established subscriber lists and customer bases, the priority is auditing consent quality. The two most common problems Mitiksha finds when auditing existing lists:

  • Pre-CASL contacts who were never asked for consent and whose implied consent window has long since closed — often 30-50% of "active" lists
  • Express consent obtained through non-compliant mechanisms — pre-checked boxes, ambiguous consent language, or consent obtained for one purpose used to send a different type of message

A list audit before any significant email programme launch is not optional — it is the difference between a compliant programme and one that generates complaints.

Where most businesses have unrecognised exposure

The patterns repeat across industries. The most common CASL gaps in Ontario small and medium businesses:

  • A historical contact list that was never consent-audited when CASL came into force in 2014, and has been in continuous use since
  • A CRM that tracks customers but has no consent date or consent type fields — no way to determine whether a contact's implied consent window is still open
  • Automated email sequences (welcome, nurture, re-engagement) that were built without an unsubscribe mechanism because they "only go to leads who filled out the form"
  • Referred contacts added to a marketing list without their knowledge — someone forwarded a newsletter and the recipient's address was manually added

None of these are malicious. Most businesses running non-compliant email programmes are not aware of the specific requirements. The enforcement risk, however, is real — CRTC complaints can come from a single unhappy recipient, not just a systematic audit.

Practical first steps

If you currently run an email programme without documented consent records, the priority order is:

  1. Audit your list — identify contacts with clear express consent, contacts with potentially valid implied consent (recent transaction or enquiry within the applicable window), and contacts where consent status is unknown or likely expired.
  2. Segment and suppress — the unknown/expired segment should not receive marketing email until re-consent is obtained. A re-consent campaign ("we want to keep in touch — confirm your preference here") addresses this while simultaneously building a cleaner express-consent list.
  3. Fix the infrastructure — add CASL-compliant unsubscribe to every automated sequence, add consent date and type fields to your CRM, and implement a suppression list process that prevents manually re-adding unsubscribed contacts.
  4. Document going forward — consent records do not need to be complicated. A spreadsheet with email address, consent type, consent date, and consent mechanism (which form, which campaign) is sufficient for most small businesses. Your ESP should handle this if properly configured.

If you are launching an email programme or auditing an existing one for CASL compliance, Mitiksha can help structure the consent audit and compliant programme build.