
A Small Business Guide to CASL: Canada's Anti-Spam Law

Most cybersecurity conversations focus on keeping bad messages out. CASL is about the messages you send out — and getting it wrong can be expensive. Canada’s Anti-Spam Legislation governs commercial electronic messages, and it applies to ordinary marketing emails, newsletters, and texts that almost every business sends. Here’s the plain-language version.

This is a general overview, not legal advice — confirm your obligations with qualified counsel.

What CASL covers

CASL applies to commercial electronic messages (CEMs) — emails, texts, and some social messages sent to electronic addresses that encourage participation in a commercial activity. That includes promotions, newsletters, event invites, and “just checking in” sales emails. It’s enforced primarily by the CRTC, and the penalties are serious: violations can carry administrative monetary penalties of up to $10 million for a business (and up to $1 million for an individual).

It rests on three pillars: consent, identification, and an unsubscribe mechanism.

1. Consent

You generally need consent before sending a CEM, and there are two kinds:

  • Express consent — the person clearly opted in (for example, ticked an unchecked box to receive your newsletter). It doesn’t expire until withdrawn, and the burden is on you to prove you have it.
  • Implied consent — arises in specific situations, such as an existing business relationship (e.g., someone bought from you) or a published or conspicuously displayed business email where the message relates to their role. Implied consent is time-limited — typically two years from a purchase, or six months from an inquiry.

Pre-checked boxes and “consent” buried in terms don’t count. And you must keep records proving when and how consent was obtained.

2. Identification

Every CEM must clearly identify who is sending it and how to reach you — your business name and valid contact information (a mailing address plus a phone, email, or web address), kept valid for at least 60 days after sending.

3. Unsubscribe

Every CEM needs a working unsubscribe mechanism that’s easy to use, and you must honour requests within 10 business days. Keep it simple — one clear link.

A practical compliance checklist

  1. Audit your lists. Know, for every contact, whether you have express or implied consent — and when implied consent expires.
  2. Fix your signup forms. Use clear, unchecked opt-in boxes and log the date, time, and source of consent.
  3. Check every template. Sender identity, valid contact info, and a working unsubscribe link in every commercial message.
  4. Process unsubscribes fast. Well within 10 business days, and across all your lists.
  5. Keep records. If the CRTC asks, you need to prove consent — undocumented consent is effectively no consent.
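To show what the list audit in steps 1 and 4 looks like when it is automated, here is an added example (not from the original guide) that classifies a constructed contact list using the consent windows stated above and computes the 10-business-day unsubscribe deadline; the field names, the `example.com` addresses and the treatment of statutory holidays are assumptions.

```python
from __future__ import annotations
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
# Implied consent lasts two years from a purchase or six months from an inquiry.
IMPLIED_WINDOW_MONTHS = {"purchase": 24, "inquiry": 6}

@dataclass
class Contact:
    email: str
    consent: str                  # "express", "implied" or "none"
    obtained: date | None = None  # date consent was recorded (None = no record)
    basis: str | None = None      # implied only: "purchase" or "inquiry"

def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic (clamps the 31st to shorter months)."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))

def consent_status(c: Contact, today: date) -> str:
    """Classify a contact as 'ok', 'expired', 'undocumented' or 'none'."""
    if c.consent == "express":
        # Express consent never expires, but the burden of proof is on the sender.
        return "ok" if c.obtained else "undocumented"
    if c.consent == "implied":
        if c.obtained is None or c.basis not in IMPLIED_WINDOW_MONTHS:
            return "undocumented"
        expires = add_months(c.obtained, IMPLIED_WINDOW_MONTHS[c.basis])
        return "ok" if today < expires else "expired"
    return "none"

def audit(contacts: list[Contact], today: date) -> dict[str, str]:
    """Map each address to its status; only 'ok' contacts may receive a CEM."""
    return {c.email: consent_status(c, today) for c in contacts}

def unsubscribe_deadline(requested: date) -> date:
    """Latest date to honour an unsubscribe: 10 business days (Mon-Fri).
    Statutory holidays are not modelled (assumption), so the result is conservative."""
    d, remaining = requested, 10
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d

# Constructed sample list (placeholder addresses, not real data).
SAMPLE = [Contact("a@example.com", "express", date(2023, 5, 1)),
          Contact("b@example.com", "implied", date(2022, 3, 15), "purchase"),
          Contact("c@example.com", "implied", date(2024, 1, 10), "inquiry"),
          Contact("d@example.com", "express")]
```

Running `audit(SAMPLE, date(2024, 6, 1))` suppresses the lapsed purchase relationship and the undocumented express consent, which is exactly the record-keeping gap step 5 warns about.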

How CASL connects to security

CASL and cybersecurity overlap more than you’d expect. CASL also restricts the installation of software on someone’s device without consent — relevant if you distribute apps or tools. And the same email infrastructure you use to stay CASL-compliant (a reputable sending platform, proper SPF/DKIM/DMARC records) is what protects your domain from being spoofed in phishing and business email compromise attacks. Good email hygiene serves both goals.

Treat CASL as part of your broader data-and-privacy posture alongside PIPEDA — handle people’s contact information with consent and care, and you stay on the right side of both.
