Skip to Content
← The Compliance ShieldCanada's Anti-Spam Legislation

CASL Compliance

CASL governs all commercial electronic messages sent to or from Canadian email addresses — with fines up to $10 million per violation.

Overview

Canada's Anti-Spam Legislation (CASL) came into force in July 2014 and is widely regarded as one of the world's strictest commercial email laws. It applies to any Commercial Electronic Message (CEM) — including promotional emails, SMS, and social DMs — sent to or from a Canadian electronic address. Unlike CAN-SPAM, CASL requires express or implied consent before sending, not just an unsubscribe mechanism after. Fines for individuals reach $1 million per violation; organizations face up to $10 million per violation. Private rights of action (class actions) are expected to be enabled in future amendments.

Who This Applies To

  • Email marketing campaigns (promotional, transactional hybrid) to Canadian subscribers
  • SMS marketing messages to Canadian phone numbers
  • Post-purchase email sequences and win-back flows
  • Newsletter welcome series and abandoned cart automations
  • Account notification emails that contain promotional content

Your Obligations

Express or Implied Consent

You must obtain express consent (a clear opt-in checkbox) before sending CEMs. Implied consent exists only in narrow circumstances: a prior business relationship within the last 2 years, or the recipient publicly posted their address for business purposes.

Consent Records

CRTC requires you to maintain proof of consent — including timestamp, IP address, and the exact consent language shown. If you cannot produce consent records during an investigation, you are presumed non-compliant.

Identification & Contact

Every CEM must identify the sender, include a mailing address (not a PO box for certain senders), and provide a working unsubscribe mechanism.

Unsubscribe Honouring

Opt-outs must be honoured within 10 business days. Sending even a single email after an opt-out request is a separate CASL violation.

Referring Parties

If a third party (lead gen vendor, affiliate) provides you with a contact list, you inherit liability for whether those contacts gave valid CASL consent. Due diligence records are mandatory.

Real Enforcement Cases

These are not hypothetical risks. The following cases represent actual regulatory enforcement actions and civil litigation — each with documented penalties.

2015$1.1 Million

Compu-Finder

The CRTC issued its first major CASL fine — $1.1 million — against Compu-Finder for sending emails without consent and providing a broken unsubscribe mechanism. 26% of their emails were sent to addresses scraped from websites without the account holder's knowledge.

2017$200,000

Rogers Media

Rogers settled with CRTC for $200,000 after sending commercial messages to individuals who had not consented. The case highlighted that even large, compliance-aware organizations make systemic list management errors.

2019$60,000

Kellogg's Canada

Kellogg's sent promotional emails to a list that included addresses collected before CASL came into force, without proper transition-period consent. The brand agreed to a compliance program and $60,000 penalty.

2016$75,000

Blackstone Learning Corp.

Blackstone was fined $75,000 for sending emails to individuals who had not consented and failing to provide proper identification in their messages — two separate CASL obligations violated simultaneously.

Free Consultation

Is your e-commerce store exposed?

Deskulpt engineers audit your current technology stack against CASL Compliance requirements, identify gaps, and produce a prioritised remediation roadmap. No retainer required to start.

Book Your Free CASL Email Marketing Audit