Canada's Anti-Spam Legislation (CASL) is widely considered the strictest anti-spam law in the world. Unlike CAN-SPAM, it's an opt-in regime with significant penalties.
Maximum penalty per violation (business)
Source: CASL
Maximum penalty per violation (individual)
Source: CASL
Critical difference from US law:
CASL is opt-in, not opt-out. You generally cannot email someone in Canada without prior consent — express or implied.
Why CASL is "The Strictest in the World"
1. Consent Required Before Sending
Unlike CAN-SPAM (opt-out), you must have consent before sending. The burden is on the sender.
2. Implied Consent Expires
Even if you have implied consent, it expires after 2 years (purchase) or 6 months (inquiry). You must track these dates.
3. Massive Penalties
Up to $10 million per violation for businesses. Unlike CAN-SPAM, there's a private right of action.
4. Broad Definition of "CEM"
Commercial Electronic Message (CEM) covers any message that encourages participation in commercial activity — very broad.
Express vs. Implied Consent
Express Consent
The recipient actively opted in to receive your communications.
- • Does NOT expire (unless withdrawn)
- • Must be clear and specific
- • Cannot be bundled with other consents
- • Must identify sender
- • Pre-checked boxes don't count
Implied Consent
Consent inferred from existing relationship or circumstances.
- • Expires after defined period
- • Based on relationship or inquiry
- • Limited circumstances apply
- • Must track expiration dates
- • Weaker legal standing
When Implied Consent Applies
Existing Business Relationship (EBR)
2 yearsYou sold them something, they purchased, or there was an ongoing contract. Implied consent lasts 2 years from the last transaction.
Inquiry or Application
6 monthsThey contacted you asking about your products/services, submitted an application, or made an inquiry. Implied consent lasts 6 months.
Published Business Email
ConditionalIf someone publishes their work email (website, business card) AND your message is relevant to their business role/function, you may have implied consent. Very narrow.
Professional/Business Relationship
LimitedNon-business relationship that involves the exchange of contact information. Limited applicability for cold outreach.
Pro Tip
Required Message Elements
Every CEM under CASL must include:
- Sender Identification
Name of sender and (if different) person on whose behalf sent
- Contact Information
Mailing address, phone number, email address, or web address
- Unsubscribe Mechanism
Must work for at least 60 days after message is sent
Unsubscribe processing:
You must process unsubscribe requests within 10 business days. The mechanism must be free to use and not require any information beyond email address.
The B2B "Exemption" Myth
There is no blanket B2B exemption in CASL. The "published email" provision is often misunderstood:
Do This
- Message is relevant to recipient's business role
- Email was conspicuously published for business purposes
- No statement indicates they don't want unsolicited emails
- You include proper identification and unsubscribe
- Message relates to their professional functions
Avoid This
- Assume all business emails are fair game
- Email scraped or purchased lists in Canada
- Ignore 'no solicitation' statements
- Send irrelevant commercial messages
- Email to request consent (that's still a CEM!)
Critical trap:
You cannot email someone just to ask for their consent. The email requesting consent is itself a CEM, which requires... consent. Catch-22.
Penalties: Up to $10 Million Per Violation
| Violator | Maximum Penalty |
|---|---|
| Business/Corporation | Up to $10 million CAD |
| Individual | Up to $1 million CAD |
Real CASL Enforcement:
- • $1.1 million — Compu-Finder (first major CASL penalty)
- • $100,000+ — Multiple companies for consent violations
- • Ongoing enforcement — CRTC actively investigates complaints
Private Right of Action
Unlike CAN-SPAM, CASL allows individuals and businesses to sue for violations (though this provision has been delayed multiple times).
- • Statutory damages: Up to $200 per contravention (max $1M/day)
- • Actual damages: Provable losses
- • Class actions: Potential for aggregated claims
- • Director liability: Individuals can be personally liable
CASL Compliance Checklist
- Express consent documented, OR
- Implied consent valid (EBR <2 years, inquiry <6 months)
- Published email exception properly applied (if using)
- Sender identification included
- Contact information provided (address, phone, email, or web)
- Unsubscribe mechanism works for 60 days
- Unsubscribe processed within 10 business days
- Message relevant to recipient's business role (if using published email)
- Consent records maintained with date, method, and proof
- Implied consent expiration dates tracked
- No "no solicitation" statement ignored
Legal Disclaimer
This content is provided for educational purposes only and does not constitute legal advice. Regulations vary by jurisdiction and change frequently. We strongly recommend consulting with a qualified attorney or compliance professional regarding your specific situation before implementing any outreach program. Pipeline Engine is designed with compliance in mind, but ultimate responsibility for legal compliance remains with the business.