Canada's Anti-Spam Law (CASL): Key Rules for Sending Commercial Messages

Canada's Anti-Spam Legislation (CASL), formally An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, S.C. 2010, c. 23, is widely regarded as one of the strictest anti-spam regimes in the world. It applies to virtually every business that sends marketing emails, promotional texts, or commercial messages to recipients in Canada, and the penalties for getting it wrong reach as high as $10 million per violation for corporations.

Under CASL, every commercial electronic message must meet three core requirements: (1) the recipient must have given express or implied consent before the message is sent, (2) the message must clearly identify the sender and provide valid contact information for at least 60 days, and (3) the message must include a no-cost unsubscribe mechanism that is honoured within 10 business days. Together, these rules form the foundation of CASL compliance for any organization that communicates electronically with Canadian audiences.

This article walks through the key rules of Canada's anti-spam law for sending commercial messages, the difference between express and implied consent, the limited exemptions available, and what enforcement looks like in practice.

What CASL Is and Who Must Comply

CASL came into force on July 1, 2014, with the private right of action provisions, which would have allowed individuals to sue spammers directly, initially scheduled to take effect on July 1, 2017, but suspended indefinitely by the federal government through an Order in Council on June 7, 2017. Today, the Act is enforced by three federal regulators working together: the Canadian Radio-television and Telecommunications Commission (CRTC), which leads enforcement on spam and electronic threats; the Office of the Privacy Commissioner of Canada, which handles personal information aspects; and the Competition Bureau, which addresses false or misleading representations in electronic messages.

CASL applies broadly. The rules cover individuals, incorporated and unincorporated businesses, partnerships, charities, and not-for-profit organizations. They apply whether the message originates within Canada, leaves Canada, or arrives in Canada from abroad, meaning a U.S.-based company emailing Canadian customers is just as subject to CASL as an Ontario business emailing its own subscribers.

Importantly, CASL replaced Canada's previous "opt-out" approach with an "opt-in" regime. With limited exceptions, a sender needs the recipient's prior consent before any commercial electronic message can be transmitted. The default position is no, and the burden of proving consent rests on the sender, not the recipient.

What Is a Commercial Electronic Message Under CASL?

Before applying any of CASL's rules, the threshold question is whether a particular message qualifies as a "commercial electronic message" (CEM) in the first place.

Under section 1(2) of CASL, a CEM is any electronic message where it is reasonable to conclude that one of its purposes is to encourage participation in a "commercial activity." The definition of commercial activity in section 1(1) is intentionally broad: any transaction, act, or conduct of a commercial character, whether or not it is carried out for profit. This means that even a non-profit organization promoting a paid event, or a charity selling merchandise, can be sending a CEM.

The form of the message does not matter. CASL covers any message sent to an "electronic address," which includes:

• Email accounts
• Telephone accounts (for SMS and MMS text messages)
• Instant messaging accounts
• Social media direct messages
• Any other similar account

What does matter is the purpose test. Because the legislation looks at whether it is reasonable to conclude that the message has a commercial purpose, even a message that is mostly informational can fall within CASL if it also encourages a commercial transaction. A newsletter that includes a promotional offer, an appointment reminder that promotes an upsell, or a webinar announcement that promotes a paid upgrade, all are likely CEMs.

Examples of clear CEMs include promotional emails, marketing newsletters, SMS marketing texts, abandoned-cart reminder emails, and direct social media messages advertising products or services. By contrast, purely transactional messages, such as order confirmations, delivery notifications, warranty information, account statements, or subscription renewal notices that contain no promotional content, generally fall outside CASL's main consent requirement, as discussed in the exemptions section below.

The Three Core CASL Rules for Sending Commercial Messages

Section 6 of CASL establishes the three foundational rules that govern every commercial electronic message. To send a CEM lawfully, all three must be satisfied at the same time. Failing on any one of them is a violation, even if the other two are met.

Requirement 1: Consent

The first requirement is that the recipient must have consented to receive the message. Under CASL, consent comes in two forms: express and implied. The burden of proving that valid consent existed at the time the message was sent rests entirely on the sender (CASL, s. 13).

Express consent means the recipient has actively and clearly agreed to receive commercial messages from the sender. This can be obtained in writing, including electronically through an opt-in form, or orally. Under section 10(1) of CASL, the request for express consent must clearly state the purpose for which consent is being sought, identify the requester (and any third party on whose behalf consent is being sought), and provide prescribed contact information.

A few practical points about express consent are worth highlighting. Pre-ticked checkboxes do not constitute express consent under CASL, the recipient must take a positive action, such as ticking an empty box or clicking a confirmation button. Express consent is also not time-limited: once obtained, it remains valid until the recipient withdraws it by unsubscribing or otherwise notifying the sender. That permanence is one reason express consent is generally preferable to implied consent for any business that intends to maintain long-term marketing relationships.

Implied consent is narrower and is set out in section 10(9) of CASL. It can arise in four main categories:

• Existing business relationship (EBR): A purchase, lease, or barter of a product, service, or land between the recipient and the sender within the past two years; a written contract that is currently in force or expired within the past two years; or an inquiry or application made by the recipient to the sender within the past six months.
• Existing non-business relationship: Membership in a club, association, or voluntary organization for which the sender is responsible; a charitable donation, gift, or volunteer work performed for a registered charity within the past two years; or, in some cases, attendance at a meeting organized by a non-profit.
• Conspicuously published contact information: The recipient has published their electronic address in a manner that is publicly available, for example, on a business website, without any statement that they do not wish to receive unsolicited commercial messages, and the message relates to the recipient's role, function, business, or duties.
• Direct disclosure: The recipient has provided their electronic address directly to the sender without any statement that they do not wish to receive unsolicited commercial messages, and the message again relates to the recipient's role, function, business, or duties.

The duration of implied consent based on an existing business relationship is critical and frequently misunderstood. For a purchase, lease, or barter, implied consent runs for two years from the date of the most recent transaction. For an inquiry or application, it runs for only six months from the date of the inquiry. Each new transaction with the same person resets the clock. Once those windows expire, the sender must obtain express consent before continuing to send CEMs.

Requirement 2: Identification Information

The second requirement is that every CEM must clearly identify who is sending the message. Under section 6(2) of CASL and the regulations made under it, the message must identify the sender and any third party on whose behalf the message is being sent, and must provide contact information that allows the recipient to readily reach the sender.

The required contact details are: the sender's mailing address, plus at least one of: a telephone number with active response voicemail, an email address, or a web address. All identification and contact information must remain valid for a minimum of 60 days after the message is sent (CASL, s. 6(3)). A common compliance failure occurs when businesses change their address, phone number, or email and fail to ensure that previously sent messages still link to working contact channels.

Requirement 3: Unsubscribe Mechanism

The third requirement is that every CEM must include a working unsubscribe mechanism. Under section 11(1) of CASL, this mechanism must allow the recipient to indicate, at no cost, that they no longer wish to receive commercial messages from the sender. The mechanism must use the same electronic means by which the message was sent, for example, a clickable link in an email or a reply code for SMS, or another electronic means that is reasonably practicable in the circumstances.

The unsubscribe address or link must remain valid for at least 60 days after the message is sent (CASL, s. 11(2)). Once a recipient submits an unsubscribe request, the sender must give effect to it without delay and, in any event, no later than 10 business days after the request is received (CASL, s. 11(3)). There is no grace period beyond those 10 business days, and CRTC enforcement actions have repeatedly cited delayed or non-functional unsubscribe processes as the basis for significant penalties.

Key Exemptions: When CASL Does Not Apply

CASL contains a list of specific exemptions in section 6(5) and in the related regulations. The most commonly relied-on exemptions cover the following categories of messages:

• Personal or family relationships: Messages between individuals who have a personal or family relationship as defined in the regulations.
• Internal business communications: Messages between employees, representatives, contractors, or consultants of an organization concerning the organization's activities.
• Direct responses to a request: Messages sent in response to a request, inquiry, or complaint made by the recipient.
• Transactional messages: Order confirmations, delivery notifications, warranty or recall information, subscription notifications, employment-related messages, and account statements, provided they contain no promotional content.
• Charity and political party fundraising: Messages sent for the primary purpose of raising funds by registered charities or by political parties, candidates, and certain political organizations.
• Legal obligations: Messages sent to satisfy a legal obligation or to enforce a legal right or court order.
• Two-way voice communications: Real-time voice calls between individuals.
• Faxes sent to a telephone account: Fax messages.

A critical compliance trap is that purely transactional messages are exempt from the consent requirement only if they contain no promotional content. The moment a delivery confirmation includes a "while you wait, browse our spring collection" banner, the message arguably becomes a CEM and the full set of CASL rules, including consent, identification, and unsubscribe, can apply. Many businesses unintentionally cross this line by adding marketing footers to otherwise transactional emails.

CASL Penalties and Enforcement: Real Consequences

The financial consequences of a CASL violation are substantial. Under section 20 of CASL, the CRTC may impose administrative monetary penalties of up to $1 million per violation against an individual, and up to $10 million per violation against a corporation or other organization. Although the stated purpose of these penalties is to promote compliance rather than to punish, the dollar amounts reflect Parliament's view that spam is a serious harm to Canada's digital economy.

CASL also expressly extends personal liability beyond the corporation. Directors, officers, agents, and mandataries can be held personally responsible if they directed, authorized, assented to, acquiesced in, or participated in the commission of a violation by the organization. Due diligence is a defence, but it must be established by the person seeking to rely on it.

When determining the amount of a penalty, the CRTC considers a range of factors set out in section 20(3), including the purpose of the penalty, the nature and scope of the violation, any prior history of violations, any financial benefit obtained from the conduct, the person's ability to pay, and any other relevant factor. Several enforcement decisions illustrate how these factors play out in practice:

• Compu-Finder (2015 Notice of Violation; reduced on review in 2017): In March 2015, the CRTC issued a $1.1 million Notice of Violation against Quebec-based Compu-Finder for sending 317 promotional emails for its educational and training services without consent and for failing to provide a working unsubscribe mechanism. On review, the CRTC reduced the administrative monetary penalty to $200,000 in Compliance and Enforcement Decision CRTC 2017-368, finding the original amount disproportionate to what was needed to promote compliance.
• Brian Conley, CEO of nCrowd Inc. (2019): In Compliance and Enforcement Decision CRTC 2019-111, the CRTC issued a $100,000 administrative monetary penalty against the CEO of nCrowd personally, the first CASL penalty issued against a corporate officer in their personal capacity.
• Scott William Brewer (2021): The CRTC imposed a $75,000 penalty on an individual for sending over 670,000 unsolicited commercial messages between December 2015 and May 2018, the largest CASL penalty issued to an individual at the time.
• Quebec phishing campaign (2023): The CRTC issued a $40,000 penalty against a Quebec resident for conducting a high-volume phishing campaign in violation of CASL.

Beyond financial penalties, businesses that violate CASL can suffer reputational damage, lose access to email service providers that enforce strict anti-spam policies, and face increased regulatory scrutiny on subsequent campaigns.

A Practical CASL Compliance Checklist

For Canadian businesses that send commercial electronic messages, ongoing CASL compliance generally involves a handful of disciplined practices:

• Audit your contact lists. For every email or phone number on your marketing list, identify the basis of consent (express, implied, or none) and the date the consent was obtained. Where you are relying on implied consent based on an existing business relationship, track the expiry date, two years from the last purchase or six months from the last inquiry.
• Document everything. Because the burden of proof rests on the sender, maintain records that show when, how, and through which channel each contact opted in. A consent log that captures the date, the form used, and the IP address (for online opt-ins) is a strong evidentiary foundation.
• Review your message templates. Confirm that every commercial email, SMS, or social message includes the sender's name, mailing address, and at least one valid telephone number, email, or website. Confirm that the unsubscribe link or reply code works and continues to work for at least 60 days.
• Build a reliable unsubscribe workflow. Whether you use a CRM, an email service provider, or a custom system, ensure that unsubscribe requests are processed within 10 business days. Manual processes are particularly vulnerable to falling outside this window.
• Audit your intake forms. Opt-in checkboxes should not be pre-ticked. The accompanying language should clearly describe the type of messages the person is consenting to receive and identify the organization that will be sending them.
• Mark the calendar. Track the expiry of implied consent and plan to either obtain express consent or remove the contact from the list before the window closes. A small amount of upfront discipline avoids large enforcement risk.

Frequently Asked Questions

Does CASL apply to businesses outside Canada?

Yes. CASL applies to any commercial electronic message that is sent from, within, or to Canada. A foreign business that emails Canadian recipients must comply with CASL, the location of the sender does not provide an exemption from Canada's anti-spam law.

How long does implied consent last under CASL?

For an existing business relationship based on a purchase, lease, or barter, implied consent under CASL lasts two years from the date of the most recent transaction. For an inquiry or application by the recipient, it lasts six months from the date of the inquiry. Each new transaction resets the two-year period.

Can I be personally fined for CASL violations as a business owner or executive?

Yes. CASL expressly extends liability to directors, officers, agents, and mandataries who directed, authorized, assented to, acquiesced in, or participated in a violation. Due diligence is a defence under Canada's anti-spam law, but it must be proven by the individual seeking to rely on it.

What happens if someone makes an inquiry but doesn't buy anything, do I have implied consent?

Yes, but only for six months from the date of the inquiry. After that window closes, you must obtain express consent before continuing to send commercial messages under CASL.

Are SMS marketing texts subject to CASL?

Yes. CASL applies to any electronic message sent to an electronic address, which expressly includes telephone accounts used for SMS and MMS messages. A promotional text is just as subject to the three CASL requirements as a promotional email.

How do I prove I had consent if the CRTC investigates?

You must produce records showing when consent was obtained, by what method (express opt-in, implied through a transaction, conspicuously published address, etc.), and the scope of what the recipient agreed to. Organizations that rely on email service providers should ensure they can retrieve historical opt-in records. Without documentation, the practical reality is that you have no consent.

Sources & Official Resources

Federal Statutes Cited

1. Canada's Anti-Spam Legislation (Electronic Commerce Protection Act), S.C. 2010, c. 23, Full Text

Government of Canada Resources

2. Canada's Anti-Spam Legislation, Government of Canada (ISED)
3. Getting Consent to Send Email, ISED Guidance

CRTC Resources and Guidance

4. Frequently Asked Questions about Canada's Anti-Spam Legislation, CRTC
5. Guidance on Implied Consent, CRTC
6. CRTC Enforcement Actions Index

CRTC Enforcement Decisions Cited

7. Compliance and Enforcement Decision CRTC 2017-368, Compu-Finder Penalty Reduced to $200,000
8. Compliance and Enforcement Decision CRTC 2019-111, $100,000 Penalty Against nCrowd CEO Brian Conley

Contact Hadri Law

If you are unsure whether your business's email or SMS marketing practices comply with CASL, or if you have received a CRTC notice of violation, getting clear legal guidance early can protect you from significant penalties and personal liability. CASL touches on commercial agreements, privacy obligations, and corporate governance, areas where Hadri Law regularly advises Toronto and GTA businesses.

Call (437) 974-2374 for a free consultation. We serve clients in English, French, Spanish, and Catalan.

This article provides general information about Canada's Anti-Spam Legislation and is not legal advice. Every business is different. For advice on your specific situation, contact a lawyer.