What is CASL?

Canada's Anti-Spam Legislation (S.C. 2010, c. 23) is federal law that regulates the sending of commercial electronic messages (CEMs) — primarily email, but also text messages and some forms of social media messaging. It is enforced by three federal bodies: the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau, and the Office of the Privacy Commissioner of Canada.

CASL applies to anyone who sends a commercial electronic message to a Canadian recipient — which means it applies to Canadian businesses sending email to Canadian customers, and to foreign businesses sending email to people in Canada. If you are a Canadian business with a mailing list, a newsletter, or any form of email marketing, CASL applies to you.

What CASL covers — and what it does not

CASL applies to commercial electronic messages: any electronic message that has as one of its purposes the encouragement of participation in a commercial activity. This includes promotional emails, newsletters with product or service mentions, follow-up emails after a purchase, and emails about sales or offers.

CASL does not apply to purely transactional messages — a receipt confirming a purchase, a shipping notification, a password reset email, or a reply to a direct inquiry from a customer. These are not commercial messages in the CASL sense because their primary purpose is to facilitate a transaction rather than to promote something.

CASL also does not apply to messages sent to a person who explicitly asked you to contact them — for example, someone who submitted your contact form asking for a quote. Your reply to that inquiry is a transactional response, not a commercial message requiring CASL consent.

Express consent is the strongest form of CASL consent and the one you should aim for in most situations. It requires that the person explicitly agreed to receive commercial messages from you, and that this agreement was obtained in a specific way.

A valid express consent requires: a clear description of what the person is consenting to receive, who they are consenting to receive it from, and an unchecked checkbox or other active opt-in mechanism. The person must take a positive action — ticking a box, clicking a button — to indicate consent. Pre-ticked checkboxes do not constitute valid CASL express consent.

Example of a valid newsletter signup: a form with a field for email address and an unchecked checkbox labelled "I agree to receive the iWebServe monthly newsletter with web tips and updates from Michael Perks at iwebserve.ca. You can unsubscribe at any time." The person must actively tick that box before submitting.

Express consent does not expire — once obtained, it remains valid until the person withdraws it. You must keep records of how and when express consent was obtained.

Implied consent covers situations where a prior relationship exists and a reasonable expectation of communication can be inferred from that relationship.

CASL recognises implied consent in several specific situations. An existing business relationship — where someone purchased from you or entered into a contract with you — creates implied consent to send related commercial messages for two years after the last transaction. An existing non-business relationship — where someone made an inquiry or application — creates implied consent for six months after that inquiry. A person who has conspicuously published their electronic address (on a website, for example) without stating they do not want to receive commercial messages may have created implied consent for messages relevant to their professional capacity.

Implied consent has time limits. Once the time period expires, you need express consent to continue sending commercial messages. This is where many businesses run into problems — they continue sending newsletters to people they have not heard from in years, without realising their implied consent window closed long ago.

Contact forms and CASL

A contact form submission is not, by itself, CASL consent. When someone fills out your contact form asking about your services, they are asking you to respond to their inquiry — they are not consenting to receive your newsletter, your promotional emails, or any ongoing commercial communication.

You can respond to the inquiry (that is a transactional response). You cannot add that person to your mailing list without separate consent. Many small businesses do exactly this — someone gets a quote, is added to a "past leads" list, and then receives monthly newsletters for years. This is a CASL violation.

You can, however, include an optional unchecked checkbox on your contact form that gives people the choice to also subscribe to your newsletter. If they tick it, you have express consent. If they do not, you respond to their inquiry and leave it there.

The unsubscribe requirement

Every commercial electronic message you send must include a clearly visible and functional unsubscribe mechanism. The unsubscribe must: be easy to identify, be functional for a minimum of 60 days after the message is sent, and process the unsubscribe request within 10 business days.

The mechanism must be free — you cannot charge people to unsubscribe. It must not require the person to log in to an account to unsubscribe (a barrier that CASL specifically prohibits). A simple link at the bottom of every email that processes the removal and confirms it within 10 business days satisfies the requirement.

Once someone unsubscribes, you cannot send them commercial messages again without obtaining fresh consent. An unsubscribe is permanent until the person re-opts in themselves.

Record-keeping: why it matters

Under CASL, the burden of proof is on the sender. If a complaint is filed or an investigation is opened, you must demonstrate that you had valid consent to send each message to each recipient. You cannot prove consent you did not record.

Your records should capture: when consent was obtained, how it was obtained (the form, page, or interaction through which it was given), who gave it (email address, IP address where possible), and what they consented to receive. Modern email marketing platforms — Mailchimp, Klaviyo, Campaign Monitor — handle much of this automatically, storing signup timestamps and consent details per subscriber.

If you are managing your mailing list in a spreadsheet with no consent records, you are exposed. The list may contain people you have no documented consent for, and you would have no way to prove otherwise in an investigation.

Penalties and enforcement

CASL penalties are among the highest for anti-spam law globally. Individuals can be fined up to $1 million per violation. Businesses can be fined up to $10 million per violation. Directors and officers of corporations can be personally liable.

In practice, CASL enforcement has focused on larger-scale violations — mass spam operations, deceptive marketing, businesses with thousands of illegitimate contacts. Small businesses sending newsletters to a modest list with reasonable consent practices are not the primary enforcement target.

However, the penalties exist, complaints can be filed by anyone, and CASL has a private right of action (though this provision has not yet been brought into force). Compliance is not difficult — it is mostly a matter of using the right tools and establishing good habits from the start.

What your business should do now

Audit your existing list. Do you have documented consent for every person on your mailing list? If not, consider a re-permission campaign — send a message explaining that you want to keep in touch and asking people to confirm they want to stay subscribed. It will shrink your list, but the people who remain are engaged and legitimately opted in.

Fix your signup forms. Every signup form should have an unchecked checkbox with a plain-English description of what the person is subscribing to and who they will hear from. Remove any pre-ticked boxes.

Do not add contact form submissions to your newsletter list. Treat inquiries as inquiries. If you want to invite them to subscribe, include a separate optional checkbox on the contact form.

Include a working unsubscribe link in every email. If you use an email marketing platform, this is usually handled automatically. If you are sending newsletters manually through Gmail or Outlook, you need to build this in yourself — which is another reason to use proper email marketing software.

Keep records. Your email platform should be recording consent timestamps. Verify that it is and that you can export a consent report for any subscriber if you ever need to.

On Vancouver Island? Design Menu builds contact forms and newsletter signups with correct CASL consent checkboxes and unsubscribe handling built in from the start — not bolted on after the fact.